Quality Plus Consulting - Breakfast Bytes

Felicia King is an internationally recognized CISO and considered to be one of the top network layer security strategists in the U.S. Since launching in 2004 on the WGTD network, her Breakfast Bytes podcast has focused on information security risk management and the issues business leaders need to be aware of to benefit from the challenges others have faced. Learn about the most effective approaches, what you can do to mitigate risk, and how to protect your most valuable assets, your data, and your time.


Felicia regularly collaborates with other IT service providers in an advisory capacity and is a significant contributor to international IT service provider strategy and problem resolution forums. Concepts, patterns, and examples covered in Breakfast Bytes come from the decades of experiences of the speakers and guests through their work with hundreds of companies. Statements are not representative of a specific organization. Experienced professionals will recognize that the majority of organizations have very similar challenges.


Visit our primary website https://qpcsecurity.com for more articles and webinars.

Our public knowledge website is https://kb.qpcsecurity.org

Episodes

Right-sized software

Tuesday May 17, 2022

Amazing interview with Colin Ruskin, CEO of WorkOptima, on the topic of right-sized software.
Colin has an incredible talent at being able to distill the truth of something into a catchy and memorable tagline using spot on metaphors.
Some highlights:
Can I actually use the software and benefit from it?
Floors versus software that grows with you
All features all the time, but licensed per user
Enterprise drama and the enterprise mindset: vendors that are not really trying to sell to the SMB market, but are trying to break into it because they ran out of customers in the enterprise market.
How to evaluate software
What do you need to do in order to make it work for your transaction?
Far too few product managers are on sales calls interacting directly with customers
Every software company is behind on the features its customers are asking for. It is an iceberg situation: millions of lines of code that no one sees and no one appreciates. You need to be on top of it and prioritize fixing the items below the waterline in addition to the items above it, which are the features the customers want.
A lot of companies have acquired software companies and failed to keep the software developers. They have lost the knowledge base of how the product does what it does, and so there is huge resistance to changing or updating the code.
What is this vendor's real story? Who is this vendor actually focused on taking care of?
Exit strategy from software. Who owns the data and how are you getting it out? When you say goodbye, how are you going to get out of that system? Will you ever want this thing 20 years in the future?
Who really OWNS the content?
Are they in it for the long game or are they in it for the transaction? Some are very focused on the stock market and the revenue recognition model, so focused on stock price manipulation that they have completely lost track of the actual goal. Try to understand the company and the management that is behind the product.
4/27/2022

Tuesday May 03, 2022

Cybersecurity insurance requires MFA for all internal and external administrative access. How do you accomplish this?
Examples of things you might access:
switches
firewalls
servers
printers
workstations
DNS hosting
website hosting
cloud management portals
NAS
BCDR appliances
 
There are many ways to solve this problem and they are all too long to post about here, so this is what this podcast is about:
- Passwordstate remote integrated proxy authentication
- tiered access control
- compensating controls as an alternative to MFA
- access portals with MFA
- privileged admin workstations
- account logon restrictions
- hardened network access control restrictions (microsegmentation strategies)
- more
 
https://www.clickstudios.com.au/remotesitelocations/default.aspx
 

Friday Apr 01, 2022

API Security is going to be the thing you need to be paying attention to in the next two years.
Partner with an information security officer like QPC Security to get an internal and external vulnerability scanning plan in place for your organization. A lot of vulnerability management is not possible to do with tools. It takes experience and expertise that comes from 29 years of hard work. 
 
A great API scanner https://www.wallarm.com/
 
RMM security topics/tactics
 
 
Either fund your IT security or decide to go out of business
Companies have some hard decisions to make. They are either going to continue to be in business and allocate budget to correcting gaps, or they are going to go out of business because they will find themselves uninsurable or unable to come up with the funds to rectify all their security gaps in the required allotted time.
 
Reviewing your last cybersecurity insurance application
My latest offer is to review your last completed cybersecurity insurance application. The offer is only open to business owners directly or the executive management team of an organization who would be a good fit to be a client of ours.
https://qpcsecurity.com
 
The truth about smart cities.
https://www.theguardian.com/cities/2014/dec/17/truth-smart-city-destroy-democracy-urban-thinkers-buzzphrase
 
There is an updated FAQ for the CAN-SPAM Act.
https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business
 

