RCR 027: Business Impact Analysis (Part II) - CISSP Study and Training!

Description:

Shon Gerber from ShonGerber.com reveals to you the steps and the cybersecurity training you need to grow your Information Security career while protecting your business and reduce your company’s cyber risk. Shon utilizes his expansive knowledge while providing superior training from his years of cybersecurity experience.

In this episode, Shon will talk about recent security news: Alarm System Vulnerabilities – 3 Million Affected; Equifax revisited by Congressional Investigators; 3 Steps for Cybersecurity Program

Our Cybersecurity Training for the Week is:  Data Classification – Part I

As always, utilize Shon’s cybersecurity training to help fulfill your Continuing Education credits for your CISSP or other security certification.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet? LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com – https://reducecyberrisk.com/

Facebook – https://www.facebook.com/CyberRiskRed…

Transcript:

welcome to the reduce cyber risk podcast for we provide you the training and tools you need for your cybersecurity career hi my name is Shon Gerber and I’m your host of the action-packed informative podcast join me each week and I provide you the information you need to grow your cybersecurity knowledge while taking practical and actionable steps to protect your business from the evil hacker horn all right cyber risk and it’s the router cyber risk podcast episode 27 March 4th 2019 all right we got to come great stuff for you today and today’s podcast I’m going to get into a few key things around cyber-security news that I think are is great for cybersecurity professionals and Specialists and people working to catch their cissp and other cyber security certifications also will be having some training around cyber security training will be on business impact analysis part we had part one last week and roll into the second part of the business impact analysis and ongoing training that ties into your cissp if you’re working on that or if you’re a business owner looking for a great training tips on how you can potentially protect your company this is a great capability for you three things were talked about is the point-of-sale clients targeted with Cobalt strike and it’s basically a card scraping capability asking yourself what am I getting at cybersecurity you’ve been in the space for a little while POS can mean different things rethinking it means piece of junk yeah something like that no it’s not piece of junk it is a point-of-sale system in this is where it credit cards come into play and it’s your credit card system and what it’s saying is that point of sale system clients are Target with a Cobalt strike targeting software malware and basically what it’s doing is it’s the design is that it’s basically scripture cards and whatever you put in there it takes that the card information and then tunnels it out and shipped back to somebody else now again what we talked about hackers what are the main things that they look for different aspects of Fame and notoriety that’s one but in most cases that is a little bit and it’s not really so much that anymore because of the simple fact is that the FBI Interpol and other agencies and law enforcement agencies around the globe will be hunting you down so there you got it there’s a little bit of that probably little bragging rights but at the end of the day is a small piece of it the next thing comes down to is all about the money right and it’s all about the knowledge so if you are a state-sponsored hacker on your likes I do countries in all weathers China Russia United States Israel will you name it all major companies are doing this in one form shape or another your motivation is a little bit different and your motivation is more around while I’m going to steal the information I can and then Implement that within my organization or within my country to get a leading advantage on somebody else so that’s that well obviously I know who you’re selling it to mine is this looking around financial gain and what are the key Things Are most often will a lot of times he’s our point of sale systems that are actually targeted and so therefore why because their money comes in and when he goes out and in many cases the credit card companies will eat that $50 of the first fifty bucks that you have to deal with Lashley in many cases don’t eat it all but you they’ve always said that the the individual is up liable up to the first $50 but I’ve had my car taking a couple times and the credit card companies and just allow that to happen they didn’t take care of Burden bad and I sold the big line here is just that the credit these hackers are always going after point-of-sale systems or anyting tied to financial systems as well and if you’ve ever been looking into cyber-security news you seen this group around before and they’re they’re basically targeting United States Japan and India are some of the key places that they’re going after any interesting part is that they’re not going after the Chinese which kind of makes me scratch my head held up because in some cases the Chinese are using credit they don’t use credit cards like we do but they’re using Pay systems in like apple pencil for using WeChat in a much broader sense that we ever do in the United States so the bottom line is a framework POS for scraping actual mail malware and that’s a scraping noise when they put on the system and then its design it gives two attackers control over