QPC Security - Breakfast Bytes
Risk management
Episodes
Wednesday Jul 31, 2024
Good morning and welcome to another episode of Breakfast Bytes. I'm your host, Felicia King, and today, I'm joined by my colleague, Jeff Birner, hailing from Florida. Our riveting discussion centers around the recent CrowdStrike incident that has sent shockwaves through the cybersecurity community and beyond. This episode promises to offer insights and perspectives you won't find in the typical news coverage.
As we delve into the conversation, Jeff and I explore the core issues surrounding CrowdStrike, including its lack of trustworthiness as a counterparty and the legal implications of delayed security updates. We cover the broader impacts of the incident, such as the staggering $5.8 billion in losses faced by companies worldwide, and discuss how technology decisions could have eliminated the impact.
Through engaging storytelling, Jeff and I break down the complexities of cybersecurity, offering practical solutions and strategies for organizations to consider. From the importance of testing updates to the choice of operating systems for critical infrastructure, this episode is packed with valuable takeaways for IT professionals and business leaders alike.
Join us as we navigate the nuances of the CrowdStrike controversy, highlight the lessons learned, and provide actionable advice to help you safeguard your organization against similar pitfalls. Whether you're a seasoned cybersecurity veteran or just starting your journey, this episode of Breakfast Bytes is a must-listen.
Monday May 13, 2024
Welcome to an insightful episode of Breakfast Bytes, featuring an in-depth discussion about Zero-Trust Cybersecurity, a vital approach to modern cybersecurity practices. Understand why this network layer protection strategy is essential to guard your business and residential networks against harmful threats.
From a reflective analysis of the cybersecurity landscape four years ago, Felicia highlights the repercussions of a weak cybersecurity posture, emphasizing the necessity of a resilient and efficient cybersecurity stack. She elaborates on the integration of various concepts like endpoint protection product (EPP), endpoint detection and response (EDR), and managed detection and response (MDR) into a single efficient agent, stressing the significance of regular patch management and advanced reporting.
Dive deeper into specific cybersecurity products that embrace the robust Zero-Trust model, like Panda Adaptive Defense 360 and ThreatLocker, and understand how they can fit businesses and homes of varying scale. Felicia also debunks the common misconception that technology ensures security by default and clarifies the crucial need to actively adopt a security profile suited to the specific context.
In this episode, we also discuss the importance of equitable administrative access, insist on local data collection and prevention of unauthorized data file collection, and delve into the need for stringent network security in the face of growing security breaches and ransomware attacks. Understand the comparison between different products, their cost differences, and the underlying need to harmonize cybersecurity mechanisms with operational structures, concluding with an open invitation for consultations on effective and budget-friendly cybersecurity solutions.
Monday May 13, 2024
In this episode of Breakfast Bytes with Felicia King, we navigate the complex but crucial realm of cyber security. We explore the emerging menace of supply chain attacks and underscore the vital need for proactive incident response planning. Felicia reveals the staggering average cost of a cyber-attack, per employee and endpoint, and explains why smaller businesses might suffer even greater losses.
King sheds light on the often unnoticed aspect of incident response planning: the critical period between discovering a potential compromise and confirming a successful attack. She also scrutinizes the implications and expenses of in-house response strategies for sizable businesses and outlines how smaller establishments could face heftier costs.
Offering valuable advice, Felicia provides business-centric recommendations on methods of dealing with a reported incident. She addresses important issues such as identifying data breaches and managing downtime during a crisis, stressing the importance of having a contingency plan for extended recovery periods.
Moving on to supply chain risks, King critiques the increasing trend of outsourcing in the IT sector. She cautions against granting upstream providers unrestricted access to systems, noting counterparty risk as an area demanding heightened vigilance. Deeper discussions on access control, audit logs, automated compliance reporting, and other factors in selecting an efficient identity and access management system also unfold.
King further navigates the topic of APIs - the lifeblood of numerous industrial integrations - offering crucial insights into associated risks. She concludes with a call for a mindset shift required to tackle supply chain attacks effectively.
In contemporary threat landscapes, relying solely on the cybersecurity kill chain is a losing battle. This episode underscores the need for encompassing multiple defensive strategies for cybersecurity, such as multi-factor authentication, and conditional access for all accounts. Real-time analytics, endpoint protection strategies, and a zero-trust posture are championed as critical for preventing malicious activities and providing swift threat responses.
We delve into the pros and cons of network layer security, a powerful yet complex technique requiring specific expertise. When appropriately utilized, it presents a scalable solution for managing traffic filtering and robust protection from supply chain attacks. The episode concludes with the importance of having a solid incident response plan as a vital proactive measure in cybersecurity.
Thursday Feb 01, 2024
Felicia is joined by fellow CISO Dawn Montemayor, partner at PureCyber, which is a security-minded business consulting firm. Learn from two CISOs about how vital it is to use operationally mature processes in requirements definitions in order to achieve effective outcomes while avoiding toxic behavior in complex entities.
The importance of vulnerability assessment and management requirements in contracts
It is imperative for resource owners to be designated and held accountable to outcomes.
Exit strategies must be established as part of the procurement process
Lack of right to audit clauses in cloud services contracts
How the lack of an effective paradigm leads to destructive decision-making
IT must not be seen as the dumping ground or janitor. Instead the business must be charged back for the real proportional cost of service.
True TCO calculations must be made as part of the procurement requirements definition.
Systems integration and interaction maps are incredibly valuable
IT must be seen as a business partner and involved in decision-making.
Just because IT wants to say yes to help the business does not mean the business gets to disrespect IT standards.
Talking to the CISO can lead to utilization of an already vetted, approved platform making the pace of business faster.
Why procurement justification statements are imperative
Why it is necessary to track TCO and actual costs for product and services associated with a business function
Why it is essential to use operationally mature processes in a paradigm focused on governance, accountability, and transparency
Why the CISO and CTO should sign off on procurement of anything for which there is not already an approved policy standard.
Why your CISO needs to review the contracts for a service or product before an officer of the company signs the contract
Why business leaders must consider how their revenue is event driven
Why the shared responsibility model is imperative. Resource owners must be defined and made accountable.
Thursday Jan 18, 2024
Felicia shares insights on the pitfalls of changing IT service providers or MSPs for both clients and the IT service providers themselves. This content is based upon a number of questions that other MSPs have posed to Felicia asking for advice as well as numerous first hand experiences on the subject.
This podcast is primarily for IT service providers or MSPs, but business decision-makers who are considering making a change would also benefit from the content.
Wednesday Nov 29, 2023
Part 2 of a series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.
Cohost: Tom Dean – Consulting Ventures
Tom has decades of experience in the capital goods manufacturing industry (Fortune 500 scale)
Years of experience in marketing, sales & interfacing with independent dealers/distributors (small/medium scale)
Current focus is strategy & risk management consulting
Lifelong learner with an interest in technology.
Strategy + risk management ---> mobile devices
Topics:
Apple Find My network; useful feature, but privacy considerations
SSO risks where there are too many items that can be compromised if there is a single compromise of a single system
Out of band SMS
Problems with Twilio and 10DLC for VoIP SMS
Know your customer regulations, implications with SMS validation for ownership establishment
Synology came up with their own Synology MFA app and the problems with that
Do not call registry updates; Good news!
Thursday Oct 05, 2023
The process of determining how workloads should be hosted is very complex and not a decision that should be abdicated to the IT service provider. Business decision-makers must be involved in those decisions as only they are able to define the key criteria that all other factors are dependent upon.
Friday Jun 02, 2023
Zero trust is not a product you buy. The problem that most organizations have is that they are still not doing the fundamentals well. CIS has a community defense model. I did a detailed webinar on it where I covered a lot of these fundamentals. https://www.qpcsecurity.com/2023/02/16/addressing-information-security-fundamentals-with-cis-and-community-defense-model/
Let's look at inventory management, asset management, change management, onboarding and offboarding.
You must have checks and balances. There must be practices codified in policy with a shared responsibility model which make it so that the issues that are created by mistakes in onboarding or offboarding are caught.
Fundamentally, the most effective things in zero trust are the protections that are in an always-on state. Consider, for example, the recent revelation about flaws in UEFI and SecureBoot. These have prerequisites like TPM, BIOS configs, BIOS admin passwords, automated firmware updates, procurement policy alignment for supported hardware, onboarding configuration done properly on those endpoints, monitoring of the firmware updates, and of course, no admin access for end users!!!
FUNDAMENTALS MUST BE MASTERED
When an organization does not have a CISO that has policy and management authority over IT, you are guaranteed to have problems. Forget CIO and CTO. I think those are old modes of thinking. Find a CISO that can be the leader of all IT strategy.
Procurement policy must include vetting and testing of cloud app integrations. Monitoring and technical controls must be in place to restrict or eliminate the ability of an end user to buy shadow IT and authorize it on their own. Azure AD has controls for this, but they are not on by default.
Friday Mar 03, 2023
What is the number one thing you can do as a consumer to protect yourself when dealing with tax preparers?
Practical examples of what to ask for from your tax preparer and why.
What is the total number of people that would have access to my records if I do business with you? You want me to sign a contract with you, terms and conditions that I have to abide by. If you are going to prepare my taxes, show me your affirmation statement where you as a tax preparer have put it in writing that you are fully in compliance as a business with the IRS requirements for tax preparers. Put that in writing.
If the IRS is the authority that is providing the designation that an organization is an IRS authorized tax preparer, then the IRS is the entity who defines the standard for what is the requirement put upon that organization or that person in order to have that designation. Therefore, it is completely legitimate to be asking as a prospective customer of that organization, "show me your compliance statements". How do you comply with the IRS requirements for tax preparers? And if you get anything other than a fully prepared premade statement they provided to you in writing, then that's problematic because it means that they are not compliant.
What is one of the most important things that a business owner can do in order to make their business survive the next decade?
Information security risk management is everyone's problem.
Business leaders cannot delegate and abdicate involvement.
If you are not having regular meetings with your vCISO, how can you make informed risk decisions? Do you know what the gaps backlog is for your organization? Do you have a risk register? If you refuse to make the time to meet regularly with your vCISO, your business is going to be squeezed by cybersecurity insurance requirements, governmental regulations, and customer requirements.
The executive management team needs to understand that if they do not tell all of the managers in an organization that they need to take responsibility for the ownership over their resources, then what needs to happen is that the executive management team needs to make the CISO or the IT department have full total authoritarian control over those resources. But then that turns into a big can of shut the heck up to the people who've abdicated their responsibility to be involved in the process. Because you can't have it both ways. You can't say that IT is responsible for the security of those assets, but then refuse to be involved in the conversations about who should be having access to what and when. And claim that you don't have time to talk about it, that it is not important. Of course it's important. Are you the resource owner or not? So you can't make it somebody else's responsibility to define the policy around who has access to that resource that ultimately you're responsible for and then yet get grumpy when your access or the people who you thought should have had access to that resource have their access denied because IT is trying to clean up the mess. You can't have it both ways.
Whose responsibility is information security risk management? Ultimately, it's the executive management team. But they can delegate that through the organization to the resource owners and at the end of the day, IS risk management really needs to be everybody in the entire organization's responsibility. Information security practices need to permeate throughout the entire organization. The end users of an organization are the largest attack surface that an organization has.
Suggestions for tax preparers
Tax preparers need to comply with the FTC Safeguards Rule, which is currently slated to be enforced starting in June 2023. As of May 2023, the expected plan is that private contractors will be the enforcement auditing arm for compliance.
In reality, any company that had taken cybersecurity insurance compliance preparedness seriously and had engaged a vCISO proactively several years prior would likely have no issue in this area. But the vast majority of tax preparers were unwilling to invest in the kind of protections that should have been in place for decades.
Here are some resources.
https://www.irs.gov/newsroom/heres-what-tax-professionals-should-know-about-creating-a-data-security-plan
https://www.irs.gov/pub/irs-pdf/p5293.pdf
https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
Page 13 of Publication 4557 states that all tax preparers must comply with the FTC Safeguards Rule. That means if you or your organization has an IRS tax preparer ID number, you must be in compliance and be able to prove that you are in compliance.
Tax preparers that are under $2mm in revenue should expect to spend 15% of revenue annually on all-inclusive IT costs. If your spend is not that high, then your organization is likely not going to be competitive in the market and is bound to lose market share to players who have invested in becoming FTC Safeguards Rule compliant.
Please also be aware that security theater is not compliance. I have seen some scams such as do-it-yourself kits through technical firms who specialize in servicing accountants (per their website).
https://www.irs.gov/pub/irs-pdf/p4557.pdf
More details from Joe Brunsman, cybersecurity insurance expert.
https://youtu.be/NOY249doJXg
Sunday Feb 19, 2023
I get a lot of questions about PSAs, ERPs, and overall paradigms related to core business software. This podcast summarizes things you should be thinking about in your software selection process.
After three years of investigating PSA and ERP options including spending a lot of money on software and payroll, the product we like is Odoo. Organizations using a PSA with add-ons approach are really missing the mark. There is no PSA that does project management well. None of them have accounting systems. Most of them are terrible at quoting. And they are all expensive. They also are all weak at analytics and business visualization or analysis.
So a company ends up paying for:
PSA
Quotewerks
Zomentum
eCommerce processor
Payment gateway provider
project management platform
QuickBooks or Xero
PowerBI
website hosting
Applicant tracking system
HR / people management system
email newsletter system
marketing automation platform
CRM
Social media marketing platform
and more
Whereas, a business could just get Odoo.
Let's look at a brief cost analysis.
Halo - $15,000/yr
Quotewerks or Zomentum - $500/mo
QuickBooks or Xero - $1300/yr
ConnectBooster - $300/mo or more
Project management - $300/mo or more
ATS - $5000/yr
HR system - $150/mo/employee
Infusionsoft or Hubspot - $1200/yr at least
Social media marketing - $200/mo
CRM - $300/mo
OR you could just stop all that nonsense.
Odoo. $47/mo/user.
Remember that this includes your website hosting too. And it turns out to be much better than WordPress, Joomla, or other smaller CMS.
What I find really hilarious is when I ask other business owners how much they are spending on all the components they use that spackle over the deficiencies in their PSA, they rarely know. It's like it is a financial hole in their business that they don't want to look at.
As of 11/22/2023, our 1-year Zoho subscription that we tried has been set for non-renewal. The primary basis for that was four wasted months of payroll, wasted time working with Zoho support, and wasted time working with Zoho consultants to try to get integrations with other modules in Zoho to work. The modules in Zoho One are designed to work independently. In order to get data to flow between them, integrations between the modules are required. We consistently found that those integrations between the individual Zoho modules did not work properly. We had other problems with it as well, but it became quite clear that Zoho One was not really an ERP because it is not foundationally designed with the premise that all of the modules are fully integrated automatically.
I looked deeply into Manage Engine ServiceDeskPlus for MSP also. I spent about a year on that investigation. I encountered a plethora of challenges with that and it still is a PSA-like mindset where ServiceDeskPlus cannot be a comprehensive business tool.
I encounter MSPs that use an outsourced helpdesk that requires the use of a specific PSA. I don't and won't outsource helpdesk for quality control reasons.
Overall, Odoo does everything better than ZohoOne. Odoo integrations are all there from the very beginning automatically integrated because it was designed as an ERP from day one instead of individual modules.
You can see a demo of Odoo at https://demo.odoo.com. Be aware that there are more modules available than what is shown in the demo, but the demo will give you a good overview. Odoo training is online and free. The documentation is online and free. Support is included with paid subscriptions and we have found that support is effective. Conversely, we rarely had any success with Zoho support. Odoo is more intuitive with things just working and being able to be figured out oneself through the use of documentation, training videos, and just playing with the software.
We use the Maintenance module which is good for a facilities maintenance team. I wanted my team to be able to log time entries against particular maintenance tasks. In 2023, it is not possible for time entries to be applied directly on maintenance tasks that flow through to timesheets for payroll. When I put in a feature request with Odoo, they responded very quickly stating that they were aware of the limitation and were also aware of the need and value. With Zoho, I would put in a feature request and get a response in 9 months.
I think that Zoho is so busy writing new modules that they have little to no developer time allocated to making the ZohoOne integrated ERP vision a reality.
We spent a LOT of time trying to use the recruiting module in ZohoOne and found it to be an exercise in frustration. We had a lot of success with the Odoo recruiting module with only a few limitations.
The bottom line is this. Find just one thing you can use Odoo for that can justify the monthly fee for one user. Get in there and start using it.
We have some clients who are using just one module for free. I got one client up and running on the project management module in a couple hours and got the client trained on it.
Another client, we put on the website module. The feedback we get from clients emphatically is that it is intuitive and easy to use.
Thursday Feb 09, 2023
Tech E&O and Cyber insurance with:
Joe Brunsman of The Brunsgroup – Expert on Tech E&O and Cyber Insurance
YouTube channel – Joseph Brunsman
https://www.youtube.com/@JosephBrunsman
https://www.thebrunsgroup.com/
Damage Control book
https://www.thebrunsgroup.com/book2
Tech E&O and cyber
MSPs should have a tech E&O policy. They cover different things. What types of third-party claims will they cover? A guy on the Que recently said that he did not think that E&O was required because his customers have never asked for it. You must have a TECH E&O policy.
What is the biggest thing that you need to pay attention to in the E&O policy?
Look at the definition of technology services in the policy. Everything past that point, it does not matter if the definition of technology services is correct.
Avoid the named peril policy. An all risks policy is better. These are becoming harder to come by.
Named peril: Technology services means: there is a list
You have to prove to the insurance company that what you did falls within that definition.
What do you need to look for? “Including but not limited to”. Contra proferentem = ambiguity is held against the draftsman. The onus is on the insurance company to prove that what you did was not covered under the definition.
How much coverage in the policy should they have?
How much cyber insurance do you need? Here are the variables that I think about. – See YouTube video
Brokers – There is no legal requirement that they understand or read the insurance policies.
Average IQ of an insurance broker is 104. They do not understand what they are selling. The onus is on the business owner to ask and to get the right things.
What is your major loss event? What are we worried about? Is that even possible to insure for those issues?
Step 1: Stop relying on the insurance broker.
Step 2: Fellow decision-makers in the business, what are you worried about? Talk to the broker about that. Then the broker finds “these are the options in the cyberinsurance market that address those concerns”.
Joe: Huge proponent of defense in depth over cyber insurance. Rank order the biggest bang for the buck. Felicia has been talking about that for years and is doing a webinar on 2/9/2023 on that very topic.
Insights from plaintiff’s attorney
Joe had a great convo with a plaintiff’s attorney and got his opinion on risk management.
Risk discovery question: What is the one thing that sinks the ship in the lawsuit?
There is an internal email. You knew you were supposed to do this. But they said it was too expensive. They were not going to do that. They understood the risk and just accepted it.
What could the business do in order to circumvent that email being a death blow in the lawsuit?
Plan of implementation.
No business has unlimited resources. No business is perfectly secure. You sit down with the business owners and MSP. We need to work on a plan to better your security. You don’t have unlimited money. I am a business owner too. You need a roadmap. Everyone signs off on it. We were trying, we were getting there.
Felicia: Wow this is astonishing because this is what we have been doing with clients for 20 years. It is the type of thing that a CISO knows how to do, but few others know how to do well.
Life hack tip from Joe:
Convo with the average business owner:
Obviously you are really good at what you do. You have built this business. Build a relationship with them. The MSP is not the subject matter expert on the client’s industry. Fluff their feathers. Transition that. I asked you a bunch of questions, thank you for hearing me. Now we are going to go through this. Can we just do the same thing in reverse? If you do not understand this yet, let me know and let’s break it down.
Joe and Felicia agree:
One way or another, those controls will be implemented. Read any breach notification letter. Magically we found more money to invest in cybersecurity.
Either work on your information security program monthly at a pace that your budget can absorb, or that decision of timing and magnitude will be taken away from you.
Wednesday Jan 11, 2023
Kathy Durfee – CEO & Founder of Tech House joined Felicia to discuss dark web breach monitoring
Scenario: FUD report from a competitor
Perceived: Multiple users in their environment were breached. Perceived proof was report with the listing of the users and the passwords and columns that the customers did not know what that data was.
Good: Customer told their current IT service provider about the report.
FUD – Fear, Uncertainty, and Doubt – is, in the wrong hands, a powerful tool to drive snap decisions within a company. However, it is not a viable or valid sales tactic: for all it could potentially do well, causing unnecessary stress and suffering is what it does best. Speaking with Kathy Durfee, CEO and Founder of TechHouse, a managed services and solutions provider based in Florida, we walk through a recent case of FUD with a customer of hers that received a worrisome report from a potential competitor. During our chat, we covered:
The key aspects of FUD (and how it does not work)
What the Dark Web is, and the logistics of monitoring and combating it
Leadership training and best practices for helping a team best meet their security and regulation requirements
Identifying the key differences between commodified and relational partnerships, especially in the technological sphere
Shared responsibility between MSPs, their customers, and those customers’ clients
Where does dark web monitoring and dark web data risk reside on the continuum of risk? How best to mitigate?
What really is the risk and the mitigation?
Put the efforts into prevention.
Put the individual in the driver’s seat of managing the risk that is best managed by them by putting the right tools in their hands.
Resources
https://haveibeenpwned.com/
Perception of the proper allocation of the budget
Businesses must make time for training.
ITSP must include in service catalog what the client is getting in terms of services.
What do we need to do? Cross reference on tools that accomplish outcomes and cover risk mitigation and ensure that the client understands what those are.
Training is how you squeeze the juice out of the orange. Without it you may not get all the juice out of the orange or get any juice out of it at all.
Common business objections to allocating time for training
Payroll costs, but avoiding training is not legally defensible anymore.
Policies
The IT Service provider CANNOT alone write policies for you, and they CANNOT approve and enforce your organizational policies.
Four pillars
Policies
Technical controls implemented
Automation of technical controls
Reported to the business – It’s YOUR report, your organization. Shared responsibility – some months the CFO does it, some months the CEO does it. Set a schedule and do it. 3 weeks any habit; trainer or partner
Do you look at your P&L and balance sheet every month? You should be understanding the reports from IT.
An interesting lawyer opinion on the topic:
https://abovethelaw.com/2023/01/dark-web-monitoring-for-law-firms-is-it-worthwhile/
Wednesday Jan 04, 2023
Those who listened to the November 19th, 2022 podcast I did with breach attorney Spencer Pollock know that he stated that 90% of the breaches he was involved in over the prior 12-month period would have been non-reportable had the data been properly encrypted.
https://qpcsecurity.podbean.com/e/what-you-must-do-in-order-to-prepare-for-a-breach/
(Review link above for attestation and regulatory enforcement proof.)
I have three major points for you in this show.
You need an IRP
You need a CvCISO
And you need to understand how data is being handled in your organization
Let’s first talk about CvCISO
Help you understand why you need a CvCISO working with you on a regular basis because even if you are a really large organization, the probability that all of your processes are clean, secured, compliant, and all your end user training is effective, well that probability is not high.
https://qpcsecurity.podbean.com/e/understanding-vciso-services-and-why-you-need-them/
Incident response plan
Virtually every organization is now required to have a written incident response plan. These are some examples of people that must be specifically listed in the IRP. What does your organization do when they don’t have these people as full-time internal staff? You need a CvCISO.
People you are required to name explicitly as part of your incident response plan:
IT technical staff
Incident response manager (this better be a CvCISO or a certified incident response company)
IT director
CIO
Stakeholders such as board of directors and heads of business units
Finance director
Communications manager – this is either your internal PR person, your internal corporate counsel, or your breach attorney
Legal representative – either your internal corporate counsel or breach attorney
Human resource manager
Types of data
Let’s talk about some real-world examples of data insecurity. Let’s start by establishing what some categories of data are. PII, PHI, PCI data.
PHI is personal health information so think of that as drug screening results as well as medical records. So it’s not just healthcare organizations that have it. Anyone who does drug screening will have PHI.
PII is personally identifiable information such as your name, contact information, social security number, I-9 information, a copy of your passport or driver’s license, and non‑public photos of you. This is also your direct deposit bank information. I would also include your salary at your job as PII. It is certainly non‑public. So who has that kind of information on you? Well anyone who does HR recruiting or has employees is typically going to have this kind of data.
I encourage small businesses to use a PEO and not store any of this data themselves. They should outsource that entirely. Some HR management firms have areas in their SaaS platform that their customers (your employer) can upload documents to and store them securely and NOT on the employer’s environment anywhere.
PCI is payment card information. If an organization processes credit cards in any way outside of a contained e-commerce and merchant processing platform, then they probably have PCI data that is on a system they control. Many retailers just use SaaS apps that directly integrate with merchant processing to avoid any storage or holding of PCI data. You should expect that larger organizations are retaining your credit card information.
Applicant tracking and employee onboarding systems
The security of these systems is only as good as the security of the company that is using them, their processes, how they handle the data throughout the flow, and how documents you complete for them are disposed of if they were submitted in paper format.
Good process
As you interact with the recruiter or prospective employer, all of the data is entered by the applicant themselves directly into an applicant tracking system (ATS) that is SaaS. The only thing that may be emailed would be a resume. Any assessment results or applicant data is all direct input into the ATS. The ATS is SaaS cloud hosted with a very secure company, and all accounts which access the data are on a need-to-know, RBAC approach with MFA enforcement.
WOTC information is all submitted by you directly into the WOTC company website
All of your PII would be submitted by you directly into the HR enrollment/payroll system without intervention from anyone else. No one else needs to handle your data.
The data you submit is only being submitted to a high security SaaS HR management/payroll platform.
Your employer never needs to download and retain any of that information because it is stored in the HR management system. Nor did your employer ever need to have a copy of the information you submitted because you submitted it yourself. So you know it is not in their email or on their servers anywhere. They also did not print it and then not shred it.
Bad process
You are an applicant and the company you are applying to has you fill out paper forms. You do and then they scan those forms with a scanner and send those files somewhere. Let’s say they are scanned to an insecure location on the internal network. Then someone retrieves the scanned images of the paper you filled out and emails them to a distribution list.
So let’s go over what is in the scanned PDF file that got emailed to an internal company distribution list.
Direct deposit information – full banking account and routing number
Full name and address
I-9 verification which includes social security number, driver’s license number, and birth certificate
W-4 which contains PII and SSN again
Copies of your signature
Date of birth
Your offer letter including salary and benefits
Concerns
What happened to the physical paper copies of the forms you completed? Were these shredded same day?
Was the information in the email distribution list forwarded to anyone who did not have a complete need to know?
Was the information forwarded to a party external to the company?
Document management platforms
Premise databases often have a lack of encryption
The data is often not encrypted at rest, and quite possibly it is not encrypted in transit either. If the system that the data is stored inside of is a premise-based thick client application, such as an application that has SQL Server as the back end, it is not likely that the communications between the thick client and the database server are encrypted in transit. The SQL Server database most assuredly is not encrypted because very few applications support SQL database encryption and even fewer IT people know how to set it up.
I have seen document management platforms with 500,000 records in them containing some of the most sensitive PII and this data was not only housed on servers that were unpatchable and fully deprecated, but the data being transmitted to/from the server was not encrypted, nor was the data in the database encrypted at rest.
If you put a dollar figure to the cost of a breach and it is associated with the number of unique records that contain reportable information, the cost of that old, insecure server just went through the roof.
Even if you say $1/record, that is $500k. Wowzers! And it’s not likely that was the only server compromised in the breach.
What data is stored in people’s emails when a company does not have solid policies, end user training, and technical enforcements to prevent the data from being improperly stored?
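One form the technical enforcement mentioned above can take is a content check on outbound mail for the identifiers listed in the bad-process example. This is an added example, not something from the episode; the function names, the allow/quarantine/block policy, and the sample text are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# SSN written with consistent separators, e.g. 123-45-6789 or 123 45 6789.
SSN_RE = re.compile(r"\b(\d{3})([- ])(\d{2})\2(\d{4})\b")
# A bare nine-digit run is only a routing-number candidate until the checksum passes.
NINE_DIGITS_RE = re.compile(r"(?<![\d-])\d{9}(?![\d-])")
# A date only counts as a date of birth when it follows a DOB label.
DOB_RE = re.compile(r"\b(?:date of birth|dob)\b\D{0,5}(\d{1,2}/\d{1,2}/\d{4})",
                    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn", "aba_routing" or "dob"
    redacted: str  # safe to log; the full value is never stored
    offset: int


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def aba_checksum_ok(digits: str) -> bool:
    """ABA check: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) is a non-zero multiple of 10."""
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total != 0 and total % 10 == 0


def scan_text(text: str) -> list[Finding]:
    """Return redacted findings for SSNs, routing numbers and labelled birth dates."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(m.group(1), m.group(3), m.group(4)):
            findings.append(Finding("ssn", "***-**-" + m.group(4), m.start()))
    for m in NINE_DIGITS_RE.finditer(text):
        # Checksum only: roughly one in ten random nine-digit numbers also passes.
        if aba_checksum_ok(m.group()):
            findings.append(Finding("aba_routing", "*****" + m.group()[-4:], m.start()))
    for m in DOB_RE.finditer(text):
        findings.append(Finding("dob", "**/**/****", m.start(1)))
    return sorted(findings, key=lambda f: f.offset)


def mail_action(text: str, recipients: list[str], internal_domain: str) -> str:
    """Hypothetical policy: PII to an outside address is blocked, PII to internal
    recipients is quarantined for review, everything else is allowed."""
    if not scan_text(text):
        return "allow"
    suffix = "@" + internal_domain.lower()
    external = [r for r in recipients if not r.lower().endswith(suffix)]
    return "block" if external else "quarantine"


# Constructed sample: text as OCR might produce it from a scanned onboarding packet.
SAMPLE_SCAN_TEXT = """\
New hire packet - Jane Example
DOB: 04/17/1988
SSN 123-45-6789
Direct deposit routing 123456780 account 000111222333
Employee ID 123456789
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SCAN_TEXT):
        print(finding)
    print(mail_action(SAMPLE_SCAN_TEXT, ["hr-all@corp.example"], "corp.example"))
```

The findings carry only redacted values so that the scanner's own log does not become one more copy of the data it is looking for.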
Wednesday Nov 30, 2022
Recent question I got:
What are the major changes that you have seen from security auditors in recent years and/or where do you see the audit process heading?
Quick response:
At a high level, automation is and will continue to be used. The size of the IT service provider is NOT a conveyance of their capabilities or capacity.
Many 60 person MSPs are grossly incompetent. Some small teams of about 8 people are exceptionally skilled.
C-suite needs to drive it from the end in mind. The end is compliance attestation. Back into it from there and ONLY use a team which also has the technical capabilities to perform the remediations.
Do not use vCISO services from one company and remediation services from another. You get too many cooks in the kitchen and a disjointed and more expensive outcome will be the likely result.
The insurance companies are pushing the cost of the audit on the insured or applicant. This will involve eating tools and processes that connect with their assessment process.
Hence why it is crucial to work with a company like mine that has these workflows. Most don’t.
In this podcast, I provide an overview of the role of executives, managers, internal IT, and the CISO in business risk management. Until all parties understand that this is not information security risk or cybersecurity risk, it is business risk that they are responsible for managing, then it is not likely the situation will improve.
In order for business risk managers to make good risk decisions, they first have to engage and be involved. They cannot put their head in the sand and believe that "It's an IT problem." No, it's not an IT problem. When the HVAC system is open for hacking to everyone on the planet because the facilities director refuses to collaborate with IT security to come up with a solution to maintain business functionality while managing risk, that is a business risk issue.
If the facilities director REALLY believes that it is an IT problem, then IT needs to be provided the authority to rectify the issues. And when the facilities director's access is interrupted, then they will be forced to engage and collaborate at that time. But executive management needs to have the intestinal fortitude to enforce policy: the policy that IT does have that authority and, no, IT will not be retaliated against. That is one approach. The other approach is that the facilities director needs to acknowledge that THEY are responsible for business risk management of the HVAC system. So if the facilities director wants the right to complain when their access is revoked, then they cannot abdicate their responsibility and accountability for the security of the HVAC system.
Friday Oct 28, 2022
What is information security versus cybersecurity?
What are policies and why do we care?
Isn't that IT's problem?
Examples to learn from
Friday Sep 30, 2022
Frank Raimondi, VP of Channel Development at IGI Cyber Labs
IGI CyberLabs has a product called Nodeware which does continuous vulnerability assessment.
PenLogic – regular penetration test – once a quarter deep dive heavy one and a monthly light test.
CEO buyer’s journey
Security velocity
Risk scoring is part of security velocity
Improve your cyber-hygiene – all small businesses
Security 101 is inventory 101
Cysurance – warranty and liability company
It’s good that insurance companies are trying to be more objective about the real risk metrics. Get the scoring and get the data about how risky they are. This feeds into the evaluation data which is used for underwriting.
FTC Safeguards policy impact
Operational security issues – MSPs that post all their personnel information publicly.
The impact of customer contracts and compliance. Squeeze between cost and staying in business in terms of insurance and customer contract requirements.
Tuesday Sep 13, 2022
Felicia King and Dan Moyer of QPC Security talk about vulnerability management, patch management, and all the things that business owners are generally not understanding adequately. As a result of that, you're being underserved, misled, and in some cases lied to and ripped off.
Ultimately, many business owners are refusing to pay for what they need for adequate risk management because they don't understand what they need. In today's episode Felicia and Dan fill that gap.
Announced on October 6, 2021, the US Department of Justice Civil Cyber-Fraud Initiative is applying the False Claims Act to those who:
fail to follow required cybersecurity standards
knowingly provide deficient cybersecurity products or services
misrepresent their cybersecurity practices or protocols
violate obligations to monitor and report cybersecurity incidents and breaches
Just let that sink in for a second. So, is your IT service provider really meeting that standard? I sincerely doubt it.
01:23 The difference between vulnerability management and patch management
Holistic vulnerability management includes, but is certainly not limited to:
Software bill of materials analysis
Supply chain risk management
Third-party risk management
End-of-life software
Asset inventory up to date
Lifecycle management
Continuous vulnerability assessment
Frequent penetration tests
Tabletop exercises
Procurement policy
04:38 Cybersecurity insurance applications aren’t asking JUST about patch management
When did you have your last penetration test?
Do you have continuous vulnerability assessment in place?
How long are you going to go without having the patches applied in the environment?
If you think adequate patch management can be done for $50/mo/server, you are hallucinating.
So, what’s included in patch and vulnerability management?
05:34 Patch management
Patches are the building blocks that are improving the software that lives on the hardware. Without software, you can't interact with the piece of hardware unless it's purely mechanical, and even then there's still improvements of usage.
How do you manage and protect those tools of your business from threat factors?
09:20 Third-party patches & vulnerabilities
IT service provider proposals are telling business owners that they can patch their servers and their endpoints and automate Windows updates and some third-party patches. What are those third party applications? What about all your custom business line applications? Do you actually want your critical SQL server to have its SQL instance updated using automation? How much money does it cost you if that workload is down?
10:27 Asset management
Do you know what you have in your environment? Do you have accurate asset management and vulnerability assessments? Simply stated:
“You can’t secure what you don’t have an accurate inventory for.”
It is a regulatory requirement and cybersecurity insurance requirement to adequately document and understand software dependencies in your environment. That requires a proper inventory of your hardware, software, and subcomponents of the software. This is frequently referred to as SBOM - software bill of materials. And if you think your software vendor is going to provide that information, please go ask them for that information. You will probably get a blank stare. IS security engineers can figure it out on their own.
18:48 Implementing proper procurement policies
Does your procurement policy support your vulnerability management strategy? Does your software acquisition and implementation policy (if you even have one) support your cybersecurity insurance and regulatory requirements?
When business decision makers put pressure on an IT service provider or internal IT to implement new software without proper security protocols, vetting, and process documentation, vulnerabilities are nearly always introduced into your environment. Sometimes that comes directly from their insecure software. Sometimes it comes from the tools and connectivity they use to remote into your systems or things like API connectors that your IT is supposed to just blindly trust the software vendor to secure their software with zero validation or proof. A proper CISO on your team or through your ITSP will be able to directly vet the vendor and software itself.
You are required by cybersecurity insurance and Federal regulatory guidance to do so. It is also in your business's best interest to do so.
Be very careful looking for just certifications for someone who says they are a CISO. The majority of CISOs do not have technical chops. They are often compliance managers that cannot do the technical work. Those people have limited usefulness and will not be able to
All of the vCISOs at QPC are hardcore technical because we understand the essential nature of that skillset being a mandatory requirement to deliver effective CISO services.
20:24 Privileged access management and privileged password management
How do you know who has remote access to your systems? How many people will have access to your systems? Today, there are many IT service providers who are not disclosing their outsourced Helpdesks that are giving full administrative-level access to a customer’s back end to all those workers at the virtual live Helpdesk. Most ITSPs also fail to disclose the totality of the quantity of people that will end up with admin access to some or all of your systems.
Ask yourself. If you have 25 office personnel, why would it take 30 remote people to have admin access to your systems in order to provide competent support? Do you think it is actually possible to have a high security environment and magically keep 30 people fully up-to-speed on the exact correct configurations required in your environment and what the interaction effects are? It's not possible and will never happen.
24:27 A procurement policy can keep a business' IT costs stable
The number one thing that business owners complain about is the cost of maintenance. With a procurement policy in place and by working with their IT service provider and procuring anything that they do not have a full understanding of the total cost of ownership for – costs can be managed.
Does your procurement policy support your business strategy and needs?
34:22 Understanding the cost and time of device and software procurement
There are also a lot of other risks that the vast majority of people don't think about; they tend to only think about the budgetary risk. However, getting the strategic input from a CISO or CIO to develop an understanding of the minimum pricing floor, and how that affects the total cost of ownership, can save a business not only money but time.
SaaS can get you closer to a flat-rate cost but you may have inherited additional risk and vulnerabilities, depending on how the new technology interconnects with your systems. Additional risk factors are:
counterparty risk
structural increase in cost of doing business risk
accessibility risk (redundant access is then required and cannot be fully mitigated)
external software vendor attack vector risk that cannot be mitigated through Layer 3 ACLs
takedown/contract risk
37:33 Cloud vs on-prem security
It's still a fallacy that having your systems in the cloud is better and cheaper; people incorrectly think they can have as good security in the cloud as they can on premise. Going to SaaS can provide a lower and more predictable TCO if the counterparty risk you accept is worth it. But picking up your servers and hosting them on someone else's infrastructure will never be less expensive. IaaS cost savings are a fallacy for the majority of businesses. The exception is massive companies with heavy DevOps needs for spinning up and down workloads quickly. Most of those items are being migrated to Kubernetes and OpenShift.
46:48 IT/IS is not a utility
The electricity company, the water utility, garbage pickup, fire and safety, ISP – they are monopolies and uni-taskers. Whereas IT is far more complex. People tend to think that if it’s a utility, therefore it’s a commodity, and if it’s a commodity it doesn’t matter which service provider I choose.
Business decision makers are trying to manage budget risk without understanding their requirements. They also want to have budgetary control while abdicating their involvement upon outsourcing their IT to an ITSP.
An IT service provider can be a partner to success and can help businesses develop better business strategies IF there is regular and open communication.
This is part 1 of a 2-part series on vulnerability management. Listen to Part 2 at https://qpcsecurity.podbean.com/e/vulnerability-management-with-felicia-and-dan-part-2. To learn more about QPC Security, visit us at https://www.qpcsecurity.com/
This is another resource for vulnerability management information.
https://land.fortmesa.com/vulnerability-management-101
Thursday Aug 05, 2021
I have been thinking for months about the latest challenges faced by organizations with regards to the increased cybersecurity risks, what is at stake, how unprepared they are, and how the cyber insurance companies are responding to the changing landscape.
As I have had conversations with business decision makers, they often think that they have little to risk. Many businesses feel that they are not under much if any regulatory framework that requires them to take action. It seems that each week I see another cybersecurity insurance risk assessment questionnaire that nearly every organization will fail. Compliance frameworks are incomplete and horrifically confusing.
There is no compliance framework that will get you the fundamentals. There is no security control framework that tells you how to have effective network layer security. The gap between guidance and successful execution is wide.
It occurs to me that the only real defense for small and medium businesses is organizations like QPC which have virtual information security officers and full remediation services on offer backed by ongoing management. There are plenty of penetration testers or those that will sell you MDR services. Execution of fundamentals is where it is at. There is little value in pursuing the frameworks until you have addressed the fundamentals. After you have the fundamentals in place, then review your status against frameworks and you will probably find that many items have already been addressed.
Regardless, I'm always on the hunt for ways to help the SMB organization leader. It occurs to me that no matter what data you think you have at risk or don't have at risk, there is one thing you don't have which is at risk. Listen to the show to find out the real reason you cannot afford to have a cybersecurity incident.
Updated on 8/8/2021: I saw this great article today on this topic and decided to include it.
The Disturbing Facts About Small Businesses That Get Hacked
I will warn that their documented risk mitigation measures are H.S.
And check out this excellent article on more reasons why you cannot afford to be hacked.
10 Terrifying Cybersecurity Stats | Cybersecurity | CompTIA
Friday Apr 30, 2021
Overview of the secure endpoint strategy
The CIA you care about – confidentiality, integrity, and availability of the data on and accessed by your technology systems
You need strategies effective at protecting against the efforts of nation state actors and large criminal enterprises
Your bank account, identity, business, and mental health are at stake
What security posture strategy works now?
Who do you partner with, and how do you vet or assess them?
It is not about simply selecting the technology. It is much more about the partner who services you.
Zero-trust posture coupled with the proper services
Welcome to "Breakfast Bytes," your go-to podcast for insightful discussions on hot tech topics. In this episode, hosted by Felicia King, we take a deep dive into the critical world of endpoint protection. With an increased shift of our lives online, protecting our data is more important than ever. But how much do we understand about endpoint protection and the steps needed to safeguard our data?
We kick off with a discussion about our technology usage and the assumptions behind it. We delve into concepts like the 'CIA Triad,' the backbone of all data security strategies representing Confidentiality, Integrity, and Availability. We also explore the daunting facets of cybersecurity, such as hack attempts, nation-state actors, criminal enterprises, and the lack of regulation, illuminating the challenges individuals or small businesses face in combating such overwhelming threats.
The episode then shifts gears to emphasize the significance of teaming up with a top-notch security architect to stay secure. We discuss the differences between a Security Operations Center (SOC) and a Network Operations Center (NOC), and why understanding these differences is vital when choosing an IT service provider. We further discuss why consumer-grade technologies may not be sufficient and why businesses should consider enterprise-level solutions. Special emphasis is put on endpoint protection platforms that maintain a zero-trust posture and the advantages they offer.
We also delve into the key components of Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) technologies, spending time exploring how your endpoint's data is monitored by a 24/7 staffed data center. In addition, we provide crucial questions you should ask your IT service provider, particularly about administrative access. The perils of vendor agnosticism and outsourcing to under-protected NOCs are highlighted, as is the crucial need to evaluate endpoint protection critically and the importance of timely system patching.
This episode aims to empower listeners with the knowledge they need to strengthen their data protection strategy and avoid leaving their data 'naked on the interstate'. Listen in and equip yourself with the information you need to protect your data more efficiently and effectively.