Quality Plus Consulting - Breakfast Bytes

Vulnerability management

Episodes

Thursday Feb 01, 2024

Felicia is joined by fellow CISO Dawn Montemayor, partner at PureCyber, which is a security minded business consulting firm. Learn from two CISOs about how vital it is to use operationally mature processes in requirements definitions in order to achieve effective outcomes while avoiding toxic behavior in complex entities.
the importance of vulnerability assessment and management requirements in contracts
It is imperative for resource owners to be designated and held accountable to outcomes.
Exit strategies must be established as part of the procurement process
Lack of right to audit clauses in cloud services contracts
How the lack of an effective paradigm leads to destructive decision-making
IT must not be seen as the dumping ground or janitor. Instead the business must be charged back for the real proportional costs for the cost of service.
True TCO calculations must be made as part of the procurement requirements definition.
Systems integration and interaction maps are incredibly valuable
IT must be seen as a business partner and involved in decision-making.
Just because IT wants to say yes to help the business does not mean the business gets to disrespect IT standards.
Talking to the CISO can lead to utilization of an already vetted, approved platform making the pace of business faster.
Why procurement justification statements are imperative
Why it is necessary to track TCO and actual costs for product and services associated with a business function
Why it is essential to use operationally mature processes in a paradigm focused on governance, accountability, and transparency
Why the CISO and CTO should sign off on procurement of anything for which there is not already an approved policy standard on.
Why your CISO needs to review the contracts for a service or product before an officer of the company signs the contract
Why business leaders must consider how their revenue is event driven
Why the shared responsibility model is imperative. Resource owners must be defined and made accountable.

Wednesday Nov 29, 2023

Part 2 of a series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.
Cohost: Tom Dean – Consulting Ventures
Tom has decades in capital goods manufacturing industry (fortune 500 scale)
Years of experience in marketing, sales & interfacing with independent dealers/distributors (small/medium scale)
Current focus is strategy & risk management consulting
Lifelong learner and an interest in technology.
Strategy + risk management ---> mobile devices
Topics:
Apple find my network; useful feature, but privacy considerations
SSO risks where there are too many items that can be compromised if there is a single compromise of a single system
Out of band SMS
Problems with Twilio and 10DLC for VOIP SMS
Know your customer regulations, implications with SMS validation for ownership establishment
Synology came up with their own Synology MFA app and the problems with that
Do not call registry updates; Good news!

Zero trust fundamentals

Friday Jun 02, 2023

Friday Jun 02, 2023

Zero trust is not a product you buy.The problem that most organizations have is that they are still not doing the fundamentals well.CIS has a community defense model.I did a detailed webinar on it where I covered a lot of these fundamentals.https://www.qpcsecurity.com/2023/02/16/addressing-information-security-fundamentals-with-cis-and-community-defense-model/
Let's look at inventory management, asset management, change management, onboarding and offboarding.
You must have checks and balances. There must be practices codified in policy with a shared responsibility model which make it so that the issues that are created by mistakes in onboarding or offboarding are caught.
Fundamentally, the most effective thing in zero trust are the protections that are in an always on state.Like for example the recent revelation about flaws in UEFI and SecureBoot.These have prerequisites like TPM, BIOS configs, bios adm pwds, automated firmware updates, procurement policy alignment for supported hardware, onboarding configuration done properly on those endpoints, monitoring of the firmware updates, and of course, no admin access for end users!!!
FUNDAMENTALS MUST BE MASTERED
When an organization does not have a CISO that has policy and management authority over IT, you are guaranteed to have problems.Forget CIO and CTO. I think those are old modes of thinking. Find a CISO that can be the leader of all IT strategy.
Procurement policy must include vetting and testing of cloud app integrations. Monitoring and technical controls must be in place to restrict or eliminate the ability of an end user to buy shadow IT and authorize it on their own. Azure AD has controls for this, but they are not on by default.

