Pwned: The Information Security Podcast

Show Notes: https://justinfimlaid.com/the-cavalry-is-not-coming Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ I hear it all the time, security burn out is high. I wasn’t until this week that I realized that folks got the reason for burn out completely wrong.  After listening to someone tell me that a large tech company burns out their staff due to work volume and rotates the staff every 2 years I realized we have it twisted.  I don’t know about you, but most security folks I know love doing security and a 60 hour week hasn’t burnt anyone out when they do what they love.  If a 60 hour week does burn you out, then I'd recommend changing your work profession as a matter of mental health.  Go do something you love to do, then no one would have to pay you to work because you'd do for free because you love it. As a former CISO I can say first hand that the work never burnt me out.  The environment and people are what burned me out.  What I mean by that is that having accountability for security and no direct responsibility for security in a $6B organization was incredibly stressful. Most security folks I know are in this spot. They have accountability for enterprise security but the role and action of security is distributed across the organization.  Also - there should be some segregation of duties between IT and Security.   Since security is often monitoring an environment they often see mistakes make by peers in the company outside of security.  Those mistakes can make  security challenging, but those same peers often have little motivation to clean up those mistakes unless it directly impacts their job.  So, security having to feel like they are in the position of digital janitor and clean up can be exhausting.  There's only so many times you'll clean up the spilled milk before you just leave it spilled. Security leadership has become a political position, evangelizing for security, educating you work colleagues on security all so those same company peers when faced with a security decision will self-select the correct decision related to security when no one is looking. To amplify matters, you don’t have all the budget you need or want to do your job. Nor likely do you have all the actual authority to make that decision you want to.  The threat landscape is also shifting so tomorrow is always a new type of cyber attack. All this is to say that it's a tough job.  Not because of work load only, but the surrounding intangibles of working in organizations who probably are excited to pass off security can be draining. I've got news for you, the Cavalry is NOT Coming.  You are on your own. For those of you listening to this maybe not grasping the challenge, let me propose an analogy.  We’ve all been out to dinner at a restaurant. Let’s say being a CISO is like being the chef of the restaurant. In this analogy the chef is accountable for your meal, but not responsible for preparing it or delivering it.  The chef has a partial budget, and needs to convince other kitchen staff to pool their budget to buy the food needed to serve the menu.  The kitchen staff, however, also have other department chefs they work for that diverts their attention.  To make matters more complicated, the kitchen is consistently invaded by rodents and kitchen hygiene is ...

Show Notes: https://justinfimlaid.com/soc2-report-quickstart/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ Looking for information on SOC2, read more here: https://www.nuharborsecurity.com/do-i-need-a-soc2-report/

Show Notes: https://justinfimlaid.com/not-invented-here-syndrome-for-security Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ Have you ever had an idea to advance your company or another companies security posture?  And it's a really good idea.  Like really good.  You do you your homework and dot the "I's" and cross the "T's" and your propose a superior solution that sets your organization up for, what you think, is long term success?  When you propose your idea, someone passionately proposes an alternative weaker solution.  Or worse, people take shots at your idea trying to make it look like swiss cheese for the apparent purpose of making an alternate idea better? If yes, you might have seen and experienced the "Not Invented Here Syndrome". One of the more concise definitions of Not Invented Here Syndrome (NIHS) I've heard come from Techopedia: "Not invented here syndrome is a mindset or corporate culture that favors internally-developed products over externally-developed products, even when the external solution is superior. NIHS is frequently used in the context of software development, where a programmer will overlook all the attributes of an existing solution simply because it wasn't produced in-house." Another variant to NIHS is the micro variation comes when the security department or CISO is accountable for security but doesn't have responsibility for security.  So if you are security professional recommending products/solutions that are always "shot down" by those with budget authority there could be a few reasons and Not Invented Here might be the cause.  NIHS can take a couple forms (this list adapted from Techopedia): The other teams don't value the work of others.  They have pride in a negative way.They don't understand or unwilling to try to understand the benefits and lack confidence.Fear that their previous ideas aren't valued.Territorial battles, e.g. internal "turf wars".Fear of having to learn something new.Wanting to control the process.  Would rather "reinvent the wheel" to maintain control.Jealousy that they didn't think of the idea first.Belief that they can do a better job.The other teams don't value the work of others and believe they can do better.  They have pride in a positive way. There's always the counter argument that the Security team always makes sub-tier recommendations and IT rather keeps the proverbial security train on the tracks. Anyway, NIHS is a real thing and can really be barrier to completing an annual plan.  For organizations that don't foster innovation NIHS can really be present in the way the company operates day to day.  There's some great articles on Not Invented Here and how some of the worlds longest standing companies foster innovation and work with external ideas to make their business grow. Some interesting links you might check out... https://hbswk.hbs.edu/item/the-benefits-of-not-invented-here https://www.forbes.com/sites/haroldsirkin/2017/03/09/not-invented-here-not-at-the-most-innovative-companies/#1d85172c1e35

