The Southern Fried Security Podcast
Join Andy Willingham, Martin Fisher,Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at www.southernfriedsecurity.com.

We recorded this episode as the closing keynote at BSides Atlanta on May 5th, 2018.

We want to give a big round of thanks to the organizers, volunteers, sponsors, and attendees of BSides Atlanta for a great venue and event.  It was a great time and we hope to be there again next year.

Direct download: SFS_Podcast_-_Episode_205.mp3
Category:general -- posted at: 7:22pm EDT

Episode 204 - Evaluating Your Security Program: Communications Plan

 

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. If Education & Awareness are how the employees engage the program then Communications is how the management team engage the program
    2. In business life, like everywhere else, if people don’t know who you are or what you do then they aren’t going to be willing or able to support you in times of crisis or need
    3. The higher up in the org you want to communicate the more deliberate your plan needs to be
  3. Why Even Consider Communications?
    1. Each sub-org needs to be considered
      1. CIO-org
      2. CFO-org
      3. COO-org
      4. CMO-org
      5. CCO-org
      1. Unless you report to the CEO the next person down in your chain is going to have to likely carry that water
      2. We will address the opportunities and dangers of directly engaging a CEO at some other podcast
    2. Notice that there is no “CEO-org”
  4. Determine the Audience(s)
    1. Updated status reports are better than a ‘newsletter’
    2. Compelling progress reports (especially if validated by a third party) can be a huge gain
    3. If you invent something new it better be hugely valuable
    4. “Communication is what the listener does”
  5. Leverage Existing Comms Before Inventing Something New
    1. Get over yourself
    2. Really.
  6. “But this is just playing politics!”
Direct download: SFS_Podcast_-_Episode_204.mp3
Category:general -- posted at: 4:37pm EDT

Show Notes

 

Episode 203 - Evaluating Your Security Program: Threat Mapping

 

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. How is this different from threat modeling?
    2. Threat modeling is listing what could happen to you.
    3. Threat mapping is mapping the holes in your program.
  3. What is “Threat Mapping”?
    1. Must have a assessment management program
      1. you can’t protect what you don’t know about
      2. This isn’t “I have a CMDB”.  It’s actually taking actions based on what you know about what you have
      1. Map assets to known threats
        1. industry
        2. entry points
        3. technology
        4. Online threat maps
      2. What are you doing to know this?
      3. What controls do you currently have in place to mitigate or reduce the risk?
    2. Understand what your “real” threats are

      1. Apps
      2. Infrastructure
      3. 3rd parties
      4. etc
    3. Scope and prioritize - break down into areas to tackle
  4. How To Get Started
    1. Scorecard (KRI)
      1. What is important and helpful
    2. Risk Registry
  5. How To Measure
    1. Use your risk registry or GRC tool to track progress and keep management updated. You need them onboard to improve.
    2. once you have some areas mapped don’t ignore them
    3. implement solid change control and change management processes
    4. keep risk scores updated so you aren’t focusing on unimportant things
  6. How To Improve/Modify
Direct download: SFS_Podcast_-_Episode_203.mp3
Category:general -- posted at: 7:40pm EDT

Episode 202 - Evaluating Your Security Program: Awareness & Education

 

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  2. Start At The Outside and Move Your Way In
    1. What do you think you do?
      1. Mandatory CBLs
      2. CyberCyberCyberStuff (Posters, Email, Swag)
      3. Briefings and Classes
      4. Phishing Awareness
      5. $NOVEL_IDEA
      1. How many people is it designed to engage?
        1. Not how many people took the awareness, how many people were ENGAGED?
      2. How many people were actually engaged?
      3. How did they do? (CBL completions, % phished, reviews, etc)
        1. If CBL_Completion = 15(clicks) then you may want to rethink that
        2. 0% phished is not a sign of a great security program...more likely a sign of a bad phishing program
        3. If there is no way to allow for anonymous reviews of training/briefings/etc then you’re not likely to get fully honest reviews (Who wants to piss off security?)
      4. Are you being honest with yourself?
    2. How do you measure it?
  3. Measuring Awareness & Education
    1. Don’t change the measurement...change the program
      1. The key to long term success is consistently measuring the same thing over time
      2. You may want to update goals (up or down) but be able to explain why especially if you are making the test easier
      1. Big changes in delivery will skew the numbers in ways you likely will not like
      2. Constant large turmoil is counter to most corporate cultures
      3. Small changes take advantage of previous investments best
      4. “Iterate small and grow larger” - doing too much too fast almost always ends is highly suboptimal results over time
    2. Don’t make drastic changes until Year 3 unless you have to make drastic changes
    3. Clearly failing components should be axed and replaced and not tweaked around the edges - especially if there’s a compliance or safety aspect
  4. Adjusting The Program
  5. If this feels like “Wash, Rinse, Repeat” it’s because is it “Wash, Rinse, Repeat”
Direct download: SFS_Podcast_-_Episode_202.mp3
Category:podcasts -- posted at: 6:31pm EDT

