Diana Initiative 2021-Cassandra Brunetto-Vulnerabilities from Venus, Management from Mars: How to...

Jul 22, 2021 03:27 · 3286 words · 16 minute read

Vulnerabilities from Venus, Management from Mars: How to Navigate the Unknown

Cassandra Brunetto

CHERYL: Cassie Brunetto is our next speaker, with great experience in terms of IT, risk and compliance, and building security programs.

00:32 - She’s also the founder of Gatebreachers. This talk is about managing success with programs.

00:48 - And then some question and answer afterwards.

00:51 - So, please put your questions in the talk. And a word of praise and thank you to our very generous sponsors.

00:58 - Thank you if you’ve explored the expo hall, if not, take a few moments to say hi.

01:04 - And without further ado, I will pass this over to Cassie Brunetto.

01:10 - CASSIE: Thank you. My name is Cassie.

01:15 - My talk is Vulnerabilities from Venus, Management from Mars: How to Navigate the Unknown.

01:27 - Before I get started, I would like to introduce myself.

01:30 - My name is Cassie. My pronouns are she/her.

01:33 - I’m the ID and compliance manager at Graylog.

01:38 - And dog owner of Astro, the lovely German shepherd on the right, whom many of you know from Twitter.

01:45 - I play a key role in identifying, managing and monitoring cybersecurity risk within an organization.

01:54 - I started in help desk and worked my way up.

01:58 - Got my bachelor’s degree in information security and assurance and got a master’s degree in my second position in security.

02:08 - And then in 2019, I founded Gatebreachers, and we work on inclusivity and look to see more underrepresented genders in the field.

02:23 - Shoutout to everyone trucking through and learning more while we have been in a pandemic.

02:30 - You’re awesome. And I got some certifications.

02:34 - Just to learn and, you know, I think that everyone can learn from them.

02:40 - But they’re not required in the field. So, I have the CISSP, the CISM and the Security+.

02:47 - And you are all joining me for my first GRC talk.

02:51 - So, thank you so much for joining me! So, why do we care about building effective security programs? Well, in 2013 Yahoo! suffered a security breach affecting 3 billion accounts.

03:07 - They were fined $85 million. And it took them 3 years to discover and disclose the breach.

03:14 - And almost 4 years to complete the investigation.

03:19 - In 2014 Home Depot credentials were stolen from a third party which led to a compromise of the point of sale system.

03:28 - This resulted in a $200 million fine. Threat actors likely completed the initial breach through a third party supplier workstation.

03:39 - Then they surveilled the cardholder data and then tested the attack to capture and exfiltrate data.

03:47 - In 2016, Uber paid the criminal that hacked its driver and user accounts $100,000 which led to a $148 million fine.

04:00 - The chief security officer and one of his deputies were fired for their roles in concealing the attack.

04:10 - In 2017, Equifax lost personal and financial information of 150 million clients due to an unpatched database framework resulting in a $575 million fine.

04:25 - Threat actors were able to move from a consumer complaint portal to other servers because they weren’t segmented from each other.

04:33 - And they had usernames and passwords stored in plaintext.

04:39 - This year in 2021 the Colonial Pipeline proactively shut down its operations after a ransomware attack, resulting in fuel shortages along the East Coast.

04:50 - The company believes that attackers exploited a legacy virtual private network profile that did not have multifactor authentication configured.

05:01 - The Colonial Pipeline also paid a $5 million ransom to the Russian-based criminal group, DarkSide.

05:08 - As you can see, it’s extremely important to build a program to protect, prevent, respond and recover from cybersecurity incidents.

05:19 - So, you have been hired to manage the information security program at a new company.

05:27 - How do you build a security strategy without becoming overwhelmed? How do you define the scope for security initiatives? Before we can create a security roadmap or strategy, we need to thoroughly understand the basics, so we’ll want to talk to employees and discover more about the new company and its culture.

05:50 - What does the company do? You want to talk with senior management about the current state of the organization.

