The CyberCast

With the release of NIST Cybersecurity Framework 2.0, CIS felt strongly that an update to The Controls was necessary to crossmap to CSF 2.0. Specifically the strongest driver, was the release of the Govern function.Co-hosts:Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Brian Blakely: https://www.linkedin.com/in/bblakley/Eric Woodard: https://www.linkedin.com/in/eric-woodard/Sponsored by Right of Boom cybersecurity conference: https://www.rightofboom.com/

Penetration testing is something that more companies and organizations should be considering a necessary expense. Pen Testing  is an important aspect of discovery and identifying potential critical vulnerabilities within your organizations external network, internal network, applications, or systems. They provide a valuable insight on how your digital and human assets perform.In this episode we review the criticality of scoping a Pen Test, along with differences between Pen Testing, Red Teaming and Vulnerability Assessment. Why should you choose one over the other and when would one proceed the other.Sponsored by: Hacket Cyber and post game interview with Founder James Carroll.  Hacket Cyber is a security consulting firm specializing in penetration testing, ethical hacking, and industry-leading cybersecurity services. Our offerings are purpose-built for the MSP, MSSP, and VAR channels.  https://hacketcyber.com/partner/James Carroll LinkedIn: https://www.linkedin.com/in/jchax/Co-hosts:Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Wes Spencer: https://www.linkedin.com/in/wesspencer/

The biggest takeaway from CIS Control 17 is that planning and communication are critical when responding to an incident. The longer an intruder has access to your network, the more time they've had to embed themselves into your systems. Communicating with everyone involved can help limit the duration between attack and clean-up.Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.Our sponsor: Exigence (https://www.exigence.io) is a multi-tenant, Incident Readiness, Incident Response platform, built for MSP/MSSPs. Drive new revenue streams and meet cyber insurance & regulatory requirements for Incident Response plans and tabletops. The Exigence platform gives you full control of critical incidents by uniquely addressing every aspect of the incident – turning an unstructured situation into one that is structured and easy to manage. ​ It coordinates all stakeholders and systems all the time, orchestrates complex workflows from trigger to resolution, simplifies the post-mortem, and always leverages lessons learned for doing it even better next time.Contact Noam here: noam@exigence.io Co-hosts:Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Wes Spencer: https://www.linkedin.com/in/wesspencer/'

CIS Control 16 - Application Software SecurityThe way in which we interact with applications has changed dramatically over years. Organizations use applications in day-to-day operations to manage their most sensitive data and control access to system resources. Instead of traversing a labyrinth of networks and systems, attackers today see an opening to turn an organizations applications against it to bypass network security controls and compromise sensitive data.  NOTE: Crowdstrike notes that Cloud based attacks and initial access via these systems has increased 112%, therefore SaaS applications, their potential vulnerabilities and misconfigurations along with initial access are all being focused on by threat actors.**Jim Manico at minute 52:40 - do not miss!!**Our sponsor: Jim Manico, Founder of Manicode is considered the "Godfather" of the OWASP Top 10 and trains software development teams around the globe. His firm helps organizations building secure code and creates programs to address the primary cause of insecurity, which is the lack of secure software development practices. Contact Jim here: https://manicode.com/Co-hosts:Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Wes Spencer: https://www.linkedin.com/in/wesspencer/'

LastPass and the recent Rackspace Exchange incident are two prime examples of "why" this Control is Critical!!Develop a process to evaluate service providers who hold sensitive data, or are responsible for critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.Identify your business needs and create a set of standards that can be used to grade services providers that are being proposed. Organize and monitor all services providers that are associated with your business. Keeping an inventory of all services providers will enable you to monitor them in case they update their policies. Co-hosts:Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Wes Spencer: https://www.linkedin.com/in/wesspencer/

MSP/MSSPs should offer solutions to provide users with frequent security awareness training to increase its overall security posture. The information provided by the security awareness training should be relevant and provide insights into recent security incidents. Training should also reiterate the necessity of using strong passwords, spotting and reporting phishing attacks, as well as properly handling personal information. Security awareness training should include frequent phishing tests. Phishing tests allow users to learn from their mistakes and utilize their training to spot actual phishing attacks. These phishing tests should be specially crafted for different departments within an enterprise. Specially crafted phishing tests are harder to detect and demonstrate the value of security awareness training.

Network monitoring and defense is one of only two controls that does not contain any Implementation Group 1 Safeguards in Controls version 8.  This control is geared towards mature MSPs, MSSPs & organizations who have a mindset of  continuous improvement  that involves people, process, and technology.  Service providers  need a well-trained staff that executes on their network monitoring, detection, logging, correlation of events in order to thwart malicious attacks.

Abstract: Network Infrastructure Management - Establish, implement, and actively manage network devices, in order to prevent attackers from exploiting vulnerable network services and access points. Network infrastructure devices can be physical or virtual and include things such as routers, switches, firewalls, and wireless access points. Unfortunately, many devices are shipped from manufacturers with “default” configuration settings and passwords that, if deployed as-is, can significantly weaken an organization's network infrastructure.  Even if network devices are hardened with non-default configurations and strong passwords, over time these devices will be targeted by new vulnerabilities that are discovered by security researchers.MSPs should ensure that their teams implementing and operating the network infrastructure have processes and procedures in place that include capabilities for having a secure network infrastructure.

