RCR 020: Security News and Information Security Governance (Part I)

Jan 14, 2019

Subscribe: iTunes | Goggle Play | Stitcher Radio | RSS

Description:

Shon Gerber from Reduce Cyber Risk.com reveals to you the steps each week the information you need to best protect your business and reduce your company’s cyber risk.

Shon provides cybersecurity training for individuals working on their CISSP as well as ways to better secure your business's daily activities.

In this show, Shon will go over key security news, business training, and finally the key aspects to implement an Information Security Governance program within your business.

These videos will go over what the hiring professionals should be looking for and what potential candidates should strive to achieve to meet the growing cybersecurity job demand. This broadcast is Part 1 of 2 in the ongoing series designed to better secure your company while also training security professionals to provide better capabilities to their employers.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskRed...

Transcript:

welcome to the Reduce Cyber Risk podcast where we give you the tools you need to meet your cybersecurity regulatory requirements while helping secure your business and keep the evil hacker horde at Bay I'm your host for this action-packed informative podcast each week as I provide the information the best protect your business and reduce your company's cyber risk how to get going real Shawn Garber with reduce cyber risk in today's episode we are going to be talking about some cyber security news that have hit the the recent wire and then also some cyber security training that I've got that is being put out and it's a supplement to cissp course at you'll see out there from different companies along myself I have a cissp course available as well but again it's a certified information security systems professional cissp but there's some really good stuff that we've got coming down the pike for you from reduce cyber risk as a relates to the Iran DNS hijack we've got some stuff going on in the news around that so NASA I will start off at Nasa first NASA had and applique basically leak some data out there in the world and what they use is that using insulation called Gera there's other types of development software out there that is such as TLs but you're as one like that and it basically the code repository and allows you to track what you're doing with bugs your coding is your is your going through if you're indifferent Sprints but it's a form that they use for managing your development had a jury is delayed what's available on that was open for people to get access to accident I was not supposed to be this way was and what ended up happening was it allowed you want an all user permissions for that system basically it allows someone to get access into their jira console to find out what they're working on have access to the code and so forth now there was no PIR personally identifiable information that was available to them it was all just kind of discretionary data that had been out there but realistically just kind of comes down to is that they have left an Open Door basically if within their jury installation for people to come in it didn't really appear that it was a dedicated people that were trying to get into this however yeah it's more like somebody just kind of stumbled across it so something to consider around that is that when you're doing app development it's really important that the repository that you keep your data and whether it's a Cote a Cote codesource that you had your stuff in or the fact that you're using some level of documentation that's kept in like TLS or jira that your management solution you need to make sure that you have all of that lockdown because from my standpoint I've got a development team that works for me and if they had access someone got access to our code in the fact that it would invest early be intellectual property or when we something push us over the edge however it's something I'd contacts around our company and so therefore it's important that you lock all of that stuff down especially if you're dealing with outside parties that are third-party vendors that are utilizing your code you need to make sure that you have that a lockdown as well so it just kind of thing around NASA's app leaking data DNS hijacking now this is it the news and I actually affected a friend of mine I had the same situation occurred to him but what they've done is they've been able to hijack people's DNS now if you're not familiar DNS is the domain name service and it's it's a key component to making me internet work and really what it does is it please website has an IP address and he's IP address might be I don't know let's just say 13. 22. 16. 75 and that is really hard to remember all of those numbers I am so if you type in those numbers you can get to that site but it makes it way too hard for somebody like us humans to be able to understand all those numbers so what they did is they came up with DNS and it basically ties the name like reduce cyberbass.com to an IP address of 13. that's what I that's what it dies it too and so therefore that's basically is your name what would have been able to manipulate Iran has been able to manipulate DNS records and they're saying since 2017 so for the past almost two years they've been doing that so you going to have to do yours and what it does is it allows them to intercept the email data usernames and passwords that may be flying in that clear around these name so when you type in a DNS for do cyber risk instead of going to my side it would actually take you to some Iranian site which would be bad right so especially if they mimic and make their site look just like mine what they can do as they can start taking the data that would be put in there and they can Harvest that data obviously a bad thing we don't want that