RCR 022: Security News and Building a Security Framework (Part I)

Jan 28, 2019


Description:

Shon Gerber from ReduceCyberRisk.com reveals to you the steps and the cybersecurity training you need to grow your Information Security career while protecting your business and reducing your company’s cyber risk. Shon utilizes his expansive knowledge while providing superior training from his years of cybersecurity experience.

In this episode, Shon will talk about recent security news: Colorado Communication Encryption; DHS DNS Hijacking; 5 Stages of a CISO. In addition, Shon will be providing training on the understanding of Cybersecurity Frameworks and their importance in protecting your business or for your CISSP certification. Some of the content will include PCI-DSS, ISO 27001, Cybersecurity Framework, and so much more.

As always, utilize Shon’s cybersecurity training to help fulfill your Continuing Education credits for your CISSP or other security certification.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet? LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskRed...

Transcript:

Welcome to the Reduce Cyber Risk podcast, where we provide you the training and tools you need for your cybersecurity career. Hi, my name is Shon Gerber, and I'm your host for this action-packed, informative podcast you need to grow your cybersecurity knowledge while taking practical and actionable steps to protect your business from the evil hacker horde.

Welcome to the Reduce Cyber Risk broadcast, or podcast, for January 28th, 2019. Hope everybody's doing well. We've got some great stuff put together today. Today's broadcast is going to be around the different cybersecurity stuff that's going on, different news items as well, along with some cybersecurity training around understanding cybersecurity frameworks. So the news we'll talk about is: Colorado police encrypt their communications; five stages of the CISO, or chief information security officer's, success; and finally we'll talk about security training for cybersecurity frameworks, so this will be part 1.

OK, going to security news. A lot of things happening lately. These are actually some that aren't the typical "the sky is falling and we're going to lose everything because everything is encrypted and long live the hacker." No, we're not doing that this round. We're actually going to have some different, interesting things that I thought were kind of telling in the fact that the world is changing dramatically.

The first one: police department encrypts all radio communications. It's in the show notes and will also be in the slides as well, but Graham Cluley talks about this, where the Colorado police department had to actually go out and encrypt their communications channels between the squad cars and the actual squad, squadron. What they had to do was, they did that because of all of the apps that were intercepting and eavesdropping on their communications, and so therefore when someone is going through a crime and they were trying to go and talk back and forth with the police department,
they ran into issues around that capability, so is that date they did somebody woke up encryption on that.

Now the interesting part around that was that in the military I actually had that challenge. We would have certain encrypted communications when we were flying airplanes, and we would talk between ourselves. We'd have to link and sync up between the airplanes, and they have to have a code that you'd put in, and then when that would happen, your airplanes could talk to each other encrypted as well. So now it's moved from basically being in airplanes to now the situation where you've got police departments that have it. So it's kind of interesting how the world has changed in the past, but it's kind of cool how the technology is continually morphing and changing. And it's actually changing in this case; it's, they're bad people, they're just people trying to get the scoop, but the police department doesn't want that to impact their investigation, so therefore they do these kinds of things. So it's kind of cool. That overall article is on their website.

Now, as regards to DHS: DHS issues an emergency directive. And what exactly is that? Well, recently there have been some DNS hijacking campaigns that have been going on, and we talked about those, I think it was last week or the week before last, about what was happening. Bottom line is, they believe there are some Iranian hackers that are working as state-sponsored, that are actually going out and hijacking DNS names. In the process of doing that, what they do is they can then redirect the traffic to where they want it to go, to basically impersonate that DNS name. So what ended up happening is the federal government, the US federal government, decided to issue an emergency directive to enable some capabilities within the government to start looking at this and auditing what they had in place from the DNS standpoint. Able to intercept, forward, record network traffic, right? But they can't deal with this
happened as they've been phishing the registrar information, and then they go in and change that information so the DNS no longer points to where you wanted it to point; it points to their DNS servers. So that's how they're able to then copy your site. They act and look like your site, and then they can copy the information that's being sent to them, added into it. So it's kind of an interesting attack that's going on, and obviously they've had some issue with it. I know there are some creds that have been compromised for the US government, and FireEye had mentioned that they had talked about it with them.