the infect the system and again that’s really what it’s after hours after it maintain positive control the system and then it can go ahead and then pitch out all of those credit card numbers through a DNS tunneling that set up within your network and because DNS has to be connect to the internet in many cases this is goes unchecked by many companies especially small and medium-sized businesses they have no idea what to even look for so therefore this is Indian s usually is open because it’s got to be able to recognize what is the DNS on the internet so what does Google actually the IP address for Google it’s you don’t want to I have DNS open so that I can resolve those names so therefore they just exfiltrate it out through DNS so there’s lots of ways out for them but this is one of the areas that they can probably get away with it many cases without ever getting caught just make sure you keep yourself updated look out in the news for Cobalt strike and the show notes will be in the news or in the back of the the show notes area you will have all that for you at the end of the podcast but the MLB in the show notes as far as in the website itself I reduce cyber risk so I really just butchered that pretty pretty badly. I’m working on it I’m getting better at it I saw it was kind of interesting because what it was is azure Microsoft is now getting into the cybersecurity space around security information and event management that’s a Sim cloud-native Sim that’s out there and available and I thought was interesting because through working with the multinational and also as a hacker for the government. Simms in in real life and now it was a matter of time that they start moving these more out into the cloud and now that is yours doing that I think is a lot of value there especially as more companies moved to these Cloud platform what is your Amazon about a sure that makes it easier is that it’s more plug-and-play than Amazon you do have to have some good knowledge around Amazon and implementing that but bottom line is a fact that this is an interesting aspect that comes into Azure and and now they’re going to implement this within their environment and the reasoning behind it is and it’s also because some of the things that talk about here at reduce cyber risk available by the next by 2022 something along those lines like 1.7 million or 2.2 million and it’s at least a half a States alone that we’re going to go on field that those are job globally how do you get there where you can have the capability that you really need to protect your company and in many cases you have to have a SIM well if you have a Sim in place and that we’re at my experience you had a whole herd of people that aren’t taken care of that that system and if they’re taken care of that system that cost a lot of money well how do you leverage that the one of the pieces around that was Microsoft decided to leverage that as well and they leverage it from a cloud standpoint now you have the feeds directly to it and it’s it’s really a great option cuz it seems that the Sim The Sims Sims that I’ve worked with in the past we’ve all been in on-prem solution but as more of our the information and the systems are going out to the cloud it’s better to have it is closer to the actual data itself so the interesting part more threats also that they can handle it sits was coming down to his overwhelming is mounted threats that are coming as people get more more access to the internet and it’s just kind of cool so I think it’s a really good move on Microsoft part it’ll be interesting to see how this all plays out and just came from dark reading and another point that it said mention was that AI machine learning are going to be a big factor in all this they’re using data from users application servers and devices so as you get Office 365 is a good example and play with that pretty in-depth so now all these data feeds are going into Microsoft what a great way for you to be able to have this information available right into you’re seeing and it’s already inherent because of Office 365 data from Cisco checkpoint Palo Alto Symantec and so forth so there’s a lot more people that are plugging into it Sims you have an environment right now are your arcsight your Splunk and Crosstrek is even pushing out one there’s a couple others that are out there but bottom line is there’s lots of big players in this space and so what it comes down to is this is a really good way that they can utilize Ai and machine learning to help in those pieces around only have learned when I manage my own SIM for a company here with many years back is that the basic triage stuff you could definitely if you can get AI machine learning working you could do all of that with a bot with some level of automation now when you get into the more of the the deeper level to deeper dive stuff that goes with it now you’d be really need someone that has eyes on but at least when the initial triage standpoint could definitely have that done today I so see where this all goes they talked about is a thing called threat expert is it experts on demand other cool part about that is his now if you have a situation where you get breached was that they have that available the experts you need that are specifically designed to help your business and I’ve worked with other companies such as fishnet and and so forth that I think now is Optive and the point of it came down to is that they had these Services what will Microsoft not jumping into the space and they have people that are dedicated