Abstract: Data loss can be a consequence of a variety of factors from malicious ransomware, threat actors using "Double Extortion" and exfiltration, human error and natural disasters like hurricanes.  Regardless of the reason for data loss, we need to have a process established (RPO/RTO) to recover our data. Key Takeaways for Control 11Prioritize your data and come up with a data recovery plan.Protect your backed up data. (See Control 3: Data Protection.)Practice and Test restoring your data.Restore your data after any compromise. 

Abstract: With the continuing rise of ransomware, malware defenses are more critical than ever before with regard to securing your MSP and clients.   Malware defenses must be able to operate in a dynamic environment through automation, timely and rapid updating, and integrate with other processes like vulnerability management and incident response.  Anti-Malware technologies have become an after thought in many organizations, a technology that they've always had, always used, and never really thought about.  Effective malware protection includes traditional endpoint malware prevention and detection suites, along with enrichment from vendor, vulnerability or threat data. 

Abstract: Web browsers and email clients are very common points of entry for attackers because of their direct interaction with users inside an organization.  Content can be crafted to entice or spoof users into disclosing credentials, providing sensitive data, or providing an open channel to allow attackers to gain access, thus increasing risk to your MSP or client's business.  Since email and web are the main means that users interact with external and untrusted users and environments, these are prime targets for both malicious code and social engineering.

Abstract: Log collection and analysis is critical for an organization's ability to detect malicious activity quickly.  Sometimes audit logs are the only evidence of a successful attack.  Attackers know that many organizations keep audit logs for compliance purposes, but rarely analyze them.   Due to poor log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing.  In this episode, learn about using logs in incident management, analyzing what to log and the numerous factors to establish a successful audit log management process.Sponsor: Blackpoint Cyber interview with Travis Brittain, Director of Product Enablement. Logging & Compliance: https://blackpointcyber.com/logic/Travis Brittain: https://www.linkedin.com/in/tbrittain/Co-hosts:Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Wes Spencer: https://www.linkedin.com/in/wesspencer/

Note we discuss Log4j as this is a very timely topic to this control. Abstract: Cyber defenders are constantly being challenged from attackers who are looking for vulnerabilities within their infrastructure to exploit and gain access. Defenders must have timely threat information available to them about: software updates, patches, security advisories, threat bulletins, etc., and they should regularly review their environment to identify these vulnerabilities before the attackers do. Understanding and managing vulnerabilities is a continuous activity, requiring focus of time, attention, and resources. Sponsor: CyberCNS interview with Shiva Shankar, CTO & Founder at minute 45:22.Learn more here: https://www.cybercns.com/ (free trial)Shiva Shankar: https://www.linkedin.com/in/shivashankarj/Co-hosts:Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Wes Spencer: https://www.linkedin.com/in/wesspencer/

Abstract: It is easier for an external or internal threat actor to gain unauthorized access to assets or data through using valid user credentials than through "hacking" the environment.  There are many ways to covertly obtain access to user accounts, including: week passwords, accounts still valid after a user leaves the organization, dormant or lingering test accounts, shared accounts that have not been changed in months or years, service accounts embedded in applications for scripts, a user having the same password as the one they use for an online account which was compromised in a public password dump.  Listen as our hosts break down the people, process and technology to implement effective and secure account management.Sponsor: Appgate interview with Tina Gravel, SVP Channels and Alliances at minute 37:20. Learn more here: https://www.appgate.com/ Tina Gravel: https://www.linkedin.com/in/tinagravel/Co-hosts:Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Wes Spencer: https://www.linkedin.com/in/wesspencer/

Abstract: There are many ways to covertly obtain access to user accounts, including: week passwords, accounts still valid after a user leaves the enterprise, dormant or lingering test accounts, shared accounts that have not been changed in months or years, service accounts embedded  in applications for scripts, a user having the same password  as one they used for an online account.  Learn how CIS Control 5 can mitigate some of the most common ways  credentials are compromised.Sponsor: Keeper Security interview with Marcia Dempster, Sr. Director of Channel Sales at minute 48:21.  Learn more here: https://www.keepersecurity.com/Marcia Dempster: https://www.linkedin.com/in/marcia-dempster-03280914/Sponsor: CIS CIS-CAT (https://learn.cisecurity.org/cis-cat-lite)Co-hosts:Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Wes Spencer: https://www.linkedin.com/in/wesspencer/