So they enabled CISA. Now what CISA is, is the Cybersecurity and Infrastructure Security Agency, okay, and they were formed November 18th, 2018. Under Obama had actually signed the order to have it put in place; they finally turned it on in November of 2018, so it's really not that old, like 3 months old. And they have the authority to basically go out and audit all these DNS servers. And so I can only imagine, the size of the US government is monstrous, and so therefore finding these DNS servers and figuring out who are the authoritative and the secondary DNS servers, who has those, how are they protected. And they've also said that it has to be completed by February 5th. So this podcast is, I don't know, what do you think, probably two weeks before the February 5th timeline, so that is not a lot of time for them to get this done. So hopefully they've got a lot of people working on it. You just never know what's going on with that. So anyway, you can check that out. It'll be interesting to see where that goes and what they dig up. Usually when they do an audit, that's usually when you find things that are not necessarily correct, and that kind of changes the dynamic just a little bit. So that is around the DHS emergency directive.

Next: five stages of a CISO success, from Dark Reading. And I thought it was kind of interesting because if you're a person who has listened to the podcast, you obviously are
probably a small or medium-sized business that is looking for cybersecurity stuff to help you out, and also potentially to train some of your employees, or if you're a security person who's looking to get the next certification, i.e. the CISSP or something like that, you're tuning in. Well, one of the things, if you're a security professional in a company: what Dark Reading did is they walked through the various stages of what the CISOs have done over time. So this basically starts back in the 1990s and works its way up to today, which is the 2018 to 2020, so you're talking almost 30 years, right, 25 years, and that is a long time ago. But they talked about five stages, and this is not like the five stages of Hades or anything like that. It could be, I guess, if you have a really bad day and you get breached. But it's the five stages of where they've seen CISOs morph over time, and they had a 2019 CISO roundtable or advisory group, and they had a response to where it's been, or what it was, and where it's at today.

So stage 1, the number is basophils about the first five years of the a piece, and they really came out, this started around 1995 to 2000, when they started kind of coming up on the scene, and they were limited in their security posture, based mostly on login and password, right? So that was what the majority of people were dealing with at the time. So that was the 1990s and 2000. That has now changed dramatically to the point where it's not just logins and passwords that you're dealing with around security. And so they thought that the whole focus at that point was pretty much just making sure everybody's got passwords. The other aspect of it was that those were not really part of the equation as it came to senior leaders; it was more of an additional add-on to it, and honestly we'll see that kind of going through most of the stages, up until we get to that stage 4 and stage 5, which is when the CISO starts to come out of that shell. But something to kind of consider around
that.

Stage 2: more regulations are coming into place, privacy regulations, and so therefore the security officer, the security person within the organization, has to get smart on what that is, and on understanding the compliance aspects. It was more regulations as they came into the privacy piece. But now as time is going on, so from that era to now today, we all know that the regulations and the compliance piece is extremely large. It's not actually even one where you can just go, "Hey, I have only got a couple regulations to worry about, or a couple compliance things to deal with." It is continually expanding; it's going beyond what it ever was. I've got to get into privacy, I get into cybersecurity regulations, I get into data, all those things that normally would potentially be just in certain areas. As a security officer, you've got to cover everything, and you at least got to be able to discuss it, doesn't even know it, but you better be able to discuss it and understand what exactly is occurring.

The other, stage three: they came out as being risk, it became more risk-based. And so they said that, and we've seen this in the past, it was like, "Okay, I'm going to try to protect everything." In the military that was the point too: you can spend gazillions of dollars, billions and billions of dollars, to try to protect it and it's not going to matter; they just need to get in once. Well, then they changed the orientation to go from basically being "I want to protect it all," i.e. stage 1 and 2, to being more of a risk-based approach. Now, I challenge that a bit in the fact that they say 2004-2008; from my experience it was more like 2010-11 before I started seeing change in that. However, that's when they see the changes occurred for risk-based.

Stage 4: threat-aware cybersecurity. Again, now you're dealing with between 2008-2016, which is not long ago. You've got social, you've got mobile, you've got cloud, you get everything on top of all the other stages that you have to deal
with. These are all cumulative today; they haven't changed. Now, with that being said, we're trying to automate some of this piece and try to help with at least number one, trying to get some of that away from having to worry about it too much, but at the end of the day you still have to know one through four at this point. That's threat-aware cybersecurity: social, mobile and cloud.