CISO Workflows

Friday Sep 30, 2022

Friday Sep 30, 2022

Frank Raimondi, VP of Channel Development at IGI Cyber Labs
IGI CyberLabs has a product called Nodeware which does continuous vulnerability assessment.
PenLogic – regular penetration test – once a quarter deep dive heavy one and a monthly light test.
CEO buyer’s journey
Security velocity
Risk scoring is part of security velocity
Improve your cyber-hygiene – all small businesses
Security 101 is inventory 101
Cysurance – warranty and liability company
It’s good that insurance companies are trying to be more objective about the real risk metrics. Get the scoring and get the data about how risky they are. This feeds into the evaluation data which is used for underwriting.
FTC Safeguards policy impact
Operational security issues – MSPs that post all their personnel information publicly.
The impact of customer contracts and compliance. Squeeze between cost and staying in business in terms of insurance and customer contract requirements.

Wednesday Sep 21, 2022

This episode of Breakfast Bytes is Part 2 of a series where Felicia King and Dan Moyer of QPC Security continue their conversation on Vulnerability Management. Listen to Part 1 at https://qpcsecurity.podbean.com/e/vulnerability-management-part-1/. 
In today’s episode, Felicia and Dan discuss vulnerability management workflows, supply chain risk management, starting with security on the front end rather than retrofitting, and proper patch management. 
Workflow management 
01:10 CISO-related (Chief Information Security Officer) workflows are at the core of what is today’s necessity, and we will only see it become more mandatory within the next couple of years. Organizations that do not have vulnerability management workflows in place in a comprehensive way are going to find they have too much technical debt, deferred maintenance, or deferred security to be able to dig themselves out. This won’t be from a lack of money either, but a lack of manpower and time in the day to rectify the issue. 
Supply chain risk management 
02:43 SaaS vendors have vulnerabilities and very few of them have in their contracts your rights and their obligations. What kind of questions should you be asking your SaaS vendors that in many cases you are responsible for as an organization? Here are just a few: 
Do they have continuous vulnerability management scanning going on with regards to their SaaS platform? 
How are they classifying vulnerabilities?  
How quickly are they going to resolve vulnerabilities?  
How are they communicating these issues to you?  
Do they use API security scanning?  
How do they adhere to OWASP API standards and best practices?  
What are they doing for you in terms of supply chain risk management or software bill of materials? 
Your organization’s CISO or vCISO should be in your court getting answers to these questions if they are not being addressed by your SaaS vendor or addressed in your contract. Having a proactive, highly functional, highly communicative, and open, honest working relationship with your CISO will ensure you have the protections your organization needs. 
Proper patch management 
04:51 Let's walk through an example of patch management in an environment with Hyper-V hosts, Dell PowerEdge server, domain controllers, business critical SQL servers with essential business applications, virtual machines, remote sites, on-site and offsite backups, hardware at different speeds, and then all these third-party software on these workloads – how do you patch all these things? 
06:11 It is exceptionally important to note that some patches will step on or over each other, be required to be put in place and rebooted first, and then other patches applied on top of it. The time it takes to patch a server can be exacerbated by trying to accomplish, say, five patches in one changewindow rather than one patch/reboot followed by another one patch/reboot, and so on. 
07:48 Watching the servers reboot is an important piece to verify the workload comes back up reiterating the point made in Part 1 of this series that adequate patch management of an entire server for $50/month cannot be done. 
Domain controllers 
09:19 There tends to be multiple domain controllers or, in the case of just one, it has been designed so that it can reboot whenever it needs to allow for patching. The domain controller is the brain of everything, and since it can reboot whenever needed to apply patches, it can facilitate that while staying available when everything else comes back up. 
Typically we will start with domain controllers as the first thing patched and verified. Now if there are multiple, and depending on how critical the environment is, a rolling out patch might be done so that these secondary domain controllers or ones that are not on the best hardware are patched and then they sit for a period. 
Backup plans and backstops 
11:29 Part of that patching methodology is your backup plans and backstops – having the tools and everything else in place to uninstall a patch if needed. When we set up our servers, we always have Command Prompt and PowerShell already queued up on those devices when we log in. Then we have the availability of pre-planned scripts that we can adjust as we go but most importantly, all the tools are there and available.  
Importance of roles on servers 
12:25 Part of your ability to have resiliency in the environment is the ability to reboot whenever you need, because you have redundancy and resiliency. Because it is a single role server, it gives you that agility to be able to resolve and prevent issues.  
Therefore, workload design is the name of the game. Whatever you think that cost is of that additional virtual machine, that is nothing compared to the problems that you cannot solve because you tried to shove a bunch of stuff together in workloads that did not meet because they were mismatched workloads. 
Many patch managers are not comprehensive and there is a lack of consistency in of what is getting patched on a well-designed domain controller versus a third-party party application server.  
Physical servers 
16:09 Watching a virtual machine reboot while maintaining efficiency and not biting off more than one can chew is crucial, but we are also finding is increasingly important to watch the physical servers and that can only be possible with the right hardware. 