Show Notes: https://www.nuharborsecurity.com/red-teaming-vs-penetration-testing/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/

Show Notes: https://justinfimlaid.com/without-wax:-the-quest-for-perfection/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ I had an English Teacher in  High School that was big on Etymology.  If you aren't familiar with Etymology, its history of how certain words came to be. What I like about Etymology is the stories behind certain words.  This teacher was one the few teachers I actually liked in High School, and I hated English classes so I guess that says a lot.  One word, and one his lessons has always stuck with me.  That word in Sincere.  Sincere is from the Latin words Sin Cera.  In Latin Sin is “without” and Cera is “wax”. The story of Sin Cera dates back to ancient Roman times.  The artistry from that time period was seen in statues and ornate marble pillars.  What was significant about that time period is that artists were appreciated for their perfection.  An apprentice could work for most of their life in a specific craft, trade, or artistry…they’d only do that one thing.  An apprentice might spend years learning how to pick the right type of marble, or they'd spend years learning how to carve a specific type of statue, or spend years learning how to polish a statue.  The best artists were PERFECT. Whats interesting about the best artists from Roman Times and the ones that sculpted Marble is that they embodied perfection in their craft.  They would carve perfect sculptures or perfect marble pillars.  For All the other artists trying to make a name for themselves, who cut corners in their trade and lacked experience used wax to cover their mistakes.  They would use wax to fill holes, cracks and mistakes.  The nice thing about wax is it could be smoothed and polished to look like marble.  It could be plastered over and it could be painted over.  For most buyers they could not determine which was artificial Sin Cera or with out wax.  And in some cases they’d never know until the artist was long gone.  Today when we say we are Sincere, it generally means we’re honest.  But origins of Sincere also means you are without wax and perfect in your craft. The reason I bring this up, it seems to be relevant as of late.  I see more folks and companies trying to capitalize on the Security market.  I understand the push, it’s capitalism in full-swing.  However, I see folks working in the security space who are really confused and are granted trust because of a title, position, or certification.  If you are in Security as a buyer or supplier, whether inside your own company or a third party…and you claim to do security, you need to actually do it.  Let me clarify what I mean by that. What I mean by that is you have an obligation to continuously learn because the threat landscape is constantly shifting.  I realize every subject matter expert started with 0 experience.  But what makes someone sincere in their craft isn’t the fact they have a job in the field, it’s the fact they’re a student of the craft and continually strive to be perfect.  This means always learning and helping others bridge the security knowledge gap. This means you can’t just dabble in security, it’s not a bullet item on a website or on a resume.  We can do this, but we all have to put in the work and make everyone better.

Show Notes: https://justinfimlaid.com/quickstart-building-a-security-program-with-the-nist-cybersecurity-framework/h Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ Hey Everyone - I'm starting to feel a little bad that the Government has been shutdown for so long.  I've hit the NIST site at least 10-15 over the last couple weeks looking for a reference only to be met by a we're closed frowny face.  Anyway - as soon as I recorded this the government opened up…figures.   By the time this goes live NIST will be open again.  If you're looking to build or enhance your security program.  The NIST Cybersecurity Framework might be a good place to start. I see a lot of companies looking to build their security or compliance programs around PCI-DSS, HIPAA, or FFIEC guidance to name a few.  It's good guidance but these regulations fail to recognize an organized security capability.  Meaning - there's no categorization that exists that says if you do these group of security tasks you'll be better protected, or if you focus on these groups of tasks you'll be better positioned to recover from a cyber event. The NIST Cybersecurity framework is organized exactly that way.  In absence of any regulation or compliance requirement this framework might provide a nice step into budget conversations or even establishing a common way to talk about cybersecurity within your organization or institution. To read more about the NIST Cybersecurity Framework, check out my post at NuHarbor Security.