Tuesday Mar 29, 2022

Cyberlaw podcast
What needs to be pre-documented for the breach attorney to be effective? And in what format?
What to do to protect yourself from outrageous fees?
What to do in order to get proper service from a breach attorney?
What are the advantages of having a pre-established relationship with a breach attorney?
What positive outcomes arise from having pre-breach meetings with a breach attorney?
3/24/2022
Spencer Pollock – Cybersecurity breach attorney
Felicia King – QPC Security, Security Architect and Information Security Officer
 
What needs to be pre-documented for the breach attorney to be effective?
Cybersecurity posture of the organization.
Compliance/legal and the technical / security
Security: identify the gaps and procedures
And in what format?
Data is everywhere.
Clients that have an IRP, data map and have a list.
Customers and data breach classification, impact / no impact
What to do to protect yourself from outrageous fees?
The more times you have to engage a breach coach in advance, the better off you are.
The more time you bake people into your team, the less time is spent on the phone when an issue occurs. This means it is less expensive and your organizational response is faster.
This is why it is critical to get the breach attorney written into the policy.
When to get the breach attorney written into the policy?
Business owner needs to be driving the breach attorney selection during the insurance application period.
Insurance policy, Beazley example. You should do a retainer with them.
Retainer: You get the benefit of cell phone, breach line.
Preparation meetings are going to be paid out of pocket. Prebreach stuff is a separate engagement, and it will usually be a lower fee.

Thursday Mar 03, 2022

Check out dark patterns for scam awareness.
https://www.darkpatterns.org/
 
Avoid the new movers mailing list
Avoid putting real estate in your personal name
Use a service like Abine DeleteMe
Get a PO Box and stop having snail mail delivered as much as possible
Subscribe to paperless billing as much as possible
Harden your digital life
Get off social media and stop sharing your life in public digital media
Be aware of deed fraud and how to verify that no one has stolen your deed.
Be aware of how foreclosure rescue scams are perpetrated.
and more!
 

Monday Jan 24, 2022

Joy Beland joins Felicia to discuss:
What Edwards Performance Solutions is doing in the CMMC training space
Joy's team created the CMMC assessor textbook
Many orgs have cybersecurity insurance enforcement for the first time ever
Joy's extremely wise metaphor and perspective on cybersecurity insurance (15 mins)
Transfer of risk and economic destruction
DMARC, DKIM, SPF tuning
What tools exist to help the SMB market with attestation, and establishing patterns of due care and due diligence?
IS policies and processes are required as part of the proof mechanism
Mechanisms to actually evaluate risk so that business leaders can make effective decisions
Control planes for infrastructure
Joy's sage advice: "Know what the crown jewels are."
Learn to identify wasteful practices with Gemba walks.
https://www.creativesafetysupply.com/content/PPC/gemba/index.html
CMMC 2.0 scoping analysis
https://www.linkedin.com/feed/update/urn:li:activity:6889627454466469888/
Future Feed for CMMC orgs
https://futurefeed.co/
https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/
 
Special guest:
Joy Beland, a CMMC Provisional Assessor and CMMC Provisional Instructor, who works with Edwards Performance Solutions as a Senior Cybersecurity Consultant. Joy owned an MSP for twenty-one years in Los Angeles. She has CISM and Security+ certifications.

Friday Dec 31, 2021

Identity theft via insecure credit APIs
Integrated IT risk management part 2

Friday Dec 03, 2021

Problems with and limitations in many assessments
Many assessment report results from automated tools can be incomplete, incorrect, or pretzel talk
What realistic expectations should you have from a paid and unpaid assessment
There are certain security baselines simply so your organization can be insurable.
There are certain security baselines in order for your organization to be serviceable by an IT service provider.
Small organizations can easily find themselves spending $50,000 that they don't have in order to recover from a cybersecurity event.
It's not just about money. Are you sure that you can get access to all the personnel in order to get your organization back up and running in the designated time?
You need to mitigate risk proactively in order to make sure the cybersecurity event never happens.
Do not evaluate your risk based upon what you think the value of your data is. Evaluate your risk based upon whether or not you want to stay in business.