Abstract:  Learn why the number one thing organizations can do to defend their networks against top attacks, is to implement secure configurations! Azure Breach (8/26/2021): According To Wiz who found the CosmosDB Vulnerability, they quote: "Database exposures have become alarmingly common in recent years as more companies move to the cloud, and the culprit is usually a misconfiguration in the customer's environment."   https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databasesSponsor: ThreatLocker interview with CEO, Danny Jenkins at minute 31:58.  Learn more here: https://www.threatlocker.com/Sponsor: CIS CIS-CAT (https://learn.cisecurity.org/cis-cat-lite)Co-hosts:Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Wes Spencer: https://www.linkedin.com/in/wesspencer/

Abstract: CIS Control 3 is Data Protection and data is pretty much what's at stake for a high percentage of cyber attacks.  Data is more valuable than oil and it fuels many organizations.   Many of the baseline security recommendations from all of the security frameworks out there now recommend, or REQUIRE if you're in a regulated industry such as healthcare, that certain things like full disk encryption are simply put into place no matter your risk profile.  Much of what's in the Data Protection Control represents the modern reality of cybersecurity.Note: we split up Data Protection into two shorter podcasts (about 20 minutes each) and therefore, you will see a "part 1 & part 2". Part 2 focuses in depth into CIS Control 3 and the Safeguards 3 - 7 (formerly called sub controls).Co-hosts in part 2 are: Ryan Weeks, CISO of Datto and Wes Spencer, CISO of Perch Security.Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Wes Spencer: https://www.linkedin.com/in/wesspencer/Sponsor: Datto - https://www.datto.com/Rob Rae, SVP of Business Development: https://www.linkedin.com/in/robtrae/DattoCon: https://seattle.dattocon.com/

Abstract: CIS Control 3 is Data Protection and data is pretty much what's at stake for a high percentage of cyber attacks.  Data is more valuable than oil and it fuels many organizations. Many of the baseline security recommendations from all of the security frameworks out there now recommend, or REQUIRE if you're in a regulated industry such as healthcare, that certain things like full disk encryption are simply put into place no matter your risk profile.  Much of what's in the Data Protection Control represents the modern reality of cybersecurity. Note: we split up Data Protection into two shorter podcasts (about 20 minutes each) and therefore, you will see a "part 1 & part 2". Part 1 focuses in depth into CIS Control 3 and the Safeguards 1 -3 (formerly called sub controls) .Co-hosts in part 1 are: Josh Franklin, Sr. Cybersecurity Engineer at Center for Internet Security (CIS) and Brian Blakely, who leads a team of fractional CISOs, where they focus on building security programs for small to medium businesses.Josh Franklin: https://www.linkedin.com/in/joshuamichaelfranklin/Brian Blakely: https://www.linkedin.com/in/bblakley/Sponsor: https://www.netwrix.com/Ken Tripp: https://www.linkedin.com/in/kentripp/

Abstract: There is a cybersecurity saying; “you can't protect what you don't know about.”  Without visibility into your information assets, their value, where they live, how they relate to each other and who has access to them, any strategy for protection would be inherently incomplete and ineffective.Note sponsors are at the end at minute 28:30 The Why might an MSP want to listen?  Most MSPs only capture 50% of the assets on a client's network.Min 2:30 - 8:46 (Ryan Weeks, CISO of Datto discusses)Importance of asset management.What defines an asset.What defines good asset management.What are common assets missed in an MSPs inventory.Min 8:47 - 16:06  (Wes Spencer, CISO of Perch Security)The repercussions of poor asset management.Importance of Asset Management, as it pertains to Incident Response.How asset management help with IR plans & Tabletops.Min 16:08 - 23:05 (Brian Blakely, Fractional CISO of Cosant Cybersecurity)What your policy statement should include.Learn the importance of Data Flow Diagrams (DFDs).Control objectives and standards MSPs need to consider.Asset considerations on the Right & Left side of "Boom".Min 23:06 - 28:30 (Phyllis Lee, Sr. Director of Controls for CIS)Why CIS and most frameworks start with asset management.The progression of sub-controls as an organization moves from IG1 - IG3 in CIS.What actionable steps should MSPs take to successfully implement Control 1 & 2.Sponsors:Center for Internet Security:  Phyllis Lee (28:30 - 30:58)CSAT Pro - learn more here: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/Netalytics Security:Shiva Shankar (31:00 - 38:50)CyberCNS: https://www.cybercns.com/

Google reports that Multifactor Authentication (MFA) prevents more than 96% of bulk phishing attempts and more than 76% of targeted attacks that are credential based.In this episode, learn how MFA maps to the different security frameworks, the impact it has, building a policy around it, how the threat actors exploit it - via MITRE ATT&CK - what you can do to defend against it - MITRE Shield, common mistakes or oversights made when implementing into their tech stack and trends.Note: Sponsors Cisco Duo and Center for Internet Security (CIS) are at the end of the episode starting at minute 26:00.msp@duo.com to sign up for Duo NFR.https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/andrew@thecybernation.com - Andrew Morgan (host)Co-hosts: Ryan Weeks: https://www.linkedin.com/in/ryanweeks/Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/Wes Spencer: https://www.linkedin.com/in/wesspencer/ Brian Blakely: https://www.linkedin.com/in/bblakley/Consant Cybersecurity: https://cosant.com/