Okay, now stage 5: privacy and data-aware. As a good friend of mine said, and I've talked about this in some of the CISSP training that I've done, it's all about the data, and you have to know where the data is going, who has the data, who's touching the data. It all comes down to that. So that's stage 5, privacy and being data-aware. We were just talking to some individuals today about data lakes, you know, and how do you deal with that? You've got Amazon, who's really got this monster data lake. How do you manage that? How do you protect it? How do you keep it from falling into the wrong hands? And then you've got the people that have access to it; they can run all kinds of reports. So these are all little things that you're going to have to roll around into more of a managerial role or more of a leadership role. These are all the things you're going to have to deal with. However, you don't have to be a manager or leader to be able to deal with those things.

The whole point of this article was just to kind of tell you how things continue to change. The one part they mentioned in there that is pretty much spot-on is the fact that you're just going to have to adjust and you're going to have to morph with the times. The biggest part around this, though, is you do not have the luxury to basically sit back and not want, and I know I'm already way behind in some things that I need to be, just because it's changing so quick.

So again, we talked about police officers encrypting their communications, right, about DHS and the challenges that DHS has had recently with the DNS hijacking that's going on, and then we just talked
about the five stages of CISO success.

All right, going on from security news, let's go ahead and roll right into our training. Okay, this is part of our CISSP supplement, and this is understanding cybersecurity frameworks, part 1, right? All right, so we're talking about cybersecurity frameworks. We're going to get into the, hey, what do they mean, and we're basically going to go to the fact of how do you unwrap these, what are they actually, what does it mean, right, acacian. And what I struggle with, as far as just common-sense things, I had to break this down to a point where I can actually understand it, because I kept hearing all these security folks talking about a framework. What is a framework? What the heck is a framework? To me it's like, I'm going to build a building, maybe build a hog confinement, so, from Iowa, I can have some pigs in there. I've got the frame, and I've got to build a frame around it, and then I've got to work to do it. So there you go, building a hog confinement. That's not true.

What it is, is a guidepost, in this case a guidepost to a secure environment. The whole purpose of it is that you need to look at how do you secure your environment. So if you don't know what to do, let's just say you are Billy Bob, and Billy Bob has no idea what to do around security. He knows the terms, basically, and he knows that he should do some stuff, but doesn't really know what he should do beyond that. And so therefore, how do I do it? Well, that's where the frameworks come into play, and they're really useful, especially when you're dealing with frameworks that are more simple, but you can also have some that are more complex. ISO 27001 is an example of that, which will make your eyes bleed. So the point of it is that you will need to have a framework.

It's also designed to meet some level of compliance requirements. As an example, there was a recent law that's been passed in Alabama or South Carolina, and the fact of it is that, it was for insurance agencies, and these insurance
agencies that had a certain amount of people, we talked about it on the podcast, a certain amount of people in your organization, was basically a certain size, have a certain number of clients, you must follow some strict criteria. And of all these criteria, one of them is to have a security program in place, and what they say is that if you follow a security framework for this, then that will help meet the overall goal of the law. So it just helps to guide people in the right direction on what to do. However, if you're a person that's not a security person, you're going to read this stuff and go, "What in the world are they saying?" And I'm a security person, and sometimes I scratch my head going, "I have no idea what you're saying," does getaway just a little bit. So those are some of the things around the frameworks.

As an example, and there are many use cases: the New York Department of Financial Services, or NYDFS. They have some high regulations around financial institutions. It's by the state of New York, and therefore one of those is that you must have some level of security in place, following a framework to do so. So this is how they do it.

Massachusetts 201 CMR 1700 hit the books, hit the streets, I think last week, but basically what it comes right down to is that if you have anybody that's a Massachusetts resident and you get a breach within your organization, there are certain things you have to do. One is the fact that you've got to give credit freezes to people, got to give credit monitoring to people, the standard fare around that, but bottom line, got to do that, right? But you also have to have a written security program in place. Sounds like, just as long as you're working in that direction, you're okay, but it's still a little fuzzy to me. Bottom line is that they want you to have some documented, written information security program that you need to follow. Well, frameworks are a great way to do that, and therefore it can point
you in the right direction. So, framework: hog confinement, but a framework in cybersecurity.

Available frameworks for you to play with: there's really about, the big five, I call them. There's way more than just 5, obviously, but there are some that the majority of people utilize. The first one is PCI DSS, the Payment Card Industry Data Security Standard, and this is part of the PCI SSC. The bottom line is, the payment card, credit card stuff goes through PCI.

