QPC Security - Breakfast Bytes

Welcome to another eye-opening episode of Breakfast Bytes hosted by Felicia King. In this episode, we dissect prevalent misconceptions in the IT industry particularly regarding services like NOC, SOC, XDR, and SOAR. Explore the conundrum between cybersecurity checkbox exercises and the pivotal need for legitimate risk reduction efforts. Moreover, discover potential pitfalls of co-managed IT and strategies to sidestep them.
We delve extensively into co-managed IT services, illustrating their significance, pitfalls, financial risks associated with improper executions, and real-life challenges and liabilities. Emphasis is also laid on the involvement of the clients and their responsibilities in relevant scenarios.
Our host Felicia does not just spotlight the issues in the IT sector but equally provides insightful solutions and pragmatic advice. Crucial facets like service evaluation, defined requirements, discrepancies between 'theater' and real risk mitigation are discussed at length.
This episode includes a discussion about shared responsibility, a cornerstone to successful IT operations. Unravel the importance of clients understanding policies, embracing HR enforcement, and being proactive in managing potential IT and security risks. We further cover the vital part they play when ensuring efficient IT systems and cybersecurity.
We question the practice of delegating SOC to third parties due to its contribution to fragmented security operations and poor risk management. Instead, we advocate for a converged NOC and SOC model. Explore how greater comprehension and collaboration paired with user training, self-reliance, and policy adherence can prevent catastrophes like litigation.
Beyond outlining potential risks and solutions, this episode offers practical advice for managing complex escalations and ensuring secure configurations, all through the converged NOC and SOC model.

Felicia is joined by fellow CISO Dawn Montemayor, partner at PureCyber, which is a security minded business consulting firm. Learn from two CISOs about how vital it is to use operationally mature processes in requirements definitions in order to achieve effective outcomes while avoiding toxic behavior in complex entities.
the importance of vulnerability assessment and management requirements in contracts
It is imperative for resource owners to be designated and held accountable to outcomes.
Exit strategies must be established as part of the procurement process
Lack of right to audit clauses in cloud services contracts
How the lack of an effective paradigm leads to destructive decision-making
IT must not be seen as the dumping ground or janitor. Instead the business must be charged back for the real proportional costs for the cost of service.
True TCO calculations must be made as part of the procurement requirements definition.
Systems integration and interaction maps are incredibly valuable
IT must be seen as a business partner and involved in decision-making.
Just because IT wants to say yes to help the business does not mean the business gets to disrespect IT standards.
Talking to the CISO can lead to utilization of an already vetted, approved platform making the pace of business faster.
Why procurement justification statements are imperative
Why it is necessary to track TCO and actual costs for product and services associated with a business function
Why it is essential to use operationally mature processes in a paradigm focused on governance, accountability, and transparency
Why the CISO and CTO should sign off on procurement of anything for which there is not already an approved policy standard on.
Why your CISO needs to review the contracts for a service or product before an officer of the company signs the contract
Why business leaders must consider how their revenue is event driven
Why the shared responsibility model is imperative. Resource owners must be defined and made accountable.

