Pwned: The Information Security Podcast

Summary: Pwned is a weekly information security podcast addressing real-world cybersecurity and information security challenges. Each week we cover a new topic, ranging from cybersecurity and information security to best practices, security technology, and how-to's. All topics come from security professionals and CISOs, along with security stories from the field.

  • Artist: Justin Fimlaid
  • Copyright: © Copyright 2018-2019 Justin Fimlaid & Pwned

Podcasts:

 A Lannister Always Pays His Security Tech Debts | File Type: audio/mpeg | Duration: 14:15

The Debt has Interest and the Interest MUST be Paid! Show Notes: https://justinfimlaid.com/a-lannister-always-pays-his-security-tech-debts Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/

 The Regular Type of Security Vendor | File Type: audio/mpeg | Duration: 5:50

Every industry has a regular type. Show Notes: https://justinfimlaid.com/3-parts-of-your-vendor-security-assessment-program/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/

 3 Parts of your Vendor Security Assessment Program | File Type: audio/mpeg | Duration: 11:26

3 Parts of your Vendor Security Assessment Program Show Notes: https://justinfimlaid.com/3-parts-of-your-vendor-security-assessment-program/ Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/

3 Parts of your Vendor (Third Party) Security Management Program

Over the last few months we've had a lot of questions about this topic. To break it down, I would split the idea of third party security management, or vendor security management, into three parts:

1. Outside the firewall.
2. Inside the firewall.
3. Ongoing/continuous monitoring of your vendors.

For outside the firewall, there are many software providers in the marketplace that effectively run a vulnerability scan of your target vendors and measure their security posture based on information that is publicly available. When one of those providers scans your vendor, they are looking at whether the vendor is using deprecated SSL (an older version of SSL) and might therefore be more susceptible to a security weakness. They are looking at entries in the company's DNS records, such as whether email has been configured for SPF and whether the appropriate DKIM records are in place to ensure email security. They are also looking for open ports. In short, they look for anything publicly available on the web that might infer or suggest what the vendor's overall security posture could be inside the firewall. There are pros and cons to only looking outside the firewall. The pro is that this is a very quick way to get a measure of someone's perceived security posture, or an idea of what it might be. The con is that it is only a look from outside the firewall.

The second type of vendor (third party) security assessment is inside the firewall. Examples of this would be sending a questionnaire to your vendor or third party, with human interaction to ascertain whether the answers supplied in that questionnaire are appropriate. In some cases it is even picking up the phone to talk to your vendor. In these cases you are asking whether they have policies and procedures in place around security, whether they have a vulnerability management program in place, and whether they manage their own vendors. You are trying to understand where they store your information, the security around their databases, and basically how they govern security and protect the technology within their environment.

Where I see folks really get tripped up is what happens next: once you've done an outside-the-firewall review or an inside-the-firewall look and you find a vulnerability or security weakness, what do you do? For some organizations the answer is "this vulnerability is just too egregious, we're not going to do business with this potential partner"; for others it is "let's work with our vendor or partner to help them right-size their security posture so that we can continue to collect business value from this vendor." This is where we are really starting to see the rise of continuous vendor management: if the outside-the-firewall look and/or the inside-the-firewall look of this vendor finds a vulnerability, create a partnership between your organization and the vendor or partner that is providing value to your business, to ensure that everybody's security posture is what it should be and everybody's information is being protected. That back-and-forth partnership is what is evolving as continuous vendor se...

 The Election Security Deception | File Type: audio/mpeg | Duration: 13:43

The Election Security Deception

 Security Awareness – Make it Personal! | File Type: audio/mpeg | Duration: 12:33

Security Awareness – Make it Personal!

 Do you ISO 27001? | File Type: audio/mpeg | Duration: 15:00

ISO 27001 isn't a security benchmark. Show Notes: https://justinfimlaid.com/do-you-iso-27001/ Sponsor: https://www.nuharborsecurity.com and https://iso27001certifications.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/

ISO 27001 Background

ISO 27001 is increasing in popularity, mostly stemming from the exposure created by organizations assessing the security posture of their vendors, and vendors trying to prove they are good data custodians. The problem, at least in the US, is that most people confuse ISO 27001 with a compliance standard, when in fact it is a mechanism to build your security program.