to happen jacking since 2017 now FireEye to Great tool out there that is they've got some different stuff as it relates to their protections from web proxies to email but bottom line is they recommend that you monitor your mail server certificate and you need to watch where they're pointing especially if they're about ready to expire because you guys might gobble them up and next thing you know they're pointing your information to their web Surfer versus actually being pointed to yours was that it was really hard for how they could actually they're manipulating a DNS records are not real sure how they're doing it so it'll be interesting to see as this goes on overtime what comes of it that the other thing is kind of interesting is as our world becomes a very small place with the internet and the connections and as we become more and more connected from our cell phones to internet of things to Alexa's to you name it to whatever that might be how does that getting infected through these various companies that are various individuals are nation-states who may not have the best interest of myself in mind and maybe looking out for themselves and global domination links on the show not too far is where all these links came from but I thought that was kind of an inch now Alsina news you may have seen that were AT&T so we would never ever sell your data anymore okay that's why they make their money so AT&T Sprint Verizon T-Mobile there they've been selling your data shock believe can't believe it just terrible it is actually a lot of it comes down to is they say that in the fine print but they're they're using your data to sell it to make a profit and basically what they've done is they've actually turned on your location data and they will basically allow they take all of that data and they're pushing it to other third parties and they use that for benefits of like an example of I've seen it where stores where you walk into a store and it'll automatically pick up on the Wi-Fi that says you know what since you're picking up on the Wi-Fi we're in our store we're now going to Parlay adds to you so that you can you'll see the different stuff that's in our store different a different sales what are they it might be because they assume that most people are actually using their phones right these things will pop up as notifications those with a clear consumer benefit they will not allow it to be sold anymore again they were taking your your aggregation of your location dated since an AT&T standpoint and they were turning around and selling it to third parties as a profit so they're making money off you from the sale of the of the phone or the use of their service along with selling your data and this is where data is going to become more and more valuable it's it's amazing because as we become a data-driven society and we have artificial intelligence and machine learning kicked in the date is going to become more and more valuable they had an example in the article that they said Joe Cox what he actually paid 300 bucks to a bounty hunter to find to be tracked is got an image of Cox was to be tracked actually not the guy but the report he's able to track and locate a u.s. phone number for three hundred bucks and you discovered it through a third party that had purchased the subscriber's location records so basically for three hundred bucks you can put somebody down and it's from their phones why their phones are on all the time you're the thing is as you click on these the hughleys which is your end-user license agreement you click on these so often they just say just yeah except my location well when you're doing that you are allowing these people to potentially use your location and sell it to other people bucks they can find you if you're a bad person and you don't want somebody to find so that whatever phone to see if that comes I practically wherever how many places by T-Mobile that it will not knowingly share PIR personally identifiable information something to keep in mind with pii that is a u.s. kind of based term but it's getting Privacy Information lastly kind of a long all these lines was is that we're seeing more and more pressure from the US with US government to come up with some sort of Privacy Law similar to gdpr so it's kind of a gdpr kind of law so that will be interesting to see if that comes I person believe it's going to happen it's just a matter of time that they got to put something in place but we'll see where that potentially goes here in the future all right so we're going to move on to our training for the cissp how many mm is Sean Gerber was reduce cyber risk and this is the ongoing training for the cissp or certified Information Systems security professional that's a lot of words but bottom line is this is a supplemental course that's going to help with that training and that supplemental course is designed to meet all the same requirement that you would with the cissp and when they have learned doing that the cissp was that you have to be a mile wide and an inch deep in the training so with this is designed to do is to add to that training for you so the purpose of it is going to be just some quick down and dirty things that you can help you become successful as a security professional within your organization all right so let's get started information security governance exactly is it honestly that's one that I struggle with over and over again over time because the simple fact of it is is that it seems like he's Big Ten Dollar Words and you really when you come right down to don't know what they all mean that's the one thing I did I struggle with because realistically I feel like sometimes I got a third-grade education even though it's not true I do feel like that because from a security standpoint it always seems they're using these Big Ten Dollar Words that I don't totally understand use flight B1 bombers and then I got into