RCR 021: Security Governance (Part II) - CISSP Study and Training!

Description:

Shon Gerber from Reduce Cyber Risk.com reveals to you the steps each week the information you need to best protect your business and reduce your company’s cyber risk. Shon provides cybersecurity training for individuals working on their CISSP as well as ways to better secure your business's daily activities.

In this show, Shon will go over key security news, business training, and finally the key aspects to implement an Information Security Governance program within your business.

These videos will go over what the hiring professionals should be looking for and what potential candidates should strive to achieve to meet the growing cybersecurity job demand. This broadcast is Part 2 of 2 in the ongoing series designed to better secure your company while also training security professionals to provide better capabilities to their employers.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskRed...

Transcript:

welcome to the Reduce Cyber Risk podcast where we give you the tools you need to meet your cybersecurity regulatory requirements while helping secure your business and keep the evil hacker horde at Bay I'm your host for this action-packed informative podcast each week and I provide the information you best protect your business and reduce your company's alright let's get going all right so we're going to start off with some great stuff that's happening on in the cyber-security news space and we kind of break these these broadcasts out into different aspects one is cyber security news and then also we roll into cyber security training the first aspect of cyber-security news what are some key things are going to go over in this this broadcast and it's going to be the largest email and password breach ever discovered and I mean it is a ton of emails and passwords that have been breached and and because of that we're going to especially as you were looking at ways to protect yourself from Packers and an attacker cell second one is a PCI SSC releases a brand new security standard for payment software and this is part of the payment card industry standards and they release some new stuff out there that is supposed to be designed to help you in if you're a vendor or if you are a consumer of the different payment card industry aspects is that they got a way to help protect your information Cypress shooting news those the big things and they will roll into some Cypress around information security governance Park get me to part one of the last episode and now we'll be doing part 2 is a follow-on alright let's get started that's this recent breaches an email and password breach and it's the largest emails and password breach that's ever been discovered in the guardian and up also if I sound like a little nasally I apologize I've got a cold and I'm fighting through so it's not the belt Guardian a guardian had a article from Alex Hern and he said there was one point or 1160253228 unique combinations of emails and passwords that were set up that piece that were basically confiscated and that is a lot of emails now I've got a lot of emails I do emails that I use so that doesn't mean that 1 billion different people but at the end of the day that is a lot of emails that have been collected all these things can be used in so many different ways and the purpose also is that they was 21222975 unique passwords kitties are unique passwords and not the same as they're different so with that comes down to is we call this credential stuffing and Troy hunt with had had also had to send this article as well there was an Alex Ernst article and talked about how these were the different passwords that are out there for all these people they call it credential stuffing down to is his most people the same username or combination of their email address and a similar username and then I use the same password it happens all the time Waltz what are they do they make a combination or a variation of their current password so let's just say you got QWERTY 1 2 3 4 5 6 or monkey monkeys probably easier your password and it's a capital m and an! At the end of Eeyore of the of the why can't you spell and maybe a zero for the oh so you got monkey well then you'll have monkey 1 in Monkey to MP3 what most people have to keep the same password but they'd make a derivation of the original and it added one or an! Or something else the end of it that that's not good so people will have all these email addresses will have these unique passwords that and then people will steal these unique usernames and then they will just use these passwords over and over and over again and because people rate randomly reuse the same password what happens when now instead of just having access to those just say I don't know your subscription to kitties are us you now have us access to your bank account and your credit cards and so forth so it's important it's imperative right that if you have any sort of credentials that you utilize a password manager of some kind I either a couple of an offer options 1password vs. LastPass I highly recommend something along those lines especially if you're a business you should have something in this area especially if you have people that are employees ever using passwords and having your employees use the same password or having them use the same Vault may not be the best choice depend on if they leave but at the minimum if you have a vault of some kind where all your passwords are stored that would be good the second thing you need to make sure you do is you use a strong password arator to help you with making your passwords hard to to guess right instead of just having monkey 1 2 3 4 through 10 you have monkey gazillion right monkey with 32 different letters behind it the whole point is is that and credential stuffing is a really big deal and now it's his big breach is more imperative than ever that you do not have use you do not reuse your same password you may not be have a choice when it comes to usernames but your passwords for sure you definitely don't want to reuse those at all alright what's wrong Lex 1 this area this is about pci-dss C releases a new security standard for payment software PCI is a payment card industry in the passing of data security they were put in place listen the SSC so this is around a secure software standard that is out and I have that got some developers that work for me and we work real hard to develop code based on a secure development lifecycle right or software development life cycle let's secure and the whole purpose of that though it is as you're developing these applications you want to make sure that they are most possibly secure they possibly can be in the past applications have not really been a priority to make sure that they're secure it's been you just get them out there well now that everything is gone mobile and everything is pretty much