specifically for this capability so technical consultation why because there’s so much cyber-security they have to get into this incident response okay if you have an incident response process how do you manage that if you have already that in place and you have so maybe with Microsoft on retainer with their thread expert you you can now bridge that Gap and also has you deal with more and more of the the threats that are out there with us a more and more of the companies that are countries that are forcing you to do some level of incident response is a great way for you to bridge that Gap as well the podcast in coming months but Azure Sentinel and their threat expert this is all through dark reading another dark reading piece was around securing the cloud and I like to call this out because if you’re a cissp or you’re a security professional working for a company you probably have noticed it at this point where you’re putting more stuff out in the cloud also if you’re a business owner and you got a small medium sized business and your Cloud the one of the key points I thought was interesting was that it usually Falls to it instead of a security organization as far as how to manage the security of the cloud and I thought that was kind of interesting because you know the it is one aspect right so as a chief security officer myself I deal with it dramatically I mean clients and legal in all of these other aspects that go along with so interesting part about this those it if that’s a logical place where people think it should go is with it things that’s also stated that most companies have something in the cloud and I would totally agree with that what they took their little toe in or they took a big Cannonball off of the deep end there at least every company out there has something that they’re dealing with the cloud they said that 44% of it is managing Cloud security which that could or could not be a bad thing depends on the knowledge of the individuals and they said 40-plus percent of the respondents had a hybrid cloud of some sort that’s kind of just an interesting aspect I can see the hybrid Cloud many cases cuz of those a lot more but bottom line oil companies are starting to do it Johnson security one of the pieces as you’re getting into the cloud you realize that you have to have some level of development going on to keep all these applications running well if you have devops going you need to have some of those security built into it and you need to teach these people how to do that well there’s some limitations that have come out of that and talking to they said some of these photos were saying that they have challenges with the relationship with their devops folks I can see that, Maxie my devops folks were supposed to more things I’ve learned is if you’d how to learn their language than yeah there is a relationship learning what their speak in all the devops speak is very good I will say though I know about to 3% of what these guys know but at least I know enough to be to really look like a fool but I know enough to do that at least so important that you do that to build a relationship especially if you have a devops team that works in your area which is the general data privacy regulation California Privacy Act which just recently came out and all of those are hampering the development of security around the cloud so I thought that was just kind of interesting and how this this whole world is changing so much and so drastically on a daily basis it’s just kind of interesting they said and I will Echo that is either pay now or you pay later now get the security for your Cloud that you really need that’s a good thing if you decide that you’re not doing that you will have to do it at some point and it may end up be where you’re dealing with a breach and then you have to go through it at that point too so you’re going to pay now or you going to pay later but at some point you’re going to have to focus on the security of your klout security week and dark reading’s out of all be posted on the SharePoint arrest.com going to check it out reduce the risk and before we roll indoor training also want to put that one little plug-in therefore go to reduce cyber risk in that there’s a place we got on the right hand side of some free training for you that you can get and if you subscribe to my newsletter if you do that you will get a plethora of information I was doing security snapshots on a weekly basis and he’s just got a little tidbits of information and I get during the week and then I just record something to throw him out there for people that sign up for my email s you get multiple things you also my for email subscribers basically domain will be available for all of them and it will focus on the rest of them later alright let’s move on that produce that’s for reduce cyber risk aren’t getting more training is part of the business impact analysis cissp sucked this is part 2 now who deal with a business impact analysis there’s some key aspects to consider a with what an impact analysis actually is and you’re probably there listening to this or watching this video going I know I get it but it’s important something that you need to consider if you’re a cybersecurity professional or you are a business owner who’s trying to basically protection and if you are looking at working on the cissp as far as a training certification this is a key aspect of the cissp training so there’s some important ask you to need to understand you need to Define what is critical and what is a non critical