How are you auditing and confirming that patches are being applied and which ones have not? At QPC Security, we bring all the virtual machines down and reboot the host as a prerequisite for patching because it gives you a clean slate to start your patches. Then we will use the patching methodology to push specific patches down to it. We use our patching piece to push specific ones because not everything is needed for hosts and other pieces that we have identified will cause an issue, is a multi-patch, or a multi-patch/multi-reboot process. 
Taking one step at a time, pull it down, apply patches, make sure everything is happy coming up. Go through that entire process again. While we are connected to iDRAC, we watch the server, reboot, apply patches, come back up, make sure all the VM's are checking in properly, we are making sure everything is available, then they go through that process two to three times. It depends on how many patches are available and what things got pushed out. 
Everything has patches 
20:39 If you have a hypervisor that is not giving you patches; you should not be using them. Likewise, if there is no product improvement then there is no security management from that vendor. There is no easy button or a set it and forget it. 
21:42 When IT is not confident in how a process is going to work, they do not want to touch it and that is exactly where a vulnerability arises. Say a consultant installs Cisco, but without a brand expert or budget in place keep the consultant to maintain it, it remains unpatched and therefore vulnerable. That is precisely why organizations need to have a business continuity and disaster recovery (BCDR) plan in place and a procurement policy that drives effective vulnerability management. 
Incremental patching 
25:26 When people are too afraid to patch the hardware, it does not get patch which accumulates over time in terms of technical debt and the technical issues it accumulates. Attempting to patch too many patches at once or jump too many versions results in the reboot cycle of death or a very time-consuming reboot because you are not running a vetted, tested, and supported configuration. The more time and versions you allow to pass between patches, the more divergent from manufacturer’s tested config those updates become. 
Buying the right hardware to begin with saves you money down the line 
33:20 A crucial piece to vulnerability management in your workstations is BIOS, drivers, firmware. If you buy the right hardware to begin with that has the automation engine built into it and when you deploy it you are configuring it accordingly, it becomes far less expensive than paying a human being to manually babysit your vulnerability management. 
Not all workloads are created equal 
34:59 A word of caution when an IT service provider quotes patch management for your organization. When it comes to patching business line apps that need high uptimes because it costs a business thousands of dollars per hour to be down, what patches does the ITSP apply and with what preparation for back out plan?  
In many cases, an ITSP is giving a client the perception of patch management, certainly not vulnerability management, but in reality they are simply doing a Windows update and only some third-party patching, which might only be five third party applications. At QPC Security, our catalog of patches of over 9500 software titles that we are patching and there is no automation. Visit https://www.ivanti.com/partners/ivanti-software-catalog to learn more about the normalization of software titles. 
Cybersecurity insurance applications require continuous vulnerability assessment and vulnerability management. However, most IT service providers do not offer comprehensive patch management. Their vulnerability management claims are grossly misrepresented to the point of malfeasance. 
Vendor documentation & software bill of materials 
37:43 You cannot keep your head in the sand – all these things must be considered when receiving a quote from an IT service provider.  
In cases when the software vendor is not offering competent documentation, your organization must rely on the legwork of your IT service provider to offer timely patches at opportune times. Do not forget that many ITSPs will charge you to run patches on the weekend or evenings when there will be minimal impact to your business.  
"Titrics"
43:02 Your ITSP should have vetted and tested procedures and protocols for implementing patches, yet all too many do not. So many times, we see the priority of IT companies are how quickly they can close a ticket and rely on the software companies to do it for them. This focus on first-call closures and ticket metrics (termed here as “titrics”) is grossly underserving their clients and their clients’ organizations. Proper documentation allows for better time management and to offer effective support to best serve the needs of the clients without requiring the assistance of the third-party software vendor. 
47:05 Gaps in change management, change control, and documentation for server workloads arise when an ITSP is focused on ticket-based productivity rather than quality of service. The original scope of the project by the ITSP requires evaluation from someone who can accurately evaluate the needs of the client’s organization. When the bid is too low, the needs of the client are not going to be met, the work will not be completed, and the organization is left vulnerable. 
50:03 Unfortunately, an incompetent ITSP will leave out what services they had to cut out on the race to the bottom of the pricing model and that leaves it up to you, as the business owner, to be aware of your organization’s cybersecurity insurance policy requirements and how they are being fulfilled. 
Questions? Reach out to us
QPC Security proudly serves businesses with virtual CISO services for our clients. If you are interested in learning more about how QPC Security can serve the needs of your organization please visit https://www.qpcsecurity.com/ or call one of our experts directly on (262) 553-6510.  
Stay up to date on the most recent episode of Breakfast Bytes by following the podcast on Podbean at https://qpcsecurity.podbean.com/. 
 