Felicia is joined by Laura Conrad, a Security Architect with 30 years of experience in enterprise environments. Laura currently reports directly to a CISO, and has been an integral part of the information security program at two large enterprises.
Felicia has consulted with 26 large enterprises and numerous SMB organizations in the last 30 years. She finds that the same problems occur in every organization that lacks operational maturity. 
Are you a person working in information security frustrated by the lack of progress of a security program in an organization because of the org's lack of operational maturity? Do you struggle in dealing with toxic, unproductive people? What approach could address these problems and more? Learn from two experts how they have seen companies engage in self-destructive and resource wasting approaches simply due to the lack of drive by executive leadership to install a structure for governance, accountability, and transparency in the organization. 
Org structure required for CISOs to be effective
This article and its impact are briefly covered as they are related to this topic.
https://www.darkreading.com/cybersecurity-operations/cisos-struggle-csuite-status-expectations-skyrocket
It is quite a good article, but it implies that if the CISO reports directly to the CEO, the problems in an organization will be reduced. While that is partially true, that by itself will absolutely not fix the problems. Felicia and Laura deep dive the decision-making failures that occur throughout an organization and what drives them. Also discussed are methods to truly and structurally correct the problems across an entire company.
95% of information security risk management issues are HR management issues
Executive management want to run the company, not manage people. This leads to toxicity and unproductivity being tolerated when personnel issues are not fully investigated and actioned. The desire to make an emotional problem go away cannot override the need to get to the core of the issue and put a system in place to prevent it from happening again. This is not about firing people. This is about instilling a culture where the facts matter, personnel issues will be investigated, and structural systems will provide the governance to drive productive staff behavior.
Org executives are unaware of the real costs of inputs
It seems to be a pervasive problem across most organizations that there is no financial management structure which facilitates the tracking of expenses as inputs to a service or product delivery to customers. Without this real understanding, leaders persistently price products and services incorrectly. This leads to one business division or a product line losing money and needing to be subsidized by another.
Executives rarely understand that by tolerating operational immaturity in their organization, they are actually failing in their duty to stakeholders to effectively manage the assets of an organization to maximize value.
Drive change and org-wide staff effort alignment with dashboards that drive transparency and healthy internal competition
Felicia and Laura discuss in detail the how and why of dynamically updating dashboards which help CTO, CIO, CISO manage upward to the CEO and board, while driving downward alignment to objectives.
Governance, Accountability, Transparency in IT Security
Felicia and Laura discussed the importance of governance, accountability, and transparency in IT security and business processes. They emphasized that these principles could help prevent problems caused by a lack of collaboration and understanding between IT and business units. Felicia cited instances where poor prior planning led to unnecessary expenses and internal toxicity, which she believes could be avoided with a more mature approach to operations. Laura added that these principles could also lead to cost savings and risk reduction. 
Harden the procurement policies
Felicia and Laura provide many examples of problems that could have or were avoided by having an enforced procurement policy which resulted in all technology purchases being signed off on by the CISO or security architect and often the enterprise architect. It is infinitely easier to rectify issues before an implementation and before signing a contract than to do so after a purchasing decision has already been made.

Felicia shares insights on the pitfalls of changing IT service providers or MSPs for both clients and the IT service providers themselves. This content is based upon a number of questions that other MSPs have posed to Felicia asking for advice as well as numerous first hand experiences on the subject.
This podcast is primarily for IT service providers or MSPs, but business decisions makers who are considering making a change would also benefit from the content.

Special guest Tobias Musser of MNS Group generously shares with the Breakfast Bytes audience his wisdom and insight into what is a challenging and nuanced regulatory landscape that has far reaching business implications.
https://mnsgroup.com/
A vigorous discussion of the implications of the latest DoD memo about DFARS 7012 FedRAMP or FedRAMP moderate.
FedRAMP Compliance Challenges and Hybrid Approach
Tobias and Felicia discussed the implications of a DOD memo mandating FedRAMP compliance for all products used by a DOD contractor or subcontractor. They explored the potential challenges, especially for small businesses, and the difficulties in achieving equivalence. They considered the idea of using on-premise solutions as an alternative, but noted the need for specific documentation and careful implementation. Tobias and Felicia also deliberated on the potential benefits of this approach, including the severability benefit of on-premise solutions. They discussed the challenges of finding cost-effective, user-friendly FedRAMP tools, noting their high cost and complexity. They also touched upon the implications of a recent memo that increased the requirements for FedRamp compliance and the potential security issues associated with it. Tobias emphasized the need for increased security to protect soldiers and the country. They concluded that a hybrid approach was necessary, but the current tools were not up to the task.

Tom Dean of Consulting Adventures joins Felicia for part three of the analysis on mobile devices and the problems with them.
OKTA breach, IT admin’s password getting stored in gmail password synced manager
Two-way problems. Personal on business and business on personal
Lack of clarity around device wipe, device use policies, apps running on devices
Compliance is easier when business owns the asset and delineation of ownership of asset and data is clear.
If the configurations are not managed, the cost profile to the company is a lot higher.
Credentials and MFA spill over in both directions
Data compliance issues
DLP and encryption issues
Lack of ability to define device security settings like PINs
How are you doing effective device configuration backups?
How do you prevent malicious apps from being installed on the devices?
How do you have leveraged support capabilities from the mobile devices?
Asset inventory is mandatory
Compliance costs can be drastically reduced by having company owned assets that only get approved applications. This is another reason why end users CANNOT have admin access.
No VPN access until someone has been part of the company for 30 days.
Onboarding and offboarding is crucial to information security
Information security is not a technical controls issue, it is a HR management issue.
 