Thursday Oct 28, 2021

10/28/2021
Cyber Matt Lee joins Felicia on Breakfast Bytes to talk about massive issues with technical debt.
Senior Director of Security and Compliance at Pax8.
You have to start with the right definitions. It's not patch management, it is vulnerability management. You have to ZOOM in. Is your TPM up to date? Is your firmware up to date? Drivers, configurations, remove unpatchable software. Are you still susceptible to Spectre and Meltdown? What about SMB1, PowerShell 2.0, LLMNR, etc.? "That doesn't have a patch, and you have to get rid of it."
Where there is technical debt in a software code base, on a 5-year journey, you need to move to different software because the software vendors are literally incapable of updating the code base of their software. They are not actually doing the work to update it. Their paradigms for the software development lifecycle and codebase are crippling them from being able to correct issues.
Matt recommends SaaS platforms that suck over on-premise applications that suck, because at least you are in the shared responsibility model.
Modern DevSecOps practices are what is needed. You can build software that has a good paradigm.
We still acknowledge that there are issues with resources in the cloud as well unless an organization is willing to accept the risk of data sovereignty and the third-party risk of being disconnected from their services and data. Being disconnected from your data or being disconnected from your application because the SaaS vendor disagrees with your business model even though what you are doing is legal, this needs to be regulated out of existence. SaaS vendors are playing God.
And some things are just not cost effective in the cloud or are financially unobtainable in a SaaS format. Are you comfortable with the government accessing your data through backdoors? This is a very personal decision to each organization and individual.
15:30 mins - Matt talks about paradigm challenges that impede the ability to ever create bug-free software. True SaaS should be able to iterate an outcome regardless of the hardware and OS that is accessing the system, so the software vendor does not have to plan for all the variables in its testing. This allows a CI/CD development pipeline for the software.
Get to the nugget of what is required. An information security officer can get to what is really the intent of what the compliance requirements are asking for and translate that into what is required to fulfill that and protect the organization. Interpretation is required because too frequently the questions asked or requirements specified are not as specific or accurate as what is required.
26 mins - Vendor software development and vulnerability disclosure programs. The vendors need to tie revenue lost to the vulnerabilities. Software vendors are often set up for failure. Monolithic apps start at the top and run to the bottom of the code. Better models are ones where apps are built from microservices and each microservice can be corrected individually without a massive ordeal. A different software codebase paradigm allows sprint teams to correct software bugs more easily.
28 mins – There is no real effective possible way for many of these software vendors to fix their apps.
30 mins - It is in the C-Suite and the board to fix this. You are either going to die at the hands of threat actors, in an escalating war that we cannot win. Or you are going to start having practices that understand that this is a football game. There is no one right way to run a football play, but you cannot play with 9 players. You have no defensibility in your actions if you put only 9 players on the field when 11 are required. There are requirements and boundaries to any strategy or solution. If you don’t do the things you need to do, you don’t have defensibility.
If you are already fighting with all this massive technical debt, you are not going to ever win.
Go to tryhackme.com and find out how easy the threat actor side of this is.
 
https://tryhackme.com/

Saturday Sep 25, 2021

How to avoid cybersecurity insurance fraud. If this happens to you, your claim will be denied and you will likely be uninsurable in the future including by other insurance providers.
You have to be working with an extremely operationally mature ITSP with ISOs on staff or you probably will not be able to navigate this complexity.
Great article showing a claims denial and the accompanying lawsuit for a perceived insurance fraud incident.
https://www.insurancejournal.com/news/national/2022/07/12/675516.htm
 

Monday Sep 13, 2021

Joining Felicia is Rui Lopes, Senior Technical Evangelist at WatchGuard Technologies. Rui was with Panda Security prior to the WatchGuard acquisition and has spent many years merging the technical with customer enablement at a level rarely seen. His efforts at WatchGuard are projects, partner support, and overall customer enablement of using the endpoint protection technology effectively.
When I listened to an interview with Fortinet's CISO regarding converged NOC/SOC, I had to reach out to Rui to formalize several conversations we have had over the last year or more, because we both have seen the need for this strategy for a very long time.
At QPC, we have been doing converged NOC/SOC since around 2009.
Listen in to hear our breakdown about why this is such a critical strategy in today's threat landscape.

Tuesday Sep 07, 2021

NDAA 2021 legislation is forcing a gaps closure in SPF, DKIM, and DMARC.
This stuff is really complicated. Get some seriously competent help. I don't think most ITSPs (IT service providers) have enough experience in managing this, especially in light of the inclusion of marketing automation platforms on root domains.
You cannot be driving a hole with a 20 lb sledgehammer through your email ingress filtration policies in order to accommodate an incompetently configured sender framework on behalf of your senders.
It's time to push back on their incompetence. Get your VISO involved and get policies in place, such as one stating that IT will not be asked to put holes in security in order to accommodate senders with bad email systems. Instead, letters will go to bad senders telling them to get their house in order.
You need to get your own house in order in order to make sure that your emails are deliverable. Cybersecurity insurance providers are assessing this information as part of your risk profile.
Salesforce Email Service Used for Phishing Campaign | eSecurityPlanet
For more information on this topic: Email Deliverability- The Titanic Problem Headed Your Way

