
All Episodes - QPC Security - Breakfast Bytes
Information technology security risk management
97 Episodes
Navigating Financial Risk: Insights from Chris Belchamber
In this engaging episode of Breakfast Bytes, host Felicia King invites wealth manager and seasoned investment specialist Chris Belchamber to share his 41 years of industry insight. Dive into a rich narrative exploring risk management from two unique perspectives: technology and finance. As Chris unveils his journey towards shaping informed risk takers, listeners are guided through his groundbreaking efforts in establishing clear success benchmarks while unveiling tips on tax efficiency and strategic asset management. Chris reveals the practical steps he's taking in democratizing financial clarity, from publishing his insightful book, "Invest Like the Best," to launching informative online platforms for both comprehensive financial guidance and free educational resources. As the narrative unfolds, learn about Chris's diverse strategies—from using sophisticated tools like the Calmar Ratio in investment analysis to collaborating with global professionals for unparalleled estate planning advice.
https://chris-belchamber.com/

This episode is the latest in our series on risk management practices. Chris's expertise blends risk management and wealth preservation. He offers sage advice on evaluating investment advisors effectively.

Resources Chris refers to:
https://maxifiplanner.com/
https://www.interactivebrokers.com/en/whyib/overview.php
A Deep Dive into SaaS Risks and Backups
Join Felicia King in this eye-opening episode of Breakfast Bytes as she unravels the concept of third-party information security risk management. Felicia highlights the growing debates around software as a service (SaaS) platforms and the complexities they entail, raising poignant questions about security, backups, and risk. Dive deep into the intricacies of backups—from on-premises practices to the vulnerabilities introduced with SaaS. Felicia draws parallels between the supply chain practices of ancient times and the critical information security strategies needed in today's digital landscape. Through vivid storytelling and expert insights, discover why making informed decisions about SaaS requires more than just evaluating business functionalities—it demands a comprehensive risk management strategy and the right technological expertise. Don't miss this narrative packed with actionable advice for becoming an informed risk decision maker in the world of technology.

Quick recap
Felicia discussed the importance of third-party information security risk management in the technology industry, emphasizing the need for comprehensive backup methods and informed decision-making when evaluating software as a service solutions. She highlighted the misconception that Business Continuity and Disaster Recovery is primarily an IT problem, stressing the importance of business processes and human continuity. Felicia emphasized the crucial role of involving a qualified Chief Technology Officer in the evaluation process of software as a service solutions to ensure proper security measures, backup capabilities, and role management are considered before making procurement decisions.

Third-Party Information Security Risk Management
Felicia discussed the importance of third-party information security risk management, also known as counterparty risk, in the technology industry. She highlighted that this topic has been underestimated and is becoming increasingly relevant as more legacy applications are being considered for replacement with software as a service (SaaS). Felicia emphasized the need for informed risk decision-making and raised awareness about the nuances of backups, which are crucial for information security risk management. She also mentioned that the approach to backups should be based on the end goal of restoration, and that relying on a single method for backups can be naive.

Comprehensive Backup Strategies for Businesses
Felicia discussed the importance of backup methods for businesses, emphasizing the need for a more comprehensive approach than the standard 3-2-1 method. She highlighted the limitations of cloud storage and the need for brick-level backup, which allows for the recovery of individual objects or databases rather than the entire server. This flexibility is crucial for businesses, especially those with complex systems like enterprise resource planning tools, where rapid and easy recovery from backups is essential for scenario planning and testing.

BCDR: Business Processes Over IT
Felicia discussed the misconception that Business Continuity and Disaster Recovery (BCDR) is primarily an IT problem, emphasizing that it is 80% about business processes and human continuity. She highlighted the importance of moving away from legacy apps due to their high maintenance and operational costs. Felicia also pointed out the limitations of on-premises infrastructure in meeting uptime requirements, suggesting that software as a service could be a more viable option. She concluded by stating that most businesses cannot afford the same level of uptime as software as a service, despite what are sometimes higher monthly fees for SaaS.

Involving a CTO in Software Evaluation
Felicia emphasized the importance of involving a Chief Technology Officer (CTO) in the evaluation process of software as a service solutions. She highlighted that without a CTO, the evaluation process lacks essential technical questions, such as security, access control, integration with onboarding and offboarding processes, and backup and restore capabilities. Felicia stressed that these technical aspects are crucial for a successful procurement and should be evaluated before making a business decision.

Involving the Right People in Pre-Procurement
Felicia emphasized the importance of involving the right people in the pre-procurement phase of software as a service, such as a qualified CTO, to ensure proper backup and security measures are in place. She used the example of Xero, an accounting platform, and its lack of native backups, requiring an additional third-party add-on, Control C, for backup solutions. Felicia stressed that without a competent CTO, it's impossible to make informed decisions based solely on price quotes from software companies, as additional costs for competent reporting and backup solutions need to be factored in.

QuickBooks Backup Limitations and Security Risks
Felicia discussed the limitations of QuickBooks Online's backup and restore capabilities and suggested considering alternatives like Odoo for more control over data. She emphasized the importance of understanding third-party information security and risk management to make informed decisions. Felicia also highlighted the risks associated with software as a service, including potential privacy violations and lack of full control over access logs. She advised considering the security implications of software development and the need for ongoing security processes.

SaaS Platform Evaluation Challenges
Felicia discussed the challenges of managing roles and responsibilities in software as a service applications. She highlighted that only a small percentage of these applications allow for customization, which is a significant issue. Felicia emphasized the importance of considering various factors when evaluating a SaaS platform, suggesting that it's a task best suited for a Chief Technology Officer (CTO). She encouraged attendees to consult with their preferred CTO for guidance on evaluating SaaS platforms.
Mastering Operational Maturity: The Secret to AI Success
Welcome to another episode of Breakfast Bytes with Felicia King. In this gripping sequel, Felicia delves deeper into the concept of operational maturity and its vital role in driving organizational profitability and AI readiness. If you've ever wondered why achieving consistency in management across departments can be challenging, this episode sheds light on the ubiquitous struggles faced by organizations regardless of size or industry. Drawing from her extensive 30-year career, Felicia shares eye-opening, real-world anecdotes that reveal the tangible barriers to operational maturity. Imagine a world where processes run smoothly, unaffected by the presence or absence of key personnel. A world where toxic workplace drama is curtailed by structured training, setting boundaries for employees, and instilling a culture of accountability. Through fascinating real-life examples and practical solutions, Felicia paints a vivid picture of how a lack of training and consistency can cause unwarranted drama and productivity loss, and how a mature operational framework can prevent such chaos. Managers play a crucial role, and Felicia discusses how they're uniquely positioned to counteract drama, empower their teams, and facilitate training that aligns with company standards and processes. As AI adoption becomes increasingly crucial, Felicia emphasizes that a solid foundation of operational maturity is not merely beneficial but essential. This episode not only highlights the risks of neglecting these elements but also inspires action by showcasing how adopting and enforcing standards can transform organizational culture, improve profitability, and ensure readiness for the technological advancements AI brings.

Quick recap
Felicia King emphasized the importance of operational maturity in driving profitability and readiness for AI adoption, highlighting the risks of not achieving it and the need for a shared responsibility model. She discussed various issues such as misconfigured phone systems, lack of accountability, and the negative impact of a sales-centric culture on employee retention. Felicia also stressed the importance of proper training, decoupling roles from individuals, and moving away from loyalty to individuals towards a more role-based approach to improve process documentation and prevent businesses from becoming overly reliant on one person.

Operational Maturity and AI Readiness
Felicia King discussed the importance of operational maturity in driving profitability and readiness for AI adoption. She emphasized the risks of not achieving operational maturity, citing her 30 years of experience working with various organizations. Felicia also highlighted that most organizations face similar challenges and need to undertake the same actions to improve operational maturity. She then hinted at providing solutions to these problems in future discussions.

Operational Maturity and Its Consequences
Felicia discussed the importance of operational maturity in organizations, emphasizing the need for consistency, standards, and policies. She used real-world examples to illustrate the consequences of a lack of operational maturity, such as wasted payroll and toxic drama. Felicia stressed the importance of training and accountability in preventing such issues. She also highlighted the role of managers in proactively managing toxic drama and ensuring they have a solid command of the technical systems used in their departments. Felicia concluded by emphasizing the need for a shared responsibility model and the importance of using the resources provided by the company, such as the knowledge base.

Misconfigured Extension Causes Toxic Drama
Felicia discussed an issue with an employee who misconfigured their phone system extension, causing problems. The employee was not held accountable for their behavior, and instead wrote a manual to guide others on how to avoid the same mistake. Felicia highlighted the toxic drama that can arise when employees are not held accountable for their actions, and the potential for further issues if the problem is not addressed.

Accountability and Adhering to Company Policies
Felicia discussed a problematic situation involving an employee who caused weeks of disruption by forwarding business calls to an external individual's personal cell phone. This led to potential legal issues and a complaint against the company. Felicia emphasized the importance of accountability and adherence to company policies and processes. She also highlighted the issue of blaming IT departments for poor performance, which she described as a cancer that can negatively impact an organization's profitability. She suggested that managers should take responsibility for knowing what is right and wrong, and not be bamboozled by employees' claims of IT-related issues.

Improving Accountability and Productivity Through Training
Felicia discussed the importance of proper training and accountability in the workplace. She highlighted the issue of employees not utilizing company-provided technology effectively, leading to inefficiencies and a lack of business continuity. Felicia suggested that managers should create development plans for employees, utilizing company training resources, to improve accountability and productivity. She also pointed out the negative impact of a sales-centric culture on employee retention and the overall payroll.

Decoupling Roles, Ensuring Business Continuity
Felicia discussed the importance of decoupling roles from individuals in organizations to ensure continuity and efficiency. She argued that job rotation and quality control measures can improve process documentation and prevent businesses from becoming overly reliant on one person. Felicia also emphasized the need for organizations to move away from loyalty to individuals and towards a more role-based approach. She suggested that smaller businesses are better positioned to achieve operational maturity due to their ability to make decisions and set policies without needing a committee-based approach.
Driving Cultural Change Toward Profitability and Operational Maturity
In this enlightening episode of Breakfast Bytes, Felicia King draws upon her three decades of business experience to guide us through the crucial steps organizations must take to flourish amidst today's challenges. With a focus on operational maturity, Felicia unravels the strategies businesses need to implement to harness the power of AI without compromising data security. Explore the pitfalls of inadequate governance in the age of rapidly advancing technologies and discover why the absence of a robust data policy could be detrimental. Felicia also delves into the cultural shifts required within organizations to ensure not only survival but also increased profitability. As businesses navigate generational labor market shifts and the complexities of AI integration, this episode serves as a narrative roadmap. Listen in to learn how to foster a culture that supports both employee growth and organizational resilience.

Summary

Addressing Labor Challenges With AI
Felicia King discussed the challenges faced by businesses in finding reliable, capable, and dependable employees. She highlighted the increasing use of robotics and AI as a response to these challenges, and the need for organizations to decouple their business processes from individuals. Felicia emphasized the importance of operational maturity for organizations to effectively utilize AI, and the lack of executive management wanting to put constraints around AI. She also noted that sales executives often drive the agenda in organizations, which can lead to a lack of focus on protecting company assets and customer data.

Unregulated AI Usage Risks and Solutions
Felicia discussed the dangers of unregulated AI usage in an organization. She emphasized the importance of having company policies and employee training to ensure proper use of AI technology. She stressed the risks of losing company data and increasing legal liabilities when AI is not controlled and its boundaries are not set. Felicia also highlighted the need for security measures like data loss prevention and digital rights management in AI usage. She noted the difficulty and time-consuming nature of implementing such measures, and the need for a paradigm shift in an organization's approach to technology.

Data Retention Policies Drive Operational Maturity
Felicia discussed the importance of data retention policies, data classification, and data sensitivity labels in driving operational maturity and cultural change within a company. She emphasized that these measures are crucial for an organization's readiness for AI and can lead to increased profitability. Felicia also highlighted the challenges faced by Generation Z workers due to their habits, which can negatively impact their employability. She noted that some employers have found it more cost-effective to deal with the gap of not having an employee than to manage the negative impact of an unprofitable employee.

Operational Maturity in AI Adoption
Felicia discussed the importance of operational maturity in organizations, emphasizing that it is crucial for adopting AI without risking data and customer safety. She highlighted the need for policies, standards, processes, and key performance indicators (KPIs) to drive cultural change and achieve higher profitability. Felicia also warned against solely focusing on metrics like time to close a ticket, as it could lead to ignoring potential issues. She suggested that operational maturity is necessary to prevent employees from becoming the biggest risk factor. Felicia concluded by stating that she would provide more tangible steps to achieve operational maturity in a future discussion.

Addressing Common Business Challenges
Felicia discussed her extensive experience in consulting for over 450 businesses, highlighting common problems such as underutilized resources, inconsistent outcomes, and compliance issues. She emphasized the importance of maintaining consistent outcomes, adhering to compliance requirements, and avoiding policy violations. Felicia also stressed the need for businesses to make tough decisions, such as firing underperforming employees, to ensure operational maturity and avoid adverse impacts on the organization.

Understanding Monthly Expenses and Profitability
Felicia discussed the importance of understanding the monthly expenses per knowledge worker employee, excluding salary, which can range from $300 to $400 monthly. She emphasized that businesses should aim to cover total per-employee expenses three to four times over to ensure profitability. Felicia also highlighted the shared responsibility model for profitability, stressing the need for both the organization and employees to improve their operational maturity and skills. She concluded by noting that this approach is not only beneficial for profit-making companies but also for nonprofits seeking to provide wage increases while staying within budget.
Mastering the AI Landscape: A Guide for Businesses
In this episode of Breakfast Bytes, Felicia King delves into the intertwining worlds of AI and technology adoption for businesses. She sheds light on how small and midsize businesses can leverage AI safely and the pivotal role of adopting the right technology. Drawing from three decades of experience, Felicia explores real-world scenarios, such as a 100-person law firm facing a potential $9 million data risk, highlighting the necessity of robust data governance and security measures. Listeners will gain insight into the vital decisions that executive management teams must make to remain competitive. Felicia discusses the importance of informed risk management decisions, advocating for comprehensive training, data governance, and enforcement to empower employees and safeguard company and customer data. Throughout the episode, Felicia emphasizes the need for businesses to engage with the right advisors, particularly in the realm of AI strategy, and not just rely on IT departments. By sharing real-world examples, she illustrates the significant risks and costs associated with inadequate guidance, and offers solutions for businesses to thrive in an ever-evolving technological landscape.
Survive and Thrive in 2025: Empowering Your Team with Continuous Learning
In this episode of Breakfast Bytes, join Felicia King as she sits down with Chris Gross, the Director of Product at Breach Secure Now, to explore the revolutionary impact of continuous education in cybersecurity and productivity. Discover how Breach Secure Now's unique approach to training empowers managers and employees alike to enhance organizational culture, productivity, and security awareness. Learn why weekly micro-trainings are more effective than traditional annual methods, transforming end users into informed, accountable team members. Chris shares his insights into the seamless integration of AI and security training with platforms like Microsoft Teams, and how this strategy keeps vital information at the forefront, ultimately cultivating a proactive workplace environment. Tune in to understand the significant role of employee empowerment in reducing risk, improving efficiency, and creating happier workplaces, while breaking down the traditional barriers of IT-led transformation. Finally, uncover how simple, actionable tools like the Security Risk Assessment can guide your organization in achieving operational maturity by 2025.

Related shows:
https://qpcsecurity.podbean.com/e/operational-maturity-practical-example/
https://qpcsecurity.podbean.com/e/why-you-need-a-cto-avoiding-costly-mistakes-in-document-management/

Improving Operational Maturity for 2025
Felicia and Chris discussed the importance of improving operational maturity for businesses to survive and thrive in 2025. Felicia emphasized the need for training, an AI strategy, and policies to prepare for competition and potential threats. She also highlighted the importance of implementing technical controls to protect company assets and the need for a cultural shift and policy management. Felicia suggested that a comprehensive tool like Breach Secure Now could be beneficial in this process. Chris agreed with Felicia's points, and they both agreed that a business needs to function as a whole, with all components working simultaneously, to be successful.

Implementing Effective Cybersecurity Measures
Felicia and Chris discussed the importance of implementing effective cybersecurity measures in organizations. They emphasized the need for a cultural shift within companies to prioritize cybersecurity, which requires the support of executive management teams. They also highlighted the role of AI tools like Copilot in enhancing cybersecurity, but noted that these tools are only effective if used in conjunction with proper data classification, retention, and management practices. They concluded that partnering with the right MSP and using the right tool set are crucial for successful implementation.

Implementing Effective Strategies for 2025
Felicia and Chris discussed the importance of implementing effective strategies for businesses in 2025. Felicia highlighted the need for policies, operational maturity improvement, AI readiness, and security risk assessment.

Continuous Education and Accountability
Chris and Felicia discussed the importance of continuous education and accountability in the technology world. They agreed that traditional once-a-year cyber training is ineffective and that regular updates are necessary. Felicia highlighted the effectiveness of Breach Secure Now (BSN) in improving overall organizational awareness and driving accountability. She also emphasized the importance of empowering managers to manage their teams effectively. Chris and Felicia discussed the integration of BSN with Microsoft Teams and the introduction of AI training in shorter segments called Nanos. They agreed that educating employees on how to use technologies effectively, proficiently, and securely is crucial for business success.

Cybersecurity Focus and Training Tools
Felicia commended the team for the accuracy of their material, noting a high success rate. She also expressed her appreciation for the platform's newsletters and a cybersecurity assessment tool, which she has incorporated into her job candidate assessment process. Chris emphasized the importance of demonstrating a cybersecurity-focused culture and providing education to new employees. Felicia further highlighted the effectiveness of the platform's training tools in promoting cultural change, particularly the integration with Teams and the optional nano trainings.

Improving Cyber Posture and Employee Training
Felicia discussed the importance of improving the overall cyber posture of employees by presenting solutions directly to them, rather than treating it as an IT problem. She highlighted the use of Keeper Security's BreachWatch component, which alerts users to potential security issues. Chris agreed, emphasizing the need for employees to change their passwords immediately after a data breach and to undergo additional training to protect against sophisticated scams. He stressed the importance of continuous education and staying updated on the latest scams to mitigate risks.

End User Empowerment and Upskilling
Felicia and Chris discussed the importance of end user empowerment in their organization. They emphasized the need for tools that implement the right process, rather than relying on traditional methods that involve sending reports to the IT department and chasing managers for time from end users. They highlighted the effectiveness of their current system, which provides unique and actionable data to each individual end user, leading to better accountability and reduced friction. They also discussed the importance of upskilling employees to improve job performance and retention, and the potential for a positive culture within the organization. Felicia shared a personal anecdote about a struggling office that was not utilizing the available training resources, highlighting the cost-effectiveness of investing in employee training.

Training, Accountability, and Workplace Culture
Chris and Felicia discussed the importance of training and accountability in the workplace. They agreed that short, regular training sessions of 5 to 10 minutes a week are more effective than longer, less frequent ones. They emphasized the need for a cultural attitude towards training and the expectation that employees will use tools and follow policies competently. They also highlighted the benefits of rewarding employees who go above and beyond in their training. Felicia added that promoting a 15-minute daily training routine can help reduce disciplinary issues and improve payroll efficiency. They concluded that training should be bite-sized, fun, and not overwhelming, with a scoring system to track progress.

Employee Training and Cybersecurity Assessment
Felicia and Chris discussed the importance of employee training and proper tools for managers to assess productivity. Felicia emphasized the value of the Security Risk Assessment product, which helps organizations identify deficiencies and track progress towards improving cybersecurity. Chris added that the product provides a clear path and templates to address recommendations gradually, rather than overwhelming organizations with too many changes at once. They agreed that the risk assessment is beneficial for both HIPAA-regulated and non-HIPAA entities, as it facilitates a comprehensive understanding of an organization's security posture.
Survive and Thrive in 2025
In this inspiring episode of Breakfast Bytes, Felicia King delves into the pressing strategies businesses need to adopt to thrive in the year 2025. With intriguing insights, Felicia articulates why companies must stay competitive and adapt to the ever-changing landscape—focusing on the integral role of a Chief Technology Officer and the imperative cultural shift towards continuous staff training. Felicia sheds light on the complexity of finding competent talent, the importance of establishing and enforcing effective policies, and the necessity of blending technology with human oversight. She compellingly emphasizes that regardless of workforce demographics, training needs to become a staple and an evaluated performance metric. The episode is rich with anecdotes and expert advice, warning against the risks of ignoring technological and cultural progression, even as it highlights the detrimental impact of inadequate policy management and technical incompetency in various sectors. Felicia's narrative provides actionable insights into aligning your organizational structure for maximum efficiency and effectiveness in the looming future.

Quick recap
Felicia King emphasized the importance of having a Chief Technology Officer (CTO) and a cultural shift towards ongoing training for staff to ensure compliance and productivity in businesses. She also stressed the need for effective utilization of technology, data classification, and vendor risk assessments, and warned against the lack of technical aptitude and security capabilities in marketing agencies. Lastly, she highlighted the importance of executive management teams taking an active role in managing risks and issues within their organizations, and the need for strategic adoption of technology and operational maturity.

Next steps
• Executive management team to establish a partnership with a qualified CTO/CISO for strategic technology guidance and risk management.
• HR/Leadership to implement a mandatory ongoing training program for all staff, with accountability measures tied to performance evaluations.
• IT team to develop and maintain a risk register and project backlog, with monthly budget allocation for addressing identified issues.

Summary

Surviving 2025: CTOs, Training, and Payroll
In the meeting, Felicia King discussed the key factors for businesses to survive in 2025. She emphasized the importance of having a Chief Technology Officer (CTO) to provide leadership and guidance on technology and policy matters. Felicia also stressed the need for a cultural shift towards ongoing training for staff, regardless of age, to ensure compliance with company policies and improve productivity. She warned against the misconception that a younger workforce automatically solves these issues. Felicia concluded by urging businesses to view their payroll as their primary inventory and to efficiently utilize it to avoid wasting resources.

Lack of Training and Policy Enforcement
Felicia shared a scenario where, despite extensive training being provided, staff members failed to use a technological system effectively due to a lack of enforced policy and cultural shift. She emphasized that if a manager had advocated for a policy and cultural shift, the staff could have taken just 15 minutes a few times a week to move the needle on their problem. However, because the manager did not prioritize training, the staff did not read the instructions and missed out on efficient use of the system. Felicia concluded that if everything else is secondary to sales, as the manager had told the staff, then training is not considered important.

Respecting Employers and AI Implementation
Felicia emphasized the importance of respecting employers, coworkers, and company policies for efficient technology utilization. She highlighted the need for understanding best practices and avoiding unnecessary tech support requests. Felicia also stressed the importance of data classification, retention, and policy management systems for AI usage and adoption. She underscored the necessity of a combination of policies, training, technical controls, and accountability to ensure successful implementation and utilization of AI in 2025.

Marketing Agencies' Technical Limitations
Felicia expressed her belief that marketing agencies struggle to execute effective marketing services due to a lack of technical aptitude and security capabilities. She attributed this to the agencies' refusal to hire qualified CTOs or CSOs, and their lack of technical training. As a result, they lose business due to ineffective marketing strategies and poor security practices.

Vendor Risk Assessments for All
Felicia discussed the importance of vendor risk assessments, highlighting that they are not only relevant to tech companies but also to law firms, accounting firms, medical offices, and investment brokerages. She mentioned that her company, QPC Security, offers vendor risk assessments and counterparty risk assessments, with a baseline cost of $300. Felicia emphasized that failing a basic vendor risk assessment can indicate serious issues within an organization's IT infrastructure.

Addressing Competence in Organizations
Felicia expressed her concerns about the lack of competence in various organizations, regardless of their size. She cited examples of IT service providers and larger companies where the collective intelligence of the employees was insufficient to identify and address public-facing security risks. Felicia emphasized the importance of having competent professionals in IT roles and the need for executive management teams to surround themselves with objective, knowledgeable advisors rather than yes-men. She concluded by urging the need for deep paradigm shifts in 2025 to remain competitive.

Maintaining a Risk Register and Project Backlog
Felicia discussed the importance of maintaining a risk register and project backlog, and the need for organizational commitment to allocate time and budget for these tasks. She emphasized the necessity of regular meetings with the designated CTO and CISO, ideally quarterly or monthly, to discuss planning and initiatives. Annual meeting frequency is insufficient. Felicia also suggested a SWAG number approach for budget allocation, with the goal of completing a certain amount of work each month to address issues on the project backlog and risk register. She stressed the importance of teamwork and collaboration in managing these tasks.

Executive Management's Active Risk Role
Felicia emphasized the importance of executive management teams taking an active role in managing risks and issues within their organizations. She warned against the practice of delegating and abdicating responsibilities, which often leads to poor decision-making and unresolved problems. Felicia shared an example of a client who finally resolved a long-standing issue after the CEO took the time to have a crucial discussion. She stressed that the executive management team should be willing to have meetings and be informed about risks, even if they don't become experts in the subject matter.

Strategic Risk Management and Technology
Felicia discussed the importance of managing risk and adopting technology strategically. She emphasized the need for a policy and standard around printer technologies, as well as the adoption of wireless technologies, to avoid interference and reliability challenges. She stressed the importance of operational maturity and the need for a partnership with a CTO to achieve this. Felicia also warned that failure to make cultural shifts, adopt AI correctly, and implement technical controls could lead to a loss of competitiveness and potentially even business closure by the end of 2025.
The Hidden Risks of Data Centers: A Deep Dive with Dr. Eric Woodell
In this episode of Breakfast Bytes, host Felicia King sits down with Dr. Eric Woodell, founder of Ameris and a leading expert in data center infrastructure and operations compliance. Dive into the world of data centers as Dr. Woodell reveals the shocking truths behind their operations and the risks that could be lurking behind the scenes. Dr. Woodell shares his journey from nuclear submarines to becoming a key player in the data center industry, highlighting his relentless pursuit of truth and transparency. Discover why he believes that the current standards for compliance, such as SOC 2, may be nothing more than a façade, and how his groundbreaking audit program can change the game. Explore the complexities of counterparty risk management and the importance of having real control over your data infrastructure. Learn about the potential pitfalls of relying on colocation facilities and public cloud services, and why owning your infrastructure might be the most cost-effective and secure option. Join Felicia and Dr. Woodell as they challenge conventional wisdom, offering a fresh perspective on data center management and the critical need for accountability. Whether you're an IT professional, a business decision-maker, or just curious about the hidden workings of the digital world, this episode promises to engage and enlighten.

Quick recap
Dr. Eric Woodell and Felicia discussed the issues with the co-location industry, the importance of strong leadership in business, and the complexities and costs associated with maintaining multiple sites for redundancy. They also emphasized the need for proper documentation and certification in critical infrastructure and cybersecurity, and the importance of evaluating risks in business decisions. Lastly, they proposed the need for a significant industry alert regarding the unreliability of certain security standards and the development of a new standard in risk management.

Addressing Industry Issues and Certification Process
Dr. Woodell discussed the issues with the co-location industry, particularly the lack of proper maintenance and potential for fraud. He mentioned developing an audit program to track these issues but noted that the problem persisted. Eric criticized the SOC2 certification process, suggesting it was designed to generate fees and lacked legitimacy. He highlighted the inadequacy of the current certification process for cyber security, emphasizing the need for pressure to rectify these issues. Eric and Felicia also discussed the lack of a quality control process in their current system, with Eric sharing an example of a compliance issue at Equinix. The conversation ended with Eric expressing concerns about the legitimacy of a situation where a company lost their maintenance records due to a dispute with a labor provider.

Addressing Counterparty Risk in Vendor Evaluation
Felicia and Eric discuss the importance of addressing counterparty risk when evaluating vendors, particularly related to data extraction and contract terms. They criticize companies for writing contracts without clearly defining roles and responsibilities, leading to a lack of consequences for service disruptions. Felicia argues for the cost-effectiveness of owning and maintaining servers on-premise over using public cloud services. Eric agrees, acknowledging the potential for lower costs and better control with in-house IT management. They also discuss the challenges small to medium businesses face due to overreliance on public cloud services and the risks of data exposure from negligent co-location companies.

Leadership, Waste, and Oversight in Business
Eric and Felicia discussed the importance of strong leadership in business, using Apple as an example of a company that has thrived due to its leadership. They also shared their personal experiences of uncovering waste in organizations and the challenges of addressing it. The conversation then shifted to the issue of conflicts of interest and lack of oversight in the cyber security industry, with Equinix being cited as an example of stock manipulation and fraud. They also discussed the concept of 'unjust enrichment' and the lack of control and standards in the industry. The conversation ended with Eric sharing his positive experience with Vanguard, a company that was meticulous about compliance.

Managing Multiple Sites and Vendor Complexity
Eric discussed the complexities and costs associated with maintaining multiple sites for redundancy. He highlighted the exponential increase in complexity and costs as more sites are added, and the potential for introducing new problems. Eric also mentioned the frustration and indirect costs associated with dealing with multiple vendors. Felicia agreed, emphasizing the complexity of managing multiple vendors and the soft, indirect costs involved. They both agreed that having a small core set of sites, properly maintained, could be a more viable option. Eric pointed out the alarming rate of data center outages, likening it to the airline industry, and questioned why IT executives continue to pay for such unreliable services.

Competent Assistance and Counterparty Risk Assessment
Felicia and Eric discussed the importance of competent assistance in decision-making for clients in the industry, emphasizing the need for a CTO for contract review. They highlighted the issue of CEOs and CFOs seeking advice from friends rather than professionals, which can lead to legal issues and confirmation bias. The importance of independent audits and assessments in mission-critical facilities was also stressed, with Eric suggesting he could provide a solution for the lack of a standard for evaluating critical facility security. Felicia concluded the discussion by asking for Eric's recommendations for business decision-makers who want to better understand counterparty risk and make more informed decisions.

Industry Alert and New Risk Management Standard
Eric and Felicia discussed the need for a significant industry alert regarding the unreliability of certain security standards, particularly for critical facilities and cybersecurity. They highlighted the increasing scrutiny from insurance providers on third-party information security risk management and the importance of a high-quality CTO and CISO or a dedicated compliance manager. They also discussed the need for a new standard in risk management, particularly in the context of vendor and counterparty relationships, and agreed that the current approach was insufficient.
Why You Need a CTO: Avoiding Costly Mistakes in Document Management
In this riveting episode of Breakfast Bytes, host Felicia King delves into the often overlooked but crucial aspect of business technology: document management platforms. With a sharp focus on how organizations of all sizes can benefit from these systems, Felicia underscores the importance of operational maturity and strategic decision-making. Through compelling narratives and real-world examples, she illustrates the perils of inadequate technology leadership. From misguided IT directors to costly missteps, Felicia shares stories from her 30-year career, shedding light on the vital role a Chief Technology Officer (CTO) plays in safeguarding a company's resources and ensuring seamless technology integration. Listeners are invited to explore the intricacies of technology planning, from policy formulation to platform selection, and the far-reaching consequences of neglecting expert guidance. This episode is a must-listen for business leaders eager to avoid lighting money on fire and to achieve sustainable growth through informed technology investments.

Quick recap
Felicia King discussed the importance of document management platforms and the need for a technology executive in organizations of all sizes. She emphasized the significance of strategic architecture choices, operational maturity, and inclusive decision-making in implementing these platforms. Felicia also highlighted the challenges of managing contracts with consulting firms and stressed the importance of having a clear engineering and implementation plan before purchasing any technology.

Next steps
• Business leaders to consult with a qualified CTO before making strategic technology decisions, especially for document management platforms.
• Organizations to develop written requirements, document business processes, and create an engineering/implementation plan before purchasing new technology systems.
• Companies to review and potentially modify contracts with technology vendors to ensure compliance with organizational policies and support protocols.

Summary

Document Management and Operational Maturity
In the meeting, Felicia King discussed the importance of document management platforms for organizations with more than one employee. She emphasized the need for operational maturity and the use of systems to scale a business. Felicia also highlighted the necessity of a technology executive, even for small organizations, to navigate complex issues. She stressed the importance of understanding these matters, as they are too complicated to be handled by IT support alone.

Importance of Technology Executives in Orgs
Felicia discussed the importance of having a technology executive in organizations, emphasizing that an IT director often lacks the necessary skills and capabilities. She shared a past example where an IT director made a costly mistake due to lack of oversight, leading to significant financial losses and compliance issues. Felicia advised business decision-makers to use their technology executive in an advisory capacity to avoid such problems, particularly when making large purchases or embarking on significant projects.

Avoiding Costly Technical System Mistakes
Felicia discussed a long-standing relationship with a client that migrated to a new system, resulting in numerous issues. She reviewed the service contracts and master services agreements, discovering that the client was sold a system that was technically impossible to achieve an effective outcome with. The system violated its own requirements, leading to constant issues and financial losses for the client. Felicia emphasized the importance of using a chief technology officer to avoid such costly mistakes.

Strategic Architecture Choices in Document Management
Felicia discussed the importance of strategic architecture choices in document management platforms, emphasizing the need for operational maturity, understanding of business processes, and inclusive decision-making. She highlighted the cost implications of using platforms like Atlassian, SharePoint, and iManage, and the need for a written set of requirements for any project. Felicia also pointed out the challenges of outsourcing document management platform implementations and the need for a highly qualified CTO for consultation. She suggested that Microsoft 365, with its advanced premium licensing and Purview, could be a viable alternative to other platforms.

Managing Contracts With Consulting Firms
Felicia discussed the challenges of managing contracts with consulting firms and the importance of having a CTO to navigate these complexities. She highlighted the need for clear communication and contractual agreements to ensure project success, as she has often encountered issues with support protocols and project kickoffs. Felicia emphasized the importance of having a CTO who understands business, legal, and economic aspects to ensure smooth project implementation, completion, and ongoing support.

Clear Engineering Plan for Tech Purchases
Felicia emphasized the importance of having a clear engineering and implementation plan before purchasing any technology, likening it to buying a server without understanding its capabilities. She stressed the need for a Chief Technology Officer (CTO) to review proposals and ensure they meet the business's requirements, as well as to avoid potential breaches of contract with other vendors. Felicia also highlighted the value of having a CTO with the right skills, rather than relying on IT personnel, to make informed decisions.
Navigating the Cloud: Unveiling the Hidden Costs and Risks
In this compelling episode of Breakfast Bytes, host Felicia King delves into the complex world of cloud computing, exploring the intricacies of public cloud, private cloud, self-hosting, and premise servers. With insights from a newly recognized expert in the field, this episode promises to challenge conventional wisdom and offer fresh perspectives on hosting decisions. Felicia unravels the hidden costs and maintenance challenges of managing workloads, whether in the cloud or on-premise. She highlights the significant financial implications and the importance of competent management, urging listeners to reconsider the assumptions surrounding the efficiency and cost-effectiveness of cloud solutions. The episode takes a surprising turn with revelations from Dr. Eric Woodell, whose groundbreaking work questions the reliability of current data center practices. Felicia discusses how Dr. Woodell's findings, backed by Lloyd's of London, cast doubt on the presumed dependability of cloud-hosted environments, drawing a startling analogy to the aviation industry's safety standards. As the narrative unfolds, Felicia emphasizes the critical need for effective vendor risk management and the pitfalls of relying on inadequate compliance certifications like SOC 2. She challenges listeners to rethink their approach to third-party risk management and the true value of certifications in ensuring data security and operational integrity. Join Felicia King in this thought-provoking episode that not only informs but also inspires a reassessment of the assumptions driving today's cloud computing decisions. It's an essential listen for anyone navigating the evolving landscape of IT infrastructure and risk management.

Quick recap
Felicia discussed the importance of competent management and cost considerations in cloud hosting, and introduced Dr. Eric Woodell, an expert in the physical data center and infrastructure industry. She also highlighted the high failure rate in the data center industry, the challenges of outsourcing workloads, and the limitations and misuse of the SOC 2 certification in the data center space. Lastly, she criticized the inefficiencies in vendor risk management processes and recommended a shift in focus towards real integrity processes.

Next steps
• IT teams to reassess their reliance on SOC 2 certifications for vendor and data center evaluations.
• Business leaders to review and update their Written Information Security Plans (WISPs) to ensure alignment with actual practices and legal defensibility.
• Organizations to develop more robust vendor risk management and counterparty risk assessment processes, considering factors beyond standard certifications.

Summary

Discussing Cloud Hosting and Legacy Workloads
Felicia discussed the topic of public cloud, private cloud, self-hosting, and premise servers, emphasizing the importance of competent management and the need to consider the cost of capital expenditure when comparing on-premise servers with cloud hosting. She highlighted the historical maintenance costs of legacy workloads, such as servers on-premise and in the cloud, and the potential cost-effectiveness of hosting physical servers in someone else's data center. Felicia also mentioned a newly recognized expert in this technology who is involved with a company that certifies cloud hosting providers for insurance by Lloyd's of London.

Limitations of SOC 2 Audits and Expert Insights
Felicia discussed the limitations of SOC 2 audits, which are conducted by accountants (CPAs) who may not have the necessary expertise to assess data center operations. She introduced Dr. Eric Woodell, an expert in the physical data center and infrastructure industry with extensive experience in auditing major organizations' assets in public clouds and colos. Dr. Woodell expressed his opinion that CPAs are not qualified to audit data centers and their operations, as they lack the ability to build and maintain them from scratch. He also shared his findings from years of audits, indicating that third-party vendors often fail to fulfill their maintenance obligations.

Data Center Industry Failure Rate Comparison
Felicia discussed the high failure rate in the data center industry, comparing it to the aviation industry. She used a metaphorical analysis from a speaker, who claimed that if the aviation industry had the same level of failures as the data center industry, there would be approximately 530 plane crashes per day. Felicia emphasized the significance of this comparison, noting that if people knew about these statistics, they might not use airplanes. She also mentioned that Lloyd's of London, an insurance company, uses the speaker's certification program to assess data center risk. Felicia concluded that she believes in the speaker's numbers and calculations, and that the data center industry's failure rate is a cause for concern.

Outsourcing Workloads Challenges and Vendor Risk Management
Felicia discussed the challenges of outsourcing workloads, particularly in terms of reliability and support. She emphasized the importance of vendor risk management, counterparty risk management, and the underlying assumption of competency. Felicia also highlighted the need for workloads to be hosted where they can be supported by competent individuals. She mentioned the work of Dr. Eric Woodell, which has raised questions about the reliability of cloud-hosted services. Felicia also noted the shift in focus towards vendor risk management and third-party information security risk management, particularly in the insurance industry.

SOC 2 Certification Limitations and Misuse
Felicia discussed the limitations and misuse of the SOC 2 certification in the data center space. She highlighted that SOC 2 certifications are often conducted by CPAs rather than infrastructure architects, and thus may not be a reliable indicator of competency. She also pointed out that the certification is often used as a check-box exercise by business decision makers, rather than a genuine evaluation of a company's infrastructure. Felicia also touched on the HIPAA space, noting that the use of Business Associate Agreements (BAAs) is not always appropriate and can lead to unnecessary costs and risks. She emphasized the importance of third-party information security and risk management, and suggested caution when dealing with SOC 2 certifications and BAAs.

Addressing Vendor Risk Management Inefficiencies
Felicia discussed the inefficiencies in vendor risk management processes, particularly in relation to compliance certifications and the Written Information Security Plan (WISP) for tax preparers, accountants, and car dealerships. She argued that these processes often lack legal defensibility and do not align with reality, instead being mere theatre. Felicia also mentioned a class action lawsuit against a breached company, suggesting that the focus should shift to real integrity processes around vendor risk management. She recommended watching Joe Brunsman's YouTube channel for more insights on this topic.
Exploring Network Security and AI Threats with Crystal Redmann
In this riveting episode of Breakfast Bytes, host Felicia sits down with Crystal Redmann, the inquisitive Operations Director from Redmann Farms, to dive into the intricacies of network security. Crystal brings forth compelling questions about network segmentation, shedding light on how this fundamental security measure can protect even the smallest of organizations. As the conversation unfolds, Felicia and Crystal explore the evolving landscape of cybersecurity threats, particularly focusing on the alarming use of AI by cyber criminals. Through vivid analogies and real-life examples, Felicia illustrates the critical need for advanced security measures and the role of zero trust in safeguarding digital assets. This episode promises to not only educate but also captivate listeners with its deep dive into the world of cybersecurity, making complex topics accessible and engaging for all. Tune in to discover practical insights and proactive strategies to protect your digital world.

Quick recap
Felicia and Crystal discussed the importance of network segmentation and micro segmentation for enhancing security, and the challenges of balancing security and functionality in an organization. They also explored the potential risks of deep faking in financial transactions, the evolving threat landscape, and the need for vigilance in device maintenance. Lastly, they emphasized the concept of zero trust in computer security, the significance of personal data protection, and the need for enterprise-grade security for home use.

Understanding Network Segmentation and Security
Crystal expressed her need to understand more about network segmentation and its benefits, particularly in terms of security. Felicia explained the concept of network segmentation, emphasizing its foundational role in network layer security. She elaborated on the concept of micro segmentation, which involves treating different assets differently based on their needs and requirements. Felicia highlighted that this approach can bring enterprise-grade security to even the smallest organizations, making it economically feasible and sustainable.

Security Profiling for Device Segments
Felicia discussed the importance of creating a security profile for different segments of devices, such as printers, to prevent unauthorized access, data leakage, and the spread of malware. She emphasized the need to restrict communication between devices to enhance security. However, she pointed out the challenges in implementing this approach across various devices, including TVs, printers, and corporate laptops, on the same subnet, stating that it would be practically and economically impossible. Crystal agreed with Felicia's assessment.

Balancing Security and Functionality in AI
Felicia discussed the importance of balancing security and functionality in an organization, using the example of the unregulated use of AI leading to potential risks. She emphasized the need for a governance system and leadership that prioritize risk management. Felicia also highlighted the potential of AI being used by cybercriminals, mentioning its use in creating deepfakes and its ability to collect and analyze vast amounts of data. She suggested using services like Abine's DeleteMe to reduce the number of lists an individual is on and advised against publicly listing employees on company websites.

Deep Faking Risks in Financial Transactions
Felicia discussed the potential risks of deep faking in the context of financial transactions. She highlighted an instance where seven people at a company were deep faked, with one legitimate participant, who was the only one to realize the fraud. Crystal expressed her concern after learning about this case. Felicia further explained that AI could potentially execute a video conference call deep fake to manipulate financial decisions, emphasizing the importance of having proper protocols in place.

AI Training and Evolving Threat Landscape
Felicia emphasized the importance and effectiveness of the AI training they offer, highlighting its practicality and relevance. She also discussed the evolving threat landscape, particularly the increasing sophistication of malware and the emergence of ransomware kits that allow even novice users to generate their own variants. Felicia pointed out the limitations of signature-based detection in the face of such evolving threats and advocated for a zero trust approach. She also expressed skepticism about the effectiveness of paying ransomware demands, suggesting it to be a naive approach.

Computer Maintenance and Device Integrity Concerns
Felicia explained the challenges and potential threats in computer and device maintenance, emphasizing the need for vigilance and dynamic live updating databases. She highlighted the risks associated with malware and the need to question the integrity of peripherals like USB devices, keyboards, and monitors. Felicia also discussed the importance of procurement policies that prevent the use of unverified or potentially compromised devices. Crystal expressed concern about the threats posed by USB phone chargers, leading Felicia to suggest the use of wireless chargers as a safer alternative.

Zero Trust Concept in Computer Security
Felicia explained the concept of zero trust in computer security, emphasizing the importance of assuming all unknown or unclassified computer behavior is malicious until it's been inspected. She detailed how this approach, coupled with machine learning and AI, has led to no breaches among clients under their full management. Felicia also clarified the term's significance, stating that 'antivirus' only represents a small portion of the necessary protection capabilities for an individual computer. Crystal, on the other hand, questioned the effectiveness of antivirus software and its impact on machine learning.

Personal Data Protection and Enterprise-Grade Security
Crystal and Felicia discussed the importance of personal data protection and the need for enterprise-grade security for home use. Felicia emphasized the risks of using unverified or low-quality devices and highlighted the significance of brand reputation in ensuring security. Crystal acknowledged her previous naivety about these threats and expressed her commitment to further inquire about these issues. Both agreed to continue this discussion in future meetings.
The Real Skinny on Penetration Testing: Debunking the Myths
Welcome to Breakfast Bytes with Felicia King. Today, we delve deep into the often-misunderstood realm of penetration testing. As business owners grapple with the necessity and costs associated with these tests, Felicia demystifies the process, drawing from her three decades of cybersecurity expertise. In this episode, discover why traditional penetration testing might just be a costly theater act and learn the importance of continuous vulnerability assessments. Felicia shares compelling anecdotes and practical advice on how to genuinely safeguard your business without burning through your budget. Join us as we explore the intricate dance between IT teams, automated tools, and the critical decisions that can make or break your company's security posture. This is not just another tech talk; it's a narrative that could redefine how you view cybersecurity investments.

Quick recap
Felicia emphasized the importance of understanding the objectives of the test, and cautioned against overpaying for tests that may not be necessary or effectively scoped.

Next steps
• IT team to implement continuous vulnerability assessment and penetration testing platforms for regular, automated security checks.
• CTO/CSO to assess and oversee the implementation of security tools like Tenable One and Senteon for secure configuration management.
• Executive management team to allocate budget and provide support for IT department/MSP to implement necessary security changes and tools.

Summary

Test Scope and IT Consultancy Management
Felicia also advised that the test should be scoped correctly and conducted by the IT consultancy that manages the company's networks, servers, and applications. She cautioned against overpaying for tests that may not be necessary or effectively scoped.

External Testing Approach and COTS Definition
She argued that the approach of bringing in an external third party to conduct a test without proper consultation and scope can lead to incorrect results. She emphasized that this approach would be more effective in identifying and addressing vulnerabilities, and would provide demonstrable results. Felicia also clarified the term 'COTS' (commercial off-the-shelf) as defined by the National Institute of Standards and Technology in the context of information security technology.

Enhancing IT Configuration for Business Acquisition
She argues that this approach provides more meaningful and actionable information, enabling IT configuration personnel to effectively address identified gaps. Felicia also highlights the importance of using recognized and professional tools like Tenable One and Senteon for secure configuration management. She emphasizes that this approach offers a better return on security investment and is more beneficial for businesses seeking to be acquired.

IT Testing and Business Decision Makers' Guidance
She suggests that business decision makers should provide clear direction and funding for IT before such tests are conducted.
Lessons from the CrowdStrike outage
Good morning and welcome to another episode of Breakfast Bytes. I'm your host, Felicia King, and today, I'm joined by my colleague, Jeff Birner, hailing from Florida. Our riveting discussion centers around the recent CrowdStrike incident that has sent shockwaves through the cybersecurity community and beyond. This episode promises to offer insights and perspectives you won't find in the typical news coverage. As we delve into the conversation, Jeff and I explore the core issues surrounding CrowdStrike, including its lack of trustworthiness as a counterparty and the legal implications of delayed security updates. We discuss the broader impacts of the incident, such as the staggering $5.8 billion in losses faced by companies worldwide, and consider how technology decisions could have eliminated the impact. Through engaging storytelling, Jeff and I break down the complexities of cybersecurity, offering practical solutions and strategies for organizations to consider. From the importance of testing updates to the choice of operating systems for critical infrastructure, this episode is packed with valuable takeaways for IT professionals and business leaders alike. Join us as we navigate the nuances of the CrowdStrike controversy, highlight the lessons learned, and provide actionable advice to help you safeguard your organization against similar pitfalls. Whether you're a seasoned cybersecurity veteran or just starting your journey, this episode of Breakfast Bytes is a must-listen.
Navigating the AI Frontier: Caution, Control, and Opportunity
Good morning, you're listening to Breakfast Bytes, and I'm Felicia King. Today's episode takes a deep dive into the world of artificial intelligence, offering a perspective that challenges the mainstream narrative. Instead of jumping on the AI bandwagon, we'll explore the importance of cautious engagement and risk management when dealing with this powerful technology. We'll delve into the profound implications of AI, discussing the potential risks and the measures you can take to mitigate them. From the economic challenges of running closed AI systems to the dangers of data leaks and professional pitfalls, this episode covers it all. Hear about real-world examples, such as the attorney sanctioned for relying on faulty AI-generated content, and learn how to navigate these treacherous waters. Discover how AI is reshaping industries and the critical need for policies and training to ensure safe and effective use. We'll discuss the importance of governance, accountability, and transparency in adopting AI, and how regular, ongoing training can make a significant difference in risk management and productivity. Join us as we uncover the darker side of AI, from its role in technocratic control to the enhanced capabilities it provides to bad actors. Learn how to protect yourself and your business in this rapidly evolving landscape. Whether you're a small business owner or part of a large corporation, this episode is packed with insights and strategies to help you make informed decisions about AI. Tune in to Breakfast Bytes for a thought-provoking discussion that will leave you better prepared to navigate the AI frontier with caution and confidence.
Quick recap
Felicia discussed the potential benefits and risks of artificial intelligence (AI), emphasizing the need for caution and thoughtful risk management in its use. She highlighted the importance of operational maturity and the role of technology executives in developing customized policies for clients. Felicia also underscored the significance of maintaining relationships with service providers, having consistent policies and strategies, and regular training to effectively manage risks and improve productivity.
Next steps
• Business owners to develop and implement an AI policy for their organization, including staff training on AI risk management.
• Organizations to consult with technology executives (CTO/CISO) to create appropriate AI usage guidelines and risk mitigation strategies.
• Companies to implement regular (preferably weekly) cybersecurity and technology training programs for all staff to reduce risks and improve productivity.
Summary
AI Risks and Potential Applications Discussed
Felicia discussed artificial intelligence (AI) in her radio show, "Breakfast Bytes." She emphasized the need for caution and thoughtful risk management when using AI, highlighting its potential implications and the importance of understanding its deep impacts. Felicia pointed out that AI could be beneficial in areas like marketing content and sales promotions, but warned against using it for financial, medical, or legal matters due to the potential risks. She also advised against using AI chatbots, citing the lack of security and the risk of data leakage.
Felicia's Operational Maturity and AI Advice
Felicia argued that over 80% of businesses, regardless of size, lacked operational maturity and were not utilizing AI appropriately. She claimed that smaller companies could more easily achieve operational maturity and consistency in policy, while larger companies struggled with governance, accountability, and transparency. Felicia also highlighted the potential cost of not seeking advice, relating numerous examples of organizations that had incurred significant expenses due to their lack of consultation with technology executives. She further indicated that operational maturity not only reduced costs but also increased profits and efficiency and reduced waste.
AI Policy and Risk Management Strategies
Felicia discussed the importance of providing clients with an AI policy and risk management courses to mitigate potential risks. She emphasized that these tools, which are part of their vCTO and vCISO services, are designed to help clients proactively manage risks. Felicia further pointed out that having a technology executive, such as a CTO or CISO, is crucial in developing policies that are customized to the client's specific needs, as opposed to relying on a generic template. She criticized the use of templates and reliance on attorneys to develop policies, stating that this approach is ineffective and can lead to non-compliant and misleading policies.
Managing Relationships With Service Providers
Felicia discussed the importance of managing relationships with service providers such as lawyers, tax advisors, and recruiters. She highlighted the benefits of having ongoing relationships with these providers, allowing for budget planning and better service. Felicia also raised concerns about the misuse of AI, particularly in the staffing industry, emphasizing the need to carefully consider the nature of the relationships with customers and the confidentiality of information. She suggested that if information is non-confidential, it is acceptable to use AI, but organizations should always approach AI usage with a risk management approach.
Consistency, Accountability, and Transparency in AI Governance
Felicia discussed the importance of having consistent policies and strategies across an organization to prevent conflicts and unproductive activities. She emphasized the need for organizations to consult with their technology executives to devise such policies and to provide training to their staff. Felicia pointed out that a lack of governance, accountability, and transparency could lead to challenges, particularly with AI, which could be exploited by bad actors. She highlighted the importance of driving accountability within the organization and utilizing technology effectively.
Regular Training for Risk Management and Productivity Improvement
Felicia emphasized the importance of regular, ongoing training for individuals and organizations to effectively manage risks and improve productivity. She suggested that training should cover both the strategies recommended by company policy and how to use technology such as Outlook and OneDrive. Felicia also highlighted the increasing threat of scams due to lowered technological barriers, advocating for proactive measures to combat this. She warned against over-reliance on AI, which could lead to digital control and profiling of individuals, and encouraged further research on this topic. Lastly, she offered her assistance in developing a sophisticated, highly effective risk-reducing program for businesses.
Understand implications of IT procurement using cabinets as an example
Felicia stressed the importance of informed decision-making in technology services and products, and the need for involving skilled professionals in decision-making processes. She also discussed the longevity of structural furniture, the challenges in network switch installation, and the need for a formal procurement process in the IT department. Furthermore, she highlighted the issues with current wall-mount cabinets and open racks, the business impact of operations beyond regular hours, the need for proper equipment maintenance, and the importance of having an on-site technical point of contact at every facility.
Action items
• Felicia recommends ensuring the IT department follows a defined procurement process with oversight from a technology executive.
• Felicia recommends establishing written requirements and standards for IT infrastructure like racks and cabinets.
• Felicia recommends implementing a policy for designating on-site technical contacts to handle basic equipment issues.
Summary
Informed Decision Making in IT Services
Felicia emphasized the importance of informed decision making in technology services and products, which is beneficial for all IT stakeholders. She pointed out the persistent negative financial impact caused by ill-informed decisions, often made by business leaders delegating to inexperienced internal IT departments. Felicia advocated for the involvement of skilled professionals, such as CTOs or senior architects, in decision-making processes to mitigate these adverse effects. She also cautioned against the common practice of selecting the cheapest bid as a decision-making criterion, highlighting it as a recipe for failure.
Structural Furniture Longevity and Design
Felicia discussed the longevity and durability of structural furniture, particularly cabinets and racks. She emphasized that these pieces, often made of steel, aluminum, glass, and possibly plastic, can last for decades if not physically damaged. Felicia argued that considering a 20-year life cycle for such hardware is a more realistic approach than starting from an acquisition cost requirement. She also highlighted the advantages of a four-post, full-height floor-standing cabinet over a two-post rack, especially for secure and critical infrastructure. Finally, she noted the importance of wheels on cabinets from a maintenance perspective and referred to cabinet design as an art form.
Felicia's Network Switch Installation and Maintenance Insights
Felicia shared her extensive experience and insights on the challenges and considerations in network switch installation and maintenance. She emphasized the preference for a four-post configuration due to the weight and depth of modern switches, and the issues that may arise with alternative setups. Felicia also highlighted the importance of understanding the ramifications of equipment placement, sharing a troubling example of a poorly executed setup. She suggested ways to prevent such issues from occurring in the future.
Improper Procurement Process in IT
Felicia discussed the lack of a formal procurement process in the IT department, which leads to inefficient and often unnecessary purchases. She explained that the department, composed of individuals not highly proficient in business value justification or total cost of ownership articulation, often sourced items themselves using credit cards, without proper checks and balances. Felicia emphasized the need for a written requirements list to facilitate better decision-making and prevent the focus on apparent acquisition cost. She indicated that she would provide two examples to illustrate these points.
Addressing Inadequate Infrastructure and Procurement
Felicia discussed the recurring issues with the current wall-mount cabinets and open racks in the infrastructure, which were not deep enough to accommodate modern switches. She emphasized that this problem wasn't new and had been ongoing for at least a decade. Felicia pointed out that previous investments in these inadequate setups were essentially wasted, not just in terms of money but also project time and potential business unit outages. She underscored the need for an appropriate procurement process and oversight to avoid such issues in the future.
Managing Operations Outside Regular Hours
Felicia discussed the business impact of operations extending beyond regular business hours. She highlighted that this not only affects payroll and product but also has implications for business continuity outside of IT. Felicia emphasized that IT personnel, such as PC technicians and IT managers, often only consider their own needs, which differs from the perspective of a technology executive. She stressed the importance of a different mindset, drawing from her experience as a chief operating officer and service manager, to effectively manage a large number of remote offices.
Client's Server Outage Due to Unauthorized Access
Felicia shared a story about a client who opted not to spend $350 on an iDRAC Enterprise card, a decision that led to a server issue causing an outage. She emphasized the importance of proper equipment maintenance and restricting unauthorized access to technology cabinets. Felicia pointed out that allowing staff without proper training or maintenance responsibilities to have access to such spaces can lead to unintentional damage, as seen in the case of the client where a staff member put a box on a server keyboard, causing an outage. She underscored the significance of having a mature policy in place regarding remote support and access to technology cabinets.
On-Site Technical Point of Contact Importance
Felicia stressed the necessity of having an on-site technical point of contact at every facility to handle minor technical issues. She used the example of rebooting cable modems, which she stated often require physical intervention and should not disrupt other equipment. Felicia also emphasized the importance of setting up the facilities in a way that allows easy access for the on-site technical point of contact to perform these tasks without causing further problems. She underscored that this is a common requirement and should be considered in the facility's setup.
Technology Executive's Role in Procurement
Felicia emphasized the importance of having a technology executive oversee procurement policies and standards in IT departments to ensure good outcomes. She highlighted that the IT department alone should not be making procurement decisions, as they often lack an understanding of the total cost of ownership. Felicia also rejected the idea that a dollar amount should be the sole determinant of procurement decisions, citing the potential for malware to compromise the system. She advocated for a designated technology executive to establish policies and standards, warning that failing to do so could lead to adverse financial outcomes for the organization. For more information, review this resource about racks and cabinets. https://www.qpcsecurity.com/2024/04/26/why-buy-racks-and-cabinets-from-qpc-security/ Peruse the value of vCISO services. https://www.qpcsecurity.com/vciso-services/
What is zero trust cybersecurity?
Welcome to an insightful episode of Breakfast Bytes, featuring an in-depth discussion about Zero-Trust Cybersecurity, a vital approach to modern cybersecurity practices. Understand why this network layer protection strategy is essential to guard your business and residential networks against threats. From a reflective analysis of the cybersecurity landscape four years ago, Felicia highlights the repercussions of a weak cybersecurity posture, emphasizing the necessity of a resilient and efficient cybersecurity stack. She elaborates on the integration of endpoint protection platform (EPP), endpoint detection and response (EDR), and managed detection and response (MDR) capabilities into a single efficient agent, stressing the significance of regular patch management and advanced reporting. Dive deeper into specific cybersecurity products that embrace the Zero-Trust model, like Panda Adaptive Defense 360 and ThreatLocker, and understand how they can fit businesses and homes of varying scale. Felicia additionally debunks the common misconception that technology is secure by default and clarifies the need to actively adopt a security profile suited to the specific context. In this episode, we also discuss the importance of equitable administrative access, insist on local data collection and prevention of unauthorized data file collection, and delve into the need for stringent network security in the face of growing security breaches and ransomware attacks. Understand the comparison between different products, their cost differences, and the underlying need to harmonize cybersecurity mechanisms with operational structures, concluding with an open invitation for consultations on effective and budget-friendly cybersecurity solutions.
Incident response and mitigating supply chain attacks
In this episode of Breakfast Bytes with Felicia King, we navigate the complex but crucial realm of cyber security. We explore the emerging menace of supply chain attacks and underscore the vital need for proactive incident response planning. Felicia reveals the staggering average cost of a cyber-attack, per employee and endpoint, and explains why smaller businesses might suffer even greater losses. King sheds light on the often unnoticed aspect of incident response planning: the critical period between discovering a potential compromise and confirming a successful attack. She also scrutinizes the implications and expenses of in-house response strategies for sizable businesses and outlines how smaller establishments could face heftier costs. Offering valuable advice, Felicia provides business-centric recommendations on methods of dealing with a reported incident. She addresses important issues such as identifying data breaches and managing downtime during a crisis, stressing the importance of having a contingency plan for extended recovery periods. Moving on to supply chain risks, King critiques the increasing trend of outsourcing in the IT sector. She cautions against granting upstream providers unrestricted access to systems, noting counterparty risk as an area demanding heightened vigilance. Deeper discussions on access control, audit logs, automated compliance reporting, and other factors in selecting an efficient identity and access management system also unfold. King further navigates the topic of APIs - the lifeblood of numerous industrial integrations - offering crucial insights into associated risks. She concludes with a call for a mindset shift required to tackle supply chain attacks effectively. In contemporary threat landscapes, relying solely on the cybersecurity kill chain is a losing battle. 
This episode underscores the need for encompassing multiple defensive strategies for cybersecurity, such as multi-factor authentication, and conditional access for all accounts. Real-time analytics, endpoint protection strategies, and a zero-trust posture are championed as critical for preventing malicious activities and providing swift threat responses. We delve into the pros and cons of network layer security, a powerful yet complex technique requiring specific expertise. When appropriately utilized, it presents a scalable solution managing traffic filtering and robust protection from supply chain attacks. The episode concludes with the importance of having a solid incident response plan as a vital proactivity measure in cybersecurity.
K12 Technology and Cybersecurity Challenges and Solutions
In today's episode of Breakfast Bytes, hosted by Felicia King, we delve into the pressing issue of cybersecurity in K-12 education with special guest Chris Rule, a Technology Director with 25 years of experience. We discuss the urgent need for tangible action in this area and explore operational maturity practices like third-party information security risk management, vendor risk management, vulnerability management, and password management. A focus of the episode is the need to translate cybersecurity concerns into strategic actions at the executive level. We also discuss the impact of cyber insurance programs and the severe disconnect between cybersecurity compliance requirements and their implementation at the school level. We dive into the critical necessity of creating operational structures that prioritize cybersecurity, incorporating crucial regulatory compliance obligations such as CIPA, FERPA, and COPPA. A poignant part of our discourse is managing the 'human element' of cybersecurity, as cyber-attacks are increasingly centered on social engineering. This necessitates not just a technical solution but a cultural shift in organizations, making cybersecurity training a mandatory part of human resource management. This episode also touches on the challenges of implementing IT security measures in small school districts. It emphasizes the importance of an institutionalized onboarding program that includes both technology aspects and basic legal knowledge. We highlight the need for better collaboration between board professional organizations and security companies, and discuss parental demands and voluntary programs that schools can utilize to assure their commitment to student data protection. In conclusion, we explore the practice of hiring fractional CISOs and CTOs to help IT directors manage their various responsibilities within limited resources.
Tune in to this comprehensive episode to learn more about the challenges of and solutions for implementing cybersecurity in K-12 education.
Practical example of how operational maturity improves productivity while reducing risk
In this episode of Breakfast Bytes, vCISO Felicia King of QPC Security uses an example of dark web data and how it can be leveraged. She describes how operational maturity in an organization can make that organization more competitive, lower its risk, and improve collaboration, culture, and employee retention. She explores why actioning relevant, specific data is more critical than simply having it available. Learn how the combination of constant training and the right data can effectively reduce risks and add value in a business of any size. These methods are practical for large and small organizations. QPC has deployed these tools and methods for orgs as small as one user! This episode takes you through the potential uses of dark web data and platforms like Telegram, leading to better risk mitigation strategies. Felicia, with her hands-on approach, shares the best practices adopted for her own clientele. She emphasizes empowering end users by presenting them the relevant information at the opportune moment. By fostering a culture promoting consistent training, businesses can enhance operational efficiency and employee satisfaction while reducing conflict. The episode also stresses a culture of shared responsibility to make risk management more cohesive and less confrontational. The responsibilities lie not only with the CEO, but also under the active purview of the CTO, CIO or CISO in an organization. With the advent of affordable cybersecurity training platforms capable of dark web monitoring, organizations can now lower the risks attributed to their data. But what makes the real difference is how these platforms are utilized. The episode extensively discusses the gap between compliance and security, drawing focus towards the need for proactive, contextual security measures. Discover the significance of a cultural shift, with due attention to training, policy enforcement and personal responsibility in maintaining top-notch information security.
A well-informed staff equipped to deal with real-time issues, not only boosts productivity but also helps in managing IT costs. Tune in to this episode and delve into the world of dark web data, risk management, and securing a technology-driven business environment today. Check out our supporting article on getting value from dark web data. https://www.qpcsecurity.com/2024/04/25/dark-web-value/
Unlocking Strategic IT Investments and Information Security
"Unlocking Strategic IT Investments and Information Security: Expert Insights with Gina King" dives into the critical aspects of IT investments and infrastructure. Felicia King, host of 'Breakfast Bytes', engages in a captivating conversation with Gina King, a leading Chief Information Security Officer. The extensive dialogue sheds light on necessary expenditures on Information Systems and Technology, managing and optimizing security investments, and realigning perceptions of IT as a valuable strategic asset. Through their enriching discussion, Felicia and Gina tackle widespread issues of underinvestment in IT, encouraging businesses to understand and optimize their IT expenditures. Pointing to the risks of non-compliance and inadequate IT security measures, they illustrate how a thorough approach to IT spend analysis can tremendously impact a company's financial bottom line, customer satisfaction, and overall client experience. The episode highlights the importance of a proactive and continuous IT security investment to nurture an effective information security risk management program. Felicia and Gina underscore the significance of considering cybersecurity as an aspect of overall business risk, rather than an isolated problem. They also emphasize the value of tech-savvy leadership and security education in fostering a vigilant workforce and strengthening an organization's security posture. Switching gears to effective risk management amidst the digital landscape, the episode ends on a call for creating clear policies, continuous vigilance, and an understanding of organizational identity to safeguard online infrastructures. This engaging discussion is a must-listen for anyone involved in IT procurement, investments, security, and overall business operation.
Domain/DNS hosting, account ownership, security issues and TCO
Join us in this insightful episode of Breakfast Bytes with Felicia King, along with our guest Kyle Wentworth of the Wentworth Group. We delve into a balanced exploration of business needs vs IT security needs, demonstrating the magnitude of this issue with a case study of a massive spam operation hijacking over 8,000 subdomains of trusted brands. https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html In this detailed conversation, our experts elucidate steps towards prevention and emphasize the significance of effective domain ownership and control. Kyle highlights the central role of Technology Management departments in mitigating IT risks and stresses the importance of a comprehensive understanding of orderly processes for DNS management, timely publishing and retirement of DNS records, and the related cost implications. This episode underscores the need for operational maturity in businesses, and how maintaining domain infrastructure and adhering to robust protocols can protect your business from digital threats. Listen to gain invaluable insights into how businesses of all sizes can level up their understanding of the intersections of business and IT security systems. The episode also draws attention to the potential vulnerabilities of newly registered domain names and the common pitfalls relating to outsourcing these functions. We underscore the necessity to take caution or face serious losses and discuss the ramifications of transferring control of key business aspects to external vendors. With a candid look at the dangers of ill-considered network security and the hazards of transferring all risks to an external IT service provider, we make a strong case for integral security measures. Listen in to gain an understanding of the importance of viewing technology as a business partner rather than an expense and to learn how focusing on strengthening your network security can pave the way for business success.
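The subdomain hijacking in the linked case worked because brands left DNS records (CNAMEs and SPF include: entries) pointing at domains they had stopped paying for, so anyone who re-registered those domains inherited the brand's trust. One concrete piece of the "orderly DNS management" the episode calls for is a periodic review of the zone for exactly that kind of dangling delegation. The script below is an added illustration, not tooling from QPC Security or the Wentworth Group: it parses a constructed zone export, extracts every domain the zone delegates trust to (CNAME targets and SPF include: domains), and flags any whose registrable domain is not on a hypothetical allow list of domains the organization controls or has verified as live, maintained third parties. The zone records, the brand name, and the allow list are all constructed for the example; a real run would feed the allow list from registrar exports plus a WHOIS/RDAP check on each external target, and would use the Public Suffix List instead of the two-label approximation used here.

```python
import re

# Constructed zone export for a hypothetical brand domain (no real records).
ZONE_EXPORT = """\
www.example-brand.com.    300 IN CNAME example-brand.com.
promo.example-brand.com.  300 IN CNAME promo-host.old-agency-cdn.net.
shop.example-brand.com.   300 IN CNAME shops.myshopify.com.
example-brand.com.        300 IN TXT   "v=spf1 include:_spf.google.com include:spf.defunct-mailer.com -all"
"""

# Hypothetical allow list: registrable domains the organization controls or has
# verified as live, maintained third parties. In practice this is built from
# registrar exports plus a WHOIS/RDAP check on every external target.
KNOWN_GOOD = {"example-brand.com", "myshopify.com", "google.com"}

# owner  TTL  IN  type  rdata   (only CNAME and TXT are of interest here)
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|TXT)\s+(.+)$")


def registrable_domain(name: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels.
    Simplification: a production tool must use the Public Suffix List so that
    names under suffixes like co.uk are not collapsed incorrectly."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_zone(text: str):
    """Yield (owner, rtype, rdata) for each CNAME and TXT record in a zone export."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            yield owner.rstrip("."), rtype, rdata.strip().strip('"')


def spf_includes(txt: str) -> list:
    """Return the include: domains of an SPF TXT record, or [] if it is not SPF."""
    if not txt.startswith("v=spf1"):
        return []
    return [tok[len("include:"):] for tok in txt.split() if tok.startswith("include:")]


def find_dangling(zone_text: str, known_good: set) -> list:
    """Return (owner, kind, target) for every record that delegates trust
    (CNAME target or SPF include) to a domain outside the allow list."""
    findings = []
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype == "CNAME":
            targets = [(rdata, "CNAME")]
        else:
            targets = [(inc, "SPF include") for inc in spf_includes(rdata)]
        for target, kind in targets:
            if registrable_domain(target) not in known_good:
                findings.append((owner, kind, target.rstrip(".")))
    return findings


if __name__ == "__main__":
    for owner, kind, target in find_dangling(ZONE_EXPORT, KNOWN_GOOD):
        print(f"{owner}: {kind} -> {target} (domain not under verified control)")
```

Run against the constructed zone, the checker flags the promo CNAME pointing at an old agency's CDN domain and the SPF include for a defunct mailer, while leaving the records that point at the brand's own domain, Shopify, and Google alone. Either flagged record is a takeover waiting to happen if the target domain lapses: the CNAME hands an attacker a subdomain of the brand, and the SPF include authorizes whatever mail servers the re-registered domain chooses to list. Removing the record, or re-establishing control of the target, is the fix; the review has to recur, because delegations rot as vendors and campaigns are retired.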
Cyber Insurance versus Cyber Warranty
In today's episode of Breakfast Bytes, we are delighted to have Joe Brunsman from Brunsman Advisory Group as our special guest. Known for his extensive knowledge on the intersecting worlds of insurance and cybersecurity, Joe offers beneficial insights on the evolving sphere of insurance exclusions and how businesses can navigate these changes amidst the increasing threats of cyber warfare. Tune in as we explore the importance of adopting risk mitigation strategies with tangible security investment returns rather than relying solely on insurance coverage. Join our profound discussion on the role of senior management in establishing a secure digital environment, starting from understanding IT risks and challenges, creating actionable plans, and sticking to a consistent policy. We also delve deeper into topics like legacy technical debt, the role of a Chief Information Security Officer (CISO), gaps in current insurance policies, and breaches of customer contracts owing to the lack of managerial insight in the IT sector. In this knowledge-packed episode of Breakfast Bytes, we help you understand the intricate relationship between insurance and cybersecurity, and how enhancing comprehension in these two areas can secure your business in this fast-paced digital age. Listen as we unwrap various complexities surrounding cyber insurance and the emergence of warranties as an alternative, exploring their potential pitfalls and inconsistencies. From diving deep into the history of insurance to shedding light on the impending exclusions in the upcoming insurance policies, we've got it all covered. Moreover, we highlight the need for skepticism and caution while dealing with Cyber Insurance, emphasizing comprehension over rushing headlong into the risky space of cyber warranties. Also, discover the correlation between proactive security measures and reduced insurance coverage needs, and understand why more insurance doesn't guarantee better safety. 
Lastly, our guest Joe Brunsman sheds light on the seldom-discussed aspect of cyber insurance and data security. Learn how states are regulating insurance companies for holding sensitive data and the shockingly minimal regulations surrounding warranty companies. Get enlightened about the real-world realities of cybersecurity and how, despite utilizing SaaS platforms, corporations are not as secured as they think. This episode guarantees both enlightenment and critical thinking around cyber insurance and data security. Tune in to gain a wealth of knowledge on this important but often unexplored domain!
Demystifying IT Services and the Shared Responsibility Paradigm
Welcome to another eye-opening episode of Breakfast Bytes hosted by Felicia King. In this episode, we dissect prevalent misconceptions in the IT industry particularly regarding services like NOC, SOC, XDR, and SOAR. Explore the conundrum between cybersecurity checkbox exercises and the pivotal need for legitimate risk reduction efforts. Moreover, discover potential pitfalls of co-managed IT and strategies to sidestep them. We delve extensively into co-managed IT services, illustrating their significance, pitfalls, financial risks associated with improper executions, and real-life challenges and liabilities. Emphasis is also laid on the involvement of the clients and their responsibilities in relevant scenarios. Our host Felicia does not just spotlight the issues in the IT sector but equally provides insightful solutions and pragmatic advice. Crucial facets like service evaluation, defined requirements, discrepancies between 'theater' and real risk mitigation are discussed at length. This episode includes a discussion about shared responsibility, a cornerstone to successful IT operations. Unravel the importance of clients understanding policies, embracing HR enforcement, and being proactive in managing potential IT and security risks. We further cover the vital part they play when ensuring efficient IT systems and cybersecurity. We question the practice of delegating SOC to third parties due to its contribution to fragmented security operations and poor risk management. Instead, we advocate for a converged NOC and SOC model. Explore how greater comprehension and collaboration paired with user training, self-reliance, and policy adherence can prevent catastrophes like litigation. Beyond outlining potential risks and solutions, this episode offers practical advice for managing complex escalations and ensuring secure configurations, all through the converged NOC and SOC model.
How establishing requirements properly results in best outcomes
Felicia is joined by fellow CISO Dawn Montemayor, partner at PureCyber, a security-minded business consulting firm. Learn from two CISOs how vital it is to use operationally mature processes in requirements definition in order to achieve effective outcomes while avoiding toxic behavior in complex entities. Topics covered:
• The importance of vulnerability assessment and management requirements in contracts
• It is imperative for resource owners to be designated and held accountable for outcomes
• Exit strategies must be established as part of the procurement process
• Lack of right-to-audit clauses in cloud services contracts
• How the lack of an effective paradigm leads to destructive decision-making
• IT must not be seen as the dumping ground or janitor. Instead the business must be charged back for the real proportional cost of service
• True TCO calculations must be made as part of the procurement requirements definition
• Systems integration and interaction maps are incredibly valuable
• IT must be seen as a business partner and involved in decision-making. Just because IT wants to say yes to help the business does not mean the business gets to disrespect IT standards
• Talking to the CISO can lead to utilization of an already vetted, approved platform, making the pace of business faster
• Why procurement justification statements are imperative
• Why it is necessary to track TCO and actual costs for products and services associated with a business function
• Why it is essential to use operationally mature processes in a paradigm focused on governance, accountability, and transparency
• Why the CISO and CTO should sign off on procurement of anything for which there is not already an approved policy standard
• Why your CISO needs to review the contracts for a service or product before an officer of the company signs the contract
• Why business leaders must consider how their revenue is event driven
• Why the shared responsibility model is imperative
• Resource owners must be defined and made accountable
Operational Maturity is required to have Information Security Risk Management
Felicia is joined by Laura Conrad, a Security Architect with 30 years of experience in enterprise environments. Laura currently reports directly to a CISO, and has been an integral part of the information security program at two large enterprises. Felicia has consulted with 26 large enterprises and numerous SMB organizations in the last 30 years. She finds that the same problems occur in every organization that lacks operational maturity.

Are you a person working in information security, frustrated by the lack of progress of a security program in an organization because of the org's lack of operational maturity? Do you struggle in dealing with toxic, unproductive people? What approach could address these problems and more? Learn from two experts how they have seen companies engage in self-destructive and resource-wasting approaches simply due to the lack of drive by executive leadership to install a structure for governance, accountability, and transparency in the organization.

Org structure required for CISOs to be effective
This article and its impact are briefly covered as they are related to this topic. https://www.darkreading.com/cybersecurity-operations/cisos-struggle-csuite-status-expectations-skyrocket It is quite a good article, but it implies that if the CISO reports directly to the CEO, the problems in an organization will be reduced. While that is partially true, that by itself will absolutely not fix the problems. Felicia and Laura deep dive the decision-making failures that occur throughout an organization and what drives them. Also discussed are methods to truly and structurally correct the problems across an entire company.

95% of information security risk management issues are HR management issues
Executive management want to run the company, not manage people. This leads to toxicity and unproductivity being tolerated when personnel issues are not fully investigated and actioned. The desire to make an emotional problem go away cannot override the need to get to the core of the issue and put a system in place to prevent it from happening again. This is not about firing people. This is about instilling a culture where the facts matter, personnel issues will be investigated, and structural systems will provide the governance to drive productive staff behavior.

Org executives are unaware of the real costs of inputs
It seems to be a pervasive problem across most organizations that there is no financial management structure which facilitates the tracking of expenses as inputs to a service or product delivery to customers. Without this real understanding, leaders persistently price products and services incorrectly. This leads to one business division or a product line losing money and needing to be subsidized by another. Executives rarely understand that by tolerating operational immaturity in their organization, they are actually failing in their duty to stakeholders to effectively manage the assets of an organization to maximize value.

Drive change and org-wide staff effort alignment with dashboards that drive transparency and healthy internal competition
Felicia and Laura discuss in detail the how and why of dynamically updating dashboards which help the CTO, CIO, and CISO manage upward to the CEO and board, while driving downward alignment to objectives.

Governance, Accountability, Transparency in IT Security
Felicia and Laura discussed the importance of governance, accountability, and transparency in IT security and business processes. They emphasized that these principles could help prevent problems caused by a lack of collaboration and understanding between IT and business units. Felicia cited instances where poor prior planning led to unnecessary expenses and internal toxicity, which she believes could be avoided with a more mature approach to operations. Laura added that these principles could also lead to cost savings and risk reduction.

Harden the procurement policies
Felicia and Laura provide many examples of problems that could have been or were avoided by having an enforced procurement policy which resulted in all technology purchases being signed off on by the CISO or security architect and often the enterprise architect. It is infinitely easier to rectify issues before an implementation and before signing a contract than to do so after a purchasing decision has already been made.
Managing the impact of changing IT service providers
Felicia shares insights on the pitfalls of changing IT service providers or MSPs for both clients and the IT service providers themselves. This content is based upon a number of questions that other MSPs have posed to Felicia asking for advice, as well as numerous first-hand experiences on the subject. This podcast is primarily for IT service providers or MSPs, but business decision-makers who are considering making a change would also benefit from the content.
CMMC and latest DoD memo implications and far-reaching effects related to FedRAMP
Special guest Tobias Musser of MNS Group generously shares with the Breakfast Bytes audience his wisdom and insight into what is a challenging and nuanced regulatory landscape that has far-reaching business implications. https://mnsgroup.com/

A vigorous discussion of the implications of the latest DoD memo about DFARS 7012 and FedRAMP or FedRAMP Moderate.

FedRAMP Compliance Challenges and Hybrid Approach
Tobias and Felicia discussed the implications of a DoD memo mandating FedRAMP compliance for all products used by a DoD contractor or subcontractor. They explored the potential challenges, especially for small businesses, and the difficulties in achieving equivalence. They considered the idea of using on-premise solutions as an alternative, but noted the need for specific documentation and careful implementation. Tobias and Felicia also deliberated on the potential benefits of this approach, including the severability benefit of on-premise solutions. They discussed the challenges of finding cost-effective, user-friendly FedRAMP tools, noting their high cost and complexity. They also touched upon the implications of a recent memo that increased the requirements for FedRAMP compliance and the potential security issues associated with it. Tobias emphasized the need for increased security to protect soldiers and the country. They concluded that a hybrid approach was necessary, but the current tools were not up to the task.
Why the ship has sailed on BYOD
Tom Dean of Consulting Adventures joins Felicia for part three of the analysis on mobile devices and the problems with them.

Topics:
- OKTA breach: an IT admin's password getting stored in a password manager synced to Gmail
- Two-way problems: personal on business and business on personal
- Lack of clarity around device wipe, device use policies, and apps running on devices
- Compliance is easier when the business owns the asset and the delineation of ownership of asset and data is clear.
- If the configurations are not managed, the cost profile to the company is a lot higher.
- Credentials and MFA spill over in both directions.
- Data compliance issues
- DLP and encryption issues
- Lack of ability to define device security settings like PINs
- How are you doing effective device configuration backups?
- How do you prevent malicious apps from being installed on the devices?
- How do you have leveraged support capabilities from the mobile devices?
- Asset inventory is mandatory.
- Compliance costs can be drastically reduced by having company-owned assets that only get approved applications. This is another reason why end users CANNOT have admin access.
- No VPN access until someone has been part of the company for 30 days.
- Onboarding and offboarding is crucial to information security.
- Information security is not a technical controls issue, it is an HR management issue.
- Verizon fell for fake “search warrant,” gave victim’s phone data to stalker: https://arstechnica.com/tech-policy/2023/12/verizon-fell-for-fake-search-warrant-gave-victims-phone-data-to-stalker/

As if all that wasn't bad enough, if an employee of a company has issues in their personal life, it will spill over to business, especially in the context of allowed personal use of company assets.
Threats to mobile devices and how to manage them, part 2
Part 2 of a series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.

Cohost: Tom Dean – Consulting Ventures
- Tom has decades in the capital goods manufacturing industry (Fortune 500 scale)
- Years of experience in marketing, sales, and interfacing with independent dealers/distributors (small/medium scale)
- Current focus is strategy and risk management consulting
- Lifelong learner with an interest in technology
- Strategy + risk management ---> mobile devices

Topics:
- Apple Find My network: useful feature, but privacy considerations
- SSO risks where there are too many items that can be compromised if there is a single compromise of a single system
- Out-of-band SMS
- Problems with Twilio and 10DLC for VoIP SMS
- Know Your Customer regulations, and implications with SMS validation for ownership establishment
- Synology came up with their own Synology MFA app, and the problems with that
- Do Not Call Registry updates; good news!
Physical threats to mobile phones, SIM hijacking, out of band SMS, and Yubikeys
Part 1 of a two-part series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.

Cohost: Tom Dean – Consulting Ventures
- Tom has decades in the capital goods manufacturing industry (Fortune 500 scale)
- Years of experience in marketing, sales, and interfacing with independent dealers/distributors (small/medium scale)
- Current focus is strategy and risk management consulting
- Lifelong learner with an interest in technology
- Strategy + risk management ---> mobile devices

Personal travel:
- Laptops have transformed to mobile devices (phones and tablets).
- Risk was more contained with laptops, but the impact is much higher with mobile phones.
- A lot of nuances around "was the password revealed?"
- Biometrics are convenient but quite dangerous. Biometrics are a proxy for a numeric passcode on a mobile device.
- Physical compromise is a 5-alarm fire situation. Physical loss when it is not compromised is not that big of an issue as long as authenticators are backed up.
- Must have erase after 10 bad password attempts.
- Turn off notifications on screen lock. Do not have notifications turned on to display on the lock screen.
- Avoid banking apps. The first things that the baddies go after are Venmo, Apple Pay, and cash apps.

Out-of-band SMS for MFA:
- SIM swapping risk, or eSIM embedded in the phone
- Put a PIN on your physical SIM.
- MySudo – can clone that instance to other phones.

Password manager on phone:
- Disaster if this is based upon your biometric. You can use a different or secondary PIN. You can use a Yubikey.
- Password manager helps you recover.

Segmentation strategies:
- They can see all the emails on your phone and change passwords, or password reset is typically done via email.
- Screen Time on Apple can be helpful, but there are weaknesses there.
- The only way to really secure the device is to use an MDM. You still need to be concerned about MFA and account takeovers.
- Need to have an out-of-band mechanism to receive alerts and the ability to remotely kill the device.
- Microsoft Authenticator and Google Authenticator do not have a separate PIN. Authy is free. It has its own separate PIN.
- Yubikey is great but assumes that you can manage controlling the physical access to it. Do not store it on your key chain.
- Diversification strategy with inventory.

MDM:
- Kill apps
- Apple Configurator – small scale
- Apple Business Manager
- Jamf – requires an Apple Business account for security
- Inexpensive “Jamf Now” for small businesses. Minimum is one device. The first 3 are free. Still affordable beyond that.
- Don’t let anyone change the account on this device.
- You have to figure out a lot on your own and block URLs that you don’t want accessed.
- Apple devices need to be in supervised mode, so it matters how you buy them.
- Intune

Risk examples:
- Loss of device (resiliency, e.g. MFA)
- Theft of device involving passcode surrender (loss mitigation)
- SIM swap (cellular store employees)
- SIM card theft (removal of SIM card from phone)

Risk reduction / resiliency:
- OS decision (iOS vs. Android). Note that one is not better than the other. Risk reduction is all about an individual's ability to manage the risks based upon platform selection.
- MDM (remote data wipe): small-scale company (Apple Configurator or Jamf Now) vs. corporate MDM
- MFA backup/diversification (SMS via cell or VoIP providers vs. TOTP vs. passkey/Yubikey etc.)
- App selection (OS-based or independent)
- App protection (‘independent’ PIN protection vs. Face/Touch ID)
- ‘Attack surface’ – minimization of exposure (e.g. banking apps, cash apps, Find My Friends etc.)

Resources:
https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claim
https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/amp/
How to analyze workloads and decide how they should be hosted
The process of determining how workloads should be hosted is very complex and not a decision that should be abdicated to the IT service provider. Business decision-makers must be involved in those decisions as only they are able to define the key criteria that all other factors are dependent upon.
How a lack of understanding of business processes relates to adverse financial impact
CTO Kyle Wentworth joins Felicia for a discussion about how businesses can avoid adverse financial impacts.

Topics:
- Lack of understanding of the language of technology. It changes so incredibly fast that it takes a sea of people who understand the pieces.
- Complete perspective of how the business of technology should be run.
- Understand what governance and compliance standards your business is held to. That dictates how you do business.

Some tangible examples of how things can and should be done:
- Justification statement annually for expenses: how it is being used and how the costs were arrived at
- Assignment of the resource owner
- Misallocation of funds: paying for items that should not be paid for takes resources from other needed items.
- Walk through your business. Identify what you don't understand about the business. Do you understand every function of the business? You have to understand your entire business as a whole if you are the leader of the business. Gaps in your understanding indicate where you need an auditor to verify that your people doing the processes are doing them properly.
Email security management and monitoring is critical
Why it is critical to have an email security expert managing and monitoring email security configurations and delivery of email on an ongoing basis. Instructions from marketing automation platforms are not adequate. It matters A LOT what you are trying to do with email. Getting these items configured is an art form. Vendors are continually failing vendor risk management analysis and losing business over their email not being properly configured. New website resource: https://kb.qpcsecurity.org
CISO, CTO, CIO, what’s the difference?
Kyle Wentworth of Wentworth Consulting Group joined Felicia to compare and contrast three C-suite level IT/IS related roles. Kyle has 35 years of business experience and has been working on computers since 1976. He is a:
- Fractional CTO
- Business coach
- Business process modeler

Kyle has a great resource on his website to help people understand the differences between these C-suite roles. https://wentworthconsultinggroup.com/cto-cio-ciso-consulting/

Listen to the podcast for some Kyle truth bombs such as:
"Technology runs your business. You don't. We facilitate technology to run our business. IT is the most critical function of your business."
"Technology is harder to manage than brain surgery. Then why are you having conversations with technologists? Technology footprint is harder to identify and manage than brain surgery."

We talked about Felicia's hot button, which is a lack of a quality, enforced procurement policy.
"The reason you give someone the ability to purchase the product is because you don’t understand why they should NOT buy it."
Zero trust fundamentals
Zero trust is not a product you buy. The problem that most organizations have is that they are still not doing the fundamentals well. CIS has a Community Defense Model. I did a detailed webinar on it where I covered a lot of these fundamentals. https://www.qpcsecurity.com/2023/02/16/addressing-information-security-fundamentals-with-cis-and-community-defense-model/

Let's look at inventory management, asset management, change management, onboarding and offboarding. You must have checks and balances. There must be practices codified in policy with a shared responsibility model which make it so that the issues that are created by mistakes in onboarding or offboarding are caught.

Fundamentally, the most effective things in zero trust are the protections that are in an always-on state. Take for example the recent revelation about flaws in UEFI and Secure Boot. These have prerequisites like TPM, BIOS configs, BIOS admin passwords, automated firmware updates, procurement policy alignment for supported hardware, onboarding configuration done properly on those endpoints, monitoring of the firmware updates, and of course, no admin access for end users!!!

FUNDAMENTALS MUST BE MASTERED

When an organization does not have a CISO that has policy and management authority over IT, you are guaranteed to have problems. Forget CIO and CTO. I think those are old modes of thinking. Find a CISO that can be the leader of all IT strategy.

Procurement policy must include vetting and testing of cloud app integrations. Monitoring and technical controls must be in place to restrict or eliminate the ability of an end user to buy shadow IT and authorize it on their own. Azure AD has controls for this, but they are not on by default.
FTC Safeguards Rule, IRS requirements, and tax preparers
The IRS regulations requiring tax preparers to be compliant with the FTC Safeguards Rule are specified to be enforced starting in June 2023. It is doubtful that the majority of tax preparers are adequately compliant. The IRS published information about this compliance requirement as far back as 2019. https://www.irs.gov/newsroom/heres-what-tax-professionals-should-know-about-creating-a-data-security-plan

All of it is common sense and things that orgs should have been doing for ages.
IRS publication 4557: https://www.irs.gov/pub/irs-pdf/p4557.pdf

Before you use a tax preparer, ask them for their compliance certification statement. Practical examples of what to ask of your tax preparer and why: https://qpcsecurity.podbean.com/e/business-survival-over-the-next-decade/

More information on this topic from Joe Brunsman, cybersecurity insurance expert: https://youtu.be/NOY249doJXg
Methods to prevent business email compromise
Methods to prevent business email compromise.
Business survival over the next decade
What is the number one thing you can do as a consumer to protect yourself when dealing with tax preparers? Practical examples of what to ask for from your tax preparer and why.
- What is the total number of people that would have access to my records if I do business with you?
- You want me to sign a contract with you, terms and conditions that I have to abide by. If you are going to prepare my taxes, show me your affirmation statement where you as a tax preparer have put it in writing that you are fully in compliance as a business with the IRS requirements for tax preparers. Put that in writing.

If the IRS is the authority that is providing the designation that an organization is an IRS authorized tax preparer, then the IRS is the entity who defines the standard for what is the requirement put upon that organization or that person in order to have that designation. Therefore, it is completely legitimate to be asking as a prospective customer of that organization, "show me your compliance statements". How do you comply with the IRS requirements for tax preparers? And if you get anything other than a fully prepared, premade statement they provide to you in writing, then that's problematic because it means that they are not compliant.

What is one of the most important things that a business owner can do in order to make their business survive the next decade? Information security risk management is everyone's problem. Business leaders cannot delegate and abdicate involvement. If you are not having regular meetings with your vCISO, how can you make informed risk decisions? Do you know what the gaps backlog is for your organization? Do you have a risk register? If you refuse to make the time to meet regularly with your vCISO, your business is going to be squeezed by cybersecurity insurance requirements, governmental regulations, and customer requirements.

The executive management team needs to understand that if they do not tell all of the managers in an organization that they need to take responsibility for the ownership over their resources, then what needs to happen is that the executive management team needs to make the CISO or the IT department have full total authoritarian control over those resources. But then that turns into a big can of shut the heck up to the people who've abdicated their responsibility to be involved in the process. Because you can't have it both ways. You can't say that IT is responsible for the security of those assets, but then refuse to be involved in the conversations about who should be having access to what and when, and claim that you don't have time to talk about it, that it is not important. Of course it's important. Are you the resource owner or not? So you can't make it somebody else's responsibility to define the policy around who has access to that resource that ultimately you're responsible for, and then yet get grumpy when your access, or the people who you thought should have had access to that resource, have their access denied because IT is trying to clean up the mess. You can't have it both ways.

Whose responsibility is information security risk management? Ultimately, it's the executive management team. But they can delegate that through the organization to the resource owners, and at the end of the day, IS risk management really needs to be everybody in the entire organization's responsibility. Information security practices need to permeate throughout the entire organization. The end users of an organization are the largest attack surface that an organization has.

Suggestions for tax preparers
Tax preparers need to comply with the FTC Safeguards Rule, which is currently slated to be enforced starting in June 2023. As of May 2023, the expected plan is that private contractors will be the enforcement auditing arm for compliance. In reality, any company that had taken cybersecurity insurance compliance preparedness seriously and had engaged a vCISO proactively several years prior would likely have no issue in this area. But the vast majority of tax preparers were unwilling to invest in the kind of protections that should have been in place for decades.

Here are some resources.
https://www.irs.gov/newsroom/heres-what-tax-professionals-should-know-about-creating-a-data-security-plan
https://www.irs.gov/pub/irs-pdf/p5293.pdf
https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

Page 13 of publication 4557 states that all tax preparers must comply with the FTC Safeguards Rule. That means if you or your organization has an IRS tax preparer ID number, you must be in compliance and be able to prove that you are in compliance. Tax preparers that are under $2mm in revenue should expect to spend 15% of revenue annually on all-inclusive IT costs. If your spend is not that high, then your organization is likely not going to be competitive in the market and is bound to lose market share to players who have invested in becoming FTC Safeguards Rule compliant. Please also be aware that security theater is not compliance. I have seen some scams such as do-it-yourself kits through technical firms who specialize in servicing accountants (per their website).
https://www.irs.gov/pub/irs-pdf/p4557.pdf

More details from Joe Brunsman, cybersecurity insurance expert: https://youtu.be/NOY249doJXg
PSA or ERP - paradigm and requirements analysis
I get a lot of questions about PSAs, ERPs, and overall paradigms related to core business software. This podcast summarizes things you should be thinking about in your software selection process. After three years of investigating PSA and ERP options, including spending a lot of money on software and payroll, the product we like is Odoo.

Organizations using a PSA with add-ons approach are really missing the mark. There is no PSA that does project management well. None of them have accounting systems. Most of them are terrible at quoting. And they are all expensive. They also are all weak at analytics and business visualization or analysis. So a company ends up paying for:
- PSA
- Quotewerks
- Zomentum
- eCommerce processor
- Payment gateway provider
- Project management platform
- QuickBooks or Xero
- PowerBI
- Website hosting
- Applicant tracking system
- HR / people management system
- Email newsletter system
- Marketing automation platform
- CRM
- Social media marketing platform
- and more

Whereas, a business could just get Odoo. Let's look at a brief cost analysis.
- Halo - $15,000/yr
- Quotewerks or Zomentum - $500/mo
- QuickBooks or Xero - $1300/yr
- ConnectBooster - $300/mo or more
- Project management - $300/mo or more
- ATS - $5000/yr
- HR system - $150/mo/employee
- Infusionsoft or Hubspot - $1200/yr at least
- Social media marketing - $200/mo
- CRM - $300/mo

OR you could just stop all that nonsense. Odoo: $47/mo/user. Remember that this includes your website hosting too. And it turns out to be much better than WordPress, Joomla, or other smaller CMS.

What I find really hilarious is when I ask other business owners how much they are spending on all the components they use that spackle over the deficiencies in their PSA, they rarely know. It's like it is a financial hole in their business that they don't want to look at.

As of 11/22/2023, our 1 year Zoho subscription that we tried has been set for non-renewal. 
The primary basis for that was four wasted months of payroll, wasted time working with Zoho support, and wasted time working with Zoho consultants to try to get integrations with other modules in Zoho to work. The modules in Zoho One are designed to work independently. In order to get data to flow between them, integrations between the modules is required. We consistently found that those integrations between the individual Zoho modules did not work properly. We had other problems with it as well, but it became quite clear that Zoho One was not really an ERP because it is not foundationally designed with the premise that all of the modules are fully integrated automatically. I looked deeply into Manage Engine ServiceDeskPlus for MSP also. I spent about a year on that investigation. I encountered a plethora of challenges with that and it still is a PSA-like mindset where ServiceDeskPlus cannot be a comprehensive business tool. I encounter MSPs that use an outsourced helpdesk that requires the use of a specific PSA. I don't and won't outsource helpdesk for quality control reasons. Overall, Odoo does everything better than ZohoOne. Odoo integrations are all there from the very beginning automatically integrated because it was designed as an ERP from day one instead of individual modules. You can see a demo of Odoo at https://demo.odoo.com. Be aware that there are more modules available than what is shown in the demo, but the demo will give you a good overview. Odoo training is online and free. The documentation is online and free. Support is included with paid subscriptions and we have found that support is effective. Conversely, we rarely had any success with Zoho support. Odoo is more intuitive with things just working and being able to be figured out oneself through the use of documentation, training videos, and just playing with the software. We use the Maintenance module which is good for a facilities maintenance team. 
I wanted my team to be able to log time entries against particular maintenance tasks. In 2023, it is not possible for time entries to be applied directly on maintenance tasks that flow through to timesheets for payroll. When I put in a feature request, with Odoo, they responded very quickly stating that they were aware of the limitation and were also aware of the need and value. With Zoho, I would put in a feature request and get a response in 9 months. I think that Zoho is so busy writing new modules that they have little to no developer time allocated to making the ZohoOne integrated ERP vision a reality. We spent a LOT of time trying to use the recruiting module in ZohoOne and found it to be an exercise in frustration. We had a lot of success with the Odoo recruiting module with only a few limitations. The bottom line is this. Find just one thing you can use Odoo for that can justify the monthly fee for one user. Get in there and start using it. We have some clients who are using just one module for free. I got one client up and running on the project management module in a couple hours and got the client trained on it. Another client, we put on the website module. The feedback we get from clients emphatically is that it is intuitive and easy to use.
Tech E&O and cyber insurance with Joe Brunsman
Tech E&O and Cyber insurance with Joe Brunsman of The Brunsgroup – Expert on Tech E&O and Cyber Insurance
YouTube channel – Joseph Brunsman https://www.youtube.com/@JosephBrunsman
https://www.thebrunsgroup.com/
Damage Control book https://www.thebrunsgroup.com/book2

Tech E&O and cyber
- An MSP should have a tech E&O policy. They cover different things. What types of third-party claims will they cover?
- A guy on the Que recently said that he did not think that E&O was required because his customers have never asked for it. You must have a TECH E&O policy.
- What is the biggest thing that you need to pay attention to in the E&O policy? Look at the definition of technology services in the policy. If the definition of technology services is not right, nothing past that point matters.
- Avoid the named peril policy. An all-risks policy is better. These are becoming harder to come by.
- Named peril: "Technology services means:" and then there is a list. You have to prove to the insurance company that what you did falls within that definition.
- What do you need to look for? “Including but not limited to.” Contra proferentem = ambiguity is held against the draftsman. The onus is on the insurance company to prove that what you did was not covered under the definition.
- How much coverage in the policy should they have? How much cyber insurance do you need? Here are the variables that I think about – see the YouTube video.

Brokers
- There is no legal requirement that they understand or read the insurance policies. The average IQ of an insurance broker is 104. They do not understand what they are selling. The onus is on the business owner to ask and to get the right things.
- What is your major loss event? What are we worried about? Is it even possible to insure for those issues?
- Step 1: Stop relying on the insurance broker.
- Step 2: Fellow decision-makers in the business, what are you worried about? Talk to the broker about that. Then the broker finds “these are the options in the cyber insurance market that address those concerns”.

Joe: Huge proponent of defense in depth over cyber insurance. Rank order the biggest bang for the buck. Felicia has been talking about that for years and is doing a webinar on 2/9/2023 on that very topic.

Insights from plaintiff’s attorney
Joe had a great convo with a plaintiff’s attorney and got his opinion on risk management. Risk discovery question: What is the one thing that sinks the ship in the lawsuit? There is an internal email. You knew you were supposed to do this. But they said it was too expensive. They were not going to do that. They understood the risk and just accepted it.
What could the business do in order to circumvent that email being a death blow in the lawsuit? A plan of implementation. No business has unlimited resources. No business is perfectly secure. You sit down with the business owners and MSP. We need to work on a plan to better your security. You don’t have unlimited money. I am a business owner too. You need a roadmap. Everyone signs off on it. We were trying, we were getting there.
Felicia: Wow, this is astonishing because this is what we have been doing with clients for 20 years. It is the type of thing that a CISO knows how to do, but few others know how to do well.

Life hack tip from Joe
Convo with the average business owner: Obviously you are really good at what you do. You have built this business. Build a relationship with them. The MSP is not the subject matter expert on the client’s industry. Fluff their feathers. Transition that. I asked you a bunch of questions, thank you for hearing me. Now we are going to go through this. Can we just do the same thing in reverse? If you do not understand this yet, let me know and let’s break it down.

Joe and Felicia agree: One way or another, those controls will be implemented. Read any breach notification letter. Magically we found more money to invest in cybersecurity. 
Either work on your information security program monthly at a pace that your budget can absorb, or that decision of timing and magnitude will be taken away from you.
Implications of poor design on security - an example
Google and how they do their technology
Things that make security hard. This is not an exhaustive list of the implications of poor design on security; covering that topic adequately would likely rival the size of War and Peace. This is a discussion of one tangible example to convey how technology selection directly correlates to an organization's ability to secure its overall environment. In order to accommodate something poorly designed, larger-than-necessary holes may need to be carved through security. Please get your CISO and security architect to perform a risk assessment of a technology BEFORE procurement.
Recent security news alerts discussed again why advertisements must be blocked. Google's own ad network has been used for hosting and serving malware to victims.

Google and their netblocks
Their guidance to you is to whitelist their entire network blocks, which is beyond insane. It is the same insanity as whitelisting *.windows.net, which is what some SaaS providers who host their resources on Azure advocate. Azure-hosted customer resources are on windows.net, which means an attacker can spin up a hosted VM that sits on a windows.net FQDN and in windows.net IP space. You cannot just whitelist all of Azure either.
https://ipinfo.io/AS15169
Beware that software companies will put out idiotic statements in their support documentation telling IT professionals to "open ports [range of ports] to all IP addresses contained in the IP blocks listed in Google's ASN." Let's be clear: those IP addresses are not just Google's company-internal resources. They include customer-hosted resources whose content Google does not control, manage, or secure. The Google netblocks represent 73.5 million domains. There is NO legal defensibility in creating a hole that massive through any security system. Yet this is likely what 99% of IT professionals are doing, because they are not network security architects.
Business decision-makers must understand that a lot of bad advice comes out of even major companies as it relates to information security risk management. They put out insane statements such as whitelisting the IP space representing 73.5 million domains. Even if you look up a separate Google ASN, it is still 18,933,082 domains. That is clearly a massive amount more than the small set of resources you legitimately need to reach for something like Google reCAPTCHA to work. But because of the way Google has designed their infrastructure, your ability to have network security is hampered.
https://chronicler.tech/firewall-considerations-for-google-recaptcha/
Autoblocking and DNS latency. One of the major problems with using anything on Google's infrastructure is that their entire system was never designed for compatibility with selective controls. It was not mail.google.com, it was google.com/mail. It was not drive.google.com, it was really google.com/drive. The real infrastructure was hosted under google.com itself rather than on separately controllable hostnames. And so many web developers have made Google Analytics a mandatory component of how their website infrastructure works that you have to allow it. It just allows Google to be a data vampire.
Microsoft, in contrast, publishes its endpoints by service and category: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
There is a strong tendency among IT support personnel to engage in over-troubleshooting. They follow the software vendor's recommendations and end up driving holes the size of North America through your security configuration. Please ensure that the personnel managing network security for your organization are actually qualified to do it.
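As an added illustration of the difference between "open the whole ASN" advice and an allowlist built from a vendor's published endpoint manifest (example code written for this page, not a tool from QPC Security, Google, or Microsoft): the manifest below is a constructed sample that reuses the field names of the Microsoft 365 endpoints web service, and the ASN prefix list is a hypothetical stand-in for what an ASN lookup returns. The script counts how many addresses each approach opens and emits rules only for the endpoints the manifest marks as required.

```python
"""Allowlist from a published endpoint manifest instead of a whole ASN.
Added example for this page; not code from QPC Security, Google or Microsoft.
The manifest is a constructed sample using the field names of the Microsoft 365
endpoints web service; the ASN prefixes are a hypothetical stand-in.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed manifest entries (field names as in the M365 endpoints service,
# values invented; documentation ranges from RFC 5737/3849 used as addresses).
SAMPLE_MANIFEST = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office365.com"], "ips": ["203.0.113.0/26"], "tcpPorts": "443"},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "urls": ["*.protection.outlook.com"], "ips": ["198.51.100.0/24"], "tcpPorts": "25,443"},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.blob.core.windows.net"], "tcpPorts": "443"},  # optional, no IPs published
]

# Hypothetical "just open the whole ASN" prefix list a vendor doc might hand you.
HYPOTHETICAL_ASN_PREFIXES = [
    "203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24", "2001:db8::/32",
]


def addresses_in(prefixes: Iterable[str]) -> int:
    """Distinct addresses covered by a prefix list (overlaps collapsed first)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    total = 0
    for version in (4, 6):
        same = (n for n in nets if n.version == version)
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total


def required_rules(manifest, categories=("Optimize", "Allow")) -> List[Tuple[str, str]]:
    """(destination, tcp ports) rules for required endpoints only.

    Published IP prefixes are preferred; where the vendor publishes only FQDNs,
    the rule is by name so a proxy or DNS-aware firewall can resolve it instead
    of opening a guessed address range.
    """
    rules = []
    for entry in manifest:
        if not entry.get("required") or entry.get("category") not in categories:
            continue
        destinations = entry.get("ips") or entry.get("urls", [])
        for dest in destinations:
            rules.append((dest, entry.get("tcpPorts", "")))
    return rules


def allowlist_size(manifest) -> int:
    """Addresses opened if only the required entries' published prefixes are allowed."""
    prefixes = [ip for e in manifest if e.get("required") for ip in e.get("ips", [])]
    return addresses_in(prefixes)


if __name__ == "__main__":
    print("ASN-wide hole:", addresses_in(HYPOTHETICAL_ASN_PREFIXES), "addresses")
    print("required only:", allowlist_size(SAMPLE_MANIFEST), "addresses")
    for dest, ports in required_rules(SAMPLE_MANIFEST):
        print(f"allow tcp/{ports} -> {dest}")
```

The point of the comparison is the ratio, not the absolute numbers: the hypothetical ASN list opens every address in three /24s plus an entire IPv6 /32, while the required endpoints need 320 addresses on two ports. When a vendor publishes only FQDNs, keep the rule by name rather than resolving it once and hard-coding whatever addresses came back.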
Dark web monitoring and avoiding FUD decisions
Kathy Durfee, CEO and Founder of TechHouse, joined Felicia to discuss dark web breach monitoring.
Scenario: FUD report from a competitor.
Perceived: Multiple users in their environment were breached. The perceived proof was a report listing the users and passwords, plus columns of data the customer could not identify.
Good: The customer told their current IT service provider about the report.
FUD (Fear, Uncertainty, and Doubt) is, in the wrong hands, a powerful tool to drive snap decisions within a company. However, it is not a viable or valid sales tactic: for all it could potentially do well, causing unnecessary stress and suffering is what it does best. Speaking with Kathy Durfee, CEO and Founder of TechHouse, a managed services and solutions provider based in Florida, we walk through a recent case of FUD in which a customer of hers received a worrisome report from a potential competitor.
During our chat, we covered:
The key aspects of FUD (and why it does not work)
What the dark web is, and the logistics of monitoring and combating it
Leadership training and best practices for helping a team meet their security and regulatory requirements
Identifying the key differences between commodified and relational partnerships, especially in the technological sphere
Shared responsibility between MSPs, their customers, and those customers' clients
Where does dark web monitoring and dark web data risk reside on the continuum of risk? How best to mitigate? What really is the risk and the mitigation? Put the effort into prevention. Put the individual in the driver's seat of managing the risk that is best managed by them, by putting the right tools in their hands.
Resources: https://haveibeenpwned.com/
Perception of the proper allocation of the budget: Businesses must make time for training. The ITSP must include in its service catalog what the client is getting in terms of services. What do we need to do?
Cross-reference the tools that accomplish outcomes and cover risk mitigation, and ensure that the client understands what those are. Training is how you squeeze the juice out of the orange; without it you may not get all the juice, or any juice at all.
Common business objections to allocating time for training: payroll costs. But avoiding training is not legally defensible anymore.
Policies: The IT service provider CANNOT alone write policies for you, and they CANNOT approve and enforce your organizational policies.
Four pillars:
Policies
Technical controls implemented
Automation of technical controls
Reported to the business. It's YOUR report and your organization. Shared responsibility: some months the CFO reviews it, some months the CEO does. Set a schedule and do it. Three weeks forms any habit; use a trainer or a partner. Do you look at your P&L and balance sheet every month? You should be understanding the reports from IT in the same way.
An interesting lawyer opinion on the topic: https://abovethelaw.com/2023/01/dark-web-monitoring-for-law-firms-is-it-worthwhile/
The relationship between proper data handling and real risk reduction
Those who listened to the November 19th, 2022 podcast I did with breach attorney Spencer Pollock know that he stated that 90% of the breaches he was involved in over the prior 12-month period would have been non-reportable had the data been properly encrypted. https://qpcsecurity.podbean.com/e/what-you-must-do-in-order-to-prepare-for-a-breach/ (Review the link above for attestation and regulatory enforcement proof.)
I have three major points for you in this show:
You need an IRP.
You need a CvCISO.
And you need to understand how data is being handled in your organization.

Let's first talk about the CvCISO
I want to help you understand why you need a CvCISO working with you on a regular basis: even if you are a really large organization, the probability that all of your processes are clean, secured, and compliant and that all your end user training is effective is not high. https://qpcsecurity.podbean.com/e/understanding-vciso-services-and-why-you-need-them/

Incident response plan
Virtually every organization is now required to have a written incident response plan. Below are some examples of the people that must be specifically listed in the IRP. What does your organization do when it does not have these people as full-time internal staff? You need a CvCISO.
People you are required to name explicitly as part of your incident response plan:
IT technical staff
Incident response manager (this had better be a CvCISO or a certified incident response company)
IT director
CIO
Stakeholders such as the board of directors and heads of business units
Finance director
Communications manager: either your internal PR person, your internal corporate counsel, or your breach attorney
Legal representative: either your internal corporate counsel or your breach attorney
Human resource manager

Types of data
Let's talk about some real-world examples of data insecurity, starting by establishing what some categories of data are: PII, PHI, and PCI data.
PHI is protected health information, so think of drug screening results as well as medical records. It is not just healthcare organizations that have it; anyone who does drug screening will have PHI.
PII is personally identifiable information such as your name, contact information, social security number, I-9 information, a copy of your passport or driver's license, and non-public photos of you. It is also your direct deposit bank information, and I would include your salary at your job as PII; it is certainly non-public. So who has that kind of information on you? Anyone who does HR recruiting or has employees is typically going to have this kind of data. I encourage small businesses to use a PEO and not store any of this data themselves; they should outsource that entirely. Some HR management firms have areas in their SaaS platform where their customers (your employer) can upload documents and store them securely, NOT on the employer's environment anywhere.
PCI is payment card information. If an organization processes credit cards in any way outside of a contained e-commerce and merchant processing platform, then it probably has PCI data on a system it controls. Many retailers just use SaaS apps that directly integrate with merchant processing to avoid any storage or holding of PCI data. You should expect that larger organizations are retaining your credit card information.

Applicant tracking and employee onboarding systems
The security of these systems is only as good as the security of the company using them, their processes, how they handle the data throughout the flow, and how documents you completed for them are disposed of if they were submitted in paper format.

Good process
As you interact with the recruiter or prospective employer, all of the data goes directly into a SaaS applicant tracking system, entered by the applicant themselves. The only thing that may be emailed would be a resume.
Any assessment results or applicant data are entered directly into the ATS. The ATS is SaaS, cloud hosted with a very secure company, and all accounts which access the data follow a need-to-know, RBAC approach with MFA enforced. WOTC information is all submitted by you directly into the WOTC company's website. All of your PII is submitted by you directly into the HR enrollment/payroll system without intervention from anyone else. No one else needs to handle your data; it is only being submitted to a high-security SaaS HR management/payroll platform. Your employer never needs to download and retain any of that information because it is stored in the HR management system, and your employer never needed a copy of what you submitted because you submitted it yourself. So you know it is not in their email or on their servers anywhere. They also did not print it and then fail to shred it.

Bad process
You are an applicant and the company you are applying to has you fill out paper forms. You do, and then they scan those forms and send the files somewhere. Let's say they are scanned to an insecure location on the internal network. Then someone retrieves the scanned images of the paper you filled out and emails them to a distribution list. So let's go over what is in the scanned PDF file that got emailed to an internal company distribution list:
Direct deposit information (full bank account and routing number)
Full name and address
I-9 verification, which includes social security number, driver's license number, and birth certificate
W-4, which contains PII and the SSN again
Copies of your signature
Date of birth
Your offer letter, including salary and benefits

Concerns
What happened to the physical paper copies of the forms you completed? Were they shredded the same day? Was the information sent to the email distribution list forwarded to anyone who did not have a complete need to know?
Was the information forwarded to a party external to the company?

Document management platforms
On-premises databases often lack encryption: no encryption at rest, and quite possibly no encryption in transit. If the system the data is stored in is a premise-based thick client application, such as an application with SQL Server as the back end, it is not likely that the communications between the thick client and the database server are encrypted in transit. The SQL Server database most assuredly is not encrypted, because very few applications support SQL database encryption and even fewer IT people know how to set it up. I have seen document management platforms with 500,000 records containing some of the most sensitive PII, and this data was not only housed on servers that were unpatchable and fully deprecated, but the data being transmitted to and from the server was not encrypted, nor was the data in the database encrypted at rest. If you put a dollar figure on the cost of a breach and tie it to the number of unique records that contain reportable information, the cost of that old, insecure server just went through the roof. Even at $1/record, that is $500k. Wowzers! And it is not likely that was the only server compromised in the breach.
What data is stored in people's emails when a company does not have solid policies, end user training, and technical enforcements to prevent the data from being improperly stored?
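One form the technical enforcement in that last question can take, shown here as an added example rather than QPC Security's tooling: a scanner that finds the data types described above (SSNs, payment card numbers, bank routing numbers) in text such as an exported mailbox or the OCR output of a scanned onboarding packet. It applies structural checks (Luhn for cards, the ABA checksum and district prefix for routing numbers, the SSA area/group/serial rules for SSNs) so that plain reference numbers are not flagged. The message it scans is constructed for this example: the card number is the standard 4111 test PAN, the routing number is built to satisfy the ABA checksum, and the SSN is a structurally valid placeholder.

```python
"""Find SSNs, payment card numbers and bank routing numbers in text.
Added example for this page, not QPC Security's tooling. The message below
is constructed: the card number is the standard 4111... test PAN, the
routing number is built to satisfy the ABA checksum, and the SSN is a
structurally valid placeholder.
"""
import re
from dataclasses import dataclass
from typing import List

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
ROUTING_RE = re.compile(r"\b\d{9}\b")

# Valid first-two-digit ranges for ABA routing numbers (Federal Reserve districts,
# thrift and electronic-only ranges).
ROUTING_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    offset: int


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000/666/900+, group not 00, serial not 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def routing_ok(digits: str) -> bool:
    """ABA routing checksum (weights 3,7,1) plus a valid district prefix."""
    prefix = int(digits[:2])
    if not any(lo <= prefix <= hi for lo, hi in ROUTING_PREFIX_RANGES):
        return False
    weights = (3, 7, 1) * 3
    return sum(w * int(d) for w, d in zip(weights, digits)) % 10 == 0


def scan(text: str) -> List[Finding]:
    """Return validated findings ordered by position in the text."""
    found = []
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            found.append(Finding("SSN", m.group(0), m.start()))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            found.append(Finding("PCI", m.group(0), m.start()))
    for m in ROUTING_RE.finditer(text):
        if routing_ok(m.group(0)):
            found.append(Finding("BANK_ROUTING", m.group(0), m.start()))
    return sorted(found, key=lambda f: f.offset)


def redact(text: str, findings: List[Finding]) -> str:
    """Mask each finding, keeping only the last four characters for reconciliation."""
    out = text
    for f in sorted(findings, key=lambda f: f.offset, reverse=True):
        out = out[:f.offset] + f"[{f.kind} ****{f.value[-4:]}]" + out[f.offset + len(f.value):]
    return out


# Constructed sample: a forwarded, scanned onboarding packet after OCR into an email body.
SAMPLE_EMAIL = """From: hr@example.com
To: onboarding-all@example.com
Subject: FW: scanned new hire packet

Direct deposit: routing 110000000 account 000123456789
SSN on I-9: 123-45-6789
Corporate card for expenses: 4111 1111 1111 1111
Reference number (not a card): 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EMAIL):
        print(f"{f.kind:13} at {f.offset:4}: {f.value}")
    print(redact(SAMPLE_EMAIL, scan(SAMPLE_EMAIL)))
```

Run against the sample, the routing number, SSN and test card are reported and the 16-digit reference number is not, because it fails Luhn. The same structural checks are what a DLP rule in a mail gateway or a share-scanning job should apply; a bare digit-count regex produces enough false positives that people stop reading the report.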
Understanding vCISO services and why you need them
Recent question I got: What are the major changes you have seen from security auditors in recent years, and/or where do you see the audit process heading?
Quick response: At a high level, automation is and will continue to be used. The size of the IT service provider is NOT an indication of their capabilities or capacity. Many 60-person MSPs are grossly incompetent; some small teams of about 8 people are exceptionally skilled. The C-suite needs to drive it with the end in mind. The end is compliance attestation. Back into it from there and ONLY use a team which also has the technical capabilities to perform the remediations. Do not use vCISO services from one company and remediation services from another; you get too many cooks in the kitchen, and a disjointed and more expensive outcome is the likely result. The insurance companies are pushing the cost of the audit onto the insured or applicant. This will involve adopting tools and processes that connect with their assessment process, which is why it is crucial to work with a company like mine that has these workflows. Most don't.
In this podcast, I provide an overview of the role of executives, managers, internal IT, and the CISO in business risk management. Until all parties understand that this is not information security risk or cybersecurity risk but business risk that they are responsible for managing, the situation is not likely to improve. In order for business risk managers to make good risk decisions, they first have to engage and be involved. They cannot put their head in the sand and believe "It's an IT problem." No, it's not an IT problem. When the HVAC system is open to hacking by everyone on the planet because the facilities director refuses to collaborate with IT security on a solution that maintains business functionality while managing risk, that is a business risk issue.
If the facilities director REALLY believes that it is an IT problem, then IT needs to be given the authority to rectify the issues. And when the facilities director's access is interrupted, they will be forced to engage and collaborate at that time. But executive management needs to have the intestinal fortitude to enforce policy: a policy stating that IT does have that authority and that IT will not be retaliated against. That is one approach. The other approach is that the facilities director acknowledges that THEY are responsible for business risk management of the HVAC system. If the facilities director wants the right to complain when their access is revoked, then they cannot abdicate their responsibility and accountability for the security of the HVAC system.
What you must do in order to prepare for a breach
Breach attorney Spencer Pollock joins Felicia for a vigorous discussion of what you must do in order to be prepared for an incident or breach. Learn from the breach attorney's perspective. Spencer is with the well-known firm McDonald Hopkins.
Preparation:
Policies
Incident response plan
Tabletop exercises
Get the breach attorney involved before there is an incident
Determine your team in advance
What's new?
Regulatory enforcement
Multi-state class action lawsuits
Attorneys general getting together in a class action effort
Regulators DIG. They want to see your policies. You must demonstrate your administrative, physical, and technical controls. Attestation proof of state is mandatory. You had better be able to enable your breach attorney to tell a legally defensible story.
How many data breaches could have been avoided by properly encrypting the data? 90%.
Information Security, Cybersecurity, and Everyone’s Responsibility
What is information security versus cybersecurity? What are policies and why do we care? Isn't that IT's problem? Examples to learn from
Ripping apart cybersecurity insurance
Special guest: Vince Gremillion, President and Founder of Restech: CISSP, CvCISO, GCIH
Overview
A Travelers policy requires MFA on switches, and they require you to comply with the intent of that. A recent Cowbell application did not require MFA! What is required is contingent upon the coverage you are asking for.
Some suggestions:
Never fill out an application for a client, not even partially.
MSP communications to a client should be in a document, in a detailed format, digitally signed and locked against editing through that digital signature. I use Adobe EchoSign for that.
I address everything in a CRAQ format and then include for the client a spreadsheet which is a cross-reference. I will never answer any of those questions on the application directly, because I can tear holes in every single one of those questions. I reject many of those cybersecurity insurance application questions as yes or no; yes/no just does not fit. All the insurance carriers and underwriters have accepted my method, which I find to be the only defensible approach, since yes/no is inadequate and does not protect the insured/applicant or their MSP.
Future strategy
This is exactly why we need CISO platforms which have automatic data ingestion and transmission of the data to insurance carriers in a standardized, pre-scored format. Check out this podcast on the topic: https://qpcsecurity.podbean.com/e/ciso-workflows/
Business owners: You own the risk, and you decide what to do with it. If you did not vet the MSP or the vendor or their stack, that is ultimately your risk problem.
HUB International as a broker specifically tried to suggest to one of our clients that the MSP should be filling out the cybersecurity insurance application. I found working with HUB International to be very difficult. Marsh McLennan Agency https://www.marshmma.com/ was very good to work with, but they cater only to larger employers.
Gem from Vince: Compliance as a threat. If law firm A can no longer do business with customer B because they don't have compliance, that is a threat.
CISO Workflows
Frank Raimondi, VP of Channel Development at IGI Cyber Labs.
IGI CyberLabs has a product called Nodeware which does continuous vulnerability assessment.
PenLogic: regular penetration testing, a deep-dive heavy test once a quarter and a monthly light test.
CEO buyer's journey
Security velocity. Risk scoring is part of security velocity.
Improve your cyber-hygiene: all small businesses. Security 101 is inventory 101.
Cysurance: warranty and liability company.
It's good that insurance companies are trying to be more objective about the real risk metrics. Get the scoring and get the data about how risky they are. This feeds into the evaluation data which is used for underwriting.
FTC Safeguards policy impact.
Operational security issues: MSPs that post all their personnel information publicly.
The impact of customer contracts and compliance. The squeeze between cost and staying in business in terms of insurance and customer contract requirements.
Business Email Compromise
Ken Dwight is "The Virus Doctor", a business consultant and advisor to IT service providers and to internal IT at many businesses who have come to him for his training; he also has his own direct clients. Ken conducts a monthly community meeting for alumni. He provides a list of curated items of current interest for discussion and resources, and has a featured topic which often includes another speaker to provide breadth of perspective. He has been doing this community service for 83 months!
I asked Ken to cover with me some topics that, from his perspective, don't get talked about enough.

Business Email Compromise
Also known as CEO fraud: impersonating a CEO for purposes of wire fraud. We are focused on technological solutions, but there is no technological solution for eliminating BEC. CEOs must be part of the solution. Example: a subcontractor to Airbus, used to dealing with multi-million-dollar wire transfers. BEC is a large Fortune 500 issue, but it scales down to one-user environments. Title companies are a big target.
Retention policies and standards for WHERE to store what kinds of data ensure that email is not used as a file server, which would increase the amount of data compromised as part of a BEC. This is a perfect example of the beginning of an incident response plan or a tabletop exercise. Orgs must define the cost of compromise. That plan needs to be in place long before an incident; it makes recovery so much more straightforward.
Attackers analyze their victims in tiers. Potential victims: $10-$50mm revenue organizations. Big enough for reputational damage, but not big enough to have an adequate cybersecurity budget.
Shadow IT is a problem, which is why you must address it with a CFO-enforced procurement policy.
Proactive management of M365 tenant security configuration is critical. The security of your tenant is not included in the fee for Business Premium or the overall licensing. Consider how much activity there is: changes, products, services, vendors. Define the ideal stack, the layers, and the point solutions within that.
Revisit that after a period of time, such as a year. This is a nice resource for M365 security and BEC: https://www.blumira.com/office-365-security-issues

Direct advice from Ken
One topic I believe falls directly into this category is the issue of Business Email Compromise, as opposed to actual malware / hacking / ransomware attacks. As you know, the losses to BEC still represent a greater dollar value than ransomware, according to the FBI statistics. But BEC isn't even a technology problem, it's pure social engineering, and no additional layers of hardware or software "solutions" will prevent it or reduce the cost to its victims. In my opinion, that's why you hear so little on the subject from the cybersecurity vendors.
Another topic I find interesting, but haven't really heard any vendors or industry pundits talk about, is the whole new ecosystem and infrastructure produced by modern threat actors. The whole business model of these sophisticated criminals has created occupations, titles, and job descriptions that didn't exist a few years ago. Some of these are a result of the specialization, compartmentalization, and outsourcing by these organizations; here are a few that come to mind:
Breach attorney
Ransomware Negotiator
Initial Access Broker
Cloud Access Security Broker
Multiple "As-a-Service" offerings: Ransomware as a Service, Phishing as a Service, C2 as a Service
Another area that is mentioned fairly frequently, but typically fueled by more heat than light, and raised as a point of frustration by MSPs and IT Solution Providers in general, is the users who still believe they don't have to worry about cybersecurity, hackers, malware, or ransomware because they "don't have anything the criminals would want," or words to that effect. I believe those users need to comprehend how real and serious the threats are to their business.
By defining the multiple tiers of threat actors, the threat vectors they may employ, their potential victims, the assets owned and managed by those victims, and the attacker's strategy for monetizing those assets, I believe it becomes obvious that every organization and every individual is the intended target of some subset of those threat actors.
Visit this resource for help making the argument. Ken is working on some additional materials for end user cybersecurity awareness training. https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/
Vulnerability management with Felicia and Dan - Part 2
This episode of Breakfast Bytes is Part 2 of a series where Felicia King and Dan Moyer of QPC Security continue their conversation on vulnerability management. Listen to Part 1 at https://qpcsecurity.podbean.com/e/vulnerability-management-part-1/. In today's episode, Felicia and Dan discuss vulnerability management workflows, supply chain risk management, starting with security on the front end rather than retrofitting, and proper patch management.

Workflow management
01:10 CISO-related (Chief Information Security Officer) workflows are at the core of what is a necessity today, and they will only become more mandatory within the next couple of years. Organizations that do not have comprehensive vulnerability management workflows in place are going to find they have too much technical debt, deferred maintenance, or deferred security to be able to dig themselves out. This won't be from a lack of money, but from a lack of manpower and hours in the day to rectify the issue.

Supply chain risk management
02:43 SaaS vendors have vulnerabilities, and very few of them spell out in their contracts your rights and their obligations. What kind of questions should you be asking your SaaS vendors, given that in many cases you as an organization are responsible for the outcome? Here are just a few:
Do they have continuous vulnerability scanning going on with regard to their SaaS platform?
How are they classifying vulnerabilities?
How quickly are they going to resolve vulnerabilities?
How are they communicating these issues to you?
Do they use API security scanning?
How do they adhere to OWASP API standards and best practices?
What are they doing for you in terms of supply chain risk management or a software bill of materials?
Your organization's CISO or vCISO should be in your court getting answers to these questions if they are not being addressed by your SaaS vendor or in your contract.
Having a proactive, highly functional, highly communicative, and open, honest working relationship with your CISO will ensure you have the protections your organization needs.

Proper patch management
04:51 Let's walk through an example of patch management in an environment with Hyper-V hosts, Dell PowerEdge servers, domain controllers, business-critical SQL servers with essential business applications, virtual machines, remote sites, on-site and off-site backups, hardware at different speeds, and all the third-party software on those workloads. How do you patch all these things?
06:11 It is exceptionally important to note that some patches will step on or over each other; some must be put in place and rebooted first, and only then can other patches be applied on top. The time it takes to patch a server can be exacerbated by trying to accomplish, say, five patches in one change window rather than one patch/reboot followed by another patch/reboot, and so on.
07:48 Watching the servers reboot is an important piece of verifying that the workload comes back up, reiterating the point made in Part 1 of this series that adequate patch management of an entire server cannot be done for $50/month.

Domain controllers
09:19 There tend to be multiple domain controllers or, in the case of just one, it has been designed so that it can reboot whenever it needs to in order to allow for patching. The domain controller is the brain of everything, and since it can reboot whenever needed to apply patches, it can be patched while staying available for everything else when it comes back up. Typically we start with domain controllers as the first thing patched and verified. If there are multiple, and depending on how critical the environment is, a rolling patch might be done so that secondary domain controllers, or the ones not on the best hardware, are patched first and then sit for a period.
Backup plans and backstops
11:29 Part of that patching methodology is your backup plans and backstops: having the tools and everything else in place to uninstall a patch if needed. When we set up our servers, we always have Command Prompt and PowerShell already queued up on those devices when we log in. Then we have pre-planned scripts available that we can adjust as we go; most importantly, all the tools are there and available.

Importance of roles on servers
12:25 Part of your ability to have resiliency in the environment is the ability to reboot whenever you need to, because you have redundancy and resiliency. Because it is a single-role server, it gives you the agility to resolve and prevent issues. Therefore, workload design is the name of the game. Whatever you think the cost of that additional virtual machine is, it is nothing compared to the problems you cannot solve because you tried to shove a bunch of mismatched workloads together. Many patch managers are not comprehensive, and there is a lack of consistency in what is getting patched on a well-designed domain controller versus a third-party application server.

Physical servers
16:09 Watching a virtual machine reboot while maintaining efficiency and not biting off more than one can chew is crucial, but we are also finding it increasingly important to watch the physical servers, and that is only possible with the right hardware. How are you auditing and confirming which patches have been applied and which have not? At QPC Security, we bring all the virtual machines down and reboot the host as a prerequisite for patching, because it gives you a clean slate to start your patches. Then we use the patching methodology to push specific patches down to it.
We use our patching tooling to push specific patches because not everything is needed for hosts, and we have identified other pieces that will cause an issue, are a multi-patch, or are a multi-patch/multi-reboot process. Take one step at a time: pull it down, apply patches, make sure everything comes up happy, then go through that entire process again. While connected to iDRAC, we watch the server reboot, apply patches, and come back up; we make sure all the VMs are checking in properly and everything is available; then we go through that process two to three times. It depends on how many patches are available and what got pushed out.

Everything has patches
20:39 If you have a hypervisor that is not giving you patches, you should not be using it. Likewise, if there is no product improvement, there is no security management from that vendor. There is no easy button or set-it-and-forget-it.
21:42 When IT is not confident in how a process is going to work, they do not want to touch it, and that is exactly where a vulnerability arises. Say a consultant installs Cisco, but without a brand expert or a budget to keep the consultant on to maintain it, it remains unpatched and therefore vulnerable. That is precisely why organizations need to have a business continuity and disaster recovery (BCDR) plan in place and a procurement policy that drives effective vulnerability management.

Incremental patching
25:26 When people are too afraid to patch the hardware, it does not get patched, which accumulates over time as technical debt and the technical issues that come with it. Attempting to apply too many patches at once or jump too many versions results in the reboot cycle of death or a very time-consuming reboot, because you are not running a vetted, tested, and supported configuration. The more time and versions you allow to pass between patches, the more those updates diverge from the manufacturer's tested configuration.
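To make the sequencing in this section concrete, here is an added example (not QPC Security's patching tooling) that turns a machine inventory and a per-role baseline into a one-patch-per-reboot plan in the order described: hypervisor host first, then domain controllers, then the data tier, then application servers. Firmware is stepped through each vendor-supported version instead of jumping, and a post-run re-inventory confirms what actually landed rather than trusting the patch tool's success status. The inventory, baseline, firmware path table and re-inventory are all constructed; hostnames and update IDs are hypothetical.

```python
"""One-patch-per-reboot plan and post-run audit for a small Hyper-V estate.
Added example for this page, not QPC Security's patching tooling. Hostnames,
update IDs, the role baseline and the firmware path table are constructed.
"""
from typing import Dict, List, Set, Tuple

Inventory = Dict[str, Tuple[str, Set[str]]]   # host -> (role, installed update IDs)

# Constructed inventory, as a patch manager or Get-HotFix/firmware export might report it.
INVENTORY: Inventory = {
    "HV01": ("hypervisor", {"BIOS-2.15", "iDRAC-7.00", "KB5031"}),
    "DC01": ("domain-controller", {"KB5031", "KB5040"}),
    "DC02": ("domain-controller", {"KB5031"}),
    "SQL01": ("sql", {"KB5031", "SQL-CU22"}),
    "APP01": ("app", {"KB5031", "7zip-23.01"}),
}

# Constructed baseline: what each role must have installed.
BASELINE: Dict[str, Set[str]] = {
    "hypervisor": {"BIOS-2.19", "iDRAC-7.00", "KB5040"},
    "domain-controller": {"KB5031", "KB5040"},
    "sql": {"KB5031", "KB5040", "SQL-CU23"},
    "app": {"KB5031", "KB5040", "7zip-23.01"},
}

# Constructed vendor-supported firmware sequence: every hop is its own flash and
# reboot; skipping hops is an untested configuration.
FIRMWARE_PATHS = {"BIOS": ["2.12", "2.15", "2.17", "2.19"], "iDRAC": ["6.10", "7.00"]}

# Host first (VMs down, clean reboot), then DCs so auth and DNS are back before
# anything that depends on them, then the data tier, then the application tier.
ROLE_ORDER = ["hypervisor", "domain-controller", "sql", "app"]


def split_id(uid: str) -> Tuple[str, str]:
    """'BIOS-2.15' -> ('BIOS', '2.15'); 'KB5040' -> ('KB5040', '')."""
    name, sep, ver = uid.rpartition("-")
    return (name, ver) if sep else (uid, "")


def installed_version(name: str, installed: Set[str]) -> str:
    return next((v for n, v in map(split_id, installed) if n == name), "")


def upgrade_steps(installed: Set[str], required: str) -> List[str]:
    """Expand a required update into the ordered hops from the installed level."""
    name, target = split_id(required)
    if name not in FIRMWARE_PATHS:
        return [required]                       # OS/app patch: a single step
    path = FIRMWARE_PATHS[name]
    current = installed_version(name, installed)
    if current not in path:
        raise ValueError(f"{name} level unknown; inventory the host before patching")
    return [f"{name}-{v}" for v in path[path.index(current) + 1: path.index(target) + 1]]


def missing_patches(inventory: Inventory, baseline) -> Dict[str, List[str]]:
    """host -> sorted required updates the host does not report as installed."""
    return {host: sorted(baseline[role] - installed)
            for host, (role, installed) in inventory.items()}


def patch_plan(inventory: Inventory, baseline, role_order=ROLE_ORDER) -> List[Tuple[str, str]]:
    """(host, update) steps, one reboot-and-verify per step, in role order."""
    plan = []
    for role in role_order:
        for host in sorted(h for h, (r, _) in inventory.items() if r == role):
            installed = inventory[host][1]
            for req in missing_patches({host: inventory[host]}, baseline)[host]:
                plan.extend((host, step) for step in upgrade_steps(installed, req))
    return plan


def satisfied(step: str, installed: Set[str]) -> bool:
    """True if the step's update, or a later firmware level on its path, is present."""
    if step in installed:
        return True
    name, ver = split_id(step)
    if name not in FIRMWARE_PATHS:
        return False
    path = FIRMWARE_PATHS[name]
    have = installed_version(name, installed)
    return have in path and path.index(have) >= path.index(ver)


def verify_plan(plan: List[Tuple[str, str]], post_inventory: Inventory) -> List[Tuple[str, str]]:
    """Steps a fresh re-inventory does not confirm; do not trust the tool's 'success'."""
    return [(h, s) for h, s in plan if not satisfied(s, post_inventory[h][1])]


# Constructed re-inventory after the run: SQL01's cumulative update did not land.
POST_RUN: Inventory = {
    "HV01": ("hypervisor", {"BIOS-2.19", "iDRAC-7.00", "KB5031", "KB5040"}),
    "DC01": ("domain-controller", {"KB5031", "KB5040"}),
    "DC02": ("domain-controller", {"KB5031", "KB5040"}),
    "SQL01": ("sql", {"KB5031", "KB5040", "SQL-CU22"}),
    "APP01": ("app", {"KB5031", "KB5040", "7zip-23.01"}),
}

if __name__ == "__main__":
    for host, step in patch_plan(INVENTORY, BASELINE):
        print(f"{host}: apply {step}, reboot, verify")
    print("unconfirmed:", verify_plan(patch_plan(INVENTORY, BASELINE), POST_RUN))
```

Two design points match the discussion above: a host whose firmware level is not in the inventory raises instead of being flashed blind (inventory before patching), and the audit compares against what the machines report after the run, so the one update that silently failed on SQL01 is the only item left on the list.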
Buying the right hardware to begin with saves you money down the line 33:20 A crucial piece to vulnerability management in your workstations is BIOS, drivers, firmware. If you buy the right hardware to begin with that has the automation engine built into it and when you deploy it you are configuring it accordingly, it becomes far less expensive than paying a human being to manually babysit your vulnerability management. Not all workloads are created equal 34:59 A word of caution when an IT service provider quotes patch management for your organization. When it comes to patching business line apps that need high uptimes because it costs a business thousands of dollars per hour to be down, what patches does the ITSP apply and with what preparation for back out plan? In many cases, an ITSP is giving a client the perception of patch management, certainly not vulnerability management, but in reality they are simply doing a Windows update and only some third-party patching, which might only be five third party applications. At QPC Security, our catalog of patches of over 9500 software titles that we are patching and there is no automation. Visit https://www.ivanti.com/partners/ivanti-software-catalog to learn more about the normalization of software titles. Cybersecurity insurance applications require continuous vulnerability assessment and vulnerability management. However, most IT service providers do not offer comprehensive patch management. Their vulnerability management claims are grossly misrepresented to the point of malfeasance. Vendor documentation & software bill of materials 37:43 You cannot keep your head in the sand – all these things must be considered when receiving a quote from an IT service provider. In cases when the software vendor is not offering competent documentation, your organization must rely on the legwork of your IT service provider to offer timely patches at opportune times. 
Do not forget that many ITSPs will charge you to run patches on the weekend or evenings when there will be minimal impact to your business. "Titrics" 43:02 Your ITSP should have vetted and tested procedures and protocols for implementing patches, yet all too many do not. So many times, we see the priority of IT companies are how quickly they can close a ticket and rely on the software companies to do it for them. This focus on first-call closures and ticket metrics (termed here as “titrics”) is grossly underserving their clients and their clients’ organizations. Proper documentation allows for better time management and to offer effective support to best serve the needs of the clients without requiring the assistance of the third-party software vendor. 47:05 Gaps in change management, change control, and documentation for server workloads arise when an ITSP is focused on ticket-based productivity rather than quality of service. The original scope of the project by the ITSP requires evaluation from someone who can accurately evaluate the needs of the client’s organization. When the bid is too low, the needs of the client are not going to be met, the work will not be completed, and the organization is left vulnerable. 50:03 Unfortunately, an incompetent ITSP will leave out what services they had to cut out on the race to the bottom of the pricing model and that leaves it up to you, as the business owner, to be aware of your organization’s cybersecurity insurance policy requirements and how they are being fulfilled. Questions? Reach out to us QPC Security proudly serves businesses with virtual CISO services for our clients. If you are interested in learning more about how QPC Security can serve the needs of your organization please visit https://www.qpcsecurity.com/ or call one of our experts directly on (262) 553-6510. Stay up to date on the most recent episode of Breakfast Bytes by following the podcast on Podbean at https://qpcsecurity.podbean.com/. 
Learn more: https://www.complianceforge.com/faq/word-crimes/policy-vs-standard-vs-control-vs-procedure
File integrity checks (hashing) versus communications or data encryption
We have seen some really goofy cybersecurity insurance application questions. It is always best not to answer a goofy question directly, but instead to write an addendum that defines terms and explains the organization's cybersecurity posture related to the topic. You need to try to figure out what the insurance company was trying to evaluate rather than just answering their questions, because their questions are frequently not suitable for yes/no answers. Greg Cloon joins me to discuss this topic. We also touch on when you would use file hash integrity checking, when to use disk encryption, and when to use encryption for communications. Here's a link to IISCrypto: https://www.nartac.com/Products/IISCrypto/
Vulnerability management that every business decision maker needs to know about - Part 1
Felicia King and Dan Moyer of QPC Security talk about vulnerability management, patch management, and all the things that business owners generally do not understand adequately. As a result, you are being underserved, misled, and in some cases lied to and ripped off. Ultimately, many business owners refuse to pay for what they need for adequate risk management because they do not understand what they need. In today's episode Felicia and Dan fill that gap.

Announced on October 6, 2021, the US Department of Justice Civil Cyber-Fraud Initiative is applying the False Claims Act to those who:
- fail to follow required cybersecurity standards
- knowingly provide deficient cybersecurity products or services
- misrepresent their cybersecurity practices or protocols
- violate obligations to monitor and report cybersecurity incidents and breaches

Just let that sink in for a second. So, is your IT service provider really meeting that standard? I sincerely doubt it.

01:23 The difference between vulnerability management and patch management
Holistic vulnerability management includes, but is certainly not limited to:
- Software bill of materials analysis
- Supply chain risk management
- Third-party risk management
- End-of-life software
- Asset inventory kept up to date
- Lifecycle management
- Continuous vulnerability assessment
- Frequent penetration tests
- Tabletop exercises
- Procurement policy

04:38 Cybersecurity insurance applications aren't asking JUST about patch management
When did you have your last penetration test? Do you have continuous vulnerability assessment in place? How long are you going to go without having the patches applied in the environment? If you think adequate patch management can be done for $50/mo/server, you are hallucinating. So, what's included in patch and vulnerability management?

05:34 Patch management
Patches are the building blocks that improve the software that lives on the hardware. Without software, you cannot interact with the piece of hardware unless it is purely mechanical, and even then there are still improvements in usage. How do you manage and protect those tools of your business from threat actors?

09:20 Third-party patches & vulnerabilities
IT service provider proposals tell business owners that they can patch their servers and endpoints and automate Windows updates and some third-party patches. What are those third-party applications? What about all your custom business line applications? Do you actually want your critical SQL Server to have its SQL instance updated using automation? How much money does it cost you if that workload is down?

10:27 Asset management
Do you know what you have in your environment? Do you have accurate asset management and vulnerability assessments? Simply stated: "You can't secure what you don't have an accurate inventory for." It is a regulatory requirement and a cybersecurity insurance requirement to adequately document and understand software dependencies in your environment. That requires a proper inventory of your hardware, software, and subcomponents of the software. This is frequently referred to as an SBOM (software bill of materials). And if you think your software vendor is going to provide that information, please go ask them for it. You will probably get a blank stare. IS security engineers can figure it out on their own.

18:48 Implementing proper procurement policies
Does your procurement policy support your vulnerability management strategy? Does your software acquisition and implementation policy (if you even have one) support your cybersecurity insurance and regulatory requirements? When business decision makers put pressure on an IT service provider or internal IT to implement new software without proper security protocols, vetting, and process documentation, vulnerabilities are nearly always introduced into your environment. Sometimes that comes directly from the vendor's insecure software. Sometimes it comes from the tools and connectivity they use to remote into your systems, or things like API connectors that your IT is supposed to blindly trust the software vendor to secure, with zero validation or proof. A proper CISO on your team or through your ITSP will be able to directly vet the vendor and the software itself. You are required by cybersecurity insurance and Federal regulatory guidance to do so. It is also in your business's best interest to do so. Be very careful about looking for just certifications from someone who says they are a CISO. The majority of CISOs do not have technical chops. They are often compliance managers who cannot do the technical work. Those people have limited usefulness and will not be able to

All of the vCISOs at QPC are hardcore technical, because we understand that this skillset is a mandatory requirement to deliver effective CISO services.

20:24 Privileged access management and privileged password management
How do you know who has remote access to your systems? How many people will have access to your systems? Today, many IT service providers are not disclosing their outsourced help desks, which give full administrative-level access to a customer's back end to all the workers at the virtual live help desk. Most ITSPs also fail to disclose the total number of people who will end up with admin access to some or all of your systems. Ask yourself: if you have 25 office personnel, why would it take 30 remote people with admin access to your systems to provide competent support? Do you think it is actually possible to have a high-security environment and magically keep 30 people fully up to speed on the exact correct configurations required in your environment and what the interaction effects are? It is not possible and will never happen.

24:27 A procurement policy can keep a business's IT costs stable
The number one thing that business owners complain about is the cost of maintenance. With a procurement policy in place, and by working with their IT service provider before procuring anything they do not fully understand the total cost of ownership for, costs can be managed. Does your procurement policy support your business strategy and needs?

34:22 Understanding the cost and time of device and software procurement
There are also many other risks that the vast majority of people do not think about; they tend to think only about budgetary risk. However, getting strategic input from a CISO or CIO to develop an understanding of the minimum pricing floor and how that affects the total cost of ownership can save a business not only money but time. SaaS can get you closer to a flat-rate cost, but you may inherit additional risk and vulnerabilities depending on how the new technology interconnects with your systems. Additional risk factors are:
- counterparty risk
- structural increase in cost of doing business risk
- accessibility risk (redundant access is then required and cannot be fully mitigated)
- external software vendor attack vector risk that cannot be mitigated through Layer 3 ACLs
- takedown/contract risk

37:33 Cloud vs on-prem security
It is still a fallacy that having your systems in the cloud is better and cheaper; people incorrectly think they can have as good security in the cloud as they can on premise. Going to SaaS can provide a lower and more predictable TCO if the counterparty risk you accept is worth it. But picking up your servers and hosting them on someone else's infrastructure will never be less expensive. IaaS cost savings are a fallacy for the majority of businesses, the exception being massive companies with heavy DevOps needs for spinning workloads up and down quickly. Most of those are being migrated to Kubernetes and OpenShift.

46:48 IT/IS is not a utility
The electricity company, the water utility, garbage pickup, fire and safety, the ISP: they are monopolies and uni-taskers, whereas IT is far more complex. People tend to think that if it is a utility it is a commodity, and if it is a commodity it does not matter which service provider they choose. Business decision makers are trying to manage budget risk without understanding their requirements. They also want budgetary control while abdicating their involvement once they outsource their IT to an ITSP. An IT service provider can be a partner to success and can help businesses develop better business strategies IF there is regular and open communication.

This is part 1 of a 2-part series on vulnerability management. Listen to Part 2 at https://qpcsecurity.podbean.com/e/vulnerability-management-with-felicia-and-dan-part-2. To learn more about QPC Security, visit us at https://www.qpcsecurity.com/
This is another resource for vulnerability management information: https://land.fortmesa.com/vulnerability-management-101
Signs of insufficient networking knowledge
Scenario 1
Phone VLAN on a switch, cross-connected into a Firebox, with desk phones, PCs, and printers in the environment. Questions we actually got: On Monday, we send over the list of which switch ports are for printers, which are for PCs, and which are for desk phones. The technician says that two of the three phones are not working. We use our awesome switches to find out exactly where these other phones were plugged in. The phones were plugged into the wrong switch ports. Move the desk phones, and the phones work. Then later, the technician runs a test for the VoIP service from a PC on the PC VLAN, not from a PC connected to the phone VLAN. So the test for the VoIP service fails. Security zone profiles exist. It is not acceptable to have an allow-everything network security posture. The configurations needed to support desk phones are completely different from those required to support domain-joined Windows computer assets.

Some ITSPs have to pay for expensive add-ons like Auvik to try to compensate for the fact that they have inadequate switching equipment with inadequate design and a sprawl that they have to inventory and keep track of. TCO comes from how much time it takes to maintain, manage, troubleshoot, and perform adds/moves/deletes/upgrades. If I have to physically go to a site to chase some cabling, something is really wrong.

The technician in this scenario also could not believe we wanted two network cables between the switch and the core router. They are not the only one. I encountered this lack of vision or understanding in another client's IT director earlier in the year. If you don't know why you would have two network cables between a switch and a core router, go figure that out.

Scenario 2
Phone system with desk phones. Each desk phone has its own network cable, which is good. The phone subnet should be a separate VLAN, but the ITSP chose to separate the phones using physically separate switching equipment. That is something I would never do. Commentary provided by the ITSP: "I don't like VLANs. I would rather set up a network with physical segmentation." This results in:
- Loss of visibility
- Loss of network resiliency
- More expense, because you have more switches to babysit and troubleshoot

So if you have 20 or 40 VLANs, does that mean you are going to have 20 or 40 physical switches? If you don't have 20 VLANs, then what network security do you really have? How do you present virtual servers on the proper microsegmented security zone when you cannot transmit tagged packets?

Let's just talk minimum VLANs that we typically see here:
- SwitchOOBM
- ServerOOBM
- SwitchMgmt
- WAPMgmt
- Phone
- Surveillance
- CorpWired
- CorpWireless
- GuestWireless
- HVAC
- ElecMon
- Chromebooks
- CaptivePortal
- Tier0 DCs
- AppGroup1
- AppGroup2
- DeprecatedApps
- Printer
- Storage
- IAM
- RMM

Clearly anything over two becomes ridiculous to do with physically separate switch equipment. The days of this paradigm or strategy are long gone, since cybersecurity compliance requires microsegmentation. Network security strategies and technical controls are some of the most effective primary and compensating controls for the cybersecurity posture of all protected assets, regardless of type.
About Password Managers
More than 80% of breaches occur due to credential theft. All organizations have compliance requirements to have org-owned password management systems and MFA enforcement on accounts used by employees and contractors. Some other needs which must be met are:
- Compliance attestation documentation
- Proper use of the best MFA method on a per-resource basis
- Aligning business continuity objectives with cybersecurity objectives
- Developing procedures for staff on how to use the company password manager system properly
- Aligning procedures with information security policy
- Developing/enhancing information security policy
- End user awareness training around credentials, MFA, password management and more

I wrote a 16-page educational guide for clients to help them understand the complexities and challenges of password manager solutions and why this is not an easy-button project. This podcast is a supplement to that whitepaper. See the following supporting podcasts for additional information.
https://qpcsecurity.podbean.com/e/requirements-for-premise-hosted-assets-cybersecurity-bcdr-and-more/
https://qpcsecurity.podbean.com/e/how-to-achieve-compliance-for-privileged-account-management/
https://qpcsecurity.podbean.com/e/avoid-cybersecurity-insurance-fraud/

Why buy from QPC
QPC provides managed clients with staff onboarding and training documentation. As we update the documentation with new procedures or enhancements, we publish the new versions of the documents to the client's IT Training SharePoint library. We also make them available through the QPC Security portal, which all M365 users have access to.

QPC creates and maintains workflows for cybersecurity insurance and compliance attestation for managed clients. Compliance attestation, and the maintenance of the reports and workflows to produce it, are mandatory for cybersecurity insurance and some Federal or State regulatory compliance. As supply chain and vendor risk management becomes more prevalent, organizations will need to provide proof of these items to customers or prospective customers as part of contractual due diligence. Organizations can scramble to compile these items on their own. Managed clients benefit from QPC's compliance preparedness.

- Access to QPC's password manager import/export/business continuity procedures. Our expertise in password manager conversions reduces friction in staff adoption of the system.
- Support customized to the client's unique needs
- Strategic guidance on how to best use the tool to meet the staff's needs while being in compliance and alignment with HR, information security, and company use-of-technology policies
- Advanced security implementation services
- Reduced implementation time compared to implementation by the client's in-house IT
- Compliance attestation for cybersecurity insurance
- HR policies which support use of the solution; employee use policies
- QPC-provided password security policy
- Training for end users on how to set up which kind of MFA
- QPC has systems for shared MFA even when OTP is not an option for a resource client staff are accessing.
- Managed clients benefit from QPC's existing R&D investment as well as ongoing enhancements of managed functionality. There is no data loss or business continuity risk in doing so. At any point a client who wishes to separate from QPC can do so. This is covered in the separation area of this document.
- QPC has a strong relationship with the software vendor, where the feature requests we submit are typically integrated in the product within three months. We submit feature requests for functionality for managed clients.
- QPC includes additional compliance modules in the subscription which are not part of the standard direct subscription. Keep this in mind when doing price comparisons.
- QPC can co-term licensing for user additions
- Direct software vendor support is not designed to be anything other than break/fix
- Quicker response time than direct software vendor support
- QPC is able to provide enterprise-level support for the product, whereas a direct customer would need a $25,000 per year support contract in order to receive a similar level of support direct from the software vendor.
- QPC can be the compliance delegated admin for clients where desired. If not desired, then the client must assign and fully train the compliance manager delegated admin. Responsibilities and recurring tasks must be assigned to that person.
- QPC works with managed clients to define staff user roles and assign security policies to them. Some employees should not be accessing the password vaults unless they are on company-owned and secured systems. We define allowed platforms and security baselines, restrict data exfiltration, and more.
- QPC can implement additional technical controls to prevent employees from storing passwords where they should not be stored, such as browsers. We strongly recommend technical controls and ongoing cybersecurity awareness training, backed by employee policies, that reduce the opportunity for storing passwords related to company assets in an unapproved manner.
- QPC can provide a separate end user support system for clients, where they are able to contact the password manager support via email, chat, and phone. This service is not available for direct purchasers. Direct support includes only Level 1 help desk for basic user configuration or end-user issues, at a quantity of 25 per year. Free online documentation and videos are included, of course. Onboarding, new employee training, and configuration management support are not available for direct accounts.

Business continuity
Not only should all organization- or company-related credentials be stored in a company-approved password management system, but at least two individuals in every department should have modify access to any shared credentials. Password management systems which meet the security requirements and are cloud-based tend to have zero trust storage methods. Zero trust storage is a very important concept. It means that if a second person was not granted access to that data, it may become irretrievable. It also means that unauthorized parties cannot see your passwords or the content you store with them. That includes your service provider and the password management system hosting provider.

Business continuity also comes from techniques. For example, individuals who share a job function should always have their own unique logins and MFA into a system where possible. That is the dual-admin approach. Great examples are Constant Contact, bank websites, your company UPS account, marketing automation platforms, etc. Multiple people may be sharing a job function, but each person should have their own login IDs where possible. In cases where a website or resource does not allow individual credentials for multiple individuals, the use of a password manager application with shared MFA allows the staff sharing a business function to have secure access to the same credential with MFA enforcement on the resource. This is a critical feature for security and risk mitigation.

Separation from IT service provider
In the case that the client wishes to separate from QPC, they are able to convert to a direct paid account or migrate their licensing to another IT service provider. No data loss will occur as long as proper offboarding procedures are followed. The procedure is quite simple. First, one must pay for separate licensing. Second, the master administrator account, which is like a glass-break recovery account, must be transferred to the new designated personnel. This is very easy to do, since QPC's standard business continuity protocol for configuration of a managed tenant involves the inclusion of this glass-break or master recovery account.
Requirements for premise hosted assets; cybersecurity, BCDR, and more
You should not put things in the cloud unless you can secure them there at least as well as a highly competent professional would have if they had that asset on premise. Cloud hosted assets have additional risks:
- Counterparty risk
- Additional outage and accessibility risk
- You have less control
- You have less security over human or governmental access to your content
- Zero 4th Amendment protections over that data. It is fully subject to FISA searches that the provider is required to never tell you about.

Also do NOT get sucked into the scam that cloud hosting servers is more secure than if you did them on premise, or somehow more cost effective. That is sheer lunacy. SaaS can be more cost effective and more secure. Look at Office 365 as an example. That is clearly more secure, more cost effective, and more value than a premise Exchange server. SalesForce could be better for you than running your own CRM, but then you are also fully open to their crazy policies, which could rip the rug out from under one of your most business-critical systems. There is no one right answer 100% of the time. Context and the artistry of security strategy are exceedingly important. This show is about these things as well as what you must have in place to have premise-hosted secure assets. I describe a Tier0 asset scenario in specific and what can easily undermine it.

Premise hosted password managers
It is worth noting that extremely high-functionality privileged access management and identity management systems are available in a premise-hosted format with a perpetual licensing model and very low annual software maintenance fees. These systems are exceptionally valuable to IT departments, and QPC has extensive experience in these platforms. They are an exceptional value to IT management functions and IT departments. However, most organizations, even those with full-time IT departments, will not meet the requirements for self-hosting. Why? In order for a self-hosted password management system to be successful, it relies upon many factors which must be in place and be fully executed with extremely high levels of skill and security. This level of skill is outside the technical skill level of nearly all IT departments of companies with fewer than 5000 employees. If the requirements are not fully met continually for the life of use of the platform, the platform and its contents are likely to be compromised. A compromise could consist of the data exfiltration of the entire password vault database, which would be catastrophic to the organization.

Baseline requirements for premise password managers
- Extremely tight supply chain risk network layer security rules and management
- Ability to do offline upgrades for all software and systems involved
- Extremely adept underlying server, network, and power infrastructure management
- Rapid patch management within 48 hours or less
- Always-on scanning for vulnerability assessment backed by active monitoring and remediation
- Active monitoring
- Multiple first-line backups per day with multiple encrypted offsite backups per day
- Two physically disparate sites with significant server, network, and power infrastructure with automatic backup generator service and redundant internet
- Proficiency at managing SQL Server replication over WAN links in an active/active SQL Server configuration
- Proficiency at maintaining active/active application server configurations and automatic failover network configurations
- Absolute rigorous discipline to adhere to documented standards for vault creation, password management system administration, application updates, database system updates, OS updates, third-party app updates, and network layer security management across the entire internal and site-to-site connected networks. Any laxity in the discipline of the IT personnel managing the system will cause it to fail to deliver the security profile required for critical assets.
- Minimum of two servers involved, with the addition of more servers if internet-facing roles such as mobile access are desired
- IT personnel's ability to implement and maintain complex privileged access management systems
- Regular security compliance and audit report reviews. This will require a CISO and/or compliance officer with significant technical skill.
Virtual Patching, Telecom Fraud, Running VM Server on NAS
I got a request to post this podcast from 12/1/2018 to podbean. Here it is.
Video management system appliance analysis
Originally aired: 11/1/2018. I had a request to post this older podcast to Podbean, so here it is. VMS Appliance cost analysis between the "appliance" version and the "you get a real server" version. https://qualityplusconsulting.com/BBytes/QPCAnalysisOnAxisVideoRecorderServer.pdf
Why real server hardware is usually the most cost-effective option
I got a request to publish a podcast I did a few years back on Podbean, so here it is. Originally this was from 10/19/2018. Usually there is no substitute for real server hardware. Attempts to pay less for server hardware almost always end up costing you more in the long run. Windows 10 as of Build 1809 (10/2/2018) has an IPv6 requirement. There are a bunch of problems with that. We cover the option of running an ACS Appliance instead of building your own ACS VMS using a real server. We will go into more detail about this in part 2. You must include the cost of labor over the life of the hardware as a consideration if you are going to come up with a viable cost comparison between solutions. We briefly touch on the option of running a VM on a Synology NAS. More about this on a later show. VMS Appliance cost analysis between the "appliance" version and the "you get a real server" version: https://qualityplusconsulting.com/BBytes/QPCAnalysisOnAxisVideoRecorderServer.pdf
Resources for job candidates in cybersecurity - What you need to do to be employable
Overview
Listen to the podcast, or the list of these resources may not make sense to you. You cannot secure what you cannot engineer, implement, maintain, and support. Security was always infused into IT if you did IT correctly. I know. I've been doing IT since 1993 and was programming in third grade. Security was ALWAYS part of a proper strategy. I'm always trying to add to the team. But I find that a lot of people are just wholly unqualified to do baseline prerequisites. They get misled and sold on the idea of getting a degree in IT/IS/Cybersecurity. Unless you have mastered the items on this list, it won't matter what degree you have.
Here are some other helpful articles.
https://www.qpcsecurity.com/careers/
https://www.qpcsecurity.com/careers/cybersecurity-career-resources/
Right-sized software
Amazing interview with Colin Ruskin, CEO of WorkOptima, on the topic of right-sized software. Colin has an incredible talent for distilling the truth of something into a catchy and memorable tagline using spot-on metaphors. Some highlights:
- Can I actually use the software and benefit from it?
- Floors versus software that grows with you
- All features all the time, but license it per user
- Enterprise drama and the enterprise mindset, which is not really trying to sell to the SMB market and is really trying to break into the SMB market because they ran out of customers in the enterprise market.
- How to evaluate software: what do you need to do in order to make it work for your transaction?
- Far too few product managers are on sales calls interacting directly with customers.
- Every software company is behind on features the customers are asking for. Iceberg situation: millions of lines of code that no one sees and does not appreciate. You need to really be on top of it and prioritize fixing the items below the water in addition to the above-the-water items, which are the features the customers want.
- A lot of companies have acquired software companies. They have failed to keep the software developers. They have lost the knowledge base about how this thing does what it does. Huge resistance to changing or updating the code.
- What is this vendor's real story? Who is this vendor actually focused on taking care of?
- Exit strategy from software. Who owns the data and how are you getting it out? When you say goodbye, how are you going to get out of that system? Will you ever want this thing 20 years in the future? Who really OWNS the content?
- Are they in it for the long game or are they in it for the transaction? They are very focused on the stock market and the revenue recognition model. They are so focused on stock price manipulation. They have completely lost track of and lost focus on the actual goal.
- Try to understand the company and management that is behind the product.
4/27/2022
How to achieve compliance for privileged account management
Cybersecurity insurance requires MFA for all internal and external administrative access. How do you accomplish this? Examples of things you might access:
- switches
- firewalls
- servers
- printers
- workstations
- DNS hosting
- website hosting
- cloud management portals
- NAS
- BCDR appliances
There are many ways to solve this problem, and they are all too long to post about here, so this is what this podcast is about.
- Passwordstate remote integrated proxy authentication
- tiered access control
- compensating controls as an alternative to MFA
- access portals with MFA
- privileged admin workstations
- account logon restrictions
- hardened network access control restrictions (microsegmentation strategies)
- more
https://www.clickstudios.com.au/remotesitelocations/default.aspx
API Security and external vulnerability scanning
API Security is going to be the thing you need to be paying attention to in the next two years. Partner with an information security officer like QPC Security to get an internal and external vulnerability scanning plan in place for your organization. A lot of vulnerability management is not possible to do with tools. It takes experience and expertise that comes from 29 years of hard work. A great API scanner: https://www.wallarm.com/
RMM security topics/tactics
Either fund your IT security or decide to go out of business. Companies have some hard decisions to make. They are either going to continue to be in business and allocate budget to correcting gaps, or they are going to go out of business because they will find themselves uninsurable or unable to come up with the funds to rectify all their security gaps in the required allotted time.
Reviewing your last cybersecurity insurance application: My latest offer is to review your last completed cybersecurity insurance application. The offer is only open to business owners directly or the executive management team of an organization who would be a good fit to be a client of ours. https://qpcsecurity.com
The truth about smart cities: https://www.theguardian.com/cities/2014/dec/17/truth-smart-city-destroy-democracy-urban-thinkers-buzzphrase
There is an updated FAQ for the CAN-SPAM Act: https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business
Working with a Breach Coach/Attorney - A Primer
Cyberlaw podcast
- What needs to be pre-documented for the breach attorney to be effective? And in what format?
- What to do to protect yourself from outrageous fees?
- What to do in order to get proper service from a breach attorney?
- What are the advantages of having a pre-established relationship with a breach attorney?
- What positive outcomes arise from having pre-breach meetings with a breach attorney?
3/24/2022
Spencer Pollock – Cybersecurity breach attorney
Felicia King – QPC Security, Security Architect and Information Security Officer
What needs to be pre-documented for the breach attorney to be effective? Cybersecurity posture of the organization. Compliance/legal and the technical/security. Security: identify the gaps and procedures.
And in what format? Data is everywhere. Clients that have an IRP, data map and have a list. Customers and data breach classification, impact / no impact.
What to do to protect yourself from outrageous fees? The more times you have to engage a breach coach in advance, the better off you are. The more time you bake people into your team, the less time is spent on the phone when an issue occurs. This means it is less expensive and your organizational response is faster. This is why it is critical to get the breach attorney written into the policy.
When to get the breach attorney written into the policy? The business owner needs to be driving the breach attorney selection during the insurance application period. Insurance policy, Beazley example. You should do a retainer with them. Retainer: you get the benefit of cell phone, breach line. Preparation meetings are going to be paid out of pocket. Prebreach stuff is a separate engagement, and it will usually be a lower fee.
Avoiding real estate theft, deed theft, and related scams
Check out dark patterns for scam awareness. https://www.darkpatterns.org/
- Avoid the new movers mailing list
- Avoid putting real estate in your personal name
- Use a service like Abine DeleteMe
- Get a PO Box and stop having snail mail delivered as much as possible
- Subscribe to paperless billing as much as possible
- Harden your digital life
- Get off social media and stop sharing your life in public digital media
- Be aware of deed fraud and how to verify that no one has stolen your deed
- Be aware of how foreclosure rescue scams are perpetrated
- and more!
Attestation, scoring, evaluation, and business process in achieving improved cybersecurity posture and compliance
Joy Beland joins Felicia to discuss:
- What Edwards Performance Solutions is doing in the CMMC training space
- Joy's team created the CMMC assessor textbook
- Many orgs have cybersecurity insurance enforcement for the first time ever
- Joy's extremely wise metaphor and perspective on cybersecurity insurance (15 mins)
- Transfer of risk and economic destruction
- DMARC, DKIM, SPF tuning
- What tools exist to help the SMB market with attestation, and establishing patterns of due care and due diligence?
- IS policies and processes are required as part of the proof mechanism
- Mechanisms to actually evaluate risk so that business leaders can make effective decisions
- Control planes for infrastructure
- Joy's sage advice: "Know what the crown jewels are."
- Learn to identify wasteful practices with Gemba walks. https://www.creativesafetysupply.com/content/PPC/gemba/index.html
- CMMC 2.0 scoping analysis https://www.linkedin.com/feed/update/urn:li:activity:6889627454466469888/
- Future Feed for CMMC orgs https://futurefeed.co/
https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/
Special guest: Joy Beland, a CMMC Provisional Assessor and CMMC Provisional Instructor, who works with Edwards Performance Solutions as a Senior Cybersecurity Consultant. Joy owned an MSP for twenty-one years in Los Angeles. She has a CISM and Security+ certification.
Integrated IT risk management - part 2
Identity theft via insecure credit APIs
Integrated IT risk management part 2
Assessments and Integrated IT Risk Management - Part 1
- Problems with and limitations in many assessments
- Many assessment report results from automated tools can be incomplete, incorrect, or pretzel talk
- What realistic expectations should you have from a paid and unpaid assessment?
There are certain security baselines simply so your organization can be insurable. There are certain security baselines in order for your organization to be serviceable by an IT service provider. Small organizations can easily find themselves spending $50,000 that they don't have in order to recover from a cybersecurity event. It's not just about money. Are you sure that you can get access to all the personnel in order to get your organization back up and running in the designated time? You need to mitigate risk proactively in order to make sure the cybersecurity event never happens. Do not evaluate your risk based upon what you think the value of your data is. Evaluate your risk based upon whether or not you want to stay in business.
Technical Debt - a whole new perspective
10/28/2021 Cyber Matt Lee, Senior Director of Security and Compliance at Pax8, joins Felicia on Breakfast Bytes to talk about massive issues with technical debt. You have to start with the right definitions. It’s not patch management, it is vulnerability management. You have to ZOOM in. Is your TPM up to date? Is your firmware up to date? Drivers, configurations, remove unpatchable software. Are you still susceptible to Spectre and Meltdown? What about SMB1, PowerShell 2.0, LLMNR, etc.? “That doesn’t have a patch, and you have to get rid of it.” Where there is technical debt with a software code base, on a 5-year journey you need to move to different software, because the software vendors are literally incapable of updating the code base of their software. They are not actually doing the work to update the software. Their paradigms for the software development lifecycle and codebase are crippling them from being able to correct issues. Matt recommends finding SaaS platforms that suck over on-premise applications that suck, because at least you are in the shared responsibility model. Modern DevSecOps practices are what is needed. You can build software that has a good paradigm. We still acknowledge that there are issues with resources in the cloud as well, unless an organization is willing to accept the risk of data sovereignty and the third-party risk of being disconnected from their services and data. Being disconnected from your data or your application because the SaaS vendor disagrees with your business model, even though what you are doing is legal, needs to be regulated out of existence. SaaS vendors are playing God. And some things are just not cost effective in the cloud or are financially unobtainable in a SaaS format. Are you comfortable with the government accessing your data through backdoors? This is a very personal decision for each organization and individual.
15:30 mins - Matt talks about paradigm challenges that impede the ability to ever create bug-free software. True SaaS should be able to iterate an outcome regardless of the hardware and OS that is accessing the system, so the software vendor does not have to plan for all the variables in their testing. This allows them to have a CI/CD development pipeline for their software. Get to the nugget of what is required. An information security officer can get to what is really the intent of what the compliance requirements are asking for and translate that into what is required to fulfill that and protect the organization. Interpretation is required because too frequently the questions asked or requirements specified are not as specific or accurate as what is required.
26 mins – Vendor software development and vulnerability disclosure programs. The vendors need to tie revenue lost to the vulnerabilities. Software vendors are often set up for failure. Monolithic apps start at the top and run to the bottom of the code. Better models are where apps have microservices and each microservice can be corrected individually without a massive ordeal. A different software codebase paradigm allows sprint teams to correct software bugs more easily.
28 mins – There is no real effective possible way for many of these software vendors to fix their apps.
30 mins - It is on the C-suite and the board to fix this. You are either going to die at the hands of threat actors in an escalating war that we cannot win, or you are going to start having practices that understand that this is a football game. There is no one right way to run a football play, but you cannot play with 9 players. You have no defensibility in your actions if you put only 9 players on the field when 11 are required. There are requirements and boundaries to any strategy or solution. If you don’t do the things you need to do, you don’t have defensibility.
If you are already fighting with all this massive technical debt, you are not going to ever win. Go to tryhackme.com and find out how easy the threat actor side of this is. https://tryhackme.com/
Avoid cybersecurity insurance fraud
How to avoid cybersecurity insurance fraud. If this happens to you, your claim will be denied and you will likely be uninsurable in the future, including by other insurance providers. You have to be working with an extremely operationally mature ITSP with ISOs on staff or you probably will not be able to navigate this complexity. Great article showing a claims denial and then the accompanying lawsuit for a perceived insurance fraud incident. https://www.insurancejournal.com/news/national/2022/07/12/675516.htm
Why converged NOC and SOC are so critical to security efficacy
Joining Felicia is Rui Lopes, Senior Technical Evangelist at WatchGuard Technologies. Rui was with Panda Security prior to the WatchGuard acquisition and has spent many years merging the technical with customer enablement at a level rarely seen. His efforts at WatchGuard are projects, partner support, and overall customer enablement of using the endpoint protection technology effectively. When I listened to an interview with Fortinet's CISO regarding converged NOC/SOC, I had to reach out to Rui to formalize several conversations we have had over the last 1+ years, because we both have seen the need for this strategy for a very long time. At QPC, we have been doing converged NOC/SOC since around 2009. Listen in to hear our breakdown of why this is such a critical strategy in today's threat landscape.
The Fortigate CISO talked a lot about NOC and SOC convergence at the network layer, but he did not talk about it at the endpoint level.
Convergence architecture: SIEM, network operations, endpoint, cloud, authentication
Panda: EDR platform since 2015, advanced telemetry collection for endpoint sensors
The people who are monitoring and responding must be the same people who have intimate knowledge of the systems, clients, staff, applications, servers, workstations, and cloud tech. They have to know what technical controls are in place, and then see the events, make judgement calls about what should and should not be happening, and respond effectively.
WatchGuard EPDR (formerly Adaptive Defense 360) has service-as-a-feature built into the EDR: zero trust and classify, attested goodware, not malware. The other service is threat hunting. Zero trust is when we only allow goodware to run. Threat hunting watches what happens when that goodware is weaponized. IOAs are also included in alarming and reporting. This puts the ITSP in a position to effectively provide the MDR service.
Service-as-a-feature is applied to the notion that you should get an "endpoint management" team by bringing malware analysts and threat hunters into the product as "features", which, when paired with competent MDR services by the ITSP, are a stellar combination not found in other platforms. It's about avoiding a scenario where there are 120+ options to configure and validate as correct. A platform with a service-as-a-feature paradigm allows the endpoints to leverage the collective intelligence of the global threat hunting team at WatchGuard combined with the purple team at the ITSP, who has intimate knowledge of the client and what should and should not be happening on those endpoints.
The people doing the MDR MUST HAVE the knowledge and authorization to trigger host isolation without any other contacts in order to arrest the spread of problems in an attack. There cannot be delays. And the people doing that service must also have full authority to conduct a lockdown at the network layer. EPDR also has extremely granular device control, which is extremely useful.
WatchGuard Fireboxes already have excellent alerting and monitoring when configured properly and used in the proper ecosystem. QPC has used these monitoring and alerting features extensively in its in-house NOC/SOC operations for more than a decade. WatchGuard is continuing to invest in the improvement of its WatchGuard Cloud platform, bringing the whole XDR option to fruition for ITSPs that have lacked the capabilities that QPC has regarding deploying converged awareness of the endpoint and network layer with proper real-time alerting and monitoring.
Act now so your emails will still be deliverable
NDAA 2021 legislation is forcing closure of the gaps in SPF, DKIM, and DMARC. This stuff is really complicated. Get some seriously competent help. I don't think most ITSPs (IT service providers) have enough experience in managing this, especially in light of the inclusion of marketing automation platforms on root domains. You cannot be driving a hole with a 20 lb sledgehammer through your email ingress filtration policies in order to accommodate incompetently configured sender frameworks on behalf of your senders. It's time to push back on their incompetence. Get your VISO involved and get policies in place, such as one stating that IT will not be asked to put holes in security in order to accommodate senders with bad email systems. Instead, letters will go to bad senders to tell them to get their house in order. You need to get your own house in order to make sure that your emails are deliverable. Cybersecurity insurance providers are assessing this information as part of your risk profile.
Salesforce Email Service Used for Phishing Campaign | eSecurityPlanet
For more information on this topic: Email Deliverability - The Titanic Problem Headed Your Way
Gaps in EDR/EPP paradigms and what to do about them
Excellent and invigorating discussion on the gaps in EDR/EPP and what to do about them with Maxime Lamothe-Brassard, founder of LimaCharlie.io and Refraction Point.
- LimaCharlie
- avoiding tool proliferation
- avoiding the jedi mind trick of EPP
- identify gaps in a lot of EDR/EPPs
- challenges with outsourced SOC
- supply chain risk in toolset vendors
- paradigms around security tools and training
Kaseya VSA breach analysis
Why the breach happened and what people could have done to prevent it. What Kaseya could have done differently. How to manage supply chain risk when your software vendor is not. Smart vendors use the experts in their customer base. People really need to have a major paradigm shift and look seriously at an RMM as being nearly the same as a nuclear launch code. Kaseya VSA Limited Disclosure | DIVD CSIRT
Parsing out the risk issues associated with cloud technologies
Improper use of cloud, and the problems caused by improper pre-planning and risk assessment around that improper use. Kim Nielsen, founder and President of Computer Technologies, Inc. (cti-mi.com), joins Felicia to discuss the dangers and risks of improper use of cloud-hosted technologies. Business risk vs security risk; you must have an exit plan. Dangers of subscriptions. Huge databases don't belong in the cloud because it is not more secure. https://www.infosecurity-magazine.com/news/over-60-million-americans
The REAL reason you cannot afford to have a cybersecurity incident
I have been thinking for months about the latest challenges faced by organizations with regard to the increased cybersecurity risks, what is at stake, how unprepared they are, and how the cyber insurance companies are responding to the changing landscape. As I have had conversations with business decision makers, they often think that they have little at risk. Many businesses feel that they are not under much, if any, regulatory framework that requires them to take action. It seems that each week I see another cybersecurity insurance risk assessment questionnaire that nearly every organization will fail. Compliance frameworks are incomplete and horrifically confusing. There is no compliance framework that will get you the fundamentals. There is no security control framework that tells you how to have effective network layer security. The gap between guidance and successful execution is wide. It occurs to me that the only real defense for small and medium businesses is organizations like QPC, which have virtual information security officers and full remediation services on offer, backed by ongoing management. There are plenty of penetration testers or those that will sell you MDR services. Execution of fundamentals is where it is at. There is little value in pursuing the frameworks until you have addressed the fundamentals. After you have the fundamentals in place, then review your status against frameworks and you will probably find that many items have already been addressed. Regardless, I'm always on the hunt for ways to help the SMB organization leader. It occurs to me that no matter what data you think you have at risk or don't, there is one thing you have which is at risk. Listen to the show to find out the real reason you cannot afford to have a cybersecurity incident. Updated on 8/8/2021: I saw this great article today on this topic and decided to include it.
The Disturbing Facts About Small Businesses That Get Hacked. I will warn that their documented risk mitigation measures are H.S. And check out this excellent article on more reasons why you cannot afford to be hacked: 10 Terrifying Cybersecurity Stats | Cybersecurity | CompTIA
11 security vulnerabilities highlight the necessity of viable network layer security strategy
Topics:
- facial recognition
- Systems with Windows Defender compromised
- 11 recent security vulnerabilities highlight the necessity of viable network layer security strategy
https://www.msn.com/en-us/news/us/fbi-ice-find-state-driver-s-license-photos-are-a-gold-mine-for-facial-recognition-searches/ar-AADZk0d?li=BBnb7Kw
https://www.newstarget.com/2019-07-29-americans-already-in-fbi-facial-recognition-database.html
https://www.forbes.com/sites/daveywinder/2019/07/31/windows-10-warning-250m-account-takeover-trojan-disables-windows-defender/#325add6f6fef
Why network layer security and microsegmentation is critical. Also why to use a good quality security appliance.
https://armis.com/urgent11/#foobox-4/0/bG6VDK_0RzU URGENT11 - Takeover of a Xerox Printer
Originally aired: 8/2/2019
Real world examples of small business security compliance problems
Real world examples of small business security compliance problems Originally aired 5/1/2020
Evaluate your purchases to see if they have UPnP and understand why you should not buy devices that use UPnP technology
Evaluate your purchases to see if they have UPnP and understand why you should not buy devices that use UPnP technology
Update on the Capital One data breach
Adverse business impact and higher fees associated with subscription-based software licensing versus perpetual
Originally aired: 7/3/2020
How easy is it to not get hacked?
How easy is it to not get hacked? Originally aired 9/4/2020
Location services issues and how it relates to personal physical security
Location services issues and how it relates to personal physical security Originally aired 1/3/2020
Email security and cyber risk insurance
Email security and cyber risk insurance Originally aired 10/11/2019
The dark side of smart cities
The dark side of smart cities
A clothing line designed to distract the panopticon
Geofencing warrants
Horror stories of hospital IN-security
Originally aired 9/6/2019
Why bidding out IT jobs often fails
Why many IT business decision makers make mistakes. Over 25 years, bar none, the business decision makers that have regular meetings with us are vastly better decision makers. This directly leads to them saving money by not wasting money.
Why bidding out IT jobs often fails
SIM Jacking
SIM jacking
More AWS data breaches affect hundreds of thousands of people
Hacking using smart light bulbs
IoT bricker
MFA options
https://simjacker.com/
https://www.sciencedaily.com/releases/2019/10/191023075139.htm
Originally aired 11/1/2019
Vehicles and privacy issues
Vehicles and privacy issues Originally aired 2/1/2020
Wireless security, wireless TCO, 3-2-1 backup strategy, MFA and IP access control strategies
Wireless security, wireless TCO, 3-2-1 backup strategy, MFA and IP access control strategies Originally aired 3/6/2020
What to do in the event of a cyber attack
I read an article authored by two IT people where the article provided what I felt was a bunch of misinformation about what to do in the event of a cyberattack. I'm not disclosing here who the authors were or providing a link. Instead I thought the best approach was to provide direct actionable intel on what to do in the event of a cyberattack that counteracts the misinformation in the article.
PrintNightmare and business risk
What did you do about the PrintNightmare vulnerability? I describe what we did at QPC Security and for our clients. I also discuss how business owners and executive management can use IT steering committees to make sure that information technology decisions are being made properly and their risks are being mitigated. I often see poor, uninformed decisions being made that lead to massive adverse business financial impact that was completely avoidable by simply using a decision process that is not flawed. Listen in to learn more about using good decision-making practices that will protect you from financial ruin. We regularly save clients hundreds of thousands of dollars by simply having ongoing meetings and preventing missteps. Gone are the days that executive management can delegate and abdicate. You must be involved, and you must get external advice. Only large enterprises can afford to have industry connection subscriptions such as IANS. This resource is completely inaccessible to SMB. The cost of the annual subscription to something like that is typically in excess of $40,000 per year, but you would then have to employ an extremely skilled internal information security officer to even be able to make use of any of the value of the subscription. This is why those resources are financial unobtanium for SMB. It is critical that SMBs have relationships with managed security services providers who have a certified virtual information security officer to manage the account.
Think You Could Have Prevented The Impact Of The PrintNightmare Attack? – Think Again | QPC Security
Tough talk about cybersecurity insurance and ransomware incidents
I discuss converting the hearsay from some reported incidents into tangible, actionable intelligence. A ransomware remediator initially reported some really high-level, unusable data. I pushed for more details, and got them, but immense questions remained. I help you understand what you can do from a process and systems perspective in order to have provable, attestable, non-tamperable proof about the status of your systems. And I am including a list of questions below for you to ask your cybersecurity insurance provider.
Scenario: A customer of an IT service provider has their own insurance policy. They get a business email compromise event. The insurer for the customer denies the claim on the basis that the IT service provider (MSP) was not using an email security service that was known to the security expert of the insurer. Further investigation reveals that the MSP was providing their own EDR service with hundreds of whitelists in place. (Whitelists are exceptions to security scanning, which is an extremely bad practice.) The security expert for the insurer effectively claimed that the BEC occurred because they did not know who the email security service provider was, and they concluded that the EDR/EPP could not have been effective because the software was not known to them. The distillation is that the product could not have possibly had security efficacy if it was unknown to the security expert. There was no discussion about provable, non-tamperable, attestable configuration proof. Because that security product was not on Gartner and Forrester reports, the security expert thought that the IT service provider should not have been using that tool. So they claimed that due care was not exercised and the claim was denied. I find this quite suspect because the insurance company in question was insuring the customer of the MSP, yet the insurance company required no attestable proof of efficacy of the security solution prior to issuing a policy.
Nor did the insurance company require an assessment prior to issuance of a policy. The additional outcome was that the IT service provider was asked by the security expert for the insurer how they validated their claim that the product was effective when it supposedly had no industry vetting. Industry vetting in this context simply means that the software/hardware company has engaged in a pay-to-play evaluation scheme known as Gartner and Forrester. Simply buying a product that has been rated as effective in a pay-to-play scheme has no bearing on its configuration in a particular environment or context. NONE. Therefore, it should not have any bearing in an evaluation of coverage. If the facts of this case as reported on a forum were true, then the insurance company sure needs to get its act together and require attestable proof of configuration efficacy before issuing a policy. The BEC customer is then suing the MSP (IT service provider). Some of the data we do not have is the content of the contract for service between the MSP and their customer. I also do not know what security coverage the customer declined but that the MSP offered. We do not know what other security measures were or were not involved. We do not know if the customer was offered phishing testing and cybersecurity awareness training and then declined it. Ultimately, it was the action of one of the users at the customer's site that caused the BEC and ransomware incident to occur. Negligence or responsibility is not knowable to us based upon the limited information. However, I think we can all agree that all parties involved would have been much better off if a viable ongoing configuration validation testing system had been in place.
Let's ask some questions of the insurance providers.
- In the mind of the security expert for the insurer, what qualifies as “industry vetting”?
- What evaluation criteria are being used to determine if it is a covered event or not?
- What criteria do they have for software and hardware vendor selection by IT service providers?
- What configuration attestation do they require?
- What constitutes an incident that the insurer is comfortable with the IT service provider responding to, versus one for which they deem the entire environment must be put in stasis?
- If this BEC scenario occurs and causes ransomware on endpoints, for example, what is the procedure that the insurer requires? I have heard that the insurer requires that the IT services company do nothing. The covered party is supposed to call the insurer and then the insurer will send their incident response team. How long will that take? Is the internet connection supposed to stay on the entire time? When can a recovery from backups process start?
- If the insurer requires that systems be frozen in time and that no one touch them, does the covered party have to acquire all new computer equipment and start the recovery process onto that new equipment because the insurer will not allow them to touch their current equipment? If the insurer’s incident response team takes a week to get there and another week to do their analysis, this is at least two weeks where recovery cannot even start. For most businesses, this would mean that they are out of business if they cannot conduct business for two weeks, but more likely four because of the time needed for recovery.
- What pre-planning does the insurer want the covered party to do in terms of incident response planning with the insurer?
- What reports or attestation of the state of what assets does the insurer want?
- Does the insurer require 365 days of log data from all assets, and will that need to be made available to the incident response team? Where can this data be stored, assuming that the on-device storage is contaminated by the breach?
And finally: What certification or credentialization on the part of the staff at the IT service provider is the insurance company going to presume is adequate for them to be considered experts in the stated technology or security strategies?
Understanding the concepts of the last mile and the last inch
Watch this excellent video: The Last Inch – Solari Report
Hyper Precise location services: Verizon unveils Hyper Precise Location service in more than 100 markets | VentureBeat
Apple iPhone is constantly taking pictures of you if you use face unlock: Apple Tech is Constantly Spying on You (renegadetribune.com)
Good reference article on the Colonial Pipeline attack: From Fuel Shortages to Gas Hikes: How the Colonial Pipeline Co. Fell Victim to a Ransomware Attack? | SOCRadar® Cyber Intelligence Inc.
CHD Sues FCC to Stop New Rule That Could Lead to ‘Wireless Wild West’ • Children's Health Defense (childrenshealthdefense.org)
CHD 5G and Wireless Harms Project Team • Children's Health Defense (childrenshealthdefense.org)
Exposed Colonial Pipeline
Barb Paluszkiewicz, Chief Executive Officer of CDN Technologies, and Felicia King of Quality Plus Consulting discuss the Colonial Pipeline cybersecurity incident.
What would you do if it happened to you?
Lessons learned
Great examples of how to avoid this happening to you
Felicia was a guest on Barb's KNOW Tech Talk podcast. It is posted here also for accessibility.
Privacy problems with IoT and wearables and bluetooth
Privacy problems with IoT and wearables
Bluetooth
Ransomware guidance from US Treasury
Bluetooth BLUR attacks: https://hexhive.epfl.ch/BLURtooth/
Bluetooth range estimator: https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/range/#estimator
Treasury warns that paying ransomware is a crime: https://www.insurancejournal.com/news/national/2020/10/01/584906.htm
How to upgrade the technology firmware in your automobile
Hackers compiled data from a bunch of breaches and it's in a reusable script
School cybersecurity attacks automated hack strategy
What is involved in a secure endpoint strategy?
Overview of the secure endpoint strategy
The CIA you care about – confidentiality, integrity, and availability of the data on and accessed by your technology systems
You need strategies that are effective at protecting against the efforts of nation-state actors and large criminal enterprises
Your bank account, identity, business, and mental health are at stake
What security posture strategy works now?
Who do you partner with, and how do you vet or assess them?
It is not about simply selecting the technology. It is much more about the partner who services you.
Zero-trust posture coupled with the proper services
Welcome to "Breakfast Bytes," your go-to podcast for insightful discussions on hot tech topics. In this episode, hosted by Felicia King, we take a deep dive into the critical world of endpoint protection. With an increased shift of our lives online, protecting our data is more important than ever. But how much do we understand about endpoint protection and the steps needed to safeguard our data? We kick off with a discussion about our technology usage and the assumptions behind it. We delve into concepts like the 'CIA Triad,' the backbone of all data security strategies, representing Confidentiality, Integrity, and Availability. We also explore the daunting facets of cybersecurity, such as hack attempts, nation-state actors, criminal enterprises, and the lack of regulation, illuminating the challenges individuals or small businesses face in combating such overwhelming threats. The episode then shifts gears to emphasize the significance of teaming up with a top-notch security architect to stay secure. We discuss the differences between a Security Operations Center (SOC) and a Network Operations Center (NOC), and why understanding these differences is vital when choosing an IT service provider. We further discuss why consumer-grade technologies may not be sufficient and why businesses should consider enterprise-level solutions.
Special emphasis is put on endpoint protection platforms that maintain a zero-trust posture and the advantages they offer. We also delve into the key components of Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) technologies, spending time exploring how your endpoint's data is monitored by a 24/7 staffed data center. In addition, we provide crucial questions you should ask your IT service provider, particularly about administrative access. The perils of vendor agnosticism and outsourcing to under-protected NOCs are highlighted, as is the crucial need to evaluate endpoint protection critically and the importance of timely system patching. This episode aims to empower listeners with the knowledge they need to strengthen their data protection strategy and avoid leaving their data 'naked on the interstate'. Listen in and equip yourself with the information you need to protect your data more efficiently and effectively.
Assessing and understanding counterparty risk
Counterparty Risk
SolarWinds hack and how it related to Dominion voting machines
Juice jacking - don't use public charging stations: Juice jacking: Why you should avoid public phone charging stations (nbcnews.com)
SolarWinds Exposed FTP Credentials Publicly in a Github Repo (ampproject.org)
IoT Cybersecurity Improvement Act: Text - H.R.1668 - 116th Congress (2019-2020): IoT Cybersecurity Improvement Act of 2020 | Congress.gov | Library of Congress
Trickbot UEFI BIOS mods: One of the Internet’s most aggressive threats could take UEFI malware mainstream | Ars Technica
The most secure helpdesk is the one that is not outsourced
Challenges with having baseline 101-level quality IT services
Beware of outsourced help desks
Items to use to assess your IT services provider
The most secure help desk outsourcing is no help desk outsourcing. There are many ways in which help desk outsourcing can create compliance and security violations. How Help Desk Outsourcing Undermines Your Security | IT Pro (itprotoday.com)
The user's identity should be validated when they are calling for support. We use a system where end users have support PINs that change and are readable to them and to us through a system. That is not the only method of validation.
How should you be investing in equities? You probably are not an industry insider. You probably cannot run a company like the one you are investing in. You don't have tremendous expertise in risk management for that industry. So how are you to make a decision about what company to invest in?
How MSPs are the breach vector for a lot of clients
The BIGGEST issue that creates problems for your business when you utilize any outsourced IT whatsoever is if the service provider's executive management team is not comprised of highly experienced and highly trained security personnel. Businesses owned and operated by sales and marketing people usually end up making decisions using the wrong criteria. Since you cannot do what they do, you have to trust in the management of that company. Many of these companies have zero ability to assess the efficacy of any security solution or strategy. They use and promote the flavor of the year that they picked up at a conference or that is being talked about in their industry groups and peer accountability groups. There are tons of IT service providers that say that in order for them to scale, they have to use large help desks of 60 - 200 people or more that end up having administrative access to things in your environment.
Questions for the technology service provider
What type of technology do you use?
Will the same be used to support my company?
How will you manage my current infrastructure?
How will integrations with legacy systems be managed?
Do you use subcontractors?
Patching strategy and lessons from the Exchange HAFNIUM attack
Exchange HAFNIUM attack
Pretty much every internet-accessible Exchange server on the planet that had no protections in front of it got hacked
Anything that does not have MFA protections in 2021 is going to be hacked, especially if it is accessible from the internet
Not having MDR and THIS with zero trust posture is just not acceptable
Yes, this increases the cost substantially, but what is your alternative?
It is possible to proxy the traffic ingressing to the Exchange server and inspect it for IPS signatures: Fireboxes Detect HAFNIUM Attacks in the Wild | Secplicity - Security Simplified
It is also possible to put a web portal in front of the Exchange server that must be accessed with MFA before it is possible to use the services there. Reverse Proxy for the Access Portal (watchguard.com)
Patching properly and thoroughly is an art form
Getting updates deployed for an operating system requires quite a bit of technique and multiple layers with validation
How thorough is your third-party patch catalog and platform?
Are you looking for EOL or deprecated software?
Are you cataloging what business software is dependent on deprecated junk, and what are you doing about getting rid of it?
How frequently are the physical machines being patched for firmware, drivers, and BIOS?
Do you have mechanisms to update PowerShell?
Are you auditing and restricting WMI and PowerShell?
Ubiquiti - multiple significant security fails: Ubiquitous for all the Wrong Reasons | Secplicity - Security Simplified