Vancord CyberSound Podcast, Episode 126

Cybersecurity Fundamentals: Modern Day Best Practices

In this episode of CyberSound, Jason Pufahl, Steve Maresca, and Michael Grande revisit foundational cybersecurity practices—what’s still essential, what’s evolved, and what’s next. From patching and multi-factor authentication (MFA) to security awareness training, backups, and endpoint detection and response (EDR), the trio discusses what has become the baseline for today’s security posture and how these practices continue to shift.
Think of it as a “smoke alarm battery check” for your cybersecurity strategy. With attackers growing more sophisticated, they emphasize why refining controls, validating what’s already in place, and leveling up your efforts is critical for staying ahead.

Episode Transcript

00:01

This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity.

 

Jason Pufahl  00:10

Welcome to CyberSound. I’m your host, Jason Pufahl, joined in studio today by Steve Maresca. Steve always loves what I think he loves, emphasis and virtually or remotely, by Michael Grande.

Michael Grande  00:24

Hello, hey, afternoon everybody.

 

Jason Pufahl  00:27

Steve doesn’t go like I don’t even want to talk.

 

Steven Maresca  00:31

I’m the quiet one.

 

Jason Pufahl  00:32

So, we are. So we’ve done a couple of rewinds, and this is different than that. Though we recorded, I think our very first episode was actually security fundamentals, and then we re-recorded that maybe a couple of years later. I think it was June of ’22 where, I mean, candidly, I think the information was largely the same. Our production capabilities were better, so we wanted to make sure we brought that one back. But, you know, it’s been two and a half years, almost three since we recorded, and we wanted to kind of revisit those security fundamentals. I think what, Steve, you’re calling them, the security fundamentals improved, just security revamped or evolved.

Steven Maresca  01:18

You know. So some of these things are evergreen, but the reality is, the world has changed, right?

 

Michael Grande  01:23

So it’s almost, it’s almost like, you know, daylight saving time comes. You got to check the batteries in your smoke alarms. Well, it’s somewhat, what are you doing? What are the fundamentals that you’ve implemented? Right? It’s like a regular status check, yeah.

Steven Maresca  01:36

Except here, the smoke alarms are moving around, and you have to find them again. That’s true, that’s true.

Jason Pufahl  01:41

So we’re gonna tackle this really, in two parts. The one part really is there are things that we expect now that most people probably have done, and frankly, there’s still the foundation to, I’ll call it a basic security program that everybody has to be doing. So we want to cover that. In the event that you aren’t already doing these things, we’ll continue to re-emphasize that you need to, but then I think a lot of it is what’s the evolution look like, and are there new things that you have to be paying attention to or should be doing, right? So looking back, we’ll just sort of tackle these one by one. Certainly patching and addressing known vulnerabilities remains a constant, right?

Steven Maresca  02:20

Always. It’s the baseline expectation that systems are kept up to date. It’s a business requirement. It’s a best practice for security. Everyone that isn’t doing it is probably in that position because they’ve had some oversight, not because they are ignoring it today. Might have been a less common practice in the past.

Jason Pufahl  02:39

But I mean that that’s I mean, that’s bread and butter. There’s tools in place to do it. A lot of the applications, operating systems, they do it on their own already. Anyway, it should be really straightforward. Going back to the discussion we had around, you know, sort of the ROI of these threat actors. They look for known vulnerabilities to exploit, right? Plain and simple.

 

Steven Maresca  02:58

If the door’s open, it’s easy while tonight, so deny that opportunity. Credential management is really the next thing, and this is about authentication and authorization. Since 2020, almost every organization on the planet’s implemented multi-factor authentication, two-step authentication, whatever you call it, and that’s great. If it’s not in place, it’s an oversight, and it’s right now just a base expectation. Candidly, the part of the conversation to follow is the fact that the landscape has changed. Our controls are working, and how do we react to that? We’ll talk about that in a minute.

Jason Pufahl  03:32

Then the well, I guess we still are talking about security awareness training, and that never goes away. It doesn’t and it’s only it’s becoming increasingly, in my opinion, increasingly important. A lot of the conversations we have are less about, do you have a security control in place? But is it more? Do your employees understand what to do if there’s an issue, how to respond to an inquiry that is unanticipated? You know, recognizing phishing and social engineering, all that stuff.

 

Steven Maresca  04:03

Here’s the thing, security controls and investments implemented are working because they’re working. The training of personnel and behavior matters more, right, for sure, and in fact, it feels like a really good example of that.

Michael Grande  04:19

It’s security awareness training, that the process has been streamlined. It’s, it’s an easy implementation, generally now right across an organization so, you know it, there’s almost no excuse not to implement some sort of a program.

 

Jason Pufahl  04:33

Yeah, it’s just making sure people do it. I mean, I think that remains right. Really, one of the challenges, you can always get people that are onboarding; harder to get people in the company to do it. And how do you make it front and center, and how do you make it valuable? Right? Exactly. So, yeah.