the cyberspace and worked as a hacker so I got to do some of those wonderful cool things but at the end of the day I run into Corporate America and I'll be as a security information or as a chief information security officer I see these Big Ten Dollar Words I struggle words have meaning but what the information security governance is its real having a higher level of visibility for leadership so that they understand what exactly is going on within the information Heap program within their company the definition and then you can tell me what you think of it but bottom line is security governance is a set of responsibilities and practices exercise by the board and executive management with the goal of providing strategic Direction ensuring that objectives are achieved ascertain that risks are managed appropriately and verifying that the Enterprise resources are used responsibly fault a lot of Big Ten Dollar Words the day it's kind of spells out exactly what information and it comes down to the responsibility of the senior execs and the boar and it is overalls information security is their responsibility and it's also the security officers responsibility but it's getting so bored and Senior Management senior leadership soda provide leadership for the security program within your organization it gives them guidance directions on what they need to do and Define objectives for your specific security program and when it comes down to is if you had this Define doubting and brought in a bullet size format it helps give you objective in Milestones to shoot for so what you have to do is you have to keep the end in mind and that comes out of a strategic plan of how you're actually going to get there and so this really comes down to is what is your plan now you could be a chief information security officer you could be the local janitor doesn't matter. All those jobs and they are wonderful but bottom line is is security is your responsibility especially if you're watching this video and so with that being mind you need to come up with strategic plans to help with your organization but it's also leadership's responsibility as well to help you with that and you need to take a risk-based approach being in the military I can tell you I've had plenty of times were the government will spend bazillion dollars and zillions of dollars are trying to protect their networks but at the end of the day we still get into so you have to decide from a risk-based approach how do you want to best protect your environment and how do you want to have your security program set up you also helps you with a management of resources and integrating it into the information security feel it also finally is about some measurements in metrics and metrics are a big deal it really are you need to understand how are you going to measure what you're accomplishing and what do you need to do to fix the problem not security practices what are these security practices there a collection that define an organization they really are and they're integrated imposed in various forms are purposes by different needs or requirements what exactly does that mean cool sentence with lots of big words that if we didn't say a whole lot but what it comes down to is as let's say for instance you have a company and your company is regulated and it could be regular by DeForest as a defense acquisition something alert yet why does Addie fart if you're a vendor the US government requires you to have a cybersecurity pro play it could be that you are falling to see if a switch is the ability anti-terrorism standards that could be an issue you could have a requirement where the vendors require you to heavy ISO 27001 certified so you may have some Regulatory and or compliance requirement is gdpr when you to do various security practices industrial standards that you may have to meet for that and this in the case of iso 27001 especially if you have to create something I've seen vendors that have had to maintain a certain certification for the international standards organization ISO 27001 and it's a very specific criteria that you have to meet Aden assessment of these governance principles they should occur you should be audited and you should be assessed based on the principles and he's usually are based on Frameworks that will get into later on the cissp course but it comes right down to it isn't that that's how they follow those Frameworks you follow him and that's what you usually audited against the nest is the nist 800-53 and 800 100 and you're like going what does that well bottom line is there regulations that are in place for the National Institute of Standards and technology for the US government and these are standards that were provided for the Department of Defense for when they come up with systems how do they make sure that they made a certain criteria and it does happen a lot when I was flying airplanes when you fly the airplane supposed to fly the same way and I didn't always play the same way but they created the actual the plane and they had to follow the standard therefore they needed some standards that were put in place International standards organization ISO is another set of standards that are more globally in nature has u.s. United states-based ISO is a global responsibility of global organization now is your talking about naked not naked but Naked cat and their benefits CD the National Association of corporate directors so they had a bit put off some guidance around this and these are the people that have boards right that say can I help a line with what is a board look like in there people that are memberships of the naked naked naked and so there's four practices that they recommend boards need to have to operate one is an information security on the agenda you need to talk about it you can stick your head in the sand like an ostrich and say it doesn't exist you have to be able to talk