05:57 - What product or service is being provided? What kind of data is being accessed, processed, transmitted or stored? Do you have any information security or regulatory requirements that have to be met? What are the company’s current initiatives? Is there a new functionality or service being implemented into a product? Does the organization plan on hiring new employees or building new teams? And what are the company’s goals for the future? You also want to consider scalability and cost efficiency when architecting security processes and controls.

06:39 - Next you want to understand the company culture.

06:45 - Is this currently a managed security program? You’ll want to review policies, procedures, guidelines and standards.

06:53 - You can also interview employees about currently implemented security practices.

07:00 - And is there any framework that the security program is already aligned with, such as the NIST Cybersecurity Framework? And how do employees feel about the security controls in place or the lack thereof? Are security controls hindering operational effectiveness? Are the security controls aligned with the mission and vision of the organization? Are the security controls actually meeting their objectives? Is there a security awareness training program? What type of security awareness training program is provided? Is training tailored to the organization and its employees? And are metrics being used to measure the effectiveness of the security awareness training program? Finally, are there documented security policies and are they disseminated to employees? Are new or updated policies communicated to employees? Is there a central repository where employees can review relevant policies? And how often are employees required to review these policies? You’ll also want to understand the data classification scheme being used, if there is one.

08:21 - So, we want to ask ourselves, is data being classified currently? If so, what are the data classifications currently being used? Is there a standardized classification? Are the data classifications clearly defined? Ideally, there should be an easily accessible data classification policy or standard that defines data classifications and provides clear examples.

08:48 - Next, you want to identify the crown jewels.

08:55 - What are the crown jewels? What does the company consider important to its mission, objectives and operations? The crown jewels can be source code, intellectual property, personally identifiable information, personal health information, and other proprietary data.

09:14 - Who owns the crown jewels? Who is accountable for the confidentiality, integrity and availability of the crown jewels? You’ll want to interview senior management and other business unit managers to identify the information owners.

09:30 - Then you want to understand where the crown jewels are located.

09:35 - Where are the crown jewels being accessed, processed and stored? You’ll want to identify any applications, systems, and services.

09:44 - This information can be extremely helpful when you’re creating data flow diagrams.

09:52 - Next you’ll want to understand how the crown jewels are being accessed.

09:57 - How can I access the crown jewels? Is there multifactor authentication required? Are there shared accounts? Which brings us to who has access to the crown jewels? Who are the people responsible for using the crown jewels during their everyday tasks? It could be developers, engineers, sales, or marketing teams.

10:20 - And finally, who needs access to the crown jewels? We want to make sure that we’re removing any unnecessary access.

10:29 - We want to also ensure that we’re provisioning access according to the principle of least privilege and ensuring that we are reviewing all privileged access.

10:39 - We have to remove any accounts or any access.

10:43 - This could include service accounts and any other things that are configured by default in Active Directory.

10:52 - You’ll also want to take an inventory of the infrastructure.

10:58 - What does the infrastructure look like? Is there a network flow diagram or a data flow diagram? Are we using Linux or Windows on servers? Are we using a cloud hosting provider? Are we using containerization or a container orchestration technology such as Kubernetes? Then we want to understand the technology stack being used for the products or services offered.

11:23 - Apache? MySQL? Elasticsearch?

11:26 - And then who is managing the infrastructure? Is there an engineering team? Is there an operations team or is it information technology? We can also interview any employees about the current practices and processes.

11:50 - Third party vendor risk management. Is there actually a managed third party vendor risk management program? If yes, are there any established practices or procedures? Any templates or questionnaires that are currently being used? Or are we going to build a program from scratch? If so, we want to consider the third party vendor life cycle and the processes that we’re going to develop to onboard and offboard vendors.

12:21 - Who are the high and critical vendors? Have they been assessed? How frequently will high and critical vendors be assessed in the future? And is the right and ability to audit controls currently included in any vendor contracts? Which vendors are being assessed? You want to create an inventory of third party vendors, document the services that are being provided, the business unit being serviced and any third party vendor contacts.