functions that occur within your organization and you need to consider what will disrupt the business unit in the event of an incident and if that disruption occurred how will that affect your overall company this also maybe a consider Dakota considered critical path by regulatory laws or requirements that are out there and it basically this from ffiec. Gov critical path represent the business process or systems that must receive the highest priority during the recovery phase during the recovery phase of a disaster so that’s or something you need to consider is it if you do have to have a critical path with your business and there’s a requirement around it you need to have this in place based on what ffiec is asking and ffiec is the government body that will regulate these things but it doesn’t matter which government you working with the United States each have a requirement around this and it’s very similar so it’ll happen is you create what they call it business impact questionnaire to have a copy of his own reduce cyber risk as well I’m still in the creation phase of that but that’ll be available here within the next couple weeks. I’ll be available for you to go check it out at reduce Severus. Com but it basically this questionnaire will help determine who’s responsible party and what should you do about it because you’re dealing we talked about earlier with a business continuity plan in part 1 and that will be the responsible for the specific system the Bia is onyx or application and you may have multiple Bia done to determine what your overall business continuity plan is this is not a small Endeavor I’m sorry to say it is not just an easy easy button now you can start off that way with the fact that there is delicious a you know for sure that there’s a specific system like we mentioned before an HR System which is your key system for your business you can start off with just that one and just cut your teeth on it but in reality there’s probably many systems that will rock will be a bit will need to be available to operate your business so this business impact questionnaire will help determine uniform inventory questions are inventory of question so these these questions are going to be your test bank or your question Bank we look at the cissp certification if you listen to podcast or you’re videos that focus on his how to teach people for the cissp certification what one of the aspects a rhombus you have a bunch of test questions that you have to go through same thing you’ll have a test Bank of questions that you need to give to people to help you understand what is the overall risk so that it’s not just you you can pass on these questions and different ways that could beat the save my much more seamless process but you get it maybe that must be Taylor for the business needs whether it’s Financial manufacturing chemical retail whatever it might be it will need to be tailored specifically for your business needs now here’s some sample questions then I’m just going to kind of talk about here but it will come to go to some background around them but there’s in them in a case of what you’re going to put off your questionnaire is just a very small subset of questions you may have again though I will couch this with no your organization did you give them a questionnaire of about 150 questions they’re going to go on doing that not going to work so you need to keep it small and concise and to the point but as you build a better relationship as a cybersecurity professional or as a business owner you build that relationship with your with people in your organization then you could probably add more to it but again that’s just something that can I consider as your building relationships in this space so it’s some sample questions for you to consider in the event of an outage so you have an outage which basically means destroy a backhoe with goes in and cut the line and takes out your entire Datacenter do you have a requirement to keep your business operational is there a physical requirement around that from a regulatory standpoint if so how long are the amounts that are available at what was that look like provide the necessary information to make this work people say white he’s got it well it’s not just it has it you have to have the right decision makers to help you through this process I’m so who are these people and that they can provide you the necessary information that you need is your business willing to pay for systems not being used are they willing to have an insurance policy do you have an insurance policy in place most businesses in today’s world have an insurance policy of some kind of right now there are companies out there that can afford to not having insurance policy but in reality because they’re self-funded but in reality most people have insurance now this case here you would decide do you have to have a insurance policy for your company that would be to allow systems be up and operational in the event that are not even being used so those are things you need to consider that’s if it’s business will do that that’s great if not then that will help understand what do you want to build out for abcp is that how how was your department of function if the Mainframe Network or internet access was not available if you lose connectivity how you operate and and those are key questions to ask yourself many people just don’t like they don’t have a plan in place they will not survive and I Don’t Care What statistic is but it’s basically if you don’t have a a good backup