We're going to use this episode to allow the cast to talk about reaching 200 episodes and you'll hear what *really* happened on the Lost Episode.

 

We will be back in 2018 with more episodes.  Until then be well and stay secure!

Direct download: SFS_Podcast_-_Episode_201.mp3
Category:general -- posted at: 12:24pm EDT

Episode 200 - Building A Security Strategy - Part III

  1. Recap
    1. Strategy vs Policy
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  2. The Question is “How do I make one?”
    1. Tech
      1. Tech, by itself, only consumes electricity and turns cool air into warm air
      2. So many choices….
      3. The tech selection is the *least* critical one for developing a capability
      4. http://www.southernfriedsecurity.com/episode-192-security-waste/
      1. This is the “Stuff You Have To Do”
      2. Usually determined by regulation, policy, or corporate edict
      3. Describes a desired outcome - not how to get there
      4. Examples include “Malware Detection”, “Email Security”
    2. Service
      1. How you do the crazy things you do
      2. Security is not a One-Off - things must be repeatable and consistent
    3. Process
      1. Describes value team brings to org
      2. While tech and service selection is important the biggest improvement usually comes from better process
    4. Capability
  3. Capability = (Tech + Service) * Process
    1. Armorguy’s Maxim of Life: “Start small and iterate larger”
    2. Try to do to much out of the gate and you WILL fail
    3. Define success criteria for each stage that allows for error and learning
  4. Crawl, Walk, Run
    1. Security cannot exist as an island
    2. Interdependence with business units is key - if you don’t you are the foreigner and will be rejected
    3. The relationship with IT Operations is going to be wonky at first
  5. It Takes A Village
    1. Where do you look for more info?
  6. Strategy - It’s What CISOs Do…
Direct download: SFS_Podcast_-_Ep_200.mp3
Category:podcasts -- posted at: 9:32pm EDT

Episode 199 - Building A Security Strategy - Part II

  1. Recap
    1. Strategy vs Policy
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  2. The Question is “How do I make one?”
    1. Almost no business is in the business of information security
    2. Follow The Money
    3. Understand The Decisioning Process
    4. “Culture Eats Strategy For Breakfast”
    5. Vocabulary Matters
  3. Understand the Business of Your Business
    1. Know the Formal and Informal Org Charts
    2. Influencers are as important as Deciders
    3. Beware the Spoiler
    4. “Culture Eats Strategy For Breakfast”
    5. Don’t Give a Vote or Veto Unnecessarily
  4. Know Who Your Stakeholders Really Are
    1. We will keep discussing this.
    2. Underestimating the power of culture WILL result in your plan faling
    3. That’s a majority of the reason that Strategy Is Hard
  5. Culture Is The Key
Direct download: SFS_Podcast_-_Ep_199.mp3
Category:podcasts -- posted at: 1:23pm EDT

Episode 198 – Building a Security Strategy – Part 1

 

Strategy is the hardest thing a CISO will do in their career...except if they have to explain a massive breach…

 

  1. What is a Strategy?
    1. What’s the difference between a strategy and a policy?
      1. A policy is binding statements
      2. A strategy is thought out planning
      1. A list of tech you want to buy
      2. A remediation plan that follows an audit/assessment
      3. A continued justification for the way you’ve always done things
      4. The stuff your favorite vendor told you needs doing
    2. What a strategy isn’t…
      1. Based on the needs and desires of the org and its senior leaders
      2. Culturally relevant
      3. A guide to where investment (money and people) need to be made
      4. Balanced between boldness and reassurance
      5. Built on a set of capabilities that map to business success criteria
    3. A strategy is…
    1. Creates a consistent frame of reference for talking about the program
    2. Helps senior leaders understand the where/why of the investments
    3. Lays out a connected story for CFOrg to make budget less hard
    4. Provides a decision-making framework that enables effective choices
  2. Why do you want one?
    1. Understand the business of your Business
    2. Know who your stakeholders really are
    3. Capability = (Tech + Service) * Process
    4. Crawl, Walk, Run
    5. It Takes A Village
  3. How do I make one?

