CISO Tradecraft® G Mark Hardy & Ross Young
-
- Technology
-
Welcome to CISO Tradecraft®. A podcast designed to take you through the adventure of becoming a CISO. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.
-
#174 - OWASP Top 10 Web Application Attacks
In this episode of CISO Tradecraft, host G. Mark Hardy delves into the crucial topic of the OWASP Top 10 Web Application Security Risks, offering insights on how attackers exploit vulnerabilities and practical advice on securing web applications. He introduces OWASP and its significant contributions to software security, then progresses to explain each of the OWASP Top 10 risks in detail, such as broken access control, injection flaws, and security misconfigurations. Through examples and recommendations, listeners are equipped with the knowledge to better protect their web applications and ultimately improve their cybersecurity posture.
OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
OWASP Top 10: https://owasp.org/www-project-top-ten/
Transcripts: https://docs.google.com/document/d/17Tzyd6i6qRqNfMJ8OOEOOGpGGW0S8w32
Chapters
00:00 Introduction
01:11 Introducing OWASP: A Pillar in Cybersecurity
02:28 The Evolution of Web Vulnerabilities
05:01 Exploring Web Application Security Risks
07:46 Diving Deep into OWASP Top 10 Risks
09:28 1) Broken Access Control
14:09 2) Cryptographic Failures
18:40 3) Injection Attacks
23:57 4) Insecure Design
25:15 5) Security Misconfiguration
29:27 6) Vulnerable and Outdated Software Components
32:31 7) Identification and Authentication Failures
36:49 8) Software and Data Integrity Failures
38:46 9) Security Logging and Monitoring Practices
40:32 10) Server Side Request Forgery (SSRF)
42:15 Recap and Conclusion: Mastering Web Application Security -
#173 - Mastering Vulnerability Management
In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management.
Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij
OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/
Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207
Chapters
00:00 Introduction
00:56 Understanding Vulnerability Management
02:15 How Bad Actors Exploit Vulnerabilities
04:26 Building a Comprehensive Vulnerability Management Program
08:10 Prioritizing and Remediation of Vulnerabilities
13:09 Optimizing the Patching Process
15:28 Measuring and Improving Vulnerability Management Effectiveness
18:28 Gamifying Vulnerability Management for Better Results
20:38 Securing Executive Buy-In for Enhanced Security
21:15 Conclusion and Further Resources -
#172 - Table Top Exercises
This episode of CISO Tradecraft, hosted by G Mark Hardy, delves into the concept, significance, and implementation of tabletop exercises in improving organizational security posture. Tabletop exercises are described as invaluable, informal training sessions that simulate hypothetical situations allowing teams to discuss and plan responses, thereby refining incident response plans and protocols. The podcast covers the advantages of conducting these exercises, highlighting their cost-effectiveness and the crucial role they play in crisis preparation and response. It also discusses various aspects of preparing for and executing a successful tabletop exercise, including setting objectives, selecting participants, creating scenarios, and the importance of a follow-up. Additionally, the episode touches on compliance aspects related to SOC 2 and the use of tabletop exercises to expose and address potential organizational weaknesses. The overall message underscores the importance of these exercises in preparing cybersecurity teams for real-world incidents.
Outline & References:
https://docs.google.com/document/d/13Qj4MOjPxWz9mhQCDQNBtoQwrXdTeIEf
Transcripts: https://docs.google.com/document/d/1yfmZALQfkhQCMfp9ao3151P9L2XcEXFm/
Chapters
00:00 Introduction
00:47 The Importance of Tabletop Exercises
01:53 The Benefits of Tabletop Exercises
03:06 How to Implement Tabletop Exercises
05:30 The Role of Tabletop Exercises in Compliance
08:24 The Participants in Tabletop Exercises
09:25 The Preparation for Tabletop Exercises
16:57 The Execution of Tabletop Exercises
21:58 Understanding Roles and Responsibilities in an Exercise
22:17 The Importance of a Hot Wash Up
23:36 Creating an After Action Report (AAR)
24:06 Implementing an Action Plan
24:34 Example Scenario: Network Administrator's Mistake
25:08 Formulating Targeted Questions for the Scenario
26:36 The Role of Innovation in Tabletop Exercises
27:11 The Connection Between Tabletop Exercises and Compliance
29:18 12 Key Steps to a Successful Exercise
30:43 The Importance of Realistic Scenarios
34:05 The Role of Communication in Crisis Management
37:33 The Impact of Cyber Attacks on Operations
39:57 The Importance of Tabletop Exercises and How to Get Started
40:35 Conclusion -
#171 - Navigating Software Supply Chain Security (with Cassie Crossley)
In this episode of CISO Tradecraft, host G Mark Hardy converses with Cassie Crossley, author of the book on software supply chain security. Hardy explores the importance of cybersecurity, the structure of software supply chains, and the potential risks they pose. Crossley shares her expert insights on different software source codes and the intricacies of secure development life cycle. She highlights the significance of Software Bill of Materials (SBOM) and the challenges in maintaining the integrity of software products. The discussion also covers the concept of counterfeits in the software world, stressing the need for continuous monitoring and a holistic approach towards cybersecurity.