Show Notes: https://justinfimlaid.com/the-best-security-technology-you-probably-arent-using Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ With all the breaches in the news as of late there’s been a lot of chatter about the shifting threat landscape. I saw a post on social earlier in the week that got me thinking; if the threat landscape is shifting - why is it that and how does the collective industry slow things down so we can catch our breach and be proactive with security.  The one piece of security tech I rarely see folks using is deception technology, but maybe the value of the tech is overlooked. The idea of evolution and Darwinism is pretty established at this point. Whether you be believe in creation or evolution it doesn’t matter too much but what I want to dial into is the concept of natural selection, if you aren’t familiar with term it’s the process whereby organisms better adapted to their environment tend to survive and produce more offspring.   Charles Darwin’s idea of natural selection is generally created as an evolutionist  theory BUT the point I want to highlight is I think we can all agree is the common thread here whether you’re a evolutionist of creationist is…mutation.   As we, collectively, evolve as species and as all species we mutate we migrate and create a sense of genetic drift from the original DNA strains.   But at the most fundamental level genetic drift occurs from testing.   We test food, if it poisons us we die. We test our living environments, if it makes us sick we have a lower chance of procreation. If we’re dispositioned to reckless habits it could limit our ability to pass on our genetics and or lessons to the next generation if we’re dead. Foundationally speaking this is a very long term testing effort as a species but, what happens if we couldn’t test.  What happens if the test results were random.  I mean truly random.   What is something was gaming us all like something out of the Hunger Games?  Two people with the same genetic make up, eat the same berries - one gets poisoned and dies and the other doesn’t.  What happens those same two people with the same genetic make up live in an environment that makes one sick but not the other.  If this was the case, it would be incredibly hard to “test” and evolve.  Now, what happens if that same idea applied to castle defenses? The idea of attacking castles is well documented over time and there’s a long history or action and reaction. An attacker storms the front gate and gets in, the defenders react and build a moat if they have a next time.  The defenders build the walls higher, the attackers build a siege tower to easily get soldiers over the walls.   The defenders build defense in depth and attackers create the Trojan horse.  But what would happen if attack results were truly random, sometimes you go through the front gate…sometimes you didn’t.  Sometimes the moat was a problem, sometimes it wasn’t.  Sometimes you “thought” you got the Trojan horse in, but you actually didn’t.  What would have happened if the attackers thought they were exploiting castle defense but were just wasting time and were delayed until the point they were killed.  If this scenario was true - then it’s safe to assume that the evolution of attacker techniques would be slowed…because let’s be honest, they don’t know what does or doesn’t work.