ISO 27001: this is a defined international standard, international organization, and therefore you follow that standardization for organization, that organizations follow, and it works out really well from a global standpoint to be able to follow this framework. They are different: PCI DSS is different than ISO 27001, and it's different than some of the NIST frameworks that are out there. Just a couple that I have sitting out is the 853, which is around the security and privacy controls for federal information systems and organizations, and then there's the 800-171, protecting controlled unclassified information in non-federal systems and organizations.

And then finally, the one that actually I think has got the most meat behind it, I mean they all do, but the one that I feel is probably the easiest to be adopted by many, is the Cybersecurity Framework, and they typically call it the CSF, Charlie Sierra Foxtrot. Okay, and in that you have they fall fall I but it used to come out of the critical infrastructure framework, and if you can follow that, it's got some really good pieces in there to help you with your organization, to walk you through what you should do to best protect your data. So those are some of the key frameworks, right? There's three of them, appliance, and I talked about this in the CISSP course that I put out there, but I trust COBIT, control objectives for information related technologies. So those are some big, the Big
Five in that place, and they're all really important to do. But what I'm going to do is roll into one as a use case, and then you can kind of see how that plays out.

Case one I have is PCI standards, the payment card industry standards that are set up. PCI, I should just say PCI Security Standards. Now there are technical and operational requirements that you have to put in place, and this is managed by the PCI Security Standards Council. And so what it comes down to is, you have to have a firewall, you have to have operational ways to manage a firewall, you have to have a way to manage change, management of change, and so forth.

So there are different types of PCI standards that are available. One is PCI PTS, for manufacturers. Now from a flying standpoint, I'm going to go back to my days; when I say PTS it was like the way-back machine, and I just looked back, and you're going, much better time in my life: practical test standards, by the FAA. When you flew airplanes you had to do practical test standards. Well, that's not what PCI is; that is a different animal. That's for manufacturers. There's a PCI DSS, and that's the software development aspect around PCI development. So how do you manage your credit cards, and what kind of software development is around your credit cards, that is all PCI PA-DSS. However, there is a change that's coming. And we have the DSS, which is for merchants and service providers. This is the typical one that you get for anybody from, I don't know, your Olive Garden, your restaurants, your gas stations, your daycares, you name it. If they take a credit card, they all have to fall into the PCI DSS.

Now there are some key components, and these are just a few that I'm throwing out there, of the DSS. We're going to talk about technical and operational pieces of this. They have firewall configurations, so you need to know how to configure a firewall or you need to pay someone to do it for you, and they do give you
some guidance around how you should protect those and what are some key things you should cover. There also are people out there that are certified as PCI assessors and so forth, and they can give you some guidance around that as well.

Avoid vendor default passwords. That's a given, right? So if you get a machine and it's got a password, it's a default, is cortical password, they don't want that. You don't want a password from somebody else, because guess what I used to do in a previous life: we would then Google, this is before Google was really, really, really cool, we would Google what are the standard manuals for, let's just say, some Linksys router. Well, it tells me right in there what the standard username and password is to get into this Linksys router. Great, I already know it, so now I'm good. So the same default vendor passwords are everywhere, and if they're default, guess what, they're all known, the internet's there, everybody has availability to them. So you want to avoid that.

Any data transmitted, you want to make sure it's encrypted. Protecting the stored cardholder data
is the other part that was interesting: protect stored cardholder data. They don't say how you should. So the first one says encrypt transmissions of data; the second one says, quote unquote, "protect stored cardholder data." What the heck does that mean? How are you protecting it? "Well, I've got a username and password to get into a system that holds that data," so you're protecting it, right? But the username and password, the password is "password" or "monkey" or something like that. Yeah, that is not really that effective. So the key question around that is, there are many, many components to PCI that you can definitely get into, and I highly recommend looking on YouTube for some options around that, but also get yourself a professional to help you if that is your livelihood.

So around compliance aspects: now there are tools available from the credit card companies that help you ensure that you meet compliance around PCI. They've got scan tools and all kinds of stuff that are available to you to use, because the credit card companies don't want you to basically give up the ghost on these cards. They want to keep the cards, right? It costs them a lot of money when they have to go reissue new cards, they have to cancel accounts, pain in the patootie for them. So therefore they provide some tools for you as the merchant to help you with that.