Recovery Solution in place that’s just one aspect most companies like any of the numbers like 60% will fail within the first year because of this playing around that what are your critical Outsourcing relationships and dependencies so do you have relationships are dependencies with third parties that you have to have in place in the event of a disaster or an event that you have to keep your business operational here that get big one that I think people don’t think about a lot is what are the critical cash management and liquidity issues that you may have okay so your business smoke but so then the question is I got I got a new computer monitors got to have my new applications ready to go but nobody has cash who gets credit card don’t know I don’t know I don’t know what the CFO or is he at enjoying being a CFO you don’t know right so you got to have those plans in place of who’s going to pay for stuff that you got to turn it on and there’s there’s lots many many more questions that kind of coming to this place but you got to ask what are the key things that that are going to affect your business and then as you did to these questions more questions will arise I guarantee you but it’s a great place to start but again start small don’t get real big don’t try to bite off more than you can chew in the space because if every time I bite off more than I can chew like a chipmunk and then I end up having a price but my food back out that’s the impact questionnaire no way to get into RPO and RTO rpos recovery Point objective to this earlier as it relates to you should do in your overall business continuity planning rpos recovery Point objective and is the max terrible data loss for each activity so how much data can you lose so in the event of a tornado rolls into town I mean Kansas so we have tornadoes Town Center the day was being updated everything’s good with smoking hot now you can you want to bring it back up there is the point of the wood data loss you willing to accept so the state takes two weeks to bring this thing back up just hypothetically are you willing to accept two weeks of data loss probably not so are you willing to accept a 5 minutes a day lost that means from the time that it was last updated to win the tornado hit it that might be acceptable so you got to decide is a weeks days hours minutes or nanoseconds if it’s like both to be infant instantaneous almost then you got to have a different solution in place for that is the Guinness the date of the the data is actually physically lost what’s the part that you have to consider is your recovery point and what point you will recover from the time that it was operating recovery time objective is the max amount of time allowed to restore the functionality this is weeks days hours or never and what that means is that what time of time do you need to get it bring it back up and operational so my previous example of two weeks maybe your business is okay with being down for two weeks while it’s trying to get this system backup that’s probably not the case it’s probably less than a week you want to have your business down because what ends up happening is when your business isn’t there people will customers are going to somebody else so I would suggest that you probably want your business up and operational within a day or two at least the key aspects of that and then the key aspects Illusionist key aspects cannabusiness run without systems up and operational so can you just take orders with the old-fashioned paper method ransomware that rolled into some hot they had to do they headed basically do stuff because all the systems were basis or turn into bricks those are keep pizzas that you need to ask yourself what is shop floor systems that cannot connect to the network will be at the shop floor system in a manufacturing space and it can’t connect to the network what’s not producing whatever widget you want to produce is that good or is that bad can you do that can operate without being connected to network maybe it’s really old for sure if it’s newer probably not is your manufacturing affected so then this comes down to is how much how long can you be affected 1 Day 2 days a week I don’t know only you can make that decision as a security professional working with your business because they’re the one I honestly can’t make it to your business I’ll help you but you as a group considers using technology now and there’s various technology that can be available for you that the first thing I bought I talked about it Disaster Recovery or deer Dr might be built into it depend on the application you may have a a level of Disaster Recovery built into the application itself versus like safersys a solution so software-as-a-service it’s in the cloud it’s already got it is replicated in multiple zones if it goes down it’s already there it’s already available you don’t have to mess with it how capable she may have an application that is really good but but so little and it doesn’t work well with the cloud because it’s on newer systems seem to find out well Kate at my my business continuity plan is that I’m going to take this software I’m going to upload to the cloud on operate out of Amazon AWS with this application well is that application compatible with doing that it might not be licensing wise is it compatible with doing that maybe not so there’s things you need to consider remote capability so do you want to utilize like Citrix or a Amazon workspaces to allow you some level of giving your desktop in the cloud so Amazon allows you to