12:52 - You’ll also want to determine the assessment requirements for third party vendors.

12:56 - For example, cloud hosting providers must provide type 2 reports.

13:06 - Who are the organization’s key players? It’s important to identify the owner of risks.

13:13 - Who are the risk owners? Is it the chief technology officer? The Vice President of a business line? It’s important to establish and document any type of risk ownership.

13:26 - Next you’ll want to identify key players. Who are the information security program’s stakeholders? It could be the marketing, sales, or engineering departments.

13:37 - Who are the subject matter experts? You’ll want to identify information technology and information security subject matter experts throughout the organization.

13:49 - And keep in mind, they might not necessarily work in the security department.

13:53 - There may be employees in other departments that have security knowledge.

13:58 - Who do other employees trust? Is there somebody that can assist you with implementing security initiatives that other employees trust? You’ll want to build relationships with these key players.

14:11 - It is crucial to build relationships with the key players in your organization to gain trust and credibility with other employees.

14:20 - Key players are the vehicle that will drive your security program.

14:24 - They will have insight and tribal knowledge that will be overlooked if you try to establish processes on your own, and it’s integral to include them in important conversations and discussions.

14:37 - Defining the scope of your security program.

14:43 - First, you’ll want to identify gaps. What is the current state versus what is the desired state? You can use the NIST (National Institute of Standards and Technology) Cybersecurity Framework implementation tiers.

14:59 - There are three tiers. Partial, risk informed and repeatable.

15:04 - So, for example, your current tier might be risk informed and your desired state would be repeatable.

15:12 - Then you’ll want to identify risks. You can use threat modeling and perform a risk assessment.

15:19 - Then you want to consider the risks presented by identified gaps.

15:23 - Does the risk of an ineffective security control surpass the organization’s risk appetite? Then you’ll want to prioritize these risks.

15:32 - What risks need to be mitigated based on the identified impacts? We want to mitigate the risk with the greatest adverse impact and the likelihood of occurrence.

15:45 - It’s important to develop realistic security program goals and I’m going provide you with some advice that I wish I had when I first started creating security risk and roadmaps.

15:57 - First off, set yourself up for success. Develop SMART goals, which stands for specific, measurable, attainable, relevant, time-based goals for performance and project management.

16:15 - Your goals should align with the mission of the organization.

16:19 - For example, one of your goals could be to decrease security risk by developing a vulnerability and patch management process.

16:27 - Or increase security awareness by providing interactive security training to employees on a periodic basis.

16:36 - Don’t be too ambitious. There may be dozens of fires to put out, but you only have so much time and energy.

16:43 - You’ll want to prioritize critical and high risks and develop a project plan.

16:50 - Do not be a jack of all trades and a master of none.

16:55 - There may be many opportunities for improvement in areas such as network security, application security, logical access security, or third party vendor risk management.

17:07 - But you should target significant gaps that have been identified during the scoping phase.

17:13 - Focus on one area and be exceptional. Improve one area with significant gaps.

17:20 - For example, if you don’t currently have an identity and access management program, one of your initiatives can be focusing on standardizing roles and access and then integrating single sign on or multifactor authentication with critical applications and privileged user accounts.

17:39 - Communicate your boundaries with your manager and other teams.

17:43 - Don’t be afraid to say no just because you think you’ll disappoint your manager or your team.

17:49 - You want to define your and/or your security team’s job scope.

17:54 - And establish open lines of communication between other teams and the information security department.

18:02 - Do not take on an overwhelming amount of projects.

18:06 - Avoid burnout and avoid stress by managing fewer projects.

18:11 - Create a project plan including a timeline.

18:13 - You can create a Gantt chart or use free online tools.

18:17 - And consider using other resources. This brings us to leveraging third parties.

18:23 - You can hire third parties for larger projects like incident response or disaster recovery capabilities.

18:30 - Third parties can also help you build and house teams.

18:34 - Third parties can be more cost efficient than building capabilities in house.