Learn more: https://www.complianceforge.com/faq/word-crimes/policy-vs-standard-vs-control-vs-procedure
 

Tuesday Sep 13, 2022

Felicia King and Dan Moyer of QPC Security talk about vulnerability management, patch management and all the things that business owners are generally not understanding adequately. As a result of that, you're being underserved, misled, and in some cases were lied to and ripped off.
Ultimately, many business owners are refusing to pay for what they need for adequate risk management because they don't understand what they need. In today's episode Felicia and Dan fill that gap. 
Announced on October 6, 2021, the US Department of Justice Civil Cyber-Fraud Initiative is applying the false claims act to those who:
fail to follow required cybersecurity standards
knowingly provide deficient cybersecurity products or services
misrepresent their cybersecurity practices or protocols
violate obligations to monitor and report cybersecurity incidents and breaches
Just let that sink in for a second. So, is your IT service provider really meeting that standard? I sincerely doubt it.
01:23 The difference between vulnerability management and patch management 
Holistic vulnerability management includes, but is certainly not limited to: 
Software bill of materials analysis 
Supply chain risk management 
Third-party risk management 
End-of-life software 
Asset inventory up to date 
Lifecycle management 
Continuous vulnerability assessment 
Frequency penetration tests 
Tabletop exercises 
Procurement policy 
04:38 Cybersecurity insurance applications aren’t asking JUST about patch management 
When did you have your last penetration test? 
Do you have continuous vulnerability assessment in place? 
How long are you going to go without having the patches applied in the environment? 
If you think adequate patch management can be done for $50/mo/server, you are hallucinating.
So, what’s included in patch and vulnerability management?  
05:34 Patch management 
Patches are the building blocks that are improving the software that lives on the hardware. Without software, you can't interact with the piece of hardware unless it's purely mechanical, and even then there's still improvements of usage.  
How do you manage and protect those tools of your business from threat factors? 
09:20 Third-party patches & vulnerabilities 
IT service provider proposals are telling business owners that they can patch their servers and their endpoints and automate Windows updates and some third-party patches. What are those third party applications? What about all your custom business line applications? Do you actually want your critical SQL server to have its SQL instance updated using automation? How much money does it cost you if that workload is down?
10:27 Asset management 
Do you know what you have in your environment? Do you have accurate asset management and vulnerability assessments? Simply stated:  
“You can’t secure what you don’t have an accurate inventory for.” 
It is a regulatory requirement and cybersecurity insurance requirement to adequately document and understand software dependencies in your environment. That requires a proper inventory of your hardware, software, and subcomponents of the software. This is frequently referred to as SBOM - software bill of materials. And if you think your software vendor is going to provide that information, please go ask them for that information. You will probably get a blank stare. IS security engineers can figure it out on their own.
18:48 Implementing proper procurement policies 
Does your procurement policy support your vulnerability management strategy? Does your software acquisition and implementation policy (if you even have one) support your cybersecurity insurance and regulatory requirements?
When business decision makers put pressure on an IT service provider or internal IT to implement new software without proper security protocols, vetting, and process documentation, vulnerabilities are nearly always introduced into your environment. Sometimes that comes directly from their insecure software. Sometimes it comes from the tools and connectivity they use to remote into your systems or things like API connectors that your IT is supposed to just blindly trust the software vendor to secure their software with zero validation or proof. A proper CISO on your team or through your ITSP will be able to directly vet the vendor and software itself.
You are required by cybersecurity insurance and Federal regulatory guidance to do so. It is also in your business's best interest to do so.