Verizon fell for fake “search warrant,” gave victim’s phone data to stalker
https://arstechnica.com/tech-policy/2023/12/verizon-fell-for-fake-search-warrant-gave-victims-phone-data-to-stalker/
As if all that wasn't bad enough, if an employee of a company has issues in their personal life, it will spill over to business and especially in the context of allowed personal use of company assets.

Part 2 of a series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.
Cohost: Tom Dean – Consulting Ventures
Tom has decades in capital goods manufacturing industry (fortune 500 scale)
Years of experience in marketing, sales & interfacing with independent dealers/distributors (small/medium scale)
Current focus is strategy & risk management consulting
Lifelong learner and an interest in technology.
Strategy + risk management ---> mobile devices
Topics:
Apple find my network; useful feature, but privacy considerations
SSO risks where there are too many items that can be compromised if there is a single compromise of a single system
Out of band SMS
Problems with Twilio and 10DLC for VOIP SMS
Know your customer regulations, implications with SMS validation for ownership establishment
Synology came up with their own Synology MFA app and the problems with that
Do not call registry updates; Good news!

Part 1 of a two-part series on threats to mobile devices and through mobile devices. Tactics and techniques to deal with those threats.
Cohost: Tom Dean – Consulting Ventures
Tom has decades in capital goods manufacturing industry (fortune 500 scale)
Years of experience in marketing, sales & interfacing with independent dealers/distributors (small/medium scale)
Current focus is strategy & risk management consulting
Lifelong learner and an interest in technology.
Strategy + risk management ---> mobile devices
Personal travel:
Laptops have transformed to mobile devices (phones and tablets)
Risk was more contained with laptops, but the impact is much higher with mobile phones. A lot of nuances around "was the password revealed?"
Biometrics are convenient but quite dangerous
Biometrics are a proxy for a numeric passcode on a mobile device.
Physical compromise is a 5-alarm fire situation.
Physical loss when it is not compromised is not that big of an issue as long as authenticators are backed up.
Must have erase after 10 bad password attempts. Turn off notifications on screen lock. Do not have notifications turned on to display on the lock screen.
Avoid banking apps.
The first things that the baddies go after are Venmo, Apple Pay, Cash apps.
Out of band SMS for MFA
SIM swapping risk, or eSIM embedded in the phone
Put a PIN on your physical SIM.
MySudo – Can clone that instance to other phones.
Password manager on phone
Disaster if this is based upon your biometric. You can use a different or secondary PIN. You can use Yubikey.
Password manager helps you recover.
Segmentation strategies
They can see all the emails on your phone and change passwords or password reset is typically done via email
Screentime on Apple can be helpful, but there are weaknesses there. The only way to really secure the device is to use a MDM. You still need to be concerned about MFA and account takeovers.
Need to have an out of band mechanism to receive alerts and ability to remove kill the device.
Microsoft Authenticator and Google Authenticator do not have a separate PIN.
Authy is free. It has its own separate PIN.
Yubikey is great but assumes that you can manage controlling the physical access to that. Do not store on your key chain.
Diversification strategy with inventory.
MDM
Kill apps
Apple configurator – small scale
Apple Business Manager
Jamf – requires Apple Business account for security
Inexpensive “Jamf Now” for small businesses. Minimum is one device. The first 3 are free. Still affordable beyond that.
Don’t let anyone change the account on this device.
You have to figure out a lot on your own and block URLs that you don’t want accessed.
Apple devices need to be in supervised mode, so it matters how you buy them.
Intune
Risk examples
loss of device (resiliency e.g. MFA)
theft of device involving passcode surrender (loss mitigation)
SIM swap (cellular store employees)
SIM card theft (removal of SIM card from phone)
Risk reduction / resiliency
OS decision (iOS vs. android)
Note that one is not better than the other
Risk reduction is all about an individual's ability to manage the risks based upon platform selection
MDM (remote data wipe): small-scale co (Apple Configurator or JamfNow) vs. corporate MDM
MFA backup/diversification (SMS via cell or VOIP providers vs. TOTP vs. passkey/yubikey etc.)
App selection (OS-based or Independent)
App protection (‘independent’ PIN protection vs. face/touch ID)
‘Attack Surface’ – minimization of exposure (e.g. banking apps, cash apps, findmyfriends etc.)
Resources
https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claim
https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/amp/
 

The process of determining how workloads should be hosted is very complex and not a decision that should be abdicated to the IT service provider. Business decision-makers must be involved in those decisions as only they are able to define the key criteria that all other factors are dependent upon.
 