Show Notes: https://justinfimlaid.com/benefits-of-a-security-certification-&-equifax-security-breach/h Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ A lot of companies or agency executives are looking for a security certification or some kind of assurance they can sleep well at night.  Truth of the matter is no security firm would assert that their clients are bullet proof from a cyber security breach.  The threat landscape is shifting intraday and anything a security firm would attest to today might be outdated by the time the team walks out of the building.  In our industry today - there is no certification that offers this level of warranty.  HITRUST, PCI-DSS, ISO27001, SOC Reports all ensure that a process is in place not necessarily the rigor of the security control in place and value of said control in the long run. The Knox Security Certification, is the lone technical security certification but that also has bounds to the warranty and very much requires that the company continue to maintain the hygiene of their security posture as nothing in security is set it and forget it. Any potentially viable security certifications is in jeopardy because of this coupled with the fact there is so many people that misunderstand this concept.  Case in point is the Equifax security breach. If you don’t know Equifax, congratulations on making it out from under your rock and listening to this first.  Equifax is a large credit reporting bureau that holds credit and personal information for millions of people.  The breach, impacted over 140 million people…which to put that in perspective is also HALF the citizens in the US. Here’s the thing, Equifax has an ISO27001 certification. The certification was delivered by Ernst and Young and their EY CertifyPoint division. Some folks, including those at Equifax, seemed to think this certification shielded them from breach.  If you ever listened to any of my podcasts or read anything I’ve written related to ISO27001, you know that ISO27001 simply certifies you’ve followed a framework and methodology to choose security controls—not whether those controls are right and complete security controls for your environment.  To add one more, scope is a big component of ISO27001 and just because someone has an ISO 27001 certification doesn’t mean it for the environment they say it is.  For example, some companies have an ISO27001 certification on their broom closet and say it’s for the whole company.  The issue with this Equifax situation is that E&Y, according to MarketWatch, issued an attest opinion that all security controls were complete and in place, which later could not be supported.  Aside from this not being possible because it fails to acknowledge existance of the crystal ball that predicts any and all zero day attacks, it’s also a conflict of interest and violation of any accreditation rules. To me this indicates a huge lack of understanding OR purposeful negligence. Further, commentary from former SEC Chiefs…I’m withholding names since I don’t know if quotes are taken out of context BUT one head scratching quote, I’m paraphrasing, “there’s  question concerning how much reliance should be placed on the ISO certification when assessing internal controls over financial reporting.” Uhh…you think? I can help out there…none.  There should be no reliance.

Show Notes: https://justinfimlaid.com/5-security-predictions-for-2019/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ Most companies put together a "top predictions" for FY19.  Most are garbage.  There's a couple I think are decent but they are few. Here's my top 5 predictions for FY19. People will realize that SOAR (Security Orchestration and Automation Response) is not the security savior.  In fact, I'd be so bold to say it hinders the security industry by forcing security professionals to become distracted from doing the core and foundational security work.  Security takes work…plain and simple.  You have to eat some shit and grind it out.  That's the job.  There's no easy button for this.  While people are spending the year trying to figure out what to automate, they'll only get to December with little to show and year wasted. I often see SOAR being sold as the end all be all to the security talent short-comings…"no staff, no problems…just buy this solution and we'll solve it for you." BS.  In my experience, most companies don't have good security practices, and what happens when you automate broken processes…you break the process more times and faster.  Additionally, the fundamental thing that SOAR is missing is that security is often distributed within an organization, meaning…it's not one team rather a bunch of teams/departments doing their part of security.  The issue in corporate is that those departments DO NOT allow another group to dictate automatic configuration of technology they are responsible for. Lastly, folks are still trying to figure out security…never mind automate it.  Security teams still need to fundamentally understand the tedious parts of security before they can automate anything…and unfortunately, most people don't know what they don't knowNetwork visibility becomes an important thing. Yeah - this one has been around for a while but I think this is the year it picks up momentum. With distributed networks and IOT blowing up, I think folks will finally start to realize that you can't secure what you can't see and will finally own up to needing a solution that provides central visibility to all devices with an internet connection.  To date, I think this has been a bit of a luxury to have this level of visibilty but I think must folks have tried to cobble together make-shift or home grown solutions to get this level of visibility, so this year I think we'll see folks start to own it.Blockchain will become commoditized.  C'mon let's face it…there is ton of folks trying to tout how smart they are with innovative blockchain solutions.  Honestly…there's so many people trying to do this, and if someone can find useful use-cases then I foresee this becoming as commoditized as asymmetric and symmetric encryption for data protection late this year.  Other words, if someone can do something worthwhile, it become table stakes and no one will care anymore.  Scan-jockeys will be identified.  Contrary to what I hear every week - a vulnerability scan is not a Penetration Test. In the industry we call these folks who run a vulnerability scan and pass it off as a penetration test as Scan Jockey.  These are folks that don't really know how to pen test, so they choose a vulnerability scanner, run a scan and hope no one knows the difference.  Now, don't get me wrong, a vulnerability scan has a VERY valid use in security; in fact I think every organization should be doing vulnerability scans.  My issue is people faking to be a penetration tester.  I do see folks in industry becoming more educated in the difference between the two...