being used on a platform where you can use credit cards through Apple pay through any service can I use Starbucks card you can scan with that stuff is all integrated when now it's more important than ever that if you're accepting credit or your building applications based on credit card technology that you do and you do secure development of this and I was reading a book recently about artificial intelligence with the China and how they use WeChat now is pretty much taken over all of China and they have everything integrated into it well if you're up a third-party developer utilizing WeChat you need to make sure that you create a good product good application that secure well here's a good example of that so now what happened is PCI SSC came out with some standards around this a software security framework they said we talked about before us as a relates the cissp like guideposts or guidelines on what you should do rise the security requirements and assessment procedures that you need to follow especially default configurations don't use lies default configurations and if you do utilize default the configuration to make sure there's a certain level security built into that identification critical assets Assets Protection of sensitive data all the things we talked about is again you need to focus on these key things Access Control authentication big deal right because right now it's used to be where the perimeter was the the protection for the network will now everybody's devices connected to the network so there's Network everywhere threat detection know when the bad guys are actually after you and security guidance for vendors and it's a big one vendors that get access to your environment they need to have security built into this as well so get it's a really good standing out there I haven't had a chance to dig into a deeply but if you're an application developer you can expect that you'll be held to the stand around this stuff I was also a second page of Kanekalon put on this with the PCI CSS talked about organizations who sell good that's one of the security goals has if you're an organization that sells good and you have an application they want to make sure they provide a secure environment for these people that do that and also Benders creating products so if your building credit card applications do you have it properly secured and insulate a good example of that would be the Starbucks. that integrates with credit card systems so therefore he's a follower framework to ensure that that product is being created is secure are they had additional goal which was one of the main ones again around Security in this is we're going to see a lot with businesses as well as I can be forced to do this at some point is volatility detection of mitigation governance security testing threat detection again you saw these before but a lot of the stuff we talked about as a cissp if you're looking at this from a standpoint of a security professional these are all things you need to be considered if you're a business you need to be considering all of these aspects because yes what are responsible for software updates change management Communications and these are some of the additional goals they have around the application security came up with all this based on feedback from vendors assessors and payment Security Experts and the Guinness it's kind of come full circle where we're seeing more and more businesses that are being held to a higher standard and this is just another example of now the payment card industry is focusing on that as well and they also know that if they push this out it reduces the risk of them having to pay to offset losses due to errors that are set up right and it's just better for the community to come to some form of standard whether if the government comes up with it or they come with their own standard something needs to be done to help make that consistent across the board all right we're going to roll into some training this is part two of our information security program is the cissp cissp which is certified information security systems professional or systems security professional SSP supplement all right let's get off into that now you're trying to ask yourself what are my next steps for building an information security governance program we need to understand and communicate the purpose of the governor's okay so are you going to be Draconian have very strike strict education just kicked in yet very strict guidelines and areas that you can only limit people to there's a better word but I can't think of it and then cyber risk can be a business impacts you need to understand and communicate this governess situation to them you also need to understand what is your reputational damage if any in the case of a cyberattack I just was in a situation just recently were we're talking about the front end of our websites right and there was some licensing issues and Licensing came down to it was too expensive well that's an IT person making that decision is that the business making that decision early so what is a papitese will it says what's $10,000 too much or $50,000 too much is a hundred billion dollar company or that brand aside from getting hacked I don't know maybe maybe not maybe it's something you are concerned about maybe you're not really concerned about it just kind of board and Senior leaders. These people will provide the Strategic direction right and they're the ones that you need to get on board with this they'll have to help with the policy the strategy and helped Define the risk case you need to understand that on backup on the understanding part is your legal liability you need to really kind of get a good example of that and work with your lawyers to help you kind of put that into place senior leaders as well need to be able to resources you need to be successful the responsibilities as well on what who's responsible for what lights, are our enemies your roles responsibilities and expectations except those with you and they also help set what is the expectation for they also help set priorities what is a party for the organization now that would be your CIO in many cases will be your it leadership but the board may say yeah that's great but we really want you to focus on this because it's more valuable Borden the senior leaders they just must be involved in for this to work. Have a good program they've got to be humble next steps part do I need to in French I think alright your Senior Management action they must provide some level of oversight for you and they must lead their security policy creation to help guide where you're going to create your policies and what you're going to do with him and what's in them they're going to find the are our enemies again for what are your security roles responsibilities supposed to be in how should you be adequately measured against them they'll analyze and monitor threats and