 

In our next episodes we’ll break down each of the steps and talk more about strategy…

Direct download: SFS_Podcast_Ep_-_198.mp3
Category:podcasts -- posted at: 8:53pm EDT

Episode 197 - After the Penetration Test 

We've kind of talked about how to choose your vendors, and we’ll get more into services soon, but we wanted to take some time to talk about penetration tests and especially what to do as they wrap up, how they affect the organization, and how you can manage your penetration tests to make sure they're actually effective.

  • Receiving the report
    • First and foremost, you are the customer. The report is not done until you say it is done.
      • That doesn't mean to massage the data, but you need to be sure that the penetration testers actually provided value.
    • If there isn't a solid executive summary, send it back. Period. Your testers should be able to summarize what they did, what they found, and what they think for your executives.
    • A Nessus or Burp scan is not a report. Ever.
    • Always ask “how did we do for this application/organization size” etc. You’re not just paying for someone to run Nessus on your network, you’re paying for their analysis. Ask for that.
  • Triaging the Results
    • Results rarely go to the same place in the organization. You might have findings for different teams, or entirely different parts of your org. Make sure they get to the right people.
    • Results may be inaccurate for your organization. A penetration tester isn't necessarily familiar with your organization’s risk profile, priorities, or anything else. What they mark as a medium may be a high or critical for you, or vice versa.
      • Example: Information disclosure in Healthcare is often rated much higher when triaging than in other types of businesses.
  • Working with the stakeholders
    • Work in systems that make sense to people that need to do the work. Rally, Jira, etc.
      • This can also give you traceability for when things are actually fixed.
    • Don’t dump on people in big group meetings, take the findings to the specific teams
      • That will give them time to develop a plan for the findings that are affecting them
  • Managing upwards
    • No matter how well or poorly the report is written, it’s still going to end up being your job to explain “how bad is this thing you handed me?”
    • Have to manage the findings and their perception upwards
      • Remediate, mitigate, or accept
      • That's an upper management call
  • Dealing with the Re-test
    • Most penetration tests have a clause in there for re-testing findings. Make sure you actually take advantage of that.
      • This looks good from both an actual security posture position and a management position
    • Some penetration testers will let you remediate quickly and have them re-test, which can be reflected in the final report
      • Especially if your report might going to customers, this is incredibly useful. Take advantage of this if at all possible.
Direct download: SFS_Podcast_Ep_-_197.mp3
Category:podcasts -- posted at: 10:46pm EDT

SFS Podcast - Episode 196

 

Wannacry: Woulda, Coulda, Shoulda 

First and foremost: Why was medical hit so hard by WannaCry? See Episode 189 - Medical Device Security and Risky Business 455 - https://risky.biz/RB455/

  1. The Lead-Up
    1. Threat Intelligence is A Thing
    2. Threat Intelligence is Hard
    3. Threat Intelligence Feeds are [REDACTED] for many/most
    1. Do
      1. Stay Calm
        1. You have finite human resources
        2. You have finite time
      2. Prioritize Your Responses
        1. Episode 192 - Security Waste
      3. Know what all your tools can do and be ready to use them
        1. Your Business Continuity Program can inform that
        2. You do have a BCP, right?
      4. Know what area to focus on first
      5. Be willing to cut off an arm to save the body
      6. When you can remember that Herd Immunity is a Thing.
      1. Scare the Children
      2. Waffle in decision making
        1. This is not the time to point out for the millionth time that your patching program is suboptimal
        2. This is not the time to point out that if you’d only gotten that BlinkyBox last capital season this wouldn’t be an issue
      3. Focus on what you can’t do
      4. Overpromise
    2. Don’t…
  2. When the Crisis Arrives
    1. Be sure you’re in Aftermath and not still in Crisis
    2. Do a Hot Wash and a full After Action Review/Post-Mortem
    3. Document your lessons learned and distribute them widely
    4. Follow Up, Follow Up, FOLLOW UP!!
  3. The Aftermath
Direct download: SFS_Podcast_Ep_-_196.mp3
Category:podcasts -- posted at: 8:54pm EDT