CTO Kyle Wentworth joins Felicia for a discussion about how businesses can avoid adverse financial impacts.
 
Lack of understanding of the language of technology
It changes so incredibly fast that it takes a sea of people who understand the pieces
Complete perspective of how the business of technology should be run
 
Understand what governance and compliance standards your business is held to
That dictates how you do business.
 
Some tangible examples of how things can and should be done:
Justification statement annually for expenses
How it is being used and how the costs were arrived at
Assignment of the resource owner
Misallocation of funds paying for items that should not be paid for takes resources from other needed items.
 
Walk through your business. Identify what you don't understand about the business?
Do you understand every function of the business?
You have to entire your entire business as a whole if you are the leader of the business.
Gaps in your understanding indicate where you need an auditor to identify that your people doing the processes are doing it properly.

Why it is critical to have an email security expert managing and monitoring email security configurations and delivery of email on an ongoing basis.
Instructions from marketing automation platforms are not adequate.
It matters A LOT what you are trying to do with email. Getting these items configured is an art form.
Vendors are continually failing vendor risk management analysis and losing business over their email not being properly configured.
 
New website resource:   https://kb.qpcsecurity.org

Kyle Wentworth of Wentworth Consulting Group joined Felicia to compare/contrast three C-suite level IT/IS related roles.
Kyle has 35 years of business experience and has been working on computers since 1976. He is a:
Fractional CTO
Business coach
Business process modeler
Kyle has a great resource on his website to help people understand the differences between these C-suite roles.
https://wentworthconsultinggroup.com/cto-cio-ciso-consulting/
Listen to the podcast for some Kyle truth bombs such as:
"Technology runs your business. You don't. We facilitate technology to run our business. IT is the most critical function of your business."
"Technology is harder to manage than brain surgery. Then why are you having conversations with technologists? Technology footprint is harder to identify and manage than brain surgery."
We talked about Felicia's hot button which is a lack of a quality, enforced procurement policy.
"The reason you give someone the ability to purchase the product is because you don’t understanding why they should NOT buy it."
 

Zero trust is not a product you buy.The problem that most organizations have is that they are still not doing the fundamentals well.CIS has a community defense model.I did a detailed webinar on it where I covered a lot of these fundamentals.https://www.qpcsecurity.com/2023/02/16/addressing-information-security-fundamentals-with-cis-and-community-defense-model/
Let's look at inventory management, asset management, change management, onboarding and offboarding.
You must have checks and balances. There must be practices codified in policy with a shared responsibility model which make it so that the issues that are created by mistakes in onboarding or offboarding are caught.
Fundamentally, the most effective thing in zero trust are the protections that are in an always on state.Like for example the recent revelation about flaws in UEFI and SecureBoot.These have prerequisites like TPM, BIOS configs, bios adm pwds, automated firmware updates, procurement policy alignment for supported hardware, onboarding configuration done properly on those endpoints, monitoring of the firmware updates, and of course, no admin access for end users!!!
FUNDAMENTALS MUST BE MASTERED
When an organization does not have a CISO that has policy and management authority over IT, you are guaranteed to have problems.Forget CIO and CTO. I think those are old modes of thinking. Find a CISO that can be the leader of all IT strategy.
Procurement policy must include vetting and testing of cloud app integrations. Monitoring and technical controls must be in place to restrict or eliminate the ability of an end user to buy shadow IT and authorize it on their own. Azure AD has controls for this, but they are not on by default.

