Quality Plus Consulting - Breakfast Bytes

June 3, 2022  

Virtual Patching, Telecom Fraud, Running VM Server on NAS

I got a request to post this podcast from 12/1/2018 to Podbean. Here it is.

June 3, 2022  

Video management system appliance analysis

Originally aired: 11/1/2018.

I had a request to post this older podcast to Podbean, so here it is.

VMS Appliance cost analysis between the "appliance" version and the "you get a real server" version.

https://qualityplusconsulting.com/BBytes/QPCAnalysisOnAxisVideoRecorderServer.pdf

June 3, 2022  

Why real server hardware is usually the most cost-effective option

I got a request to publish a podcast I did a few years back on Podbean, so here it is. Originally this was from 10/19/2018.

 

Usually there is no substitute for real server hardware. Attempts to pay less for server hardware almost always end up costing you more in the long run.

Windows 10, as of build 1809 (10/2/2018), has an IPv6 requirement. There are a bunch of problems with that.

We cover the option of running an ACS Appliance instead of building your own ACS VMS using a real server. We will go into more detail about this in part 2.

You must include the cost of labor over the life of the hardware as a consideration if you are going to come up with a viable cost comparison between solutions.

We briefly touch on the option of running a VM on a Synology NAS. More about this on a later show.

 

VMS Appliance cost analysis between the "appliance" version and the "you get a real server" version.

https://qualityplusconsulting.com/BBytes/QPCAnalysisOnAxisVideoRecorderServer.pdf

 

June 1, 2022  

Resources for job candidates in cybersecurity - What you need to do to be employable

Networking

  • Network layer security appliances

    • I recommend WatchGuard Fireboxes where you use the Firebox as the core router. It must have a full Total Security Suite active subscription with fully updated Fireware or you won’t be able to learn.
    • LAG a trunk between the Firebox and the switch
    • Must use a unit with an active subscription
  • Layer 3 network switches
    • Must be able to LAG and VLAN at a minimum
    • Recommend Extreme EXOS X440 G2 PoE switches: 12p, 24p, etc. But you must get modern firmware on the switch. These can be procured used online via eBay and other sources.
  • Enterprise grade wireless access point
    • At least two wireless SSIDs on different VLANs, supply chain risk management configuration on the management interface
    • Depending on the WAP model, it may be possible to use an older WAP that has no cloud controller. It may be configurable as the local controller. Cloud controller is acceptable also as long as you do supply chain risk management network configuration.

Virtualized switches and net sec appliances don’t work for learning.

Set up OOBM VLANs.

Lock it down. Hardcore microsegmentation, hardcore packet inspection. Massive supply chain risk management strategies at the network layer. Challenge yourself to always make it more locked down.

If you want to learn networking, I do not suggest Cisco's training material at all. HP Flex Net training is quite good in terms of teaching you the fundamentals that you need to know. Then, from a network security standpoint, you need to learn and master network layer security appliances. I can only recommend WatchGuard and Fortinet. Everything else has problems that I won't spend time on here.

Servers

Dell PowerEdge servers can be purchased from outlet.dell.com very inexpensively. Get something you can run at least the hypervisor and a couple of VMs on. It must have at least iDRAC Enterprise.

Knowledge of Hyper-V, managing VMs, hypervisors, and sophisticated patching is mandatory.

Office 365 / Microsoft 365

You should run your own tenant and learn how to use this technology if you want to be employable.

Domain/DNS

You must understand domain and DNS hosting and DNS records especially for all services hosted through Office 365.

NAS

A TFTP server is mandatory for working with switching equipment: configuration backups, restores, and firmware upgrades. Running TFTP on a Windows or Linux desktop OS is very problematic. A Synology NAS has TFTP capability as well as a ton of other features. The NAS has Active Backup and Hyper Backup, which can be used to back up the VMs in your lab and your Office 365 tenant.

BCDR skills are mandatory.

I see no better way to learn BCDR other than by doing it. Do not shortcut the size of the hard drives you put in the NAS. It's not worth it. You need lots of space to be able to fully utilize the NAS as your learning zone.

Minimum NAS is DS218. https://www.synology.com/en-us/products/DS218

Suggest Seagate IronWolf Pro drives. Must use NAS rated hard drives. I suggest getting two of the 8 TB hard drives as that will give you plenty of space to play with and they are quite affordable.

Priority recommendation

  1. NAS
  2. Domain/DNS/Office 365 tenant
  3. Network layer security appliance
  4. Layer 3 switch
  5. PowerEdge server

Learning resources

TryHackMe

https://www.ultimatewindowssecurity.com/webinars/default.aspx

You must learn Tiered access control. MUST. And you must know how to implement it.

https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=3695

Learn privileged access management

Privileged admin workstations

https://docs.microsoft.com/en-us/security/compass/privileged-access-devices

https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model

https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges

https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

BHIS webinars and training

https://www.blackhillsinfosec.com/blog/

KnowBe4 excellent webinars and ebooks

https://www.knowbe4.com/webinar-library

Excellent article on supply chain risk and SBOM risk

https://www.darkreading.com/application-security/zero-click-zoom-bug-allows-remote-code-execution-by-sending-a-message

 

Learning server hardware notes:

Tower style PowerEdge is cheaper than rack mount. We nearly always buy rack mount so that it can be installed in a rack as that takes up less space and is easier to service.

You should assume 4 processor cores per server instance. So if you do two VMs and a Hyper-V host, that is 3 x 4 cores, so you would need at least a 12-core single-processor server.

For RAM, assume at least 8 GB per instance; RAM cannot be over-allocated.

RAM must also be purchased in increments that work in that hardware. So 8 x 3 = 24 GB at least; I would round up to 64 GB.

I would want to go with 2x 2 TB hard drives on a PERC in RAID1 at a minimum.

Each C: drive (host and VMs) will be 200 GB.

Then on the Host you need space on D: for the VMs, their cold copies, and other things like file services.

The price difference between 1 TB and 2 TB hard drives is so minimal that I would not limit it to 1 TB.

I put 1 TB hard drives in all laptops now and my team has 2 TB hard drives in laptops typically.

Then iDRAC Enterprise.

PowerShell learning

https://www.sapien.com/blog/2020/05/25/free-training-videos-learn-windows-powershell/

Wireless learning

Good wireless design says that if you do more than 4 SSIDs on a single AP, you are going to have problems. Frankly anything more than 2 is undesirable.

There are wireless design reasons for this which I won’t write a book about here. There are plenty of wireless for dummies resources available.

For security and management reasons, you need to have guest devices separate from Chromebooks, separate from trusted Windows laptops on wireless, etc.

So right there we are already at three SSIDs. Then you want to have different join policies for each. A guest network only works with a captive portal, or else you give everyone the PSK.

Chromebooks work best when they use certificate-based authentication to wireless.

Windows laptops are most secure with RADIUS, which is again certificate-based authentication. You don’t have to have on-premises Active Directory to have RADIUS, so don’t get sucked into that misunderstanding. We now have Azure AD and other resources such as WatchGuard Fireboxes with WatchGuard Cloud, which can be a much more cost-effective and easy-to-use/manage MFA-enabled RADIUS server.

PSK is considered insecure and problematic for a lot of reasons, which again, not going to write a book about here.

I go for configs which do not push more than two SSIDs through a WAP. So that is 3 VLANs if you are doing static VLAN to SSID mapping. Only two of those are SSID related VLANs. The third is the WAP Management VLAN. Anything more simply results in bad wireless design.

It is preferable to have a single SSID that devices join and then get automatically redirected based on policy and captive portal with dynamic VLAN assignment. The captive portal VLAN would be the addition of another VLAN, and you would need very specific security zone profile rules for it.

If you are doing dynamic VLAN assignment, you can push the required VLANs through to the AP, but you would never push management, OOBM, Tier0, Server, Printer, or similar VLANs through to an AP.

I would never do trunk all. There are many security issues with that.

So doing more than 3 VLANs only makes sense if you are using dynamic VLAN assignment. You can only do that if you have captive portal and the policies to support that. And you can only cost effectively do that with an enterprise grade cloud controller.
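The AP-port rules above (two SSID VLANs plus one WAP management VLAN under static mapping, more only with dynamic VLAN assignment backed by a captive portal, never "trunk all", and never management, OOBM, Tier0, Server or Printer VLANs toward an AP) can be turned into a review check that runs against a documented port configuration. The following is an added example, not code from the original post or from any WatchGuard or Extreme product; the `ApPortConfig` model, the role names and the VLAN ids are constructed for illustration and are not a vendor configuration format.

```python
"""Policy check for the VLANs a switch port carries toward a wireless AP.

Added example (not from the original post). Encodes the wireless design
rules described in the text; the data model and sample VLAN plan are
constructed assumptions, not a vendor format.
"""
from dataclasses import dataclass, field

# VLAN roles that must never be carried toward an AP (from the text).
# "management" means network-device management; the AP's own management
# VLAN carries the distinct role "wap-management" and is the one allowed.
FORBIDDEN_ROLES = {"management", "oobm", "tier0", "server", "printer"}
MAX_STATIC_SSID_VLANS = 2  # two SSID VLANs plus one WAP management VLAN


@dataclass
class ApPortConfig:
    """Constructed model of a switch port that faces a WAP."""
    vlans: set[int] = field(default_factory=set)  # every VLAN the port carries (native + tagged)
    trunk_all: bool = False                       # "allow all VLANs" trunk
    dynamic_vlan_assignment: bool = False
    captive_portal: bool = False


def check_ap_port(cfg: ApPortConfig, vlan_roles: dict[int, str]) -> list[str]:
    """Return policy findings for an AP-facing port; an empty list means compliant."""
    findings: list[str] = []
    if cfg.trunk_all:
        findings.append("trunk-all: every VLAN is exposed to the AP; carry only the VLANs the AP needs")
    if cfg.dynamic_vlan_assignment and not cfg.captive_portal:
        findings.append("dynamic VLAN assignment requires a captive portal and the policies to support it")

    by_role: dict[str, list[int]] = {}
    for vid in sorted(cfg.vlans):
        role = vlan_roles.get(vid)
        if role is None:
            findings.append(f"VLAN {vid}: no documented role; every VLAN toward an AP must have a purpose")
            continue
        by_role.setdefault(role, []).append(vid)
        if role in FORBIDDEN_ROLES:
            findings.append(f"VLAN {vid} ({role}): never push this VLAN through to an AP")

    if len(by_role.get("wap-management", [])) != 1:
        findings.append("exactly one WAP management VLAN must reach the AP")

    ssid_vlans = by_role.get("ssid", [])
    if cfg.dynamic_vlan_assignment:
        if "captive-portal" not in by_role:
            findings.append("dynamic VLAN assignment expects a captive portal VLAN on the AP port")
    elif len(ssid_vlans) > MAX_STATIC_SSID_VLANS:
        findings.append(
            f"{len(ssid_vlans)} SSID VLANs with static SSID-to-VLAN mapping; "
            f"more than {MAX_STATIC_SSID_VLANS} only makes sense with dynamic VLAN assignment"
        )
    return findings


# Constructed sample VLAN plan (ids and names are illustrative only).
SAMPLE_VLAN_ROLES = {
    10: "management",      # switch/firewall management: never toward an AP
    11: "oobm",
    20: "server",
    30: "printer",
    40: "tier0",
    50: "wap-management",  # the AP's own management VLAN
    100: "ssid",           # trusted Windows laptops
    110: "ssid",           # Chromebooks
    120: "ssid",           # guest
    130: "captive-portal",
}


def demo() -> dict[str, list[str]]:
    """Run the check over four constructed port configurations."""
    ports = {
        "good_static": ApPortConfig(vlans={50, 100, 110}),
        "bad_static": ApPortConfig(vlans={10, 50, 100, 110, 120}),
        "good_dynamic": ApPortConfig(vlans={50, 100, 110, 120, 130},
                                     dynamic_vlan_assignment=True, captive_portal=True),
        "trunk_all": ApPortConfig(vlans=set(SAMPLE_VLAN_ROLES), trunk_all=True),
    }
    return {name: check_ap_port(cfg, SAMPLE_VLAN_ROLES) for name, cfg in ports.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "compliant")
```

The check treats every VLAN the port carries, native or tagged, the same way, because any of them reaches the AP. Feeding it the real VLAN plan and each AP-facing port from the switch configuration gives a repeatable review step rather than a one-off eyeball check.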

On switches

https://qualityplusconsulting.com/res/network/SwitchingParadigms.pdf

People complain about the cost of real switching equipment. Even many people in the IT industry seem to like Meraki and Ubiquiti. I avoid those completely. I am interested in total cost of ownership. The hardware expense at acquisition is not a big deal. What really matters is that you don't have preventable limitations and your TCO is low comparably. Anything that wastes my time is very expensive. Anything that is not fast, reliable, and efficient to use, program, upgrade, troubleshoot, and maintain is expensive or a security risk.

Network infrastructure must be rock solid. A next-business-day warranty, or the lack of a GTAC contract, on critical infrastructure is a non-starter. A 4-hour response time warranty and quality GTAC support are mandatory. The only time I need to call for support is when something ugly is happening, and I want high quality support to call and hardware with excellent diagnostics and visibility into what is going on.

This directly translates to value, lowered time to problem resolution, and lower cost to the client.

I recently heard from someone who was complaining about the price of an X440G2-12P-GE4 switch on eBay. It was $800. That is way below partner cost for a new switch, by the way. Of course that does NOT include warranty, service contract, support, or access to firmware. But it is a high quality switch. An alternative Netgear switch with only 10 ports and about half the functionality was $700. So I don't see the contest here. Pay $100 more for something that is smoking good compared to something that you know you are going to find limitations in. And I don't believe a 4-hour response time warranty contract is available for the Netgear. I know it does not have the same kind of high end GTAC support that Extreme has, nor does it have the same kind of switch capabilities. So is my time differential over the life span of the switch worth more than $100? Obviously yes.

The biggest and most expensive errors I have seen people make in IT over the last 29 years are in procurement. They procure the wrong things. They have no procurement policy and likely no standards. Usually no strategy. Instead, IT just buys whatever IT thinks is cheapest at that time.

If you are a CFO, be aware that your IT director may be bringing you things that have a high TCO only because they are selecting things that look cheap in terms of acquisition cost. This is quite common as a lot of IT directors in the SMB space have no enterprise experience and lack the ability to articulate the value proposition for something that looks more expensive at acquisition time, but has a lower TCO.

The best way to protect yourself against these problems is to have an outsourced CISO like QPC Security who can work with your team to design standards and who should be part of the procurement approval process BEFORE purchases are made. The single most effective thing you can do to control costs is to have a procurement policy.

On cloud controllers for wireless

I really like wireless cloud controllers because you can economically get super high grade functionality on even a single AP.

If you were to try to do captive portal, WIPS, dynamic VLAN assignment on a local controller scenario, you are looking at a floor of about $30,000 hardware, licensing, implementation.

That is not an SMB price. A lot of hospitals will choke at that price tag, and so will school districts. So it does not get done. But I can get that level of functionality with a cloud controller on a single premise AP.

Cloud controllers have better, more accessible diagnostics. Less stuff to maintain. And when implemented properly with a proper technology selection, they can be just as secure as premise controllers.

Role based access control with a cloud controller and enforced MFA for PAM is easier. Trying to do that with a local controller is very difficult. High security, high functionality WAPs are not inexpensive.

The MSRP on a WatchGuard AP325 with Total Wifi for 3 years is $900. That would probably turn into the $780 range to purchase from a partner. And you would want a wall plate for it also, for mounting. That is $15. Total Wifi is the only thing I use in my environments. The AP325 is tied to the Arista Cloud, and the WIPS is excellent.

Another advantage to the cloud controller is the ability to setup templates and then deploy them to different tenants.

For example, I can engineer a master template for all clients, and then deploy that template into a subtenant, which makes onboarding faster.

I can control settings higher up, or let them be managed at the subtenant or even per group basis in a tenant.

So if you had two buildings where you wanted different settings used, you can easily do that in a cloud controller: same tenant, different groups.

Or you can use the same settings in two different buildings. That way, as your user base moves from one building to the other, they have a seamless experience.

If you were to try to do that with a local controller, that’s a lot harder.

I do not like WatchGuard's Wi-Fi 6 technology and won't use it. We are switching to ExtremeCloud IQ Wi-Fi.

Hard drive technology - important things to know

https://hddscan.com/doc/HDD_Tracks_and_Zones.html

Scripting

https://www.robvanderwoude.com/

Certification resources

https://www.professormesser.com/

Messer has a lot of free YouTube video training.

 

May 17, 2022  

Right-sized software

Amazing interview with Colin Ruskin, CEO of WorkOptima, on the topic of right-sized software.

Colin has an incredible talent at being able to distill the truth of something into a catchy and memorable tagline using spot on metaphors.

Some highlights:

  • Can I actually use the software and benefit from it?
  • Floors versus software that grows with you
  • All features all the time, but license it at the per-user
  • Enterprise drama and the enterprise mindset: vendors that are not really trying to sell to the SMB market, and are only trying to break into it because they ran out of customers in the enterprise market.
  • How to evaluate software
  • What do you need to do in order to make it work for your transaction?
  • Far too few product managers are on sales calls interacting directly with customers
  • Every software company is behind on the features the customers are asking for. It is an iceberg situation: millions of lines of code that no one sees or appreciates. You need to really be on top of it and prioritize fixing the items below the water in addition to the items above the water, which are the features the customers want.

  • A lot of companies have acquired software companies. They have failed to keep the software developers. They have lost the knowledge base about how this thing does what it does. Huge resistance to changing or updating the code.
  • What is this vendor's real story? Who is this vendor actually focused on taking care of?
  • Exit strategy from software. Who owns the data and how are you getting it out? When you say goodbye, how are you going to get out of that system? Will you ever want this thing 20 years in the future?

  • Who really OWNS the content?

Are they in it for the long game or are they in it for the transaction? They are very focused on the stock market and the revenue recognition model. They are so focused on stock price manipulation. They have completely lost track of, and lost focus on, the actual goal. Try to understand the company and the management that is behind the product.

4/27/2022

May 3, 2022  

How to achieve compliance for privileged account management

Cybersecurity insurance requires MFA for all internal and external administrative access. How do you accomplish this?

Examples of things you might access:

  • switches
  • firewalls
  • servers
  • printers
  • workstations
  • DNS hosting
  • website hosting
  • cloud management portals
  • NAS
  • BCDR appliances

 

There are many ways to solve this problem, and they are all too long to post about here, so that is what this podcast is about.

  • Passwordstate remote integrated proxy authentication
  • tiered access control
  • compensating controls as an alternative to MFA
  • access portals with MFA
  • privileged admin workstations
  • account logon restrictions
  • hardened network access control restrictions (microsegmentation strategies)
  • more

 

https://www.clickstudios.com.au/remotesitelocations/default.aspx

 

April 1, 2022  

API Security and external vulnerability scanning

API Security is going to be the thing you need to be paying attention to in the next two years.

Partner with an information security officer like QPC Security to get an internal and external vulnerability scanning plan in place for your organization. A lot of vulnerability management is not possible to do with tools. It takes experience and expertise that comes from 29 years of hard work. 

 

A great API scanner https://www.wallarm.com/

 

RMM security topics/tactics


Either fund your IT security or decide to go out of business

Companies have some hard decisions to make. They are either going to continue to be in business and allocate budget to correcting gaps, or they are going to go out of business because they will find themselves uninsurable or unable to come up with the funds to rectify all their security gaps in the required allotted time.

 

Reviewing your last cybersecurity insurance application

My latest offer is to review your last completed cybersecurity insurance application. The offer is only open to business owners directly or the executive management team of an organization who would be a good fit to be a client of ours.

https://qpcsecurity.com

 

The truth about smart cities.

https://www.theguardian.com/cities/2014/dec/17/truth-smart-city-destroy-democracy-urban-thinkers-buzzphrase

 

There is an updated FAQ for the CAN-SPAM Act.

https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business

 

March 29, 2022  

Working with a Breach Coach/Attorney - A Primer

Cyberlaw podcast

  • What needs to be pre-documented for the breach attorney to be effective? And in what format?
  • What to do to protect yourself from outrageous fees?
  • What to do in order to get proper service from a breach attorney?
  • What are the advantages of having a pre-established relationship with a breach attorney?
  • What positive outcomes arise from having pre-breach meetings with a breach attorney?

3/24/2022

Spencer Pollock – Cybersecurity breach attorney

Felicia King – QPC Security, Security Architect and Information Security Officer

 

What needs to be pre-documented for the breach attorney to be effective?

Cybersecurity posture of the organization.

Compliance/legal and the technical / security

Security: identify the gaps and procedures

And in what format?

Data is everywhere.

Clients that have an IRP, a data map, and a list.

Customers and data breach classification, impact / no impact

What to do to protect yourself from outrageous fees?

The more you engage a breach coach in advance, the better off you are.

The more you bake people into your team, the less time is spent on the phone when an issue occurs. This means it is less expensive and your organizational response is faster.

This is why it is critical to get the breach attorney written into the policy.

When to get the breach attorney written into the policy?

Business owner needs to be driving the breach attorney selection during the insurance application period.

Insurance policy, Beazley example. You should do a retainer with them.

Retainer: you get the benefit of a cell phone and a breach line.

Preparation meetings are going to be paid out of pocket. Pre-breach work is a separate engagement, and it will usually be a lower fee.

March 3, 2022  

Avoiding real estate theft, deed theft, and related scams

Check out dark patterns for scam awareness.

https://www.darkpatterns.org/

 

  • Avoid the new movers mailing list
  • Avoid putting real estate in your personal name
  • Use a service like Abine DeleteMe
  • Get a PO Box and stop having snail mail delivered as much as possible
  • Subscribe to paperless billing as much as possible
  • Harden your digital life
  • Get off social media and stop sharing your life in public digital media
  • Be aware of deed fraud and how to verify that no one has stolen your deed.
  • Be aware of how foreclosure rescue scams are perpetrated.
  • and more!

 

January 24, 2022  

Attestation, scoring, evaluation, and business process in achieving improved cybersecurity posture and compliance

Joy Beland joins Felicia to discuss:

  • What Edwards Performance Solutions is doing in the CMMC training space
  • Joy's team created the CMMC assessor textbook
  • Many orgs have cybersecurity insurance enforcement for the first time ever
  • Joy's extremely wise metaphor and perspective on cybersecurity insurance (15 mins)
  • Transfer of risk and economic destruction
  • DMARC, DKIM, SPF tuning
  • What tools exist to help the SMB market with attestation, and establishing patterns of due care and due diligence?
  • IS policies and processes are required as part of the proof mechanism
  • Mechanisms to actually evaluate risk so that business leaders can make effective decisions
  • Control planes for infrastructure

Joy's sage advice: "Know what the crown jewels are."

Learn to identify wasteful practices with Gemba walks.

https://www.creativesafetysupply.com/content/PPC/gemba/index.html

CMMC 2.0 scoping analysis

https://www.linkedin.com/feed/update/urn:li:activity:6889627454466469888/

Future Feed for CMMC orgs

https://futurefeed.co/

https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/

 

Special guest:

Joy Beland, a CMMC Provisional Assessor and CMMC Provisional Instructor, who works with Edwards Performance Solutions as a Senior Cybersecurity Consultant. Joy owned an MSP for twenty-one years in Los Angeles. She has a CISM and Security+ certification.