I met with my buddy Todd last week, who is a security analyst at a mid-size manufacturing company. While none of their information is considered "regulated" or "industry sensitive", it would still suck if they lost it, so his organization chose ISO 27001 as their security framework. We chatted about why he's struggling with ISO 27001 adoption within their organization. Here's his deal: he was trying to use the ISO 27001 Annex A controls, trying to implement all of the ISO 27002 controls, and getting frustrated with the process.

Here's the thing: ISO 27001 is not intended to be a compliance framework like PCI or HIPAA. Rather, it is an information security management system, which is why ISO 27001 is commonly referred to as an ISMS. In the simplest terms, ISO 27001 is a management framework that guides you through designing a custom-built security program, with custom security controls right-sized for your organization.

Here's how ISO 27001 breaks down. ISO 27001 has 10 clauses plus an annex, Annex A. Annex A holds the core ISO 27001 security controls. The 10 clauses contain the body of ISO 27001 mechanics, mostly how to construct the ISMS. ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives

Within those 10 clauses there are mandatory things that need to be completed. Dejan Kosutic from Advisera seems to do a nice job with ISO 27001; here are the documents you need to produce if you want to be compliant with ISO 27001. Annex A documents are only required if there is a risk that requires their implementation.

  • Scope of the ISMS (clause 4.3)
  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Risk assessment and risk treatment methodology (clause 6.1.2)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Risk assessment report (clause 8.2)
  • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
  • Inventory of assets (clause A.8.1.1)
  • Acceptable use of assets (clause A.8.1.3)
  • Access control policy (clause A.9.1.1)
  • Operating procedures for IT management (clause A.12.1.1)
  • Secure system engineering principles (clause A.14.2.5)
  • Supplier security policy (clause A.15.1.1)
  • Incident management procedure (clause A.16.1.5)
  • Business continuity procedures (clause A.17.1.2)
  • Statutory, regulatory, and contractual requirements (clause A.18.1.

 What a pain in the GDPR! | File Type: audio/mpeg | Duration: 9:56

This episode is sponsored by NuHarbor Security.

What is GDPR? The General Data Protection Regulation was passed in 2016 and went into effect as of May 2018. I saw many organizations scrambling to achieve compliance in the months preceding and following this past May. This new regulation brought additional changes beyond the 1995 EU Data Protection Directive. GDPR specifically focuses on reinforcing individuals' rights, strengthening the EU internal market, ensuring stronger enforcement rules, streamlining international transfers of personal data, and setting global data protection standards. The changes give people more control over their personal data, making it easier to access their information. GDPR is also designed to make sure that people's personal information is protected no matter where it is sent, processed, or stored, even outside of the EU, as may be the case on the Internet. This regulation flipped a lot of organizations on their heads, and some security professionals inherited GDPR compliance obligations. I've seen more security leaders pulling the short straw for GDPR responsibilities and struggling to wade through the legal obligations.

So what exactly is the security obligation under GDPR, and how is GDPR different from the 1995 EU Data Protection Directive? First off, what are the changes? GDPR builds on the 1995 EU directive, so some background on the directive is in order.

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data".[2] The seven principles governing the OECD's recommendations for protection of personal data were:

  • Notice: data subjects should be given notice when their data is being collected.
  • Purpose: data should only be used for the purpose stated and not for any other purposes.
  • Consent: data should not be disclosed without the data subject's consent.
  • Security: collected data should be kept secure from any potential abuses.
  • Disclosure: data subjects should be informed as to who is collecting their data.
  • Access: data subjects should be allowed to access their data and make corrections to any inaccurate data.
  • Accountability: data subjects should have a method available to them to hold data collectors accountable for not following the above principles.[3]

However, there was no enforcement behind the directive.

What's the difference between privacy and security? Data privacy and data security are two very different disciplines. Data privacy primarily focuses on the governance of the data: it ensures that an organization is doing what it says it is doing with that information. A core privacy tenet is that you will only use the data in the way you said you were going to use it. The intersection with security comes when you have lost the data, or the data was manipulated, through a security weakness or security breach. At that point you have used the data in a way that you did not inform the consumer of as part of your purpose obligations. In other words, because of a security weakness or breach, you've done something with the data you didn't disclose, such as sharing it with people you didn't intend to and allowing a use of the data you didn't receive permission for.