18:40 - You can also consider hiring consultants for short term projects like creating policies or hiring employees.

18:49 - Consider outsourcing short term projects that require experienced subject matter experts.

18:54 - Consultants can also be more efficient than hiring full time employees.

18:59 - Last but not least, make incremental changes throughout time instead of attempting to remediate all gaps within a short amount of time.

19:08 - Patience is key. It takes time to implement processes, change or build a security culture, and create key performance or risk indicators.

19:20 - But you want to make sure that you’re documenting, tracking, and measuring and reporting all of your progress.

19:28 - You can easily show your impact on the organization’s security posture.

19:33 - Don’t forget to celebrate small wins. It’s like a 10 mile hike.

19:38 - Don’t focus on getting all the way to the top of the mountain.

19:42 - Be enthusiastic about reaching small milestones throughout your journey.

19:48 - Well, that was my talk on starting a security program.

19:55 - I can be reached on Twitter. My handle is loquaciousloka and I’m on LinkedIn.

20:01 - I have included in my slides the implementation tiers.

20:07 - So, feel free to take a look at that once I have shared my slides.

20:11 - Thank you! CHERYL: Congratulations! That was a great talk.

20:18 - I like how you walked us through the steps.

20:21 - But you just really simplified, but called out the important things.

20:25 - We have some good questions from people in the chat.

20:30 - I’ll start with the first one. This is from Duane Dunston, and he wanted to know how many organizations you have consulted with that identified the crown jewels and knew where they were located? CASSIE: I would say that the number of organizations that had that before I was there would probably be zero.

20:51 - Maybe one in the financial industry. But I would say that this is a process that not many people do, in my opinion.

21:00 - And creating an asset management program or inventory or configuration database is something that I’ve rarely seen.

21:11 - So, you know, obviously you build upon asset management into vulnerability management and patch management.

21:18 - So, it’s really important to know what you have before you can protect it, of course.

21:24 - CHERYL: Absolutely. We have another question.

21:29 - This is from a volunteer, and he wanted to know, how do we make some of this work in a small business environment? CASSIE: A small business environment.

21:40 - I would definitely recommend thoroughly doing your research.

21:45 - Your due diligence. And preparing any type of evidence that you can provide to whoever writes the checks.

21:54 - And just really getting intimate with your fellow coworkers, because you’re gonna be building relationships and having to work with them.

22:03 - And just really understanding what role everyone plays in the organization.

22:08 - And architecting security controls that make sense financially.

22:14 - That play nice with any type of legacy technology.

22:19 - All of these factors you really have to take into consideration.

22:23 - But I would definitely put an emphasis on the cost benefit analysis because small SMBs are gonna want to go with the least costly controls or processes to implement.

22:35 - So, you want to make sure that you have, you know, evidence and proof of a benefit and return on investment.

22:43 - CHERYL: Great point. I love that you highlighted the importance of knowing who does what, so you know whom to ask when things come up.

22:52 - As sort of a not what you know, but who you know approach to things.

22:57 - CASSIE: For sure. CHERYL: We’ve also got a fabulous question from Edmund here.

23:05 - What’s the strangest thing you have discovered on a network during an asset inventory? CASSIE: Totally Windows XP.

23:15 - Default admin privileges. Just really just scary, scary things like that.

23:23 - And seeing people that use privileged user accounts all day for like their daily tasks I think has been like one of my nightmares of my life.

23:31 - So, please don’t do that! CHERYL: Oh, real stories.

23:36 - I’ll see if there’s anything else. No, I think that we are good for questions here in the chat.

23:45 - And again, you’re gonna make your slides available.

23:47 - We’ve got the links to the NIST framework which is a very helpful tool, and you want to have that to work alongside, and this was a terrific presentation.

23:57 - CASSIE: Thank you very much. It was a pleasure to meet you.

24:00 - Thank you for having me. CHERYL: Thank you for being part of Diana Initiative 2021.

24:04 - Thank you everyone for attending. CASSIE: Bye! CHERYL: Bye!