vulnerabilities that's where you want Senior Management to also back you on that and they may not be doing it probably are not doing it but they should support you and that's what you want them to do and they should also help support the fact that monitoring isn't enabled in periodic reviews of security are occurring all of these things are key pieces and then finally security awareness training and education program is in place that are some key steps that you need to look at so from all of those if you start Igloo mini framework on a where you need to go to Korea Governor's program for your company now we're getting the expectations strategic thinking for your business we talked about at the beginning of what is a strategic plan we need to consider your it security cost and your security policy creation what does out of those play in the Strategic vision for your company and where you're planning on going as an example if you say you know what we're selling off all of our company and you want to put in place a policy for you all year of your are they were selling off all of our European company business but yet you're focused on gdpr was that really a good use of your resources probably not thinking for your business you need to communicate your it strategy policies with the business themselves talk to them about what you're trying to accomplish and why you're trying to accomplish it Define security incidents and what is the business Act behind them so often I've seen or an incident will come up and people don't even really know what to do with it let alone try to convey that to the business and figure out what is the impact of it you know you have a situation where a hacker takes over a system and you have ransomware and it installs on a critical server critical service no longer available what do you do how's that going to impact your business could be substantial also establishment of business continuity plans about the cissp your business continuity plan operates and let you keep your business going and I might be a very specific business aspect that you have in place but that is your business continuity plan and you want to ensure that those are in place if needed now that comes down to expectations you set those around risk management you need to account and protect Ice-T assets based on risk not based on how you feel just based on the risk of the system is it the most critical is it not if it's not why I didn't spend a whole lot of time on it I need to limit that right if you can limit access to this Britain restricted and put protections on it you dramatically reduce the risk to your company vulnerabilities an incident planning plan for those you need to have a plan in place to deal with your incidence cuz they will come up it's a guarantees going to happen I guarantee you I pray that it's small but at the end of the day it will happen and you need to develop continuity plans that need to be executed and what is the plan in place for those to occur so those are some of the expectations management you need that help account for assets as you're looking to manage the resources within your organization you need to account for the assets and that's a key part in inventory petplan you need to do an inventory to understand what do you actually have within your company and what are the Assets in place and you also need to ensure that I T and their services and infrastructure whether it's internal or outsourced to a third party can recover from issue that they uncover you need to ensure the performance of the network and then that it's solid it's always working any looking understand what are the different types of events that are occurring within your environment and how to best alert on those from obsolete obsolete accounts malware elevated privileges etc etc so the more you can have those things in front of you the better off you are and the quicker you will resolve them if you're constantly looking at now what's the evolution of this well guess what security is it just like I was realistic into a commercial in some gentleman said that we came because he was swimming in the ocean to goes you know what I'm supposed to be in the ocean the coral our long-lost ancestors I'm like I did not come from what is evolving just like the coral is evolving into us and we are evolving from the coral security is evolving and organization assets become more valuable as this time goes on why cuz they're everywhere only have more sensitive data that's inside these things and they're like little vacuum machines that suck up all kinds of data all these assets do regulatory issues more and more companies are creating things that are going to be regulatory issues are going to fight through and it could be a competitive advantage or a disadvantage depending upon how well you handle it privacy and cyber crime is growing why it's all about the money baby show me the money and I'll show you the bad guys why cuz there's money there if there's money there there after it they want an easy Buck they want to make it happen so in some respects I don't blame them. it's also tentacles of various law enforcement agencies are everywhere so now you've got the issues of Interpol you've got FBI you've got all these other companies or company's all these other law enforcement agencies that are involved and they all talk to each other but they do talk and so that's that's becoming a bigger and bigger issue and then finally says critical infrastructure is increasingly targeted so you've got your power plants are being targeted why because they make a big impact I can shut down the power grid to New York City have no idea if you could even do that probably pain in the whole city goes Blackwell guess what I can stand up and say street cred I did it I did it I saw me and those things are becoming a bigger bigger issue with the sad part is that people unfortunately we get may get hurt seriously because of these things and potentially even die because that may get hacked in the future so that's where the evolution is going it's becoming much riskier and the date is becoming more valuable not this is a semi social research items out of them kind of interesting and the Aberdeen group research they talked about this 90% of risk can be reduced by implementing known and, use security practices boom boom boom boom boom and that's for sure I guarantee you if you can reduce your not going to laminate this guy's a bad guys getting into you but man you can dramatically reduce some person from getting your network if you would do the best practices and I can always do it but if you just did 90% or 80% that's 80% more than the most people do it's important to do that 90 governance Institute they had this and they said firms operating at best-in-class security levels are lowering Financial losses to less than 1% of Revenue whereas other organizations are experiencing loss rates that exceed 5% so the guy