Now from a qualified assessor standpoint, there are different assessors, different capabilities within PCI that help you evaluate the capability. There are Qualified Security Assessors. Okay, these are approved to validate the adherence to the PCI DSS, an auditor, right? They come in, they audit you to make sure you're meeting requirements based on what the PCI DSS states. So if you have an external-facing website, you have to have your website scanned, and they don't want you just going out to Billy Bob's scanner market to do it; they want you to have an approved scanning vendor that you go through to do the scanning of your website. So I
guess that's all your internet-facing stuff. Now, the org has a lot of reference materials you can refer and reference back to, to help you with securing your site. Key places to consider: pcisecuritystandards.org and your scanning vendors.

Now there's a self-assessment questionnaire; we're going to get to that here in a minute. Before I do that, the network configuration pieces: you also need to understand that you need to do this. Now, you can self-help it, you can do it yourself, but it's probably not the best option. So if there's any sort of configuration that needs to occur, you probably need to pay someone to help you with it, and the reason I say that is because it potentially increases your liability in the event something goes sideways. You should Outsource turn around PCI. You can't just say, "Hey Bill, you're PCI certified, dude, go do it for me," and Bill goes, "Sure, I'll do it," then Bill misses something and next thing you know you get sued. In the case of the credit card companies, if you don't take it seriously, they just turn off your ability to use a credit card. Well, in today's world, if you don't have a credit card reader of some kind, that is bad; that makes you going-out-of-business, baby.

So around that, there are questionnaires that PCI puts together for you, the PCI Security Standards, to help you with this, and the first one is self-assessment questionnaire A. Now what it says is: card-not-present merchants, and all of the duties are outsourced. So what does that mean? That means that everything is outsourced. They don't keep anything, and you have a third party that does it. So when it comes to the information, nothing stays resident within your system. But you still need to follow the SAQ; even if you don't take it in your system, you need to follow it. A good example would be WordPress, maybe, or a website that you may have, and you use an iframe that will take the data and ship it off for you. Technically, with an iframe you don't
have to have the full-up PCI evaluation; you can go to an abbreviated version like the SAQ A, because the credit card is never in your system; it's my granddaughter off to the payment card company.

SAQ A is card-not-present merchants, all that stuff is outsourced. SAQ B is basically imprint-only merchants, no electronic cardholder. So that's the old style; you've got a card on you. If you're probably younger than 30, you're going, "I have no idea what he just said." Carbon copy: they copy your credit card, they charge it, and then what ends up happening is they send it in to the credit card company. If you're a merchant, it's a good way for you to get taken, because what will happen is you run the card and then there's no money and the guy's gone, you know. So it's actually good to use electronic, so if you can use it, it's recommended. SAQ C-VT: merchants using only web-based virtual terminals, no electronic storage. In case you're using a web-based virtual terminal of some kind, then that one will fall into you. D is all other merchants not included in the description for SAQ A through C, and then all service providers. So if you're a service provider, you've got to do it; you're going to have to do it. It's basically the full thing; you've got to go through the whole shooting match, kit and caboodle.

Right, and there are templates and checklists to go through this on addressing these capabilities, and I would recommend that you go online and see what you can find to help you with it. I was just looking at the site, and they have a whole laundry list of things that you can go through and check in the box on. The only downside of that is you're going to have to understand the technical terms behind it, because if you don't understand it, it's just basically kind of useless. So make sure that whoever does your configuration for you, you understand and they understand what's needed.

All right, so the references I've got for this broadcast, podcast, and what we've
got is: IT Governance has got some great stuff out there; then NIST Cybersecurity Framework; Kelly pics security; Tenable, trends around security frameworks adoption surveys; PCI Security Standards; and interactive application security testing.

Now that was part 1. We're going to have part 2 coming up here next week; we'll have that aspect added as well. The reason I did that, I broke it up, is because if not, the podcast be but I have long, and all I know is my ADD lasts about 5.2 seconds, and if I go longer than that then everybody's leaving. Well, I know if I had both together we'd have a whole lot of people gone oldest us very similar we have today.

All right, thanks so much for joining me here at Reduce Cyber Risk. We greatly appreciate it. Hope everything goes well for you, and catch us on the flip side.

What you heard, please leave a review, and as always, I greatly appreciate any and all feedback. Also check out my search for Shon Gerber and you will find a plethora of content to help you secure your business. Lastly, head on over to Reduce Cyber Risk and look at all the free stuff that's available for our email subscribers. It's growing each and every day.