Be very careful looking for just certifications for someone who says they are a CISO. The majority of CISOs do not have technical chops. They are often compliance managers that cannot do the technical work. Those people have limited usefulness and will not be able to 
All of the vCISOs at QPC are hardcore technical because we understand the essential nature of that skillset being a mandatory requirement to deliver effective CISO services.
20:24 Privileged access management and privileged password management 
How do you know who has access to remote access to your systems? How many people will have access to your systems? Today, there are many IT service providers who are not disclosing their outsourced Helpdesks that are giving full administrative-level access to a customer’s back end to all those workers at the virtual live Helpdesk. Most ITSPs also fail to disclose the totality of the quantity of people that will end up with admin access to some or all of your systems.
Ask yourself. If you have 25 office personnel, why would it take 30 remote people to have admin access to your systems in order to provide competent support? Do you think it is actually possible to have a high security environment and magically keep 30 people fully up-to-speed on the exact correct configurations required in your environment and what the interaction effects are? It's not possible and will never happen. 
24:27 A procurement policy can keep a business' IT costs stable 
The number one thing that business owners complain about is the cost of maintenance. With a procurement policy in place and by working with their IT service provider and procuring anything that they do not have a full understanding of the total cost of ownership for – costs can be managed. 
Does your procurement policy support your business strategy and needs? 
34:22 Understanding the cost and time of device and software procurement 
There's also a lot of other risks that the vast majority people don't think about; they tend to only think about the budgetary risk. However, getting the strategic input from a CISO or CIO to develop an understanding of the minimum pricing floor and how that affects the total cost of ownership, can save a business not only money but time.  
SaaS can get you closer to a flat-rate cost but you may have inherited additional risk and vulnerabilities, depending on how the new technology interconnects with your systems. Additional risk factors are:
counterparty risk
structural increase in cost of doing business risk
accessibility risk (redundant access is then required and cannot be fully mitigated)
external software vendor attack vector risk that cannot be mitigated through Layer3 ACLs
takedown/contract risk
37:33 Cloud vs on-prem security 
It's still a fallacy that having your systems in the cloud is better and cheaper, incorrectly thinking they can have as good security in the cloud as they can on premise. Going to SaaS can provide a lower and more predictable TCO if the counterparty risk you accept is worth it. But picking up your servers and hosting them on someone else's infrastructure will never be less expensive. IaaS cost savings are a fallacy for the majority of businesses. The exception being massive companies with heavy DevOps needs for spinning up and down workloads quickly. Most of those items are being migrated to Kubernetes and OpenShift.
46:48 IT/IS is not a utility 
The electricity company, the water utility, garbage pickup, fire and safety, ISP – they are monopolies and uni-taskers. Whereas IT is far more complex. People tend to think that if it’s a utility, therefore it’s a commodity, and if it’s a commodity it doesn’t matter which service provider I choose. 
Business decision makers are trying to manage budget risk without understanding their requirements. They also want to have budgetary control while abdicating their involvement upon outsourcing their IT to an ITSP.  
An IT service provider can be a partner to success and can help businesses develop better business strategies IF there is regular and open communication.  
 
This is part 1 of a 2-part series on vulnerability management. Listen to Part 2 at https://qpcsecurity.podbean.com/e/vulnerability-management-with-felicia-and-dan-part-2. To learn more about QPC Security, visit us at https://www.qpcsecurity.com/
This is another resource for vulnerability management information.
https://land.fortmesa.com/vulnerability-management-101
 

Copyright QPC Security All rights reserved.

Podcast Powered By Podbean

Version: 20230822