about him identify Information Security leaders do you have people in place that will be your leader for your company and they are in the security space isn't effective corporate information security policies so it's not just one but do you have multiple policies in place that focus on your information security program and then fine you finally you assign information to key committees for support and the purpose of that is that if you have a committee that's keeping the security person abreast and supporting that person that's a positive thing so those are the four practices that boards need to have to operate now what are the benefits of governance accountability right so if you have some level of oversight some government accountability to ensure that the data is properly being protected the best Disco in the world will take it probably a good idea cuz guess what I make mistakes so it's good to have accountability and have oversight into what is actually occurring it's also an integration of risk management now my view of risk management is different than the people that do it for a living and their of ideas of risk management so it's also incorporate that into the process and getting other people involved as protection also and some respect from some level of civil or legal liability. Does it mean to be protected and also a lawyer twice but bottom line is is that you need to talk to a lawyer especially if you are an organization that is looking for a cybersecurity to your to protect your company but bottom line is is they've seen and they witnessed that protections from civil and legal liabilities have occurred if you put Security Programs and security governance in place does it means going to go away but it can't have less of a sting potentially and is also plenty of other benefits now business integration what does that mean just an IT issue to resolve the challenge it really isn't your integrated all levels of the organization and it comes down to have seen it so often where light he's got that was an IT issue well it's not an ID issue it's a business issue business but at the end of the day it's still a business issue and so it needs to be integrated all levels of the business so that for all the way from down to me as a guy that cleans out the toilet all the way up to the guy that is has multiple homes and multiple cars but bottom line is is that it needs to be at all levels also managed by a group or a committee it deck and that's when we come back to the committee piece that nacd had said you have some level of oversight and some groupthink around how you're going to protect the business and then you also can report these findings to the board of directors that's another part of what in business integration the Board needs to be aware of it it's not just a ID issue Kansas some key parties that should be involved in a little bit of reason why that is we're talking about that the board of directors in the trustees of the business now some businesses don't have that and realistically I think I've been on scene aboard a couple times right never been on a board kind of scares me what kind of sit the corner suck my thumb but reality goes is that these are the people that are interested for the business and they have the best understanding of strategic risk and how the business is properly said it's off of line do they have their wrists with outside competitors is there a global risk from a competitive standpoint of intellectual property concerns that someone might steal it that they have the best connection of what that looks like are they in a position for a hostile takeover they would know that not that I really know what that means but they would know that IP privacy data Etc are the executives they usually are owners within your company they are there ultimately responsible for the data and the protecting of the data that that's the ones that do it now they may entrust their thoughts to people like myself to help them with that but at the end of the day the date of belongs to them steering committee's what kind of talked about this a little bit as well members of the board are Executives and security that are part of this committee to help guide the Strategic view of where you going to take your organization how you going to protect your data they also best understand the culture and the organizational objectives of the company as we all know the culture is very different from company to company until the steering committee will help bridge that Gap and understand what that could be Station security officer legally responsible for information just becoming bigger and bigger issue where so you are legally responsible for the data that's a scary proposition because realistically I don't always have control of the data and I don't always have control of the security sometimes these decisions were made before I even showed up Social Security professional be careful what you wish for because you never know what you're going to get also provide strategic Direction based on your organization which then come down from the executives and from the board so they can help drive those things for with within a company thanks so much for joining me today on my podcast if you like what you heard please leave a review and as I was a greatly appreciate any and all feedback also check out my videos that are on YouTube just search for Sean Gerber and you will find a plethora of content to help you secure your business lastly head on over to reduce cyber risk and looked at all the free stuff it's available for our email subscribers is growing each and every day thanks again for listening

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team. You'r information will not be shared.

Close

Don't you want to pass the CISSP....the FIRST time?

Get my FREE CISSP training videos (Domains 1 - 4) so I can show you how to pass the CISSP Exam...the FIRST time! .