Link to the Book: https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2
Transcripts: https://docs.google.com/document/d/1SJS2VzyMS-xLF0vlGIgrnn5cOP8feCV9
Chapters
00:00 Introduction
01:44 Discussion on Software Supply Chain Security
02:33 Insights into Secure Development Life Cycle
03:20 Understanding the Importance of Supplier Landscape
05:09 The Role of Security in Software Supply Chain
07:29 The Impact of Vulnerabilities in Software Supply Chain
09:06 The Importance of Secure Software Development Life Cycle
14:13 The Role of Frameworks and Standards in Software Supply Chain Security
17:39 Understanding the Importance of Business Continuity Plan
20:53 The Importance of Security in Agile Development
24:01 Understanding OWASP and Secure Coding
24:20 The Importance of API Security
24:50 The Concept of Shift Left in Software Development
25:20 The Role of Culture in Software Development
25:52 Exploring Different Source Code Types
26:19 The Rise of Low Code, No Code Platforms
28:53 The Potential Risks of Generative AI Source Code
34:24 Understanding Software Bill of Materials (SBOM)
41:07 The Challenge of Spotting Counterfeit Software
41:36 The Importance of Integrity Checks in Software Development
45:45 Closing Thoughts and the Importance of Cybersecurity Awareness -
#170 - Responsibility, Accountability, and Authority
In this episode of CISO Tradecraft, the host, G Mark Hardy, delves into the concepts of responsibility, accountability, and authority. These are considered critical domains in any leadership position but are also specifically applicable in the field of cybersecurity. The host emphasizes the need for a perfect balance between these areas to avoid putting one in a scapegoat position, which is often common for CISOs. Drawing on his military and cybersecurity experiences, he provides insights into how responsibility, accountability, and authority can be perfectly aligned for the efficient execution of duties. He also addresses how these concepts intertwine with various forms of power - positional, coercive, expert, informational, reward, referent, and connection. The host further empathizes with CISOs often put in tricky situations where they are held accountable but lack the authority or resources to execute their roles effectively and provides suggestions for culture change within organizations to overcome these challenges.
Transcripts: https://docs.google.com/document/d/1S8JIRztM6iaZonGv0qhtWY4vDyBfGhs-/
Chapters
00:00 Introduction
00:22 Understanding Responsibility, Accountability, and Authority
01:20 The Role of Leadership in Cybersecurity
02:47 Exploring the Concepts of Responsibility, Authority, and Accountability
03:08 Applying Responsibility, Authority, and Accountability to the CISO Role
04:20 The Interplay of Responsibility, Authority, and Accountability
11:57 Understanding Power and Its Forms
12:43 The Impact of Power on Leadership and Influence
24:04 The Role of Connection Power in Today's Digital Age
24:40 Understanding Different Sources of Power
25:13 The Power of Networking and Connections
26:49 The Challenges of Being a CISO
29:19 Understanding the Value of Your Role
33:56 The Importance of Expert Power
37:46 The Consequences of Ignoring Maintenance
43:40 Aligning Responsibility, Accountability, and Authority
44:39 The Importance of Legal Protections for CISOs
45:30 Wrapping Up: Balancing Responsibility, Authority, and Accountability -
#169 - MFA Mishaps
In this episode of CISO Tradecraft, host G Mark Hardy discusses various mishaps that can occur with Multi-Factor Authentication (MFA) and how these can be exploited by attackers. The talk covers several scenarios such as the misuse of test servers, bypassing of MFA via malicious apps and phishing scams, violation of the Illinois Biometric Information Protection Act by using biometric data without proper consent, and potential future legal restrictions on biometric data usage. G Mark also highlights the significance of correct implementation of MFA to ensure optimum organizational security and how companies can fail to achieve this due to overlooking non-technical issues like legal consent for biometric data collection.
Transcripts: https://docs.google.com/document/d/1FPCFlFRV1S_5eaFmjp5ByU-FCAzg_1kO
References:
Evil Proxy Attack- https://www.resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web
Microsoft Attack - https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/amp/
Illinois Biometric Law - https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994
Chapters
00:00 Introduction
00:43 Understanding Multi Factor Authentication
01:05 Exploring Different Levels of Authentication
03:30 The Risks of Multi Factor Authentication
03:51 The Importance of Password Management
04:27 Exploring the Use of Trusted Platform Module for Authentication
06:17 Understanding the Difference Between TPM and HSM
09:00 The Challenges of Implementing MFA in Enterprises
11:25 Exploring Real-World MFA Mishaps
15:30 The Risks of Overprivileged Test Systems
17:16 The Importance of Monitoring Non-Production Environments
19:02 Understanding Consent Phishing Scams
30:37 The Legal Implications of Biometric Data Collection
32:24 Conclusion and Final Thoughts