Steven Maresca  04:49

So the other, you know, baseline expectation is backing up data. Business critical information needs to be housed in an appropriate location and preserved. If it’s not there, you don’t have it in the case of an emergency if you need to rebuild, and if you do have it, every security incident that an organization is likely to face becomes a relatively quick thing to recover from. I think most orgs understand that today, and it’s a matter of sustaining what they’ve already put in place from a data backup perspective.

Jason Pufahl  05:21

So I think, I mean, I agree everybody knows to back up, and I don’t know if everybody knows to test it all the time. So I feel like that’s probably, for me, sort of a takeaway like you, you may have put your backup process in place a couple of years ago. Are they still working? Are you still getting the data you want? I think we’ll talk a little bit about knowing where your data is in a minute. I feel like that’s a critical piece.

Steven Maresca  05:44

Yeah, validation of the data that’s stored to make sure it’s actually there when you do a restoration, it’s now an expectation. You know, cyber liability insurance will ask for that. When did you do your last backup restoration test? If you haven’t, now is the time to get to that level of priming.

 

Jason Pufahl  06:02

And then probably EDR is the most. I mean, in my opinion, almost the most common tool that we see deployed now. It’s required by cyber liability insurance, a whole variety of other reasons. I think most people have implemented that at this point, right? So our discussion is much more, are you using a good tool, and are you collecting the data out of it that you need to and reviewing that data?

 

Steven Maresca  06:28

Right? This is a budgetary decision. In many cases, organizations that deploy EDR that were middle of the market maybe have some gaps from the perspective of capability. When we do a pen test, it’s pretty common for some of our tactics to be unobserved. With a top-of-line EDR, or even, you know, top-quadrant-type EDR, you’re not having that problem. You detect the attack early. So now it’s more about refining what is in place and making sure it’s appropriate.

Jason Pufahl  06:58

So I mean, all the things that we talked about, I’ll say over the last four or five years, they all remain. We’re seeing a lot more adoption, no question about it, better implementation in general. And now, in a sense, it’s time to ramp it up a little bit more, right? So moving then from, I’ll call it just a total controls space, more to a what are you supposed to do as an organization space, right? And that’s our policy.

Steven Maresca  07:29

Yeah. So what we talked about before, that’s, you know, blocking and tackling basics. Organizations now are broadly expected to have acceptable use policies, an information security policy, and written information security program documentation to basically say, here’s our specification of what we organizationally think we are supposed to be doing. Here is what we expect of our employees, and here’s how we safeguard data. If that type of material doesn’t exist, it really, in my opinion, impedes demonstration of value to business partners, and it has the net effect of looking like a greater risk from a liability standpoint. So build the policies. It will help with a huge number of compliance and reputational elements, just to show we’re doing the right thing.

Michael Grande  08:20

So a quick point on sort of policy development, and I know it’s a it’s a key deliverable, you know, in a lot of our different engagements that we have, but depending on the sophistication of the client, you know, one of the concerns, and I’ve had this conversation with different folks in the past, is, well, isn’t this an automated thing? Can’t I use, you know, can’t they use an AI to develop a policy for me and just have it so, you know, I check that box. Maybe just spend a second talking about the importance of the relevance of customization to a certain extent, right? Developing these policies, you know, pursuant to what your business is.

 

Steven Maresca  09:01

It’s a very important point to raise, because there are lots of policy templates and libraries that exist. They tend to be generic or, you know, catch-all policies that don’t apply to all business types. You don’t want a 40-page policy for an organization of 20 people; it doesn’t make sense. You want something practical and attuned to the type of business. Similarly, you know, if you have a generated policy from a template, it may reference regulations that don’t have anything to do with the business in question. There’s additional risk where, you know, the policy that you grab off the shelf includes stipulations that the org must fulfill, things that are frankly inappropriate for the data that they deal with. They produce audit findings when a policy on the books isn’t backed up by actual implementation or procedure. It’s really an important point to stress, because a lot of policies are not just pieces of paper; an auditor will come in expecting that there’s evidence that the policy language is being followed. So customizing something, attuning it to the business and understanding whether it’s appropriate for purpose is the necessary step to avoid quite a few negative outcomes. Otherwise, we tend to make small policies that are appropriate for staff and business, rather than something really large, because it’s just asking for trouble, right?

Jason Pufahl  10:34

So you talked about this a little bit more when we were planning for this, around the idea of data flow, data inventory. I actually argued about it in a tiny bit where, because I think it’s important, and I was trying to reconcile that with some of those more basic controls. So maybe spend a minute, because you convinced me.

