Source: a 46-page PDF slide deck, "Overcoming the CyberSecurity Poverty Line: Cost Effective Strategies Using People, Process, and Technology", shared on 三個皮匠報告.
Overcoming the CyberSecurity Poverty Line
Cost Effective Strategies Using People, Process, and Technology

Robert Wagner (Mr_Minion, Mr_Minion@infosec.exchange)
Advisory CISO / Managing Director
Community: Hak4Kidz Co-Founder; ISSA Chicago Board; Chicago CISO of the Year; BurbSec; BSides312
Do me a favor? Take pictures, post to social.

Introduction

I Wrote This Talk Because
- Small businesses keep making the same mistakes large enterprises made 20 years ago.

Cyber Security Poverty Line
- "The line below which an organization cannot be effectively protected, much less comply with security regulations." (Wendy Nather, 2010)

Primary Hurdles
- Money
- Expertise
- Capability
- Influence

Understanding the Impact on Small Business
- Attacks targeting small-to-medium enterprises comprised 46% of all attacks in 2021 (Verizon Breach Report 2021).
- Cyberattacks cost SMEs an average of $200,000 per firm, and 60% of SME victims go out of business within 6 months (Hiscox Insurance).

Where Do We Start?
- Too much focus on technology.

PEOPLE

Talent is Hard to Find: Is It Really, Though?
- Consider non-traditional approaches to hiring.

Here's What to Look For
- Speaks in business terms
- Experienced in incident response
- Understands compliance
- Creates realistic risk and vulnerability objectives

Virtual CISOs

Hire a Few Strategic Leads
- Target of empathy and mentorship
- Run interference for business politics
- Lead by example

Create a Low Cost Army
- Interns
- Temp-to-hire
- Entry level hires
- Nurture talent
- Stop chasing unicorns

Create a Culture of Mutual Mentorship and Sharing
- Train them so well that they could leave; treat them so well that they stay.

How to Nurture Talent
- Help justify their training to the business: they usually don't know the right language.
- Encourage participation in the InfoSec community.
- Look for talent in existing employees, from within and without.

Foster a Language of Inclusion
- Use neutral language: words like "self-reliant" or "lead" are coded for masculinity; "energetic" can deter older candidates.
- New AI for diversity hiring checks your job descriptions for inclusive language.
- Get rid of nice-to-haves in job descriptions: men apply at meeting 60% of the requirements; women apply if they meet 100%.

Diversity Hiring: Weed Out Hiring Bias
- Invest in unconscious bias interview training.
- Evaluate resumes blindly.
- Use a diverse panel.
- Use structured interviews and score cards.
- Consider non-traditional backgrounds: some of the best infosec professionals were also musicians, nannies, and artists.
- The top ethnically and culturally diverse companies out-profited the least ethnically and culturally diverse companies by 36%, and companies with more diversity had 19% higher innovation revenues (Insight Global).

Level Up the Talent You Have: Free Security Training
- CISA Cyber Essentials Toolkit: bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential.
- Cyber Readiness Institute: the Cyber Readiness Program guides small and medium-sized enterprises to become cyber ready.
- SANS Cyber Aces: online course that teaches the core concepts needed to assess and protect information security systems.
- Security BSides and other conferences: many offer free (or cheap) training.

Create a Fusion SOC
- Structure around security tasks.
- Rotate analysts through various tasks.
- Teach peers as they rotate.
- Ditch the tier structure.

Employee Security Awareness Training
- 45% of employees receive NO security training at all from their employer.
- 62% of companies do not provide enough security awareness training to receive ANY benefits.

Free Awareness Training Resources
- Amazon Security Awareness Training: https:/
- ... Course: https:/
- (... Based): https:/
- ... Your Own Competition
- Backdoors & Breaches (Black Hills Information Security): https:/
- ... everyone loves awareness training

Create a Healthy Security Culture
- Security awareness training is never used as a punishment.
- Employees receive regular training in identifying risks.
- Employees are encouraged to ask for help when unclear about security issues or policies.
- Make training fun and personal.
- Everyone is held to the same security standards.

Insider Threat: Small Orgs Can Be Easier to Defend
- Employees know each other; this is one of your greatest strengths.
- Teach them to identify risks before they become a threat.
- Free government resources:
  https://securityawareness.usalearning.gov/itawareness/index.htm
  https://www.cdse.edu/Training/Toolkits/Insider-Threat-Toolkit/
  https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/resources-and-tools

PROCESS

CIS 18 Critical Controls, Now with Implementation Groups!
- Implementation Groups (IGs) are the recommended guidance to prioritize implementation of the CIS Critical Security Controls.
- It's OK if you don't start with Control 01: start where you'll be the most effective.

Find Better Ways to Describe Risk
- Current methods are NOT working: 40% of global risk and compliance decision makers are improvising risk management (Forrester).
- Stop using risk matrices; use Monte Carlo simulations instead.
- This, your board will understand.
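As an added illustration of the "Monte Carlo instead of risk matrices" advice (example code written for this page, not from the talk): a small loss simulation that takes, per risk scenario, an expected number of loss events per year and a 90% confidence interval for the loss of a single event (FAIR-style inputs), samples thousands of years, and reports expected annual loss, percentiles, and the probability of exceeding chosen dollar thresholds. The scenario names, frequencies and dollar figures in SCENARIOS are made-up assumptions; replace them with estimates from your own incident history.

```python
"""Monte Carlo loss simulation in place of a qualitative risk matrix.

Added example for this page, not code from the talk. Inputs follow the
FAIR-style pattern: per scenario, an expected number of loss events per year
and a 90% confidence interval for the loss of a single event. Every number in
SCENARIOS below is an illustrative assumption, not data from the source.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    events_per_year: float  # expected frequency, used as a Poisson rate
    loss_low: float         # 5th percentile of single-event loss (USD)
    loss_high: float        # 95th percentile of single-event loss (USD)


def lognormal_params(low, high):
    """Map a 90% CI [low, high] to lognormal (mu, sigma); z(0.95) = 1.645."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * 1.645)
    return mu, sigma


def poisson(rng, lam):
    """Knuth's Poisson sampler (the random module has none); fine for small rates."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenarios, trials=20_000, seed=1):
    """Total loss for each simulated year, summed over all scenarios."""
    rng = random.Random(seed)  # fixed seed: reproducible for reviewers
    params = [(s.events_per_year, *lognormal_params(s.loss_low, s.loss_high))
              for s in scenarios]
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for rate, mu, sigma in params:
            for _ in range(poisson(rng, rate)):
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def summarize(totals, thresholds=(0, 100_000, 500_000)):
    """Expected annual loss, percentiles, and P(annual loss > threshold)."""
    ranked = sorted(totals)
    n = len(ranked)

    def pct(q):
        return ranked[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": sum(ranked) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": ranked[-1],
        "exceedance": {t: sum(1 for x in ranked if x > t) / n for t in thresholds},
    }


# Illustrative scenarios (assumed values, roughly sized for a small business).
SCENARIOS = [
    Scenario("Phishing -> business email compromise", 0.8, 5_000, 150_000),
    Scenario("Ransomware on file server", 0.15, 50_000, 1_000_000),
    Scenario("Lost/stolen unencrypted laptop", 0.5, 1_000, 40_000),
]

if __name__ == "__main__":
    result = summarize(simulate(SCENARIOS))
    print(f"expected annual loss: ${result['expected_annual_loss']:,.0f}")
    for name in ("p50", "p90", "p95", "max"):
        print(f"{name:>4}: ${result[name]:,.0f}")
    for threshold, prob in result["exceedance"].items():
        print(f"P(annual loss > ${threshold:,}) = {prob:.1%}")
```

The exceedance table is the part a board can act on: "there is roughly a 1-in-10 chance of losing more than $X this year" is a statement that can be compared directly against the cost of a control or an insurance premium, whereas a "medium" cell in a 5x5 matrix hides whether the scenario is a $20,000 or a $2,000,000 problem. The fixed seed makes the run repeatable so reviewers see the same numbers; widen or narrow the confidence intervals to see how much of the tail comes from estimate uncertainty rather than from the scenario itself.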
Basic Hygiene

Smart Assessments & Audits
- Risk or threat assessments first: these should always precede a security assessment.
- Tailor audits and assessments: they should support YOUR security goals and budget needs whenever possible.
- Every assessment should be a purple team exercise.
- Create highly detailed scoping docs: if you don't scope assessments properly, most consulting firms will simply have their interns scan you with Nessus.
- Insist on quality output: a paid assessment should result in actionable recommendations and remediation plans. They can be your best leverage when done right.

Pick the Right Box: Get the Best Value for Assessments
- Black box is a poor choice. These assessments require the tester to break in on their own; they waste too much time on a result you know is going to happen (they will eventually phish their way in), and they primarily just test the tester.
- Transparent box is a better option. It assumes the tester will get in anyway, so just give them access and details of the org and see how far they can get. Saves time, reduces cost, and allows for testing of more vectors.
- Translucent box is the next step up. Limited info is shared with the tester, typically just login creds, which simulates a real-world scenario.

Implement MFA for EVERYONE
- Users, admins, contractors, executives (even when they complain), partners, third-party vendors: ANYONE that touches your systems.
- Log and monitor all privileged credential activity and sessions.
- Options: Google, Microsoft, Text, Power SnapID, Authy.

Implement Secure Remote Access
- Put shared accounts and passwords in a vault or firecall.

Guerrilla Zero Trust: Zero Trust is a Process, not a TOOL
- Use jump boxes or Secure Admin Workstations (SAW) for privileged tasks: this is the quickest way to isolate these tasks.
- Log and monitor all privileged credential activity and sessions for compliance and forensic review; include session metadata.
- Audit privileged access credentials to network devices: most vulnerability scanners can check for default passwords.

Find Ways to Automate EVERYTHING
- Consider hiring a dedicated resource for automation.

TECHNOLOGY

Leverage Those Other Cloud Services
- Easy, robust, frequent, immutable backups (put the password in firecall).
- Use available cloud-based security services: AWS WAF, Google Cloud Armor.
- Clean images, regularly reloaded.
- Chaos engineering.

Limit Your Exposure, in Two Easy Steps
- Switch users to Chromebooks.
- Get rid of Active Directory; use identity management tools (Okta, Ping Identity, etc.).
- Special thanks to Lintile & AccidentalCISO.

Deception Tactics
- Honey files: files with names like "Password List"; alert on access.
- Honey accounts: DomainAdmin_x; put a fake password in the description; add it to the admins group; set logon hours = 0 (the account can never actually log on, so any attempt to use it is a high-fidelity alert).
- Honey database / honey table: call it something juicy.
- Honey tokens in memory: use CreateProcessWithLogonW (free tool: Invoke-Runas.ps1) to load a fake admin account and credentials into memory.
- Honey people: LinkedIn, HR, Accounts Payable.
- More are coming every day.
- Your leverage for more budget and influence.

Security Tools Designed and Priced for SMBs Do Exist
- Asset management, EDR, threat intelligence, password vault, authentication, monitoring & SIEM.

Helpful Links
- https:/ ... Source Assessment Tools

Thank You!
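The deception slide leaves out the part that makes it pay off: the alert. As an added example (written for this page, not from the talk), the block below turns the honey file and honey account lures into detection logic over Windows Security events. It covers the "alert on access" honey file and the DomainAdmin_x honey account; the in-memory honey token seeded with Invoke-Runas.ps1 needs no separate rule, because once those fake credentials are dumped and replayed they show up as the same honey-account logon attempts. The account name DomainAdmin_x is from the slides; the honey file path, host names, IP addresses and the SAMPLE_EVENTS lines are constructed for this example.

```python
"""Alerting on honey assets from Windows Security event fields.

Added example for this page, not code from the talk. The honey account name
DomainAdmin_x comes from the slides; the honey file path, host names, IPs and
the event lines in SAMPLE_EVENTS are constructed for this example. Field names
(TargetUserName, IpAddress, ObjectName, ...) are the ones Windows writes into
events 4624/4625/4663/4768/4776.
"""
import re
from dataclasses import dataclass

# Assumed honey assets, matched case-insensitively (Windows principals and
# paths are case-insensitive and attacker tooling often lower-cases them).
HONEY_ACCOUNTS = {"domainadmin_x"}
HONEY_FILES = {r"\\fs01\IT\Password List.xlsx".lower()}

# What an attacker gets when trying an account whose logon hours are all
# cleared: NTLM/4625 status 0xC000006F (STATUS_INVALID_LOGON_HOURS) and
# Kerberos/4768 result code 0x12 (client revoked). These failures are the
# lure working exactly as designed, not noise to filter out.
EXPECTED_DENIALS = {"0xc000006f", "0x12"}

# 'key=value key=value ...' where a value may itself contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Alert:
    severity: str
    reason: str
    event_id: str
    actor: str   # principal that touched the honey asset
    source: str  # where it came from (IP, workstation, or process)


def parse_event(line):
    """'<EventID> key=value ...' -> dict with an 'EventID' entry."""
    event_id, _, rest = line.strip().partition(" ")
    fields = dict(_KV.findall(rest))
    fields["EventID"] = event_id
    return fields


def classify(ev):
    """Return an Alert if the event touches a honey asset, else None."""
    eid = ev["EventID"]
    target = ev.get("TargetUserName", "").lower()
    if eid in {"4624", "4625", "4768", "4776"} and target in HONEY_ACCOUNTS:
        status = ev.get("Status", "").lower()
        if eid == "4624":
            # Logon hours = 0 makes this impossible unless the restriction was
            # removed; treat a success as the most serious outcome of all.
            outcome = "SUCCEEDED: the account should never be able to log on"
        elif status in EXPECTED_DENIALS:
            outcome = "denied as designed"
        else:
            outcome = f"failed with {status or 'unknown status'}"
        source = ev.get("IpAddress") or ev.get("WorkstationName") or "unknown"
        return Alert("critical", f"honey account {target} used ({outcome})",
                     eid, target, source)
    if eid == "4663" and ev.get("ObjectName", "").lower() in HONEY_FILES:
        # 4663 is only written if the file carries a SACL and "Audit File
        # System" is enabled; without both, a honey file is silent.
        return Alert("high", f"honey file opened: {ev['ObjectName']}", eid,
                     ev.get("SubjectUserName", "").lower(),
                     ev.get("ProcessName") or "unknown")
    return None


def detect(lines):
    """Run every non-empty event line through classify() and keep the hits."""
    return [a for a in (classify(parse_event(l)) for l in lines if l.strip()) if a]


def by_source(alerts):
    """Count alerts per source so one host trying several lures stands out."""
    counts = {}
    for a in alerts:
        counts[a.source] = counts.get(a.source, 0) + 1
    return counts


# Constructed events: a normal logon, a normal file read, an attacker on
# 10.0.1.55 trying the honey account over Kerberos and then NTLM, and a user
# opening the honey file.
SAMPLE_EVENTS = [
    "4624 TargetUserName=jsmith IpAddress=10.0.1.20 LogonType=3 WorkstationName=WS-PAYROLL",
    "4768 TargetUserName=DomainAdmin_x IpAddress=10.0.1.55 Status=0x12",
    r"4663 SubjectUserName=jsmith ObjectName=\\fs01\IT\Password List.xlsx AccessMask=0x1 ProcessName=C:\Windows\explorer.exe",
    "4625 TargetUserName=DomainAdmin_x WorkstationName=WS-0042 IpAddress=10.0.1.55 Status=0xC000006F",
    r"4663 SubjectUserName=svc_backup ObjectName=\\fs01\IT\budget.xlsx AccessMask=0x1",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for alert in hits:
        print(f"[{alert.severity}] {alert.reason} actor={alert.actor} source={alert.source}")
    print(by_source(hits))
```

Two design points worth keeping when porting this to a real SIEM: there is no allow-list, because nothing legitimate ever touches a honey asset, so the rule needs no tuning; and failed authentications are the primary signal, not a distraction, since the logon-hours restriction guarantees the account fails. The one case that should page someone immediately is a 4624 for the honey account, which means either the restriction was removed or the lure is mis-scoped.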