who's not a math major can barely spell my name s h o n the context of that is 1 billion dollar company so let's just say your revenue is 1 billion dollars and that's a good size medium size can I push a little bit on the large but more on the medium sized business well to put in perspective 1% okay so 1% of 1 billion dollars is 10 million dollars okay so if you can drop your loss with two less than 10 million dollars which I still think is like then versus your organization that can bring it to 5% which is that's a big difference just for putting in best-in-class security now I would argue that best-in-class security at what point you go too far and overspending to try to get the extra level of protection so that the sweet spot you got to try to figure out questions you need to ask a few questions to kind of get your juices going but does the Border simulators understand that company's dependence on information and the associated systems is there a sis or other Disney. Officer who specifically tasked with managing information security within your organization Chinese regulations that are coming out now you have to have somebody designated and I could be a third party but someone has to be designated are there appropriate training and awareness programs ensuring employees contractors are aware of the security responsibilities is there an answer response plan or process to deal with secure or situations this is just one more questions you can ask yourself but bottom line is is it's just going to get your thoughts going juices flowing as it would say now how do you compare your organization you look at some self-assessment goals and this helps provide a litmus test about your organization that how you're doing it provides also guidance on security targets for the future what are you trying to accomplish and these are how you yourself assessing am I good do I live or do I die per Caesar so you have to decide how is that you can also bring it inside you're not so awesome so those are things you got to really be honest with yourself and you got a hope that your leadership wants to be I want to be told the truth need to plan product to reach these targets okay so you figured out what your targets are and I got to plan projects to make it happen and you got to prioritize your work based on the risk and the impact analysis again it's all about the risk hence the name reduce cyber risk starting at 0.5 bass limit it don't exist you have nothing no security program at all you are totally reactionary and yeah you just there's nothing like going yeah I know this man is important but not going to do it always and the issue yet so my Mini cases this white in my experience again less than mini mini in regards to this but my experience is that usually a small businesses are kind of phone at 9 existent. they have no money to try to make things happen the last thing I want to do is talk about security they're going to eat all this just takes away time that I'm trying to make money so that's not all small businesses by any stretch of the imagination but I see this, lie within the small business world maturity models okay the other one is in number one is initial are ad hoc which basically means you get something on the books a little bit and you're kind of making it as it goes and you're totally reactive but you have something right you just kind of stuck your toe your big toe in the water kind of feel how is and then you go from there other very informal with limited Authority but that's the ad hoc model is repeated repetitive repeat repeat Audible intuitive which basically means it's important and we're still growing it's in the fertile stage it's in the paramecium stage wanting to evolve into the monkey that gets his tail ripped off as he stands up because he's in so much pain right so that the amoeba stage right or just growing immature assign individual as additional duties with no Management Authority and the responsibilities is signed but still fragmented this is not a bad place I know a lot of people that are in this place I'm in this place in some places where it is repeatable and it is but it's not that intuitive and there was a lot of hand Don's Hands-On stuff that has to occur which is a very good so I didn't get a company may have pieces where your number hopefully number number zero that would be bad just don't do that number three and it's a risk policies are in place than Define risk assessment a security awareness exists and is being promoted which is a good thing and management is involved big big big winner pull out the bells are banging on that gone what's a big thing the manager measured risk assessments are considered standard operating procedure on this happened so often where they're not well if you can get an O Level 4 that's a big win it really is and responsibilities for information security are clearly Define again you may have pieces of this that are in place and other pieces that are not so it doesn't mean that your overall you're a four or I want it means you just need to be realistic with how do you really see yourself and compare yourself to that things population standard are enforced now it comes to the granddaddy and Puba number five is optimized risk manager has developed to a structured organized process birds flying around a little butterflies information security is a joint responsibility the business and it leadership key thing they're big boys that's than girls that's huge and then business continuity and continuous service plans are integrated and aligned everybody's an alignment that they will have continuous business operation in the event of issues okay so what we just went over was information security governance and I'm what you need to do to put in place and some key things to think about as you are putting that in place here some of the training and we got a free I've got my information from his icy squares training Guide April 2018 Edition that's a really good book recommended if you're looking for the cissp awesome book really has lots of information information directors and how to talk to the executive a really good paper it's about seventy some pages long but it's it's a really good paper and I'd highly recommend checking it out alright hope you guys enjoy this again this is about the information security governance program and Creighton that tied into my cissp supplement available for purchase all right have a great day on catch you on the flip side thanks so much for joining me today on my podcast if you like what you heard please leave a review and as I was greatly appreciate any and all feedback also check out my videos that are on YouTube just search for Sean Gerber and you will find a plethora of content to help you secure your business lastly head on over to reduce cyber risk and looked at all the free stuff it's available for our email subscribers it's growing each and every day thanks again for listening