The IRS regulations for tax preparers being compliant with the FTC Safeguards rule is specified to be enforced starting in June 2023. It is doubtful that the majority of tax preparers are adequately compliant.
The IRS published information about this compliance requirement as far back as 2019.
https://www.irs.gov/newsroom/heres-what-tax-professionals-should-know-about-creating-a-data-security-plan
All of it is common sense and things that orgs should have been doing for ages.
IRS publication 4557
https://www.irs.gov/pub/irs-pdf/p4557.pdf
Before you use a tax preparer, ask them for their compliance certification statement.
Practical examples of what to ask of your tax preparer and why
https://qpcsecurity.podbean.com/e/business-survival-over-the-next-decade/
More information on this topic from Joe Brunsman, cybersecurity insurance expert.
https://youtu.be/NOY249doJXg
 

What is the number one thing you can do as a consumer to protect yourself when dealing with tax preparers?
Practical examples of what to ask for from your tax preparer and why.
What are the total number of people that would have access to my records if I do business with you? You want me to sign a contract with you, terms and conditions that I have to abide by. If you are going to prepare my taxes, show me your affirmation statement where you as a tax prep preparer have put it in writing that you are fully in compliance as a business with the IRS requirements for tax preparers. Put that in writing.
If the IRS is the authority that is providing the designation that an organization is an IRS authorized tax preparer, then the IRS is the entity who defines the standard for what is the requirement put upon that organization or that person in order to have that designation. Therefore, it is completely legitimate to be asking as a prospective customer of that organization, "show me your compliance statements". How do you comply with the IRS requirements for tax preparers? And if you get anything other than a fully prepared premade statement they provided to you in writing,  then that's problematic because it means that they are not compliant.
What is one of the most important things that a business owner can do in order to make their business survive the next decade?
Information security risk management is everyone's problem.
Business leaders cannot delegate and abdicate involvement. 
If you are not having regular meetings with your vCISO, how can you make informed risk decisions? Do you know what the gaps backlog is for your organization? Do you have a risk register? If you refuse to make the time to meet regularly with your vCISO, your business is going to be squeezed by cybersecurity insurance requirements, governmental regulations, and customer requirements.
 
The executive management team needs to understand that if they do not tell all of the managers in an organization that they need to take responsibility for the ownership over their resources, then what needs to happen is that the executive management team needs to make the CISO or the IT department have full total authoritarian control over those resources. But then that turns into a big can of shut the heck up to the people who've abdicated their responsibility to be involved in the process. Because you can't have it both ways. You can't say that IT is responsible for the security of those assets, but then refuse to be involved in the conversations about who should be having access to what and when. And claim that you don't have time to talk about it, that it is not important. Of course it's important. Are you the resource owner or not? So you can't make it somebody else's responsibility to define the policy around who has access to that resource that ultimately you're responsible for and then yet get grumpy. when your access or the people who you thought should have had access to that resource have their access denied because IT is trying to clean up the mess. You can't have it both ways.
Whose responsibility is information security risk management? Ultimately, it's the executive management team. But they can delegate that through the organization to the resource owners and at the end of the day, IS risk management really needs to be everybody in the entire organization's responsibility. Information security practices need to permeate throughout the entire organization. The end users of an organization are the largest attack surface that an organization has.
Suggestions for tax preparers
Tax preparers need to comply with the FTC Safeguard rule which is currently slated to be enforced starting in June 2023. As of May 2023, the expected plan is that private contractors will be the enforcement auditing arm for compliance. 
In reality, any company that had taken cybersecurity insurance compliance preparedness and had engaged a vCISO proactively several years prior would likely have no issue in this area. But the vast majority of tax preparers were unwilling to invest in the kind of protections that should have been in place for decades. 
Here are some resources.
https://www.irs.gov/newsroom/heres-what-tax-professionals-should-know-about-creating-a-data-security-plan
https://www.irs.gov/pub/irs-pdf/p5293.pdf
https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
Page 13 of publication 4557 states that all tax preparers must comply with the FTC Safeguards rule. That means if you or your organization has an IRS tax preparer ID number, you must be in compliance and be able to prove that you are in compliance. 
Tax preparers that are under $2mm in revenue should expect to spend 15% of revenue annually on all inclusive IT costs. If your spend is not that high, then your organization is likely not going to be competitive in the market and is bound to lose market share to players who have invested in becoming FTC Safeguard rule compliant.
Please also be aware that security theater is not compliance. I have seen some scams such as do-it-yourself kits through technical firms who specialize in servicing accountants (per their website). 
https://www.irs.gov/pub/irs-pdf/p4557.pdf
 