Tuesday Aug 31, 2021

Excellent and invigorating discussion on the gaps in EDR/EPP and what to do about them with Maxime Lamothe-Brassard, founder of LimaCharlie.io and Refraction Point.
LimaCharlie
avoiding tool proliferation
avoiding the jedi mind trick of EPP
identify gaps in a lot of EDR/EPPs
challenges with outsourced SOC
supply chain risk in toolset vendors
paradigms around security tools and training

Kaseya VSA breach analysis

Monday Aug 16, 2021

Why the breach happened and what people could have done to prevent it.
What Kaseya could have done differently.
How to manage supply chain risk when your software vendor is not.
Smart vendors use the experts in their customer base.
People really need to have a major paradigm shift and look seriously at an RMM as being nearly the same as a nuclear launch code.
Kaseya VSA Limited Disclosure | DIVD CSIRT
 

Thursday Aug 05, 2021

Improper use of cloud, and the problems caused by inadequate pre-planning and risk assessment of that improper use.
Kim Nielsen, founder and President of Computer Technologies, Inc. (cti-mi.com), joins Felicia to discuss the dangers and risks of improper use of cloud-hosted technologies.
Business risk vs security risk: you must have an exit plan. Dangers of subscriptions.
 
Huge databases don't belong in the cloud because it is not more secure.
https://www.infosecurity-magazine.com/news/over-60-million-americans

Thursday Aug 05, 2021

I have been thinking for months about the latest challenges faced by organizations with regards to the increased cybersecurity risks, what is at stake, how unprepared they are, and how the cyber insurance companies are responding to the changing landscape.
As I have had conversations with business decision makers, they often think that they have little at risk. Many businesses feel that they are not under much, if any, regulatory framework that requires them to take action. It seems that each week I see another cybersecurity insurance risk assessment questionnaire that nearly every organization will fail. Compliance frameworks are incomplete and horrifically confusing.
There is no compliance framework that will get you the fundamentals. There is no security control framework that tells you how to have effective network layer security. The gap between guidance and successful execution is wide.
It occurs to me that the only real defense for small and medium businesses are organizations like QPC which have virtual information security officers and full remediation services on offer backed by ongoing management. There are plenty of penetration testers or those that will sell you MDR services. Execution of fundamentals is where it is at. There is little value in pursuing the frameworks until you have addressed the fundamentals. After you have the fundamentals in place, then review your status against frameworks and you will probably find that many items have already been addressed.
Regardless, I'm always on the hunt for ways to help the SMB organization leader. It occurs to me that no matter what data you think you have at risk or don't have at risk, there is one thing you have which is at risk. Listen to the show to find out the real reason you cannot afford to have a cybersecurity incident.
Updated on 8/8/2021: I saw this great article today on this topic and decided to include it.
The Disturbing Facts About Small Businesses That Get Hacked
I will warn that their documented risk mitigations measures are H.S.
 
And check out this excellent article on more reasons why you cannot afford to be hacked.
10 Terrifying Cybersecurity Stats | Cybersecurity | CompTIA

Tuesday Aug 03, 2021

Topics:
facial recognition
Systems with Windows Defender compromised
11 recent security vulnerabilities highlight the necessity of viable network layer security strategy
https://www.msn.com/en-us/news/us/fbi-ice-find-state-driver-s-license-photos-are-a-gold-mine-for-facial-recognition-searches/ar-AADZk0d?li=BBnb7Kw
https://www.newstarget.com/2019-07-29-americans-already-in-fbi-facial-recognition-database.html
https://www.forbes.com/sites/daveywinder/2019/07/31/windows-10-warning-250m-account-takeover-trojan-disables-windows-defender/#325add6f6fef
Why network layer security and microsegmentation is critical
Also why to use a good quality security appliance
https://armis.com/urgent11/#foobox-4/0/bG6VDK_0RzU
URGENT11 - Takeover of a Xerox Printer
Originally aired: 8/2/2019

Tuesday Aug 03, 2021

Real world examples of small business security compliance problems
Originally aired 5/1/2020

Tuesday Aug 03, 2021

Evaluate your purchases to see if they have UPnP, and understand why you should not buy devices that use UPnP technology
Update on the Capital one data breach
Adverse business impact and higher fees associated with subscription based software licensing versus perpetual
Originally aired: 7/3/2020

Tuesday Aug 03, 2021

How easy is it to not get hacked?
Originally aired 9/4/2020

Copyright QPC Security All rights reserved.