Steven Maresca  10:54

Well, so we’re out of the realm of basic controls. We’re into refinement, and most organizations have a sense of the data that they process or store or need to use for their business. What they don’t necessarily do a good job of doing is saying exactly where that data is stored, in what volume and in what type that data is. So case in point for why that’s important. If you have a breach or a security incident, you’re probably bringing in a third party. That entity needs to understand very quickly where your key data and your key systems are, and if you don’t have that in a simple spreadsheet, you need to reconstruct that on the fly. A business and all of the people in it might know that the file server on the P drive stores all the finance data and the H drive stores the Human Resources data. But everybody’s different. Merely having a map of where everything is is hugely beneficial. The attackers are looking for it anyway. You might as well equip yourselves with some understanding of where it’s going, where it’s coming from, and in that notion, also documenting where data enters and exits the organization is a really important thing. Yeah, so flow and where it’s stored, those are the two things that really are intrinsically important. And it’s not a huge lift if you have an asset inventory, servers, workstations, applications. Add another column, indicate what type of data is there. It’s done, yeah.

Jason Pufahl  12:23

I think what convinced me really is, and we’ve said this, I was just trying to think if it truly was like a fundamental control or not. But it’s just easier to protect data when you know where it is right, rather than just kind of blindly trying to protect everything.

 

Steven Maresca  12:36

So a major issue in an incident is the latent data that sits on workstations and stuff like that. You have to go find that after the incident to say, we have to notify these people or not. Yeah, if you know ahead of time that a particular department stores data locally or at a particular file share, it just is an opportunity to reduce risk and a way of getting to a conclusion faster in an incident. That’s why, totally reasonable. So shifting back again to security awareness training, it’s a good segue from data. Most security awareness training talks very briefly about, you know, phishing, how to identify suspicious messages. That’s great, but it doesn’t often get into how people are supposed to behave around data use. Security awareness training addressing that will absolutely bolster the previous subject, and furthermore, give a sense of, you know, what’s important to particular roles. That’s what’s often missing. Training for your finance people, training for your HR folks in particular, because they are targets.

Jason Pufahl  13:43

Yeah. And more often we see just generalized security awareness training. I mean, there’s certainly your computer-based training. I don’t see a better way to describe it, but there’s modules for business units. A lot of the in-person training is a little more challenging because you’re trying. You’re typically doing larger groups. So how do you actually compartmentalize a little bit better?

Steven Maresca  14:02

And it’s obligatory in some cases. If you’re collecting or processing credit cards, your people in that role need to have PCI DSS-specific training about how they preserve cardholder data. If you decide or a threat for a CMMC, absolutely. Yeah. Some of them, if it’s not being done, it’s quite literally a compliance failure.

Michael Grande  14:19

And you know, talking about the evolution of controls, and, you know, I know many organizations see it, but sort of enhancing those general financial controls that exist within any size business. You know, with dual control authority, a lot of banks are implementing, you know, positive pay payment systems now to verify that the intended recipient is actually where the money needs to be going. You know, I don’t know how many cases I’ve seen of this where it feels like, you know, the bad actors are crawling LinkedIn. They’re looking for new additions to each company. They’re taking advantage of that with targeted phishing attacks to say, hey, this is a new employee just hired. They just made an announcement on LinkedIn, let’s target this person, and possibly if they have any financial authority in an organization. So, you know, keeping an eye and refreshing those things and working with your financial institutions is really important as well, because those things are constantly evolving and changing, and financial, you know, monetary damages can add up very fast from a direct issue that can come about, wire fraud, etc., and

Jason Pufahl  15:29

Difficult to recover, right?

 

Steven Maresca  15:31

And often unrecoverable, right? This is a situation where many orgs are doing the right thing at the moment, but it’s because the people know from on-the-job experience, and that’s not the same as training against it and having a procedure that’s been documented that a new guy can follow. That’s the absolute necessity here. Yeah.

Jason Pufahl  15:53

And your point when we were discussing this is, you know, there are so many of the controls that remain constant, but because now companies are doing such a better job at implementing backups, MFA and EDR, the attackers are getting more sophisticated, which is really the problem for the evolution of this, right?

Steven Maresca  16:11

And you know, to expand on the financial controls aspect, we saw an attack recently where there’s no urgent or particularly easy to detect phishing chain that precedes them. They are gradual. They interact in a benign and believable manner and build credibility and basically manufacture a behavior in accounts payable personnel based upon very capable deception. Yeah, that’s the way things are working today. It’s not just a, hey, we changed our bank account. Please update it kind of a message any longer, yeah? So it just drives home the point.

 

Jason Pufahl  16:52

So, I mean, I think, you know, that really concludes today with, you know, the transcript will always be there. It’s easy enough to look at the, you know, the items in sort of written format, not a substantive change, really, over the last four or five years, really just some additions, and some call it improved practices. And you know, we’re seeing, we’re seeing cyber liability insurance, we’re seeing regulatory expectations, you know, shift a bit, kind of the reason we added, you know, a couple of years, absolutely so as always, thanks for listening. We appreciate it. If you have any questions, reach out to us. Thank you.

 

17:28

We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn. And remember, stay vigilant, stay resilient. This has been CyberSound.