GDPR brings a lot of benefits for consumers, including a right to be forgotten. It allows for easier access to one's data and gives a right to data portability. It gives a right to know when one's data has been hacked. It requires that data protection be implemented by design and...

 Your MSSP is Dead! Long Live your MSSP! | File Type: audio/mpeg | Duration: 8:39

MSSP is dead. Long live MSSP! There was once a time when we had to go to an arcade to play video games. However, technologies like the Xbox and PlayStation have made it possible to play those same video games from the comfort of our own homes. The managed security service provider industry, referred to as MSSPs, is experiencing a similar technology shift today.

I spent some time last week visiting with a large organization in New York City. The question was: how many organizations do you see building their own security monitoring capability and MSSP? This conversation started on the 17th floor in the conference room and ended up in a Starbucks in midtown on 42nd Street. When it's not raining we've had some great fall temperatures, so why not play a little Frogger in New York traffic while chatting MSSP on the way to Starbucks?

What is an MSSP? Let's start with what we mean by an MSSP. The definition is a Managed Security Service Provider. What's the history of MSSPs? The roots of the MSSP lie with Internet service providers in the late 1990s. Those ISPs would sell customers a firewall appliance and, for an additional fee, would manage the customer-owned firewall over the Internet connection. Today, in 2018, the idea of an MSSP has become a lot of different things; an MSSP encompasses log monitoring, endpoint monitoring, firewall management, and more. I would go out on a limb to say there's an MSSP offering for almost any major security technology in the market today. There are many different categories of MSSPs, including the 5 common ones: on-site, perimeter management, managed security monitoring, penetration testing and vulnerability assessments, and compliance monitoring. For the purposes of the conversation in NY we focused on the security monitoring category. To understand where we are today, it helps to understand where we've been.

In the legacy model, which is still widely used today, a company sends its log files off premise to an MSSP in a black box arrangement. By black box I mean that once you send your log files you don't see those files anymore unless you've made a copy locally. With the historical technology, MSSPs are limited in the types of log files that can be monitored by the format of the log file. For example, common log formats such as Cisco and Juniper are seen very often and are consequently easier to enrich with threat intel data or advanced correlations. Less common log formats can be more challenging to correlate or enrich if they use a non-standard layout. So from a legacy MSSP's standpoint it makes strong business sense to invest in common log types and support only those. Most often an MSSP will support a non-common log file format, but it results in a custom development effort.

Pain points of the legacy MSSP model: As a former customer of a legacy MSSP, I can honestly say one of my more significant pain points of the legacy model was the black box, where I would forward my logs off premise and never see them again. If I was alerted to an issue and needed to do an investigation, I did not have the tools or platforms to do a proper investigation, and I rarely could see the data points, correlations, or threat intel enrichment that validated the security event. The black box model was truly a black box.

So where are we today? In the late 2000s the security industry saw the rise of new security technologies that allowed organizations to ingest their own log streams and data sources for the purpose of performing their own in-house security analysis. Over the last 10 years those security technology providers have only improved on that technology, making it better, faster, and easier to perform security investigations in house. These technologies have made it possible to create a white box MSSP in house for any organization....

 Origin | File Type: audio/mpeg | Duration: 3:46

This is the origin of Pwned. My background includes many different security positions over the years, working for a variety of different organizations. I have held security positions ranging from security auditor to security engineer, all the way to being the chief information security officer for a Fortune 750 company. Today I spend a large part of my day talking with security professionals from all over the country in many different industries. Over the years I have talked to folks at hundreds of different companies and a little over 1000 security professionals at those organizations. In order to be the best advisor to those companies and those security professionals, I have become a voracious consumer of content. One of the most common ways I consume content is through audio, with the biggest audio collection being podcasts and audiobooks. However, I had almost no information security podcasts in my subscription list. So, true to my entrepreneurial form, I decided to produce my own weekly information security podcast. The podcast is intended to be short in duration and to right-size the security information I provide to fit within your busy schedule. Each week I will share questions and conversations that I have with companies and security professionals from all over the country in many different industries. Some questions and comments are related to security frameworks and best practices, some are related to security technologies available to us today, and some are discussions of general industry challenges.
