Application security, Careers, Incident response, Leadership

Cliché Self-Help, RockYou2021, “Productive Procrastinators”, & Attracting Talent – BSW #220

This week, In the Leadership & Communications articles: Attracting Talent During a Worker Shortage, CISOs Say Application Security is Broken, Three Steps to Harden Your Active Directory in Light of Recent Attacks, Demystifying RockYou2021, & more!

Full episode and show notes

Announcements

  • Security Weekly is more than happy to announce that we will be at InfoSec World 2021 IN PERSON October 25th-27th, 2021! This year, