Quality Plus Consulting - Breakfast Bytes

Risk management

Episodes

2 days ago

Recent question I got: What are the major changes that you have seen from security auditors in recent years and/or where do you see the audit process heading? Quick response: For the sake of a high level, automation is and will continue to be used. The size of the IT service provider is NOT a conveyance of their capabilities or capacity. Many 60 person MSPs are grossly incompetent. Some small teams of about 8 people are exceptionally skilled. C-suite needs to drive it from the end in mind. The end is compliance attestation. Back into it from there and ONLY use a team which also has the technical capabilities to perform the remediations. Do not use vCISO services from one company and remediation services from another. You get too many cooks in the kitchen and a disjointed and more expensive outcome will be the likely result.   The insurance companies are pushing the cost of the audit on the insured or applicant. This will involve eating tools and processes that connect with their assessment process. Hence why it is crucial to work with a company like mine that has these workflows. Most don’t.   In this podcast, I provide an overview of the role of executives, managers, internal IT, and the CISO in business risk management. Until all parties understand that this is not information security risk or cybersecurity risk, it is business risk that they are responsible for managing, then it is not likely the situation will improve. In order for business risk managers to make good risk decisions, they first have to engage and be involved. They cannot put their head in the sand and believe that "It's an IT problem." No it's not an IT problem. When the HVAC system is open for hacking to everyone on the planet because the facilities director refuses to collaborate with IT security to come up with a solution to maintain business functionality while managing risk, that is a business risk issue. If the facilities director REALLY believes that it is an IT problem, then IT needs to be provided the authority to rectify the issues. And when the facilities director's access is interrupted, then they will be forced to engage and collaborate at that time. But executive management needs to have the intestinal fortitude to enforce policy. The policy that IT does have that authority and no IT will not be retaliated against. That is one approach. The other approach is that the facilities director needs to acknowledge that THEY are responsible for business risk management of the HVAC system. So if the facilities director wants the right to complain when their access is revoked, then they cannot abdicate their responsibility and accountability for the security of the HVAC system.

Friday Oct 28, 2022

What is information security versus cybersecurity? What are policies and why do we care? Isn't that IT's problem? Examples to learn from

Friday Sep 30, 2022

Frank Raimondi, VP of Channel Development at IGI Cyber Labs IGI CyberLabs has a product called Nodeware which does continuous vulnerability assessment. PenLogic – regular penetration test – once a quarter deep dive heavy one and a monthly light test. CEO buyer’s journey Security velocity Risk scoring is part of security velocity Improve your cyber-hygiene – all small businesses Security 101 is inventory 101 Cysurance – warranty and liability company It’s good that insurance companies are trying to be more objective about the real risk metrics. Get the scoring and get the data about how risky they are. This feeds into the evaluation data which is used for underwriting. FTC Safeguards policy impact Operational security issues – MSPs that post all their personnel information publicly. The impact of customer contracts and compliance. Squeeze between cost and staying in business in terms of insurance and customer contract requirements.

Tuesday Sep 13, 2022

Felicia King and Dan Moyer of QPC Security talk about vulnerability management, patch management and all the things that business owners are generally not understanding adequately. As a result of that, you're being underserved, misled, and in some cases were lied to and ripped off. Ultimately, many business owners are refusing to pay for what they need for adequate risk management because they don't understand what they need. In today's episode Felicia and Dan fill that gap.  Announced on October 6, 2021, the US Department of Justice Civil Cyber-Fraud Initiative is applying the false claims act to those who: fail to follow required cybersecurity standards knowingly provide deficient cybersecurity products or services misrepresent their cybersecurity practices or protocols violate obligations to monitor and report cybersecurity incidents and breaches Just let that sink in for a second. So, is your IT service provider really meeting that standard? I sincerely doubt it. 01:23 The difference between vulnerability management and patch management  Holistic vulnerability management includes, but is certainly not limited to:  Software bill of materials analysis  Supply chain risk management  Third-party risk management  End-of-life software  Asset inventory up to date  Lifecycle management  Continuous vulnerability assessment  Frequency penetration tests  Tabletop exercises  Procurement policy  04:38 Cybersecurity insurance applications aren’t asking JUST about patch management  When did you have your last penetration test?  Do you have continuous vulnerability assessment in place?  How long are you going to go without having the patches applied in the environment?  If you think adequate patch management can be done for $50/mo/server, you are hallucinating. So, what’s included in patch and vulnerability management?   05:34 Patch management  Patches are the building blocks that are improving the software that lives on the hardware. Without software, you can't interact with the piece of hardware unless it's purely mechanical, and even then there's still improvements of usage.   How do you manage and protect those tools of your business from threat factors?  09:20 Third-party patches & vulnerabilities  IT service provider proposals are telling business owners that they can patch their servers and their endpoints and automate Windows updates and some third-party patches. What are those third party applications? What about all your custom business line applications? Do you actually want your critical SQL server to have its SQL instance updated using automation? How much money does it cost you if that workload is down? 10:27 Asset management  Do you know what you have in your environment? Do you have accurate asset management and vulnerability assessments? Simply stated:   “You can’t secure what you don’t have an accurate inventory for.”  It is a regulatory requirement and cybersecurity insurance requirement to adequately document and understand software dependencies in your environment. That requires a proper inventory of your hardware, software, and subcomponents of the software. This is frequently referred to as SBOM - software bill of materials. And if you think your software vendor is going to provide that information, please go ask them for that information. You will probably get a blank stare. IS security engineers can figure it out on their own. 18:48 Implementing proper procurement policies  Does your procurement policy support your vulnerability management strategy? Does your software acquisition and implementation policy (if you even have one) support your cybersecurity insurance and regulatory requirements? When business decision makers put pressure on an IT service provider or internal IT to implement new software without proper security protocols, vetting, and process documentation, vulnerabilities are nearly always introduced into your environment. Sometimes that comes directly from their insecure software. Sometimes it comes from the tools and connectivity they use to remote into your systems or things like API connectors that your IT is supposed to just blindly trust the software vendor to secure their software with zero validation or proof. A proper CISO on your team or through your ITSP will be able to directly vet the vendor and software itself. You are required by cybersecurity insurance and Federal regulatory guidance to do so. It is also in your business's best interest to do so. Be very careful looking for just certifications for someone who says they are a CISO. The majority of CISOs do not have technical chops. They are often compliance managers that cannot do the technical work. Those people have limited usefulness and will not be able to  All of the vCISOs at QPC are hardcore technical because we understand the essential nature of that skillset being a mandatory requirement to deliver effective CISO services. 20:24 Privileged access management and privileged password management  How do you know who has access to remote access to your systems? How many people will have access to your systems? Today, there are many IT service providers who are not disclosing their outsourced Helpdesks that are giving full administrative-level access to a customer’s back end to all those workers at the virtual live Helpdesk. Most ITSPs also fail to disclose the totality of the quantity of people that will end up with admin access to some or all of your systems. Ask yourself. If you have 25 office personnel, why would it take 30 remote people to have admin access to your systems in order to provide competent support? Do you think it is actually possible to have a high security environment and magically keep 30 people fully up-to-speed on the exact correct configurations required in your environment and what the interaction effects are? It's not possible and will never happen.  24:27 A procurement policy can keep a business' IT costs stable  The number one thing that business owners complain about is the cost of maintenance. With a procurement policy in place and by working with their IT service provider and procuring anything that they do not have a full understanding of the total cost of ownership for – costs can be managed.  Does your procurement policy support your business strategy and needs?  34:22 Understanding the cost and time of device and software procurement  There's also a lot of other risks that the vast majority people don't think about; they tend to only think about the budgetary risk. However, getting the strategic input from a CISO or CIO to develop an understanding of the minimum pricing floor and how that affects the total cost of ownership, can save a business not only money but time.   SaaS can get you closer to a flat-rate cost but you may have inherited additional risk and vulnerabilities, depending on how the new technology interconnects with your systems. Additional risk factors are: counterparty risk structural increase in cost of doing business risk accessibility risk (redundant access is then required and cannot be fully mitigated) external software vendor attack vector risk that cannot be mitigated through Layer3 ACLs takedown/contract risk 37:33 Cloud vs on-prem security  It's still a fallacy that having your systems in the cloud is better and cheaper, incorrectly thinking they can have as good security in the cloud as they can on premise. Going to SaaS can provide a lower and more predictable TCO if the counterparty risk you accept is worth it. But picking up your servers and hosting them on someone else's infrastructure will never be less expensive. IaaS cost savings are a fallacy for the majority of businesses. The exception being massive companies with heavy DevOps needs for spinning up and down workloads quickly. Most of those items are being migrated to Kubernetes and OpenShift. 46:48 IT/IS is not a utility  The electricity company, the water utility, garbage pickup, fire and safety, ISP – they are monopolies and uni-taskers. Whereas IT is far more complex. People tend to think that if it’s a utility, therefore it’s a commodity, and if it’s a commodity it doesn’t matter which service provider I choose.  Business decision makers are trying to manage budget risk without understanding their requirements. They also want to have budgetary control while abdicating their involvement upon outsourcing their IT to an ITSP.   An IT service provider can be a partner to success and can help businesses develop better business strategies IF there is regular and open communication.     This is part 1 of a 2-part series on vulnerability management. Listen to Part 2 at https://qpcsecurity.podbean.com/e/vulnerability-management-with-felicia-and-dan-part-2. To learn more about QPC Security, visit us at https://www.qpcsecurity.com/ This is another resource for vulnerability management information. https://land.fortmesa.com/vulnerability-management-101  

Copyright 2022 All rights reserved.

Podcast Powered By Podbean

Version: 20221013