Episodes
Penetration testing is something that more companies and organizations should be considering a necessary expense. Pen Testing is an important aspect of discovering and identifying potentially critical vulnerabilities within your organization's external network, internal network, applications, or systems. It provides valuable insight into how your digital and human assets perform. In this episode we review the criticality of scoping a Pen Test, along with differences between Pen Testing, Red...
Published 07/26/23
The biggest takeaway from CIS Control 17 is that planning and communication are critical when responding to an incident. The longer an intruder has access to your network, the more time they’ve had to embed themselves into your systems. Communicating with everyone involved can help limit the duration between attack and clean-up. Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to...
Published 06/02/23
CIS Control 16 - Application Software Security
The way in which we interact with applications has changed dramatically over the years. Organizations use applications in day-to-day operations to manage their most sensitive data and control access to system resources. Instead of traversing a labyrinth of networks and systems, attackers today see an opening to turn an organization's applications against it to bypass network security controls and compromise sensitive data. NOTE: Crowdstrike notes...
Published 03/14/23
LastPass and the recent Rackspace Exchange incident are two prime examples of "why" this Control is Critical!! Develop a process to evaluate service providers who hold sensitive data, or are responsible for critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately. Identify your business needs and create a set of standards that can be used to grade service providers that are being proposed. Organize and monitor all services...
Published 01/22/23
MSP/MSSPs should offer solutions that provide users with frequent security awareness training to increase the organization's overall security posture. The information provided by the security awareness training should be relevant and provide insights into recent security incidents. Training should also reiterate the necessity of using strong passwords, spotting and reporting phishing attacks, as well as properly handling personal information. Security awareness training should include frequent phishing...
Published 11/09/22
Network monitoring and defense is one of only two controls that does not contain any Implementation Group 1 Safeguards in Controls version 8. This control is geared towards mature MSPs, MSSPs, and organizations who have a mindset of continuous improvement that involves people, process, and technology. Service providers need a well-trained staff that executes on their network monitoring, detection, logging, and correlation of events in order to thwart malicious attacks. 👏Special thanks for...
Published 09/29/22
Abstract: Network Infrastructure Management - Establish, implement, and actively manage network devices, in order to prevent attackers from exploiting vulnerable network services and access points. Network infrastructure devices can be physical or virtual and include things such as routers, switches, firewalls, and wireless access points. Unfortunately, many devices are shipped from manufacturers with “default” configuration settings and passwords that, if deployed as-is, can significantly...
Published 07/07/22
Abstract: Data loss can be a consequence of a variety of factors, from malicious ransomware, threat actors using "Double Extortion" and exfiltration, and human error, to natural disasters like hurricanes. Regardless of the reason for data loss, we need to have a process established (RPO/RTO) to recover our data.
Key Takeaways for Control 11
Prioritize your data and come up with a data recovery plan.
Protect your backed up data. (See Control 3: Data Protection.)
Practice and Test restoring your...
Published 05/24/22
Abstract: With the continuing rise of ransomware, malware defenses are more critical than ever before with regard to securing your MSP and clients. Malware defenses must be able to operate in a dynamic environment through automation and timely, rapid updating, and must integrate with other processes like vulnerability management and incident response. Anti-Malware technologies have become an afterthought in many organizations, a technology that they’ve always had, always used, and never really...
Published 04/26/22
Abstract: Web browsers and email clients are very common points of entry for attackers because of their direct interaction with users inside an organization. Content can be crafted to entice or spoof users into disclosing credentials, providing sensitive data, or providing an open channel to allow attackers to gain access, thus increasing risk to your MSP or client's business. Since email and web are the main means by which users interact with external and untrusted users and environments,...
Published 03/17/22
Abstract: Log collection and analysis is critical for an organization's ability to detect malicious activity quickly. Sometimes audit logs are the only evidence of a successful attack. Attackers know that many organizations keep audit logs for compliance purposes, but rarely analyze them. Due to poor log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing. In this episode, learn about using logs in incident...
Published 02/12/22
Note: we discuss Log4j, as it is a very timely topic for this control. Abstract: Cyber defenders are constantly being challenged by attackers who are looking for vulnerabilities within their infrastructure to exploit and gain access. Defenders must have timely threat information available to them about software updates, patches, security advisories, threat bulletins, etc., and they should regularly review their environment to identify these vulnerabilities before the attackers do....
Published 12/22/21
Abstract: It is easier for an external or internal threat actor to gain unauthorized access to assets or data by using valid user credentials than by "hacking" the environment. There are many ways to covertly obtain access to user accounts, including: weak passwords, accounts still valid after a user leaves the organization, dormant or lingering test accounts, shared accounts that have not been changed in months or years, service accounts embedded in applications for scripts, a...
Published 11/23/21
Abstract: There are many ways to covertly obtain access to user accounts, including: weak passwords, accounts still valid after a user leaves the enterprise, dormant or lingering test accounts, shared accounts that have not been changed in months or years, service accounts embedded in applications for scripts, a user having the same password as one they used for an online account. Learn how CIS Control 5 can mitigate some of the most common ways credentials are compromised. Sponsor:...
Published 10/19/21
Abstract: Learn why the number one thing organizations can do to defend their networks against top attacks is to implement secure configurations! Azure Breach (8/26/2021): According to Wiz, who found the CosmosDB vulnerability: "Database exposures have become alarmingly common in recent years as more companies move to the cloud, and the culprit is usually a misconfiguration in the customer’s environment." ...
Published 08/26/21
Abstract: CIS Control 3 is Data Protection, and data is pretty much what's at stake in a high percentage of cyber attacks. Data is more valuable than oil and it fuels many organizations. Many of the baseline security recommendations from all of the security frameworks out there now recommend, or REQUIRE if you’re in a regulated industry such as healthcare, that certain things like full disk encryption are simply put into place no matter your risk profile. Much of what’s in the Data...
Published 07/09/21
Abstract: There is a cybersecurity saying: “you can’t protect what you don’t know about.” Without visibility into your information assets, their value, where they live, how they relate to each other, and who has access to them, any strategy for protection would be inherently incomplete and ineffective. Note: sponsors are at the end, at minute 28:30. Why might an MSP want to listen? Most MSPs only capture 50% of the assets on a client's network. Min 2:30 - 8:46 (Ryan Weeks, CISO of Datto...
Published 06/09/21
Google reports that Multifactor Authentication (MFA) prevents more than 96% of bulk phishing attempts and more than 76% of targeted attacks that are credential based. In this episode, learn how MFA maps to the different security frameworks, the impact it has, building a policy around it, how threat actors exploit it (via MITRE ATT&CK), what you can do to defend against it (MITRE Shield), common mistakes or oversights made when implementing it into a tech stack, and trends. Note:...
Published 05/11/21