More details from Joe Brunsman, cybersecurity insurance expert.
https://youtu.be/NOY249doJXg
 
 

I get a lot of questions about PSAs, ERPs, and overall paradigms related to core business software. This podcast summarizes things you should be thinking about in your software selection process.
After three years of investigating PSA and ERP options including spending a lot of money on software and payroll, the product we like is Odoo. Organizations using a PSA with add-ons approach are really missing the mark. There is no PSA that does project management well. None of them have accounting systems. Most of them are terrible at quoting. And they are all expensive. They also are all weak at analytics and business visualization or analysis.
So a company ends up paying for:
PSA
Quotewerks
Zomentum
eCommerce processor
Payment gateway provider
project management platform
QuickBooks or Xero
PowerBI
website hosting
Applicant tracking system
HR / people management system
email newsletter system
marketing automation platform
CRM
Social media marketing platform
and more
Whereas, a business could just get Odoo.
Let's look at a brief cost analysis.
Halo - $15,000/yr
Quotewerks or Zomentum $500/mo
QuickBooks or Xero $1300/yr
ConnectBooster $300/mo or more
Project management  $300/mo or more
ATS $5000/yr
HR system $150/mo/employee
Infusionsoft or Hubspot $1200/yr at least
Social media marketing  $200/mo
CRM - $300/mo
 
OR you could just stop all that nonsense.
 
Odoo. $47/mo/user.
Remember that this includes your website hosting too. And it turns out to be much better than WordPress, Joomla, or other smaller CMS.
What I find really hilarious is when I ask other business owners how much they are spending on all the components they use that spackle over the deficiencies in their PSA, they rarely know. It's like it is a financial hole in their business that they don't want to look at.
 
As of 11/22/2023, our 1 year Zoho subscription that we tried has been set for non-renewal. The primary basis for that was four wasted months of payroll, wasted time working with Zoho support, and wasted time working with Zoho consultants to try to get integrations with other modules in Zoho to work. The modules in Zoho One are designed to work independently. In order to get data to flow between them, integrations between the modules is required. We consistently found that those integrations between the individual Zoho modules did not work properly. We had other problems with it as well, but it became quite clear that Zoho One was not really an ERP because it is not foundationally designed with the premise that all of the modules are fully integrated automatically.
I looked deeply into Manage Engine ServiceDeskPlus for MSP also. I spent about a year on that investigation. I encountered a plethora of challenges with that and it still is a PSA-like mindset where ServiceDeskPlus cannot be a comprehensive business tool.
I encounter MSPs that use an outsourced helpdesk that requires the use of a specific PSA. I don't and won't outsource helpdesk for quality control reasons.
Overall, Odoo does everything better than ZohoOne. Odoo integrations are all there from the very beginning automatically integrated because it was designed as an ERP from day one instead of individual modules.
You can see a demo of Odoo at https://demo.odoo.com. Be aware that there are more modules available than what is shown in the demo, but the demo will give you a good overview. Odoo training is online and free. The documentation is online and free. Support is included with paid subscriptions and we have found that support is effective. Conversely, we rarely had any success with Zoho support. Odoo is more intuitive with things just working and being able to be figured out oneself through the use of documentation, training videos, and just playing with the software.
We use the Maintenance module which is good for a facilities maintenance team. I wanted my team to be able to log time entries against particular maintenance tasks. In 2023, it is not possible for time entries to be applied directly on maintenance tasks that flow through to timesheets for payroll. When I put in a feature request, with Odoo, they responded very quickly stating that they were aware of the limitation and were also aware of the need and value. With Zoho, I would put in a feature request and get a response in 9 months. 
I think that Zoho is so busy writing new modules that they have little to no developer time allocated to making the ZohoOne integrated ERP vision a reality.
We spent a LOT of time trying to use the recruiting module in ZohoOne and found it to be an exercise in frustration. We had a lot of success with the Odoo recruiting module with only a few limitations.
 
The bottom line is this. Find just one thing you can use Odoo for that can justify the monthly fee for one user. Get in there and start using it.
We have some clients who are using just one module for free. I got one client up and running on the project management module in a couple hours and got the client trained on it.
Another client, we put on the website module. The feedback we get from clients emphatically is that it is intuitive and easy to use.