remote in you have desktops that are operating in the cloud ready to go you can have that all predefined pre-configured setup ready for your organization with all the software needed and set upgrade ago and you just turn them off and the moment that you need of you turn it back on but now that would take some training with your people to understand how do they login what are they do you have to keep the software updated but those things can be can set up ahead of time depending upon your organization’s need storage if you’re dealing with keeping your data one thing you consider as you as your work through new build out your impact analysis from your questionnaire that data along with your business plan and your Dr plants need to be stored somewhere like to be stored in the cloud at these locations you need to have that define an already pre-configured so that way or you need to go to get it your PCP in your Bia your DRS an acronym soup the all those bbbw all of those. somewhere and your call Tree CO making phone calls for people any temples you had or any other documentation that you have can be stored in this location as well however now from a security point of view all the stuff is wonderful but you better protect it because that’s just say you’re a bad guy and the bad guy now knows all these different things about your organization you’ll have labeled in your critical systems to your company that is now potentially telling somebody who’s the bad guy was what’s going on so you need to think about that as well what are the systems and and are you protecting them if it’s on a SharePoint like SharePoint online through Office 365 who has access you don’t want everybody have access you want to limit that to specific people also other things to consider run technology what are your mobile capabilities do you want it available on mobile phone do you want to bail bond tablets you wanted to Outsource the entire process or capability to a third-party just have somebody else worry about it and deal with this problem for you so different things you can consider with technology and how to handle it now completing your Bia to the product should be evaluated with a risk assessment someone should be is done so you went to the questionnaire you filled that thing out which again we’ll have overdue cyber risk we’ll have some stuff for you to look at from a template standpoint then what you should do is you should then do a risk assessment of that specific system and what it does it then prioritize the potential business disruption do you know the system is critical step one step two then would be to identify the severity and likelihood that something actually bad’s going to happen to it if this is an HR System that is triple redundant in multiple locations it’s updated to everybody and everything and it’s in the cloud and it’s super critical for my business however I got all kinds of plans in place that it’s ready to go okay and will someone take it out nobody’s really interested in or it’s your secret sauce and it’s in one location and nobody backs it up and if it was compromised that would be bad so that would be a different scenario those are all of those risk assessment need to be done of what is the overall risk to the company if it’s your secret sauce and everybody’s after it and it’s only one location is not backed up and be high risk what’s the likelihood of somebody going after it will potentially pretty high because if it’s your secret sauce but if it’s some generic system that really nobody cares about the people will poking anything right let me know whatever they want to it just to do it but in reality if it’s not really on the radar if it doesn’t have money if it’s not tied to somewhere they can monetize it they’re not really going to mess with it I mean what do they know they don’t know anything but if it’s money that they can monetize Subway or reputationally shwack you then they will do that or impact your financial systems products and processes these are various aspects you to consider when you’re dealing with completing your Bia again that swirls in the risk assessment are y’all move on to do different aspects around risk management so that’s completing the Bia last thing is you talk about reviewing this with your bored or Senior Management you need to get this done and you need to periodically do this and update your Senior Management around these things so they need to be involved with what’s going on a business operations cuz it also has your operations will change any auto requirements me to come up or any lessons learned that you did during your testing your your your small medium or large those are or complex into your Bia so all those aspects living breathing document need to be adjusted he also talked about where former technology standpoint where do you store this recommend storing it off site having at least one copy off-site reason is because in the event of a disaster you have the ability to go out and get it and then started off right away so off-site storage is really a big part of this was Russia’s you’re dealing with these critical systems store correctly minttu from as it relates to the business impact analysis where. Organ or training manuals 2018 ffiec Target Media has got some great stuff out there on disaster recovery and then Wikipedia drug business continuity planning as well I hope you enjoyed this training again checking everything out at reduce cyber risk my name is Shon Gerber and you can check me out there have a great day see you on the flip side