Quality Plus Consulting - Breakfast Bytes

Felicia King is known as the “Packet Whisperer” and considered to be one of the top network layer security strategists in the country. Since launching in 2004 on the WGTD network, her Breakfast Bytes podcast has focused on the current cybersecurity landscape and the security threats business owners need to be aware of. Learn about the most recent threats, what you can do to mitigate your risk, and how to protect your most valuable assets, your data and your time. Use the tags in the menu above to quickly access episode topics most relevant to you.


Wednesday Nov 30, 2022

Recent question I got: What are the major changes that you have seen from security auditors in recent years and/or where do you see the audit process heading?

Quick response: At a high level, automation is and will continue to be used. The size of the IT service provider is NOT a conveyance of their capabilities or capacity. Many 60-person MSPs are grossly incompetent. Some small teams of about 8 people are exceptionally skilled. The C-suite needs to drive it from the end in mind. The end is compliance attestation. Back into it from there and ONLY use a team which also has the technical capabilities to perform the remediations. Do not use vCISO services from one company and remediation services from another. You get too many cooks in the kitchen, and a disjointed and more expensive outcome will be the likely result.

The insurance companies are pushing the cost of the audit onto the insured or applicant. This will involve eating tools and processes that connect with their assessment process. Hence why it is crucial to work with a company like mine that has these workflows. Most don't.

In this podcast, I provide an overview of the role of executives, managers, internal IT, and the CISO in business risk management. Until all parties understand that this is not information security risk or cybersecurity risk, it is business risk that they are responsible for managing, it is not likely the situation will improve. In order for business risk managers to make good risk decisions, they first have to engage and be involved. They cannot put their head in the sand and believe that "It's an IT problem." No, it's not an IT problem. When the HVAC system is open for hacking to everyone on the planet because the facilities director refuses to collaborate with IT security to come up with a solution to maintain business functionality while managing risk, that is a business risk issue.

If the facilities director REALLY believes that it is an IT problem, then IT needs to be provided the authority to rectify the issues. And when the facilities director's access is interrupted, they will be forced to engage and collaborate at that time. But executive management needs to have the intestinal fortitude to enforce policy: the policy that IT does have that authority and, no, IT will not be retaliated against. That is one approach. The other approach is that the facilities director needs to acknowledge that THEY are responsible for business risk management of the HVAC system. So if the facilities director wants the right to complain when their access is revoked, then they cannot abdicate their responsibility and accountability for the security of the HVAC system.

Saturday Nov 19, 2022

Breach attorney Spencer Pollock joins Felicia for a vigorous discussion of what you must do in order to be prepared for an incident or breach. Learn from the breach attorney perspective. Spencer is with the well-known firm McDonald Hopkins.

Preparation:

  • Policies
  • Incident response plan
  • Tabletop exercises
  • Must get the breach attorney involved before there is an incident
  • Determine your team in advance

What's new?

  • Regulatory enforcement
  • Multi-state class action lawsuits
  • Attorneys general getting together in a class action effort

Regulators DIG. They want to see your policies. You must demonstrate your administrative, physical, and technical controls. Attestation proof of state is mandatory. You had better be able to enable your breach attorney to tell a legally defensible story.

How many data breaches could have been avoided by properly encrypting the data? 90%

Friday Oct 28, 2022

What is information security versus cybersecurity? What are policies and why do we care? Isn't that IT's problem? Examples to learn from

Wednesday Oct 12, 2022

Special guest: Vince Gremillion, President and Founder of Restech: CISSP, CvCISO, GCIH

Overview

The Travelers policy requires MFA on switches. They require you to comply with the intent of that. A recent Cowbell application did not require MFA! What is required is contingent upon the coverage you are asking for.

Some suggestions:

  • Never fill out an app for a client, not even partially.
  • MSP comms to a client should be in a document in a detailed format, and it should be digitally signed and locked for editing through that digital signature. I use Adobe EchoSign for that.
  • I address everything in a CRAQ format and then include for the client a spreadsheet which is a cross reference.
  • I will never answer any of those questions on the application directly because I can tear holes in every single one of those questions. I reject many of those cybersecurity insurance application questions as yes or no. Yes/No just does not fit.
  • All the insurance carriers and underwriters have accepted my method, which I find to be the only defensible approach since yes/no is inadequate and does not protect the insured/applicant or their MSP.

Future strategy

This is exactly why we need CISO platforms which have automatic data ingestion and transmission of the data to insurance carriers in a standardized, pre-scored format. Check out this podcast on the topic: https://qpcsecurity.podbean.com/e/ciso-workflows/

Business owners: You own the risk; you decide what to do with that. If you did not vet the MSP or the vendor or their stack, that is ultimately your risk problem. HUB International as a broker specifically tried to suggest to one of our clients that the MSP should be filling out the cybersecurity insurance application. I found working with HUB International to be very difficult. Marsh McLennan Agency (https://www.marshmma.com/) was very good to work with, but they cater only to larger employers.

Gem from Vince: Compliance as a threat. If law firm A can no longer do business with customer B because they don't have compliance, that is a threat.

Friday Sep 30, 2022

Frank Raimondi, VP of Channel Development at IGI Cyber Labs. IGI CyberLabs has a product called Nodeware which does continuous vulnerability assessment. PenLogic is a regular penetration test: once a quarter a deep-dive heavy one, plus a monthly light test.

Topics:

  • CEO buyer's journey
  • Security velocity; risk scoring is part of security velocity
  • Improve your cyber-hygiene (all small businesses)
  • Security 101 is inventory 101
  • Cysurance, a warranty and liability company
  • It's good that insurance companies are trying to be more objective about the real risk metrics. Get the scoring and get the data about how risky they are. This feeds into the evaluation data which is used for underwriting.
  • FTC Safeguards policy impact
  • Operational security issues: MSPs that post all their personnel information publicly
  • The impact of customer contracts and compliance
  • The squeeze between cost and staying in business in terms of insurance and customer contract requirements

Thursday Sep 29, 2022

Ken Dwight is "The Virus Doctor": business consultant and advisor to IT service providers and internal IT at many businesses who have come to him for his training, and he has his own direct clients. Ken conducts a monthly community meeting for alumni. He provides a list of curated items of current interest for discussion and resources, and has a featured topic which often includes another speaker to provide breadth of perspective. He has been doing this community service for 83 months! I asked Ken to cover with me some topics that from his perspective don't get talked about enough.

Business Email Compromise

Also known as CEO fraud: impersonating a CEO for purposes of wire fraud. We are focused on the technological solutions. There is no technological solution for eliminating BEC. CEOs must be part of the solution. Example: a subcontractor to Airbus, used to dealing with multi-million-dollar wire transfers. BEC is a large Fortune 500 issue, and it scales down to one-user environments. Title companies are a big target.

Retention policies and standards for WHERE to store what kinds of data make sure that email is not a file server, which would increase the risk of what data is compromised as part of BEC. This is a perfect example of the beginning of an incident response plan or a tabletop exercise. Orgs must define the cost of compromise. That plan needs to be in place long before an incident. It makes a recovery so much more straightforward.

Attackers analyze their victims in tiers. Potential victims: $10 - $50mm revenue organizations. Reputational damage, but not big enough to have an adequate cybersecurity budget. Shadow IT is a problem, which is why you must address it with a CFO-enforced procurement policy.

Proactive management of M365 tenant security configuration is so critical. The security of your tenant is not included in the fee for Business Premium or the overall licensing. Consider how much activity there is: changes, products, services, vendors. Ideal stack, layers, point solutions within that. Revisit that in a period of time like a year. This is a nice resource for M365 security and BEC: https://www.blumira.com/office-365-security-issues

Direct advice from Ken

One topic I believe falls directly into this category is the issue of Business Email Compromise, as opposed to actual malware / hacking / ransomware attacks. As you know, the losses to BEC still represent a greater dollar value than ransomware, according to the FBI statistics. But BEC isn't even a technology problem, it's pure social engineering, and no additional layers of hardware or software "solutions" will prevent it or reduce the cost to its victims. In my opinion, that's why you hear so little on the subject from the cybersecurity vendors.

Another topic I find interesting, but haven't really heard any vendors or industry pundits talk about, is the whole new ecosystem and infrastructure produced by modern threat actors. The whole business model of these sophisticated criminals has created occupations, titles, and job descriptions that didn't exist a few years ago. Some of these are a result of the specialization, compartmentalization, and outsourcing by these organizations; here are a few that come to mind:

  • Breach attorney
  • Ransomware Negotiator
  • Initial Access Broker
  • Cloud Access Security Broker
  • Multiple "As-a-Service" offerings: Ransomware as a Service, Phishing as a Service, C2 as a Service

Another area that is mentioned fairly frequently, but typically fueled by more heat than light, and raised as a point of frustration by MSPs and IT Solution Providers in general, is the users who still believe they don't have to worry about cybersecurity, hackers, malware, or ransomware, because they "don't have anything the criminals would want," or words to that effect. I believe those users need to comprehend how real and serious the threats are to their business. By defining the multiple tiers of threat actors, the threat vectors they may employ, their potential victims, the assets owned and managed by those victims, and the attacker's strategy for monetizing those assets, I believe it becomes obvious that every organization and every individual is the intended target of some subset of those threat actors.

Visit this resource for help with making that argument: https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/ Ken is working on some additional materials for end user cybersecurity awareness training.

Wednesday Sep 21, 2022

This episode of Breakfast Bytes is Part 2 of a series where Felicia King and Dan Moyer of QPC Security continue their conversation on Vulnerability Management. Listen to Part 1 at https://qpcsecurity.podbean.com/e/vulnerability-management-part-1/. In today's episode, Felicia and Dan discuss vulnerability management workflows, supply chain risk management, starting with security on the front end rather than retrofitting, and proper patch management.

Workflow management

01:10 CISO-related (Chief Information Security Officer) workflows are at the core of what is today's necessity, and we will only see them become more mandatory within the next couple of years. Organizations that do not have vulnerability management workflows in place in a comprehensive way are going to find they have too much technical debt, deferred maintenance, or deferred security to be able to dig themselves out. This won't be from a lack of money either, but a lack of manpower and time in the day to rectify the issue.

Supply chain risk management

02:43 SaaS vendors have vulnerabilities, and very few of them have in their contracts your rights and their obligations. What kind of questions should you be asking your SaaS vendors that in many cases you are responsible for as an organization? Here are just a few:

  • Do they have continuous vulnerability management scanning going on with regards to their SaaS platform?
  • How are they classifying vulnerabilities?
  • How quickly are they going to resolve vulnerabilities?
  • How are they communicating these issues to you?
  • Do they use API security scanning?
  • How do they adhere to OWASP API standards and best practices?
  • What are they doing for you in terms of supply chain risk management or software bill of materials?

Your organization's CISO or vCISO should be in your court getting answers to these questions if they are not being addressed by your SaaS vendor or addressed in your contract. Having a proactive, highly functional, highly communicative, and open, honest working relationship with your CISO will ensure you have the protections your organization needs.

Proper patch management

04:51 Let's walk through an example of patch management in an environment with Hyper-V hosts, Dell PowerEdge servers, domain controllers, business-critical SQL servers with essential business applications, virtual machines, remote sites, on-site and offsite backups, hardware at different speeds, and then all the third-party software on these workloads. How do you patch all these things?

06:11 It is exceptionally important to note that some patches will step on or over each other, be required to be put in place and rebooted first, and then other patches applied on top. The time it takes to patch a server can be exacerbated by trying to accomplish, say, five patches in one change window rather than one patch/reboot followed by another one patch/reboot, and so on.

07:48 Watching the servers reboot is an important piece to verify the workload comes back up, reiterating the point made in Part 1 of this series that adequate patch management of an entire server for $50/month cannot be done.

Domain controllers

09:19 There tend to be multiple domain controllers or, in the case of just one, it has been designed so that it can reboot whenever it needs to allow for patching. The domain controller is the brain of everything, and since it can reboot whenever needed to apply patches, it can facilitate that while staying available when everything else comes back up. Typically we will start with domain controllers as the first thing patched and verified. Now if there are multiple, and depending on how critical the environment is, a rolling patch might be done so that the secondary domain controllers, or ones that are not on the best hardware, are patched and then they sit for a period.

Backup plans and backstops

11:29 Part of that patching methodology is your backup plans and backstops: having the tools and everything else in place to uninstall a patch if needed. When we set up our servers, we always have Command Prompt and PowerShell already queued up on those devices when we log in. Then we have the availability of pre-planned scripts that we can adjust as we go, but most importantly, all the tools are there and available.

Importance of roles on servers

12:25 Part of your ability to have resiliency in the environment is the ability to reboot whenever you need, because you have redundancy and resiliency. Because it is a single-role server, it gives you that agility to be able to resolve and prevent issues. Therefore, workload design is the name of the game. Whatever you think the cost is of that additional virtual machine, that is nothing compared to the problems that you cannot solve because you tried to shove a bunch of stuff together into workloads that were mismatched. Many patch managers are not comprehensive, and there is a lack of consistency in what is getting patched on a well-designed domain controller versus a third-party application server.

Physical servers

16:09 Watching a virtual machine reboot while maintaining efficiency and not biting off more than one can chew is crucial, but we are also finding it increasingly important to watch the physical servers, and that can only be possible with the right hardware. How are you auditing and confirming which patches are being applied and which ones have not? At QPC Security, we bring all the virtual machines down and reboot the host as a prerequisite for patching because it gives you a clean slate to start your patches. Then we will use the patching methodology to push specific patches down to it. We use our patching piece to push specific ones because not everything is needed for hosts, and other pieces that we have identified will cause an issue, are a multi-patch, or are a multi-patch/multi-reboot process. Taking one step at a time: pull it down, apply patches, make sure everything is happy coming up. Go through that entire process again. While we are connected to iDRAC, we watch the server reboot, apply patches, come back up, make sure all the VMs are checking in properly and everything is available, then go through that process two to three times. It depends on how many patches are available and what things got pushed out.

Everything has patches

20:39 If you have a hypervisor that is not giving you patches, you should not be using it. Likewise, if there is no product improvement then there is no security management from that vendor. There is no easy button or set it and forget it.

21:42 When IT is not confident in how a process is going to work, they do not want to touch it, and that is exactly where a vulnerability arises. Say a consultant installs Cisco, but without a brand expert or budget in place to keep the consultant to maintain it, it remains unpatched and therefore vulnerable. That is precisely why organizations need to have a business continuity and disaster recovery (BCDR) plan in place and a procurement policy that drives effective vulnerability management.

Incremental patching

25:26 When people are too afraid to patch the hardware, it does not get patched, which accumulates over time in terms of technical debt and the technical issues that come with it. Attempting to apply too many patches at once or jump too many versions results in the reboot cycle of death or a very time-consuming reboot because you are not running a vetted, tested, and supported configuration. The more time and versions you allow to pass between patches, the more divergent from the manufacturer's tested config those updates become.

Buying the right hardware to begin with saves you money down the line

33:20 A crucial piece of vulnerability management in your workstations is BIOS, drivers, and firmware. If you buy the right hardware to begin with that has the automation engine built into it, and when you deploy it you configure it accordingly, it becomes far less expensive than paying a human being to manually babysit your vulnerability management.

Not all workloads are created equal

34:59 A word of caution when an IT service provider quotes patch management for your organization. When it comes to patching business line apps that need high uptime because it costs a business thousands of dollars per hour to be down, what patches does the ITSP apply, and with what preparation for a back-out plan? In many cases, an ITSP is giving a client the perception of patch management, certainly not vulnerability management, but in reality they are simply doing a Windows update and only some third-party patching, which might only be five third-party applications. At QPC Security, our catalog of patches covers over 9500 software titles that we are patching, and there is no automation. Visit https://www.ivanti.com/partners/ivanti-software-catalog to learn more about the normalization of software titles.

Cybersecurity insurance applications require continuous vulnerability assessment and vulnerability management. However, most IT service providers do not offer comprehensive patch management. Their vulnerability management claims are grossly misrepresented to the point of malfeasance.

Vendor documentation & software bill of materials

37:43 You cannot keep your head in the sand; all these things must be considered when receiving a quote from an IT service provider. In cases when the software vendor is not offering competent documentation, your organization must rely on the legwork of your IT service provider to offer timely patches at opportune times. Do not forget that many ITSPs will charge you to run patches on the weekend or evenings when there will be minimal impact to your business.

"Titrics"

43:02 Your ITSP should have vetted and tested procedures and protocols for implementing patches, yet all too many do not. So many times, we see that the priority of IT companies is how quickly they can close a ticket, and they rely on the software companies to do the work for them. This focus on first-call closures and ticket metrics (termed here "titrics") grossly underserves their clients and their clients' organizations. Proper documentation allows for better time management and for offering effective support to best serve the needs of the clients without requiring the assistance of the third-party software vendor.

47:05 Gaps in change management, change control, and documentation for server workloads arise when an ITSP is focused on ticket-based productivity rather than quality of service. The original scope of the project by the ITSP requires evaluation from someone who can accurately evaluate the needs of the client's organization. When the bid is too low, the needs of the client are not going to be met, the work will not be completed, and the organization is left vulnerable.

50:03 Unfortunately, an incompetent ITSP will leave out what services they had to cut out in the race to the bottom of the pricing model, and that leaves it up to you, as the business owner, to be aware of your organization's cybersecurity insurance policy requirements and how they are being fulfilled.

Questions? Reach out to us

QPC Security proudly serves businesses with virtual CISO services. If you are interested in learning more about how QPC Security can serve the needs of your organization, please visit https://www.qpcsecurity.com/ or call one of our experts directly at (262) 553-6510. Stay up to date on the most recent episode of Breakfast Bytes by following the podcast on Podbean at https://qpcsecurity.podbean.com/.
Learn more: https://www.complianceforge.com/faq/word-crimes/policy-vs-standard-vs-control-vs-procedure  

Wednesday Sep 21, 2022

We have seen some really goofy cybersecurity insurance application questions. It is always best not to answer a question that is goofy, but instead to write an addendum that defines terms and explains the cybersecurity posture of an organization related to the topic. You need to try to figure out what the insurance company was trying to evaluate rather than just answering their questions, because their questions are frequently not suitable for yes/no answers. Greg Cloon joins me to discuss this topic. We also touch on when you would use file hash integrity checking, when to use disk encryption, and when to use encryption for communications. Here's a link to IISCrypto: https://www.nartac.com/Products/IISCrypto/

Tuesday Sep 13, 2022

Felicia King and Dan Moyer of QPC Security talk about vulnerability management, patch management and all the things that business owners are generally not understanding adequately. As a result of that, you're being underserved, misled, and in some cases were lied to and ripped off. Ultimately, many business owners are refusing to pay for what they need for adequate risk management because they don't understand what they need. In today's episode Felicia and Dan fill that gap.  Announced on October 6, 2021, the US Department of Justice Civil Cyber-Fraud Initiative is applying the false claims act to those who: fail to follow required cybersecurity standards knowingly provide deficient cybersecurity products or services misrepresent their cybersecurity practices or protocols violate obligations to monitor and report cybersecurity incidents and breaches Just let that sink in for a second. So, is your IT service provider really meeting that standard? I sincerely doubt it. 01:23 The difference between vulnerability management and patch management  Holistic vulnerability management includes, but is certainly not limited to:  Software bill of materials analysis  Supply chain risk management  Third-party risk management  End-of-life software  Asset inventory up to date  Lifecycle management  Continuous vulnerability assessment  Frequency penetration tests  Tabletop exercises  Procurement policy  04:38 Cybersecurity insurance applications aren’t asking JUST about patch management  When did you have your last penetration test?  Do you have continuous vulnerability assessment in place?  How long are you going to go without having the patches applied in the environment?  If you think adequate patch management can be done for $50/mo/server, you are hallucinating. So, what’s included in patch and vulnerability management?   05:34 Patch management  Patches are the building blocks that are improving the software that lives on the hardware. 
Without software, you can't interact with the piece of hardware unless it's purely mechanical, and even then there's still improvements of usage.   How do you manage and protect those tools of your business from threat factors?  09:20 Third-party patches & vulnerabilities  IT service provider proposals are telling business owners that they can patch their servers and their endpoints and automate Windows updates and some third-party patches. What are those third party applications? What about all your custom business line applications? Do you actually want your critical SQL server to have its SQL instance updated using automation? How much money does it cost you if that workload is down? 10:27 Asset management  Do you know what you have in your environment? Do you have accurate asset management and vulnerability assessments? Simply stated:   “You can’t secure what you don’t have an accurate inventory for.”  It is a regulatory requirement and cybersecurity insurance requirement to adequately document and understand software dependencies in your environment. That requires a proper inventory of your hardware, software, and subcomponents of the software. This is frequently referred to as SBOM - software bill of materials. And if you think your software vendor is going to provide that information, please go ask them for that information. You will probably get a blank stare. IS security engineers can figure it out on their own. 18:48 Implementing proper procurement policies  Does your procurement policy support your vulnerability management strategy? Does your software acquisition and implementation policy (if you even have one) support your cybersecurity insurance and regulatory requirements? When business decision makers put pressure on an IT service provider or internal IT to implement new software without proper security protocols, vetting, and process documentation, vulnerabilities are nearly always introduced into your environment. 
Sometimes that comes directly from their insecure software. Sometimes it comes from the tools and connectivity they use to remote into your systems or things like API connectors that your IT is supposed to just blindly trust the software vendor to secure their software with zero validation or proof. A proper CISO on your team or through your ITSP will be able to directly vet the vendor and software itself. You are required by cybersecurity insurance and Federal regulatory guidance to do so. It is also in your business's best interest to do so. Be very careful looking for just certifications for someone who says they are a CISO. The majority of CISOs do not have technical chops. They are often compliance managers that cannot do the technical work. Those people have limited usefulness and will not be able to  All of the vCISOs at QPC are hardcore technical because we understand the essential nature of that skillset being a mandatory requirement to deliver effective CISO services. 20:24 Privileged access management and privileged password management  How do you know who has access to remote access to your systems? How many people will have access to your systems? Today, there are many IT service providers who are not disclosing their outsourced Helpdesks that are giving full administrative-level access to a customer’s back end to all those workers at the virtual live Helpdesk. Most ITSPs also fail to disclose the totality of the quantity of people that will end up with admin access to some or all of your systems. Ask yourself. If you have 25 office personnel, why would it take 30 remote people to have admin access to your systems in order to provide competent support? Do you think it is actually possible to have a high security environment and magically keep 30 people fully up-to-speed on the exact correct configurations required in your environment and what the interaction effects are? It's not possible and will never happen.  
24:27 A procurement policy can keep a business' IT costs stable  The number one thing that business owners complain about is the cost of maintenance. With a procurement policy in place and by working with their IT service provider and procuring anything that they do not have a full understanding of the total cost of ownership for – costs can be managed.  Does your procurement policy support your business strategy and needs?  34:22 Understanding the cost and time of device and software procurement  There's also a lot of other risks that the vast majority people don't think about; they tend to only think about the budgetary risk. However, getting the strategic input from a CISO or CIO to develop an understanding of the minimum pricing floor and how that affects the total cost of ownership, can save a business not only money but time.   SaaS can get you closer to a flat-rate cost but you may have inherited additional risk and vulnerabilities, depending on how the new technology interconnects with your systems. Additional risk factors are: counterparty risk structural increase in cost of doing business risk accessibility risk (redundant access is then required and cannot be fully mitigated) external software vendor attack vector risk that cannot be mitigated through Layer3 ACLs takedown/contract risk 37:33 Cloud vs on-prem security  It's still a fallacy that having your systems in the cloud is better and cheaper, incorrectly thinking they can have as good security in the cloud as they can on premise. Going to SaaS can provide a lower and more predictable TCO if the counterparty risk you accept is worth it. But picking up your servers and hosting them on someone else's infrastructure will never be less expensive. IaaS cost savings are a fallacy for the majority of businesses. The exception being massive companies with heavy DevOps needs for spinning up and down workloads quickly. Most of those items are being migrated to Kubernetes and OpenShift. 
46:48 IT/IS is not a utility

The electricity company, the water utility, garbage pickup, fire and safety, the ISP: they are monopolies and uni-taskers, whereas IT is far more complex. People tend to think that if it’s a utility, it’s a commodity, and if it’s a commodity it doesn’t matter which service provider they choose. Business decision makers are trying to manage budget risk without understanding their requirements. They also want to have budgetary control while abdicating their involvement upon outsourcing their IT to an ITSP. An IT service provider can be a partner to success and can help businesses develop better business strategies IF there is regular and open communication.

This is part 1 of a 2-part series on vulnerability management. Listen to Part 2 at https://qpcsecurity.podbean.com/e/vulnerability-management-with-felicia-and-dan-part-2. To learn more about QPC Security, visit us at https://www.qpcsecurity.com/

Another resource for vulnerability management information: https://land.fortmesa.com/vulnerability-management-101

Sunday Jul 17, 2022

Scenario 1: Phone VLAN on a switch, cross connected into a Firebox, with desk phones, PCs, and printers in the environment

Questions we actually got: On Monday, we send over the list of which switch ports are for printers, which are for PCs, and which are for desk phones. The technician says that two of the three phones are not working. We use our awesome switches to find out exactly where these other phones were plugged in. The phones were plugged into the wrong switch ports. Move the desk phones, and the phones work. Then later, the technician runs a test for the VOIP service from a PC on the PC VLAN, not from a PC connected to the phone VLAN. So the test for the VOIP service fails. Security zone profiles exist. It is not acceptable to have an allow-everything network security posture. The configurations needed to support desk phones are completely different from those required to support domain-joined Windows computer assets.

Some ITSPs have to pay for expensive add-ons like Auvik to try to compensate for the fact that they have inadequate switching equipment with inadequate design and a sprawl that they have to inventory and keep track of. TCO comes from how much time it takes to maintain, manage, troubleshoot, and do adds/moves/deletes/upgrades. If I have to physically go to a site to chase some cabling, something is really wrong. The technician in this scenario also could not believe we wanted two network cables between the switch and the core router. They are not the only one. I encountered this lack of vision and understanding in another client IT director earlier in the year. If you don't know why you would have two network cables between a switch and a core router, go figure that out.

Scenario 1: Phone system with desk phones. Each desk phone has its own network cable, which is good. The phone subnet should be a separate VLAN, but the ITSP chose to separate the phones using physically separate switching equipment. That is something I would never do.
Commentary provided by the ITSP: "I don’t like VLANs. I would rather set up a network with physical segmentation." This results in:

  • Loss of visibility
  • Loss of network resiliency
  • More expense, because you have more switches to babysit and troubleshoot

So if you have 20 or 40 VLANs, does that mean you are going to have 20 or 40 physical switches? If you don’t have 20 VLANs, then what network security do you really have? How do you present virtual servers on the proper microsegmented security zone when you cannot transmit tagged packets? Let’s just talk about the minimum VLANs that we typically see here:

  • SwitchOOBM
  • ServerOOBM
  • SwitchMgmt
  • WAPMgmt
  • Phone
  • Surveillance
  • CorpWired
  • CorpWireless
  • GuestWireless
  • HVAC
  • ElecMon
  • Chromebooks
  • CaptivePortal
  • Tier0
  • DCs
  • AppGroup1
  • AppGroup2
  • DeprecatedApps
  • Printer
  • Storage
  • IAM
  • RMM

Clearly anything over two becomes ridiculous to do with physically separate switch equipment. The days of this paradigm or strategy are long gone, since cybersecurity compliance requires microsegmentation. And network security strategies and technical controls are some of the most effective primary and compensating controls for the cybersecurity posture of all protected assets, regardless of type.

Saturday Jul 16, 2022

More than 80% of breaches occur due to credential theft. All organizations have compliance requirements to have org-owned password management systems and MFA enforcement on accounts used by employees and contractors. Some other needs which must be met are:

  • Compliance attestation documentation
  • Proper use of the best MFA method on a per-resource basis
  • Aligning business continuity objectives with cybersecurity objectives
  • Developing procedures for staff on how to use the company password manager system properly
  • Aligning procedures with information security policy
  • Developing/enhancing information security policy
  • End user awareness training around credentials, MFA, password management and more

I wrote a 16-page educational guide for clients to help them understand the complexities and challenges of password manager solutions and why this is not an easy-button project. This podcast is a supplement to that whitepaper.

See the following supporting podcasts for additional information.
https://qpcsecurity.podbean.com/e/requirements-for-premise-hosted-assets-cybersecurity-bcdr-and-more/
https://qpcsecurity.podbean.com/e/how-to-achieve-compliance-for-privileged-account-management/
https://qpcsecurity.podbean.com/e/avoid-cybersecurity-insurance-fraud/

Why buy from QPC

QPC provides managed clients with staff onboarding and training documentation. As we update the documentation with new procedures or enhancements, we publish the new versions of the documents to the client’s IT Training SharePoint library. We also make them available through the QPC Security portal, which all M365 users have access to. QPC creates and maintains workflows for cybersecurity insurance and compliance attestation for managed clients. Compliance attestation, and the maintenance of the reports and workflows to produce the compliance attestation, are mandatory for cybersecurity insurance and for some Federal or State regulatory compliance.
As supply chain and vendor risk management becomes more prevalent, organizations will need to provide proof of these items to customers or prospective customers as part of contractual due diligence. Organizations can scramble to compile these items on their own, or:

  • Managed clients benefit from QPC’s compliance preparedness.
  • Access to QPC’s password manager import/export/business continuity procedures.
  • Our expertise in password manager conversions reduces friction in staff adoption of the system.
  • Support customized to the client’s unique needs.
  • Strategic guidance on how to best use the tool to meet the staff’s needs while remaining in compliance and alignment with HR, information security, and company use of technology policies.
  • Advanced security implementation services.
  • Reduced implementation time compared to implementation by the client’s in-house IT.
  • Compliance attestation for cybersecurity insurance.
  • HR policies which support use of the solution; employee use policies.
  • QPC-provided password security policy.
  • Training for end users on how to set up what kind of MFA.
  • QPC has systems for shared MFA even when OTP is not an option for a resource client staff are accessing.
  • Managed clients benefit from QPC’s existing R&D investment as well as ongoing enhancements of managed functionality.
  • At any point a client who wishes to separate from QPC can do so, with no data loss or business continuity risk. This is covered in the separation section of this document.
  • QPC has a strong relationship with the software vendor, where the feature requests we submit are typically integrated in the product within three months. We submit feature requests for functionality for managed clients.
  • QPC includes additional compliance modules in the subscription which are not part of the standard direct subscription. Keep this in mind when doing price comparisons.
  • QPC can co-term licensing for user additions.
  • Direct software vendor support is not designed to be anything other than break/fix.
  • Quicker response time than direct software vendor support.
  • QPC is able to provide enterprise level support for the product, whereas a direct customer would need a $25,000 per year support contract in order to receive a similar level of support directly from the software vendor.
  • QPC can be the compliance delegated admin for clients where desired. If not desired, then the client must assign and fully train the compliance manager delegated admin. Responsibilities and recurring tasks must be assigned to that person.
  • QPC works with managed clients to define staff user roles and assign security policies to them. Some employees should not be accessing the password vaults unless they are on company-owned and secured systems. We define allowed platforms and security baselines, restrict data exfiltration, and more.
  • QPC can implement additional technical controls to prevent employees from storing passwords where they should not be stored, such as browsers. We strongly recommend technical controls and ongoing cybersecurity awareness training, backed by employee policies that reduce the opportunity for storing passwords related to company assets in an unapproved manner.
  • QPC can provide a separate end user support system for clients, where they are able to contact the password manager support via email, chat, and phone. This service is not available for direct purchasers. Direct support includes only Level 1 help desk for basic user configuration or end-user issues, at a quantity of 25 per year. Free online documentation and videos are included, of course. Onboarding, new employee training, and configuration management support are not available for direct accounts.
Business continuity

Not only should all organization- or company-related credentials be stored in a company-approved password management system, but at least two individuals in every department should have modify access to any shared credentials. Password management systems which meet the security requirements and are cloud-based tend to have zero trust storage methods. Zero trust storage is a very important concept. It means that if a second person was not granted access to that data, it may become irretrievable. It also means that unauthorized parties cannot see your passwords or the content you store with them. That includes your service provider and the password management system hosting provider.

Business continuity also comes from techniques. For example, individuals who share a job function should always have their own unique logins and MFA into a system where possible. That is the dual-admin approach. Great examples of that are Constant Contact, bank websites, your company UPS account, marketing automation platforms, etc. Multiple people may be sharing a job function, but each person should have their own login IDs where possible. In the cases where a website or resource does not allow individual credentials for multiple individuals, the use of a password manager application with shared MFA allows the shared business function staff to have secure access to the same credential with MFA enforcement on the resource. This is a critical feature for security and risk mitigation.

Separation from IT service provider

In the case that the client wishes to separate from QPC, they are able to convert to a direct paid account or to migrate their licensing to another IT service provider. No data loss will occur as long as proper offboarding procedures are followed. The procedure is quite simple. First, one must pay for separate licensing.
Second, the master administrator account which is like a glass-break recovery account must be transferred to the new designated personnel. This is very easy to do since QPC’s standard business continuity protocol for configuration of a managed tenant involves the inclusion of this glass-break or master recovery account.
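The zero trust storage model described under Business continuity above, as an added example that is not part of the original notes or any vendor's product: the hosting provider holds only ciphertext, per-user salts, and per-user wrapped copies of the vault's data encryption key, so it cannot read the vault, only an existing holder can grant a second person access, and offboarding the last holder leaves the contents irretrievable. The HMAC-based cipher, the ZeroTrustVault class and the user names are my constructions; a real product would use an AEAD such as AES-GCM.

```python
"""Illustrative zero trust (zero-knowledge) vault storage model (constructed example)."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stands in for a real cipher so this runs on stdlib only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class ZeroTrustVault:
    """Everything held by this object is what the hosting provider stores (hypothetical model)."""

    def __init__(self, user: str, passphrase: str, entries: dict):
        dek = secrets.token_bytes(32)          # data encryption key; never stored anywhere
        self.ciphertext = seal(dek, json.dumps(entries).encode())
        self.salts = {}                        # user -> PBKDF2 salt
        self.wrapped_dek = {}                  # user -> DEK sealed under that user's key
        self._wrap_for(user, passphrase, dek)

    def _user_key(self, user: str, passphrase: str) -> bytes:
        # Passphrase-derived key; only ever exists on the user's own device.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salts[user], 100_000)

    def _wrap_for(self, user: str, passphrase: str, dek: bytes) -> None:
        self.salts[user] = secrets.token_bytes(16)
        self.wrapped_dek[user] = seal(self._user_key(user, passphrase), dek)

    def holders(self) -> list:
        return sorted(self.wrapped_dek)

    def unlock(self, user: str, passphrase: str) -> dict:
        """KeyError if the user holds no wrapped DEK; ValueError on a wrong passphrase."""
        dek = unseal(self._user_key(user, passphrase), self.wrapped_dek[user])
        return json.loads(unseal(dek, self.ciphertext).decode())

    def grant(self, granter: str, granter_pass: str, new_user: str, new_pass: str) -> None:
        """Only an existing holder can extend access; the provider never can."""
        dek = unseal(self._user_key(granter, granter_pass), self.wrapped_dek[granter])
        self._wrap_for(new_user, new_pass, dek)

    def offboard(self, user: str) -> None:
        """Removing the last holder makes the vault irretrievable by design."""
        del self.wrapped_dek[user]
        del self.salts[user]


if __name__ == "__main__":
    # Constructed sample: one shared department credential, two holders.
    vault = ZeroTrustVault("alice", "correct horse", {"company UPS account": "example-only"})
    vault.grant("alice", "correct horse", "bob", "battery staple")   # second person granted
    vault.offboard("alice")                                          # alice leaves the company
    print("bob still recovers:", vault.unlock("bob", "battery staple"))
    vault.offboard("bob")
    print("holders left:", vault.holders(), "-> contents are now irretrievable")
```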

Friday Jul 01, 2022

You should not put things in the cloud unless you can secure them there at least as well as a highly competent professional would have if they had that asset on premise. Cloud hosted assets have additional risks:

  • Counterparty risk
  • Additional outage and accessibility risk
  • You have less control
  • You have less security over the human or governmental access to your content
  • Zero 4th Amendment protections over that data. It's fully subject to FISA searches that the provider is required to never tell you about.

Also do NOT get sucked into the scam that cloud hosting servers is more secure than if you did them on premise, or somehow more cost effective. That is sheer lunacy. SaaS can be more cost effective and more secure. Look at Office 365 as an example. That is clearly more secure, more cost effective, and more value than a premise Exchange server. SalesForce could be better for you than running your own CRM, but then you are also fully open to their crazy policies, which could rip the rug out from under one of your most business critical systems. There is no one right answer 100% of the time. Context and artistry of security strategy are exceedingly important. This show is about these things as well as what you must have in place to have premise hosted secure assets. I describe a Tier0 asset scenario specifically and what can easily undermine it.

Premise hosted password managers

It is worth noting that extremely high functionality privileged access management and identity management systems are available in a premise hosted format, with a perpetual licensing model and very low annual software maintenance fees. These systems are exceptionally valuable to IT departments, and QPC has extensive experience in these platforms. They are an exceptional value to IT management functions and IT departments. However, most organizations, even those with full-time IT departments, will not meet the requirements for self-hosting. Why?
In order for a self-hosted password management system to be successful, it relies upon many factors which must be in place and fully executed with extremely high levels of skill and security. This level of skill is outside the technical skill level of nearly all IT departments of companies with fewer than 5000 employees. If the requirements are not fully met continually for the life of use of the platform, the platform and its contents are likely to be compromised. A compromise could consist of the data exfiltration of the entire password vault database, which would be catastrophic to the organization.

Baseline requirements for premise password managers

  • Extremely tight supply chain risk network layer security rules and management
  • Ability to do offline upgrades for all software and systems involved
  • Extremely adept underlying server, network, and power infrastructure management
  • Rapid patch management, within 48 hours or less
  • Always-on scanning for vulnerability assessment, backed by active monitoring and remediation
  • Active monitoring
  • Multiple first line backups per day, with multiple encrypted offsite backups per day
  • Two physically disparate sites with significant server, network, and power infrastructure, with automatic backup generator service and redundant internet
  • Proficiency at managing SQL Server replication over WAN links in an active/active SQL Server configuration
  • Proficiency at maintaining active/active application server configurations and automatic failover network configurations
  • Absolute rigorous discipline to adhere to documented standards for vault creation, password management system administration, application updates, database system updates, OS updates, third party app updates, and network layer security management across the entire internal and site-to-site connected networks. Any laxity in the discipline of the IT personnel managing the system will cause it to fail to deliver the security profile required for critical assets.
  • Minimum of two servers involved, with the addition of more servers if internet facing roles such as mobile access are desired
  • IT personnel’s ability to implement and maintain complex privileged access management systems
  • Regular security compliance and audit report reviews. This will require a CISO and/or compliance officer with significant technical skill.

Friday Jun 03, 2022

I got a request to post this podcast from 12/1/2018 to podbean. Here it is.

Friday Jun 03, 2022

Originally aired: 11/1/2018. I had a request to post this older podcast to Podbean, so here it is. VMS Appliance cost analysis between the "appliance" version and the "you get a real server" version. https://qualityplusconsulting.com/BBytes/QPCAnalysisOnAxisVideoRecorderServer.pdf

Friday Jun 03, 2022

I got a request to publish a podcast I did a few years back on Podbean, so here it is. Originally this was from 10/19/2018.

Usually there is no substitute for real server hardware. Attempts to pay less for server hardware almost always end up costing you more in the long run. Windows 10 as of Build 1809 (10/2/2018) has an IPv6 requirement. There are a bunch of problems with that. We cover the option of running an ACS Appliance instead of building your own ACS VMS using a real server. We will go into more detail about this in part 2. You must include the cost of labor over the life of the hardware as a consideration if you are going to come up with a viable cost comparison between solutions. We briefly touch on the option of running a VM on a Synology NAS. More about this on a later show.

VMS Appliance cost analysis between the "appliance" version and the "you get a real server" version: https://qualityplusconsulting.com/BBytes/QPCAnalysisOnAxisVideoRecorderServer.pdf

Wednesday Jun 01, 2022

Overview

Listen to the podcast or the list of these resources may not make sense to you. You cannot secure what you cannot engineer, implement, maintain, and support. Security was always infused into IT if you did IT correctly. I know. I've been doing IT since 1993 and was programming in third grade. Security was ALWAYS part of a proper strategy. I'm always trying to add to the team. But I find that a lot of people are just wholly unqualified to do baseline prerequisites. They get misled and sold on the idea of getting a degree in IT/IS/Cybersecurity. Unless you have mastered the items on this list, it won't matter what degree you have. Here are some other helpful articles: https://www.qpcsecurity.com/careers/

Networking

Network layer security appliances: I recommend WatchGuard Fireboxes where you use the Firebox as the core router. It must have a full Total Security Suite active subscription with fully updated Fireware or you won’t be able to learn. LAG a trunk between the Firebox and the switch. You must use a unit with an active subscription.

Layer 3 network switches: Must be able to LAG and VLAN at a minimum. I recommend Extreme EXOS X440 G2 PoE switches (12p, 24p, etc.), but you must get modern firmware on the switch. These can be procured used online via eBay and other sources.

Enterprise grade wireless access point: At least two wireless SSIDs on different VLANs, with a supply chain risk management configuration on the management interface. Depending on the WAP model, it may be possible to use an older WAP that has no cloud controller; it may be configurable as the local controller. A cloud controller is acceptable also, as long as you do supply chain risk management network configuration.

Virtualized switches and net sec appliances don’t work for learning. Set up OOBM VLANs. Lock it down. Hardcore microsegmentation, hardcore packet inspection. Massive supply chain risk management strategies at the network layer. Challenge yourself to always make it more locked down.
If you want to learn networking, I do not suggest Cisco's training material at all. HP Flex Net training is quite good in terms of teaching you the fundamentals that you need to know. Then, from a network security model, you need to learn and master network layer security appliances. I can only recommend WatchGuard and Fortinet. Everything else has problems, and I won't waste time here on why.

Servers: Dell PowerEdge servers can be purchased from outlet.dell.com very inexpensively. Get something you can run at least the hypervisor and a couple of VMs on. It must have at least iDRAC Enterprise. Knowledge of Hyper-V, managing VMs, hypervisors, and sophisticated patching is mandatory.

Office 365 / Microsoft 365: You should run your own tenant and learn how to use this technology if you want to be employable.

Domain/DNS: You must understand domain and DNS hosting and DNS records, especially for all services hosted through Office 365.

NAS: A TFTP server is mandatory for working with switching equipment for configuration backups, restores, and firmware upgrades. Running TFTP on a Windows or Linux desktop OS is very problematic. A Synology NAS has TFTP capabilities as well as a ton of other features. The NAS has Active Backup and Hyper Backup, which could be used to back up the VMs in your lab and your Office 365 tenant. BCDR skills are mandatory. I see no better way to learn BCDR than by doing it. Do not shortcut the size of the hard drives you put in the NAS. It's not worth it. You need lots of space to be able to fully utilize the NAS as your learning zone. The minimum NAS is a DS218: https://www.synology.com/en-us/products/DS218 I suggest Seagate IronWolf Pro drives. You must use NAS-rated hard drives. I suggest getting two of the 8 TB hard drives, as that will give you plenty of space to play with and they are quite affordable.
Priority recommendation

  • NAS
  • Domain/DNS/Office 365 tenant
  • Network layer security appliance
  • Layer 3 switch
  • PowerEdge server

Learning resources

  • TryHackMe
  • https://www.ultimatewindowssecurity.com/webinars/default.aspx
  • You must learn Tiered access control. MUST. And you must know how to implement it. https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=3695
  • Learn privileged access management and privileged admin workstations:
    https://docs.microsoft.com/en-us/security/compass/privileged-access-devices
    https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model
    https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges
    https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services
  • BHIS webinars and training: https://www.blackhillsinfosec.com/blog/
  • KnowBe4 excellent webinars and ebooks: https://www.knowbe4.com/webinar-library
  • Excellent article on supply chain risk and SBOM risk: https://www.darkreading.com/application-security/zero-click-zoom-bug-allows-remote-code-execution-by-sending-a-message

Learning server hardware notes

Tower style PowerEdge is cheaper than rack mount. We nearly always buy rack mount so that it can be installed in a rack, as that takes up less space and is easier to service. You should assume 4 processor cores per server instance. So if you do two VMs and a Hyper-V host, that is 3 x 4 cores, so you would need at least a 12-core single processor server. For RAM, assume at least 8 GB per instance; RAM cannot be over-allocated. RAM must also be purchased in increments that work in that hardware. So 8 x 3 = 24 GB at least; I would round to 64 GB. I would want to go with 2x 2 TB hard drives on a PERC in RAID 1 at a minimum. Each C: drive (host and VMs) will be 200 GB. Then on the host you need space on D: for the VMs, their cold copies, and other things like file services.
The price difference between 1 TB hard drives and 2 TB hard drives is so minimal that I would not limit it to 1 TB. I put 1 TB hard drives in all laptops now, and my team typically has 2 TB hard drives in laptops. Then iDRAC Enterprise.

PowerShell learning: https://www.sapien.com/blog/2020/05/25/free-training-videos-learn-windows-powershell/

Wireless learning

Good wireless design says that if you do more than 4 SSIDs on a single AP, you are going to have problems. Frankly, anything more than 2 is undesirable. There are wireless design reasons for this which I won’t write a book about here. There are plenty of wireless-for-dummies resources available. For security and management reasons, you need to have guest separate from Chromebooks separate from trusted wireless Windows laptops, etc. So right there we are already at three SSIDs. Then you want to have different join policies for each. A guest network only works with a captive portal, or you give everyone the PSK. Chromebooks work best when they use certificate-based authentication to wireless. Windows laptops are most secure with RADIUS, which is again certificate-based authentication. You don’t have to have premise Active Directory to have RADIUS, so don’t get sucked into that misunderstanding. We now have Azure AD and other resources, such as WatchGuard Fireboxes with WatchGuard Cloud, which can be a much more cost effective and easy to use/manage MFA-enabled RADIUS server. PSK is considered insecure and problematic for a lot of reasons, which again I am not going to write a book about here.

I go for configs which do not push more than two SSIDs through a WAP. So that is 3 VLANs if you are doing static VLAN-to-SSID mapping. Only two of those are SSID-related VLANs; the third is the WAP management VLAN. Anything more simply results in bad wireless design. It is preferable to have a single SSID that devices join and then get automatically redirected from, based upon policy and captive portal, with dynamic VLAN assignment.
A captive portal VLAN would be the addition of another VLAN, and you would need very special security zone profile rules for that. If you are doing dynamic VLAN assignment, you can push the required VLANs through to the AP, but you would never push management, OOBM, Tier0, Server, Printer, or similar VLANs through to an AP. I would never do trunk all. There are many security issues with that. So doing more than 3 VLANs only makes sense if you are using dynamic VLAN assignment. You can only do that if you have a captive portal and the policies to support it. And you can only cost effectively do that with an enterprise grade cloud controller.

On switches

https://qualityplusconsulting.com/res/network/SwitchingParadigms.pdf

People complain about the cost of real switching equipment. Even many people in the IT industry seem to like Meraki and Ubiquiti. I avoid those completely. I am interested in total cost of ownership. The hardware expense at acquisition is not a big deal. What really matters is that you don't have preventable limitations and your TCO is comparably low. Anything that wastes my time is very expensive. Anything that is not fast, reliable, and efficient to use, program, upgrade, troubleshoot, and maintain is expensive or a security risk. Network infrastructure must be rock solid. A next business day warranty, or the lack of a GTAC contract on critical infrastructure, is a non-starter. A 4 hour response time warranty and quality GTAC support are mandatory. The only time I need to call for support is when something ugly is happening, and I want high quality support to call and hardware with excellent diagnostics and visibility into what is going on. This directly translates to value, lowered time to problem resolution, and lower cost to the client. I recently heard from someone who was complaining about the price of a X440G2-12P-GE4 switch on eBay. It was $800. That is way below partner cost for a new switch, by the way.
Of course that does NOT include warranty, service contract, support, or access to firmware. But it is a high quality switch. An alternative Netgear switch with only 10 ports and about half the functionality was $700. So I don't see the contest here. Pay $100 more for something that is smoking good compared to something that you know you are going to find limitations in. And I don't believe a 4-hour response time warranty contract is available for the Netgear. I know it does not have the same kind of high end GTAC support that Extreme has, nor does it have the same kind of switch capabilities. So is my time differential over the life span of the switch worth more than $100? Obviously yes.

The biggest and most expensive errors I have seen people make in IT over the last 29 years are in procurement. They procure the wrong things. They have no procurement policy and likely no standards. Usually no strategy. Instead, IT just buys whatever IT thinks is cheapest at that time. If you are a CFO, be aware that your IT director may be bringing you things that have a high TCO only because they are selecting things that look cheap in terms of acquisition cost. This is quite common, as a lot of IT directors in the SMB space have no enterprise experience and lack the ability to articulate the value proposition for something that looks more expensive at acquisition time but has a lower TCO. The best way to protect yourself against these problems is to have an outsourced CISO like QPC Security who can work with your team to design standards and who should be part of the procurement approval process BEFORE purchases are made. The single most effective thing you can do to control costs is to have a procurement policy.

On cloud controllers for wireless

I really like wireless cloud controllers because you can economically get super high grade functionality on even a single AP.
If you were to try to do captive portal, WIPS, and dynamic VLAN assignment in a local controller scenario, you are looking at a floor of about $30,000 for hardware, licensing, and implementation. That is not an SMB price. A lot of hospitals, and school districts, will choke at that price tag. So it does not get done. But I can get that level of functionality with a cloud controller on a single premise AP. Cloud controllers have better, more accessible diagnostics. Less stuff to maintain. And when implemented properly with a proper technology selection, they can be just as secure as premise controllers. Role based access control with a cloud controller and enforced MFA for PAM is easier. Trying to do that with a local controller is very difficult.

High security, high functionality WAPs are not inexpensive. The MSRP on a WatchGuard AP325 with Total Wifi for 3 years is $900. That would probably turn into the $780 range to purchase from a partner. And you would want a wall plate for it also for mounting. That is $15. Total Wifi is the only thing I use in my environments. The AP325 is tied to the Arista Cloud, and the WIPS is excellent.

Another advantage to the cloud controller is the ability to set up templates and then deploy them to different tenants. For example, I can engineer a master template for all clients, and then display that template into a subtenant, which makes onboarding faster. I can control settings higher up, or let them be managed at the subtenant or even per-group basis in a tenant. So if you had two buildings where you wanted different settings used, you can easily do that in the cloud controller: same tenant, different groups. Or you can use the same settings in two different buildings. That way, as your user base moves from one building to the other, they have a seamless experience. If you were to try to do that with a local controller, that’s a lot harder. I do not like WatchGuard's wifi 6 technology and won't use it. We are switching to Extreme Cloud IQ wifi.
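The AP trunk rules from the wireless learning notes above, turned into a policy check you can run over a port inventory, as an added example that is not code from QPC or any switch vendor: at most two SSID VLANs per WAP with static mapping, more only with dynamic VLAN assignment behind a captive portal, never trunk all, and never push management, OOBM, Tier0, server, printer or similar VLANs to an AP. The VLAN names come from the minimum VLAN list earlier on this page; which of them count as protected, the ApPort structure, and the sample ports are my assumptions.

```python
"""Policy check for what a switch port facing a wireless AP may carry (constructed example)."""
from dataclasses import dataclass, field

# Assumption: VLANs that must never reach an AP uplink, chosen from the page's VLAN list.
PROTECTED_VLANS = {
    "SwitchOOBM", "ServerOOBM", "SwitchMgmt", "Tier0", "DCs",
    "AppGroup1", "AppGroup2", "DeprecatedApps", "Printer", "Storage",
    "IAM", "RMM", "Surveillance", "HVAC", "ElecMon",
}
WAP_MGMT_VLAN = "WAPMgmt"        # the third VLAN in a static two-SSID design
MAX_STATIC_SSID_VLANS = 2        # "do not push more than two SSIDs through a WAP"


@dataclass
class ApPort:
    name: str
    untagged: str                          # native VLAN the AP itself lives on
    tagged: set = field(default_factory=set)
    trunk_all: bool = False                # "allow all VLANs" on the trunk
    dynamic_vlan: bool = False             # captive portal / policy-assigned VLANs


def check_ap_port(port: ApPort) -> list:
    """Return policy findings for one AP uplink; an empty list means it complies."""
    findings = []
    if port.trunk_all:
        findings.append("trunk all is never acceptable on an AP uplink")
    carried = {port.untagged} | set(port.tagged)
    for vlan in sorted(carried & PROTECTED_VLANS):
        findings.append(f"protected VLAN {vlan} must not be pushed to an AP")
    if port.untagged != WAP_MGMT_VLAN:
        findings.append(f"AP management traffic should ride {WAP_MGMT_VLAN}, not {port.untagged}")
    ssid_vlans = set(port.tagged) - {WAP_MGMT_VLAN}
    if not port.dynamic_vlan and len(ssid_vlans) > MAX_STATIC_SSID_VLANS:
        findings.append(
            f"{len(ssid_vlans)} SSID VLANs with static mapping; "
            f"more than {MAX_STATIC_SSID_VLANS} requires dynamic VLAN assignment"
        )
    return findings


def audit(ports) -> dict:
    """Map each port name to its findings for a quick report."""
    return {p.name: check_ap_port(p) for p in ports}


# Constructed sample inventory: two compliant designs and three that break the rules.
SAMPLE_PORTS = [
    ApPort("1:5", untagged="WAPMgmt", tagged={"CorpWireless", "GuestWireless"}),
    ApPort("1:6", untagged="WAPMgmt", tagged={"CorpWireless", "GuestWireless", "Chromebooks"}),
    ApPort("1:7", untagged="WAPMgmt",
           tagged={"CorpWireless", "GuestWireless", "Chromebooks", "CaptivePortal"},
           dynamic_vlan=True),
    ApPort("1:8", untagged="CorpWired", tagged={"Tier0", "Printer", "CorpWireless"}),
    ApPort("1:9", untagged="WAPMgmt", trunk_all=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PORTS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```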
Hard drive technology, important things to know: https://hddscan.com/doc/HDD_Tracks_and_Zones.html

Scripting: https://www.robvanderwoude.com/

Certification resources: https://www.professormesser.com/ Messer has a lot of free YouTube video training.

Tuesday May 17, 2022

Amazing interview with Colin Ruskin, CEO of WorkOptima, on the topic of right-sized software. Colin has an incredible talent for distilling the truth of something into a catchy and memorable tagline using spot-on metaphors. Some highlights:

  • Can I actually use the software and benefit from it?
  • Floors versus software that grows with you
  • All features all the time, but license it per user
  • Enterprise drama and the enterprise mindset, which is not really trying to sell to the SMB market and is really trying to break into the SMB market because they ran out of customers in the enterprise market
  • How to evaluate software: What do you need to do in order to make it work for your transaction?
  • Far too few product managers are on sales calls interacting directly with customers
  • Every software company is behind on features the customers are asking for
  • Iceberg situation: millions of lines of code that no one sees and does not appreciate. You need to really be on top of it and prioritize fixing the items below the water in addition to the above-the-water items, which are the features the customers want.
  • A lot of companies have acquired software companies. They have failed to keep the software developers. They have lost the knowledge base about how this thing does what it does. Huge resistance to changing or updating the code.
  • What is this vendor's real story? Who is this vendor actually focused on taking care of?
  • Exit strategy from software: Who owns the data and how are you getting it out? When you say goodbye, how are you going to get out of that system? Will you ever want this thing 20 years in the future? Who really OWNS the content?
  • Are they in it for the long game or are they in it for the transaction? They are very focused on the stock market and the revenue recognition model. They are so focused on stock price manipulation. They have completely lost track of and lost focus on the actual goal.
  • Try to understand the company and management that is behind the product.

4/27/2022

Tuesday May 03, 2022

Cybersecurity insurance requires MFA for all internal and external administrative access. How do you accomplish this? Examples of things you might access administratively:
- switches
- firewalls
- servers
- printers
- workstations
- DNS hosting
- website hosting
- cloud management portals
- NAS
- BCDR appliances
There are many ways to solve this problem, too many to write up here, so that is what this episode covers:
- Passwordstate remote integrated proxy authentication
- tiered access control
- compensating controls as an alternative to MFA
- access portals with MFA
- privileged admin workstations
- account logon restrictions
- hardened network access control restrictions (microsegmentation strategies)
- more
https://www.clickstudios.com.au/remotesitelocations/default.aspx
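Two of the items above, tiered access control and account logon restrictions, can be audited and enforced directly in Active Directory. The script below is an added example written for this page; it is not code from the episode, from Passwordstate or from QPC Security. It assumes a group named Tier0-Admins holds the privileged accounts and that PAW01 and PAW02 are the privileged admin workstations (all three names are hypothetical), and it requires the RSAT ActiveDirectory module plus rights to modify the accounts. Run without -Enforce it only reports; with -Enforce it applies the restrictions.

```powershell
# Added example, not from the podcast, Passwordstate or QPC Security.
# Assumed (hypothetical) names: AD group 'Tier0-Admins' holds the privileged
# accounts; 'PAW01' and 'PAW02' are the privileged admin workstations.
# Requires the RSAT ActiveDirectory module and rights to modify the accounts.
param(
    [string]   $PrivilegedGroup = 'Tier0-Admins',
    [string[]] $PawHosts        = @('PAW01', 'PAW02'),
    [switch]   $Enforce          # without -Enforce the script only reports
)

Import-Module ActiveDirectory

$allowed   = $PawHosts -join ','
$protected = Get-ADGroup -Identity 'Protected Users'

# Privileged accounts, including those nested in sub-groups.
$admins = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LogonWorkstations, AccountNotDelegated, MemberOf

foreach ($u in $admins) {
    $findings = @()

    # 1. Account logon restriction. An empty LogonWorkstations value means the
    #    account may log on interactively from any domain-joined host, which
    #    defeats the point of having privileged admin workstations.
    $current = @()
    if ($u.LogonWorkstations) { $current = $u.LogonWorkstations -split ',' }
    $extra = $current | Where-Object { $_ -notin $PawHosts }
    if ((-not $current) -or $extra) {
        $findings += "LogonWorkstations is '$($u.LogonWorkstations)'; expected '$allowed'"
        if ($Enforce) { Set-ADUser -Identity $u -LogonWorkstations $allowed }
    }

    # 2. Tiered access control. A tier-0 credential must be marked 'sensitive
    #    and cannot be delegated', otherwise a lower-tier service configured
    #    for Kerberos delegation can impersonate it.
    if (-not $u.AccountNotDelegated) {
        $findings += 'delegation is not blocked (AccountNotDelegated is false)'
        if ($Enforce) { Set-ADUser -Identity $u -AccountNotDelegated $true }
    }

    # 3. Protected Users membership disables NTLM, DES/RC4 Kerberos and
    #    long-lived tickets for the account, a standard tier-0 hardening.
    if ($u.MemberOf -notcontains $protected.DistinguishedName) {
        $findings += 'not a member of Protected Users'
        if ($Enforce) { Add-ADGroupMember -Identity $protected -Members $u }
    }

    if ($findings) {
        Write-Warning ("{0}: {1}" -f $u.SamAccountName, ($findings -join '; '))
    } else {
        Write-Output "$($u.SamAccountName): OK"
    }
}
```

Two caveats for practitioners: the LogonWorkstations attribute only governs Windows logons and holds a limited list of host names, so it does nothing for the switches, firewalls, NAS and hosted portals listed above, which still need the proxy, access portal or network access control approaches from the episode; and Protected Users membership breaks anything that depends on NTLM or constrained delegation, so report first and enforce only after checking what each account is actually used for.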

Friday Apr 01, 2022

API security is going to be the thing you need to be paying attention to in the next two years. Partner with an information security officer like QPC Security to get an internal and external vulnerability scanning plan in place for your organization. Much of vulnerability management cannot be done with tools alone; it takes experience and expertise that comes from 29 years of hard work.

A great API scanner: https://www.wallarm.com/

RMM security topics/tactics

Either fund your IT security or decide to go out of business
Companies have some hard decisions to make. They are either going to stay in business and allocate budget to correcting gaps, or they are going to go out of business because they will find themselves uninsurable or unable to come up with the funds to rectify all their security gaps in the required time.

Reviewing your last cybersecurity insurance application
My latest offer is to review your last completed cybersecurity insurance application. The offer is only open to business owners directly, or to the executive management team of an organization, who would be a good fit to be a client of ours. https://qpcsecurity.com

The truth about smart cities: https://www.theguardian.com/cities/2014/dec/17/truth-smart-city-destroy-democracy-urban-thinkers-buzzphrase

There is an updated FAQ for the CAN-SPAM Act: https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business

Tuesday Mar 29, 2022

Cyberlaw podcast
- What needs to be pre-documented for the breach attorney to be effective? And in what format?
- What to do to protect yourself from outrageous fees?
- What to do in order to get proper service from a breach attorney?
- What are the advantages of having a pre-established relationship with a breach attorney?
- What positive outcomes arise from having pre-breach meetings with a breach attorney?
3/24/2022
Spencer Pollock – Cybersecurity breach attorney
Felicia King – QPC Security, Security Architect and Information Security Officer

What needs to be pre-documented for the breach attorney to be effective? The cybersecurity posture of the organization, on both the compliance/legal side and the technical/security side. Security: identify the gaps and the procedures.

And in what format? Data is everywhere. Clients that have an IRP, a data map, and a list of customers with a data breach classification (impact / no impact) are prepared.

What to do to protect yourself from outrageous fees? The more times you engage a breach coach in advance, the better off you are. The more you bake people into your team, the less time is spent on the phone when an issue occurs, which makes the response less expensive and faster. This is why it is critical to get the breach attorney written into the policy.

When to get the breach attorney written into the policy? The business owner needs to be driving the breach attorney selection during the insurance application period (insurance policy: Beazley example). You should do a retainer with them. Retainer: you get the benefit of a cell phone number and a breach line. Preparation meetings are paid out of pocket; pre-breach work is a separate engagement and will usually be a lower fee.

Copyright 2022 All rights reserved.