Tech E&O and Cyber insurance with:
Joe Brunsman of The Brunsgroup – Expert on Tech E&O and Cyber Insurance
YouTube channel – Joseph Brunsman
https://www.youtube.com/@JosephBrunsman
https://www.thebrunsgroup.com/
Damage Control book
https://www.thebrunsgroup.com/book2
Tech E&O and cyber
MSP should have a tech E&O policy. They cover different things. What types of third-party claims will they cover? A guy on the Que recently said that he did not think that E&O was required because his customers have never asked for it. You must have a TECH E&O policy.
What is the biggest thing that you need to pay attention into the E&O policy?
Look at the definition of technology services in the policy. Everything past that point, it does not matter if the definition of technology services is correct.
Avoid the named peril policy. An all risks policy is better. These are becoming harder to come by.
Named peril:  Technology services means:   there is a list
You have to prove to the insurance company that what you did falls within that definition.
What do you need to look for? “Including but not limited to”  contra proferentem = ambiguity is held against the draftsman. The onus is on the insurance company to prove that what you did was not covered under the definition.
How much coverage in the policy should they have?
How much cyber insurance do you need? Here are the variables that I think about. – See Youtube video
Brokers – There is no legal requirement that they understand or read the insurance policies.
Average IQ of an insurance broker is 104. They do not understand what they are selling. The onus is on the business owner to ask and to get the right things.
What is your major loss event? What are we worried about? Is that even possible to insure for those issues?
Step 1: Stop relying on the insurance broker.
Step 2: Fellow decision-makers in the business, what are you worried about? Talk to the broker about that. Then the broker finds “these are the options in the cyberinsurance market that address those concerns”.
Joe: Huge proponent of defense in depth over cyber insurance. Rank order the biggest bang for the buck. Felicia has been talking about that for years and is doing a webinar on 2/9/2023 on that very topic.
Insights from plaintiff’s attorney
Joe had a great convo with a plaintiff’s attorney and got his opinion on risk management.
Risk discovery question: What is the one thing that sinks the ship in the lawsuit?
There is an internal email. You knew you were supposed to do this. But they said it was too expensive. They were not going to do that. They understood the risk and just accepted it.
What could the business do in order to circumvent that email being a death blow in the lawsuit?
Plan of implementation.
No business has unlimited resources. No business is perfectly secure. You sit down the with business owners and MSP. We need to work on a plan to better your security. You don’t have unlimited money. I am a business owner too. You need a roadmap. Everyone signs off on it. We were trying, we were getting there.
Felicia: Wow this is astonishing because this is what we have been doing with clients for 20 years. It is the type of thing that a CISO knows how to do, but few others know how to do well.
 
 
Life hack tip from Joe:
Convo with the average business owner:
Obviously you are really good at what you do. You have built this business. Build a relationship with them. The MSP is not the subject matter expert on the client’s industry. Fluff their feathers. Transition that. I asked you a bunch of questions, thank you for hearing me. Now we are going to go through this. Can we just do the same thing in reverse? If you do not understand this yet, let me know and let’s break it down.
 
Joe and Felicia agree:
One way or another, those controls will be implemented. Read any breach notification letter. Magically we found more money to invest in cybersecurity.
Either work on your information security program monthly at a pace that your budget can absorb, or that decision of timing and magnitude will be taken away from you.