Happy Holidays! ISO 27001 Implementations can be harder than you think. This is a quick how-to walkthrough to get you jump started implementing your ISO 27001 ISMS. Show Notes: https://justinfimlaid.com/implementing-an-iso-27001-isms/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/

There is a ton of information in this episode - all questions are listed on the NuHarbor Security website. Show Notes: https://www.nuharborsecurity.com/4-questions-to-determine-which-pci-dss-self-assessment-questionnaire-saq-to-complete/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/

Show Notes: https://www.nuharborsecurity.com/9-considerations-find-right-cybersecurity-insurance-policy-organization/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/

Show Notes: https://justinfimlaid.com/1-thing-i've-learned-about-successful-security-leaders/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ I traveled to 7 cities this week.  It was a little intense to say the least.  Luckily I had some awesome company with me which made the trip a little easier. While in Austin I was listening to the cover band the Spazmatics and I was talking to a friend about the Pwned Podcast.  We were kicking around ideas for content, so out of Austin Texas, this weeks question - what is single commonality I see amongst successful security leaders. One commonality I see among successful security leaders. It's their ability to build relationships within a security organization.  They are able to get their peers and other folks in the organization to pick up the security gauntlet to enable the security program.  They are also able to get their organizational cohorts to self select the correct security decisions when no one else is looking.  I was pretty fortunate early in my career that someone much smarter than me taught me about the "Not invented here" stance by many people.  The idea of Not Invented Here is someone's general resistance to an idea because it wasn't their own, and they no matter what believe their ideas are better.  From Wikipedia "The reasons for not wanting to use the work of others are varied, but some can include a desire to support a local economy instead of paying royalties to a foreign license-holder, fear of patent infringement, lack of understanding of the foreign work, an unwillingness to acknowledge or value the work of others,jealousy, or forming part of a wider turf war. As a social phenomenon, this philosophy can manifest as an unwillingness to adopt an idea or product because it originates from [somewhere else]." From

5 Considerations to make when choosing to outsource your security program Show Notes: https://justinfimlaid.com/5-considerations-when-outsourcing-security/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ 5 Considerations When Outsourcing Security I bumped into a couple folks struggling to find security talent and are looking to outsource part of their security program.  The question this week is, we need to find a trusted security partner - how do I decide what to outsource? First things first, when deciding what to outsource its important to understand your security program and what you're trying to achieve by outsourcing. Now - if your desire is to outsource everything, and you know the goals of outsourcing then this part is easy and the hard part is finding the right security outsourcing partner. If your desire is to outsource part of your program - then your security outsourcing objective should follow your strategic plan and look to mitigate the risk hard to staff functions.  For example, some security disciplines take a long time to train, such as penetration testing. It's real easy to run a scan but actually conduct penetration testing is an art. It's a challenge to train a penetration tester or penetration testing team in house most organizations do not have this need to and can't justify the human expenditure of a full-time tester with part-time penetration needs.  If this is your case, whether penetration testing or other hard to train or specialty functions it might make sense to outsource this. My Take When I was industry, and I thought about outsourcing my security program, I always broke it down to two components - what I need to control and what saves me time. I would identify what parts of my program I need to tightly control quality or I have tight time deadlines.  I would then look to develop in house talent to fulfill this need so I could tightly control timelines and quality. Any part of my program that was part-time, required a very specialized skill set, or I could relinquish control and still be successful I would outsource. Here's 5 other things to consider when outsourcing: Do you need to control a core competency?  One example might be, If you're leading security in a software development shop it makes a lot of sense to in source code scans and web app testing, but you can probably outsource your need for forensics. Does you program have intellectual property.  I would tread carefully if this is the case and keep control your security architecture.  In some countries 90% of software is pirated and  lifting IP is an expectation. Does you program require dedicated knowledge of a specific technology? If so, Don’t count on outsourcing. Are you trying to reduce costs? If you're program requires travel, extra project management, bench capacity of one security function, it might make sense to outsource part of your security program. Does your program require a lot of creativity?  Don't outsource the thinking, outsource the operational and execution part that make the creative pieces successful.

Intelligence gathering is normal security work.  Intelligence gathering for the purposes of revealing someone's identity when they intend to keep it private is called Doxxing, or "Doc dropping". Show Notes: https://justinfimlaid.com/what-is-doxxing/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/