Google and how they do their technology
Things that make security hard.
This is not an exhaustive list of the implications of poor design on security. Covering that topic adequately would likely rival the size of War and Peace. This is a discussion of a tangible example to convey understanding of how technology selection directly correlates to an organizations’ ability to secure or secure their overall environment. In order to accommodate something poorly designed, larger than necessary holes through security may need to be carved. Please get your CISO and security architect to perform a risk assessment technology BEFORE procurement.
Recent security news alerts discussed again why advertisements must be blocked. Google’s own ad network has been used for hosting and serving malware to victims.
Google and their netblocks
Their guidance to you is to whitelist their entire network blocks which is beyond insane. Just like the insanity of whitelisting *.windows.net which is what is advocated by some SaaS providers who host their resources on Azure.
Azure hosted customer resources are on windows.net. That means that a hacker can dial up a hosted VM and that’s on a windows.net FQDN and IP space.
You cannot just whitelist all of Azure either.
https://ipinfo.io/AS15169
Beware that software companies will put out idiotic statements in their support documentation that tell IT professionals to “open ports [range of ports] to all IP addresses contained in the IP blocks listed in Googles ASN.
Let’s be clear. Those are IP addresses not just for Google’s company internal resources. That is customer hosted resources that they don’t control, manage, or secure the content. So the Google netblocks represent 73.5 million domains.
There is NO legal defensibility in creating a hole that massive through any security system. Yet this is likely what 99% of IT professionals are doing because they are not network security architects. Business decision-makers must understand that there is a lot of bad advice that comes out of even major companies as it relates to information security risk management. They put out insane statements such as whitelisting the IP space representing 73.5 million domains.
Even if you look up a separate Google ASN, it is still 18,933,082 domains. That is clearly a massive amount more than just the small amount of resources that you legitimately need to access for something like Google reCAPTCHA to work. But because of the way that Google has designed their infrastructure, your ability to have network security is hampered.
 
https://chronicler.tech/firewall-considerations-for-google-recaptcha/
 
Autoblocking and DNS latency.
One of the major problems with using anything on Google’s infrastructure is that their entire system was never designed for compatibility with selective controls.
It was not mail.google.com. It was google.com/mail.
It was not drive.google.com, it was really google.com/drive. The real infrastructure was hosted as a subdomain of Google.
And then so many web developers have made google analytics a mandatory component of how their website infrastructure works that you have to allow it. It just allows google to be a data vampire.
 
Microsoft in contrast
https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
 
There is a strong tendency to among IT support personnel to engage in over-troubleshooting. They follow software vendor’s recommendations and end up driving holes the size of North America through your security configuration. Please ensure that the personnel who are managing network security for your organization are actually qualified to do it.

Kathy Durfee – CEO & Founder of Tech House joined Felicia to discuss dark web breach monitoring
Scenario: FUD report from a competitor
Perceived: Multiple users in their environment were breached. Perceived proof was report with the listing of the users and the passwords and columns that the customers did not know what that data was.
Good: Customer told their current IT service provider about the report.
FUD – Fear, Uncertainty, and Doubt – is, in the wrong hands, a powerful tool to drive snap decisions within a company. However, it is not a viable or valid sales tactic: for all it could potentially do well, causing unnecessary stress and suffering is what it does best. Speaking with Kathy Durfee, CEO and Founder of TechHouse, a managed services and solutions provider based in Florida, we walk through a recent case of FUD with a customer of hers that received a worrisome report from a potential competitor. During our chat, we covered:
The key aspects of FUD (and how it does not work)
What the Dark Web is, and the logistics of monitoring and combating it
Leadership training and best practices for helping a team best meet their security and regulation requirements
Identifying the key differences between commodified and relational partnerships, especially in the technological sphere
Shared responsibility between MSPs, their customers, and those customers’ clients
Where does dark web monitoring and dark web data risk reside on the continuum of risk? How best to mitigate?
What really is the risk and the mitigation?
Put the efforts into prevention.
Put the individual in the driver’s seat of managing the risk that is best managed by them by putting the right tools in their hands.
Resources
https://haveibeenpwned.com/
Perception of the proper allocation of the budget
Businesses must make time for training.
ITSP must include in service catalog what the client is getting in terms of services.
What do we need to do? Cross reference on tools that accomplish outcomes and cover risk mitigation and ensure that the client understands what those are.
Training is how you squeeze the juice out of the orange. Without it you may not get all the juice out of the orange or get any juice out of it at all.
Common business objections to allocating time for training
Payroll costs, but avoiding training is not legally defensible anymore.
Policies
The IT Service provider CANNOT alone write policies for you, and they CANNOT approve and enforce your organizational policies.
Four pillars
Policies
Technical controls implemented
Automation of technical controls
Reported to the business – It’s YOUR report, your organization.Shared responsibility – some months the CFO does it, some months the CEO does it.Set a schedule and do it. 3 weeks any habit; trainer or partner
Do you look at your P&L and balance sheet every month? You should be understanding the reports from IT.
 
An interesting lawyer opinion on the topic:
https://abovethelaw.com/2023/01/dark-web-monitoring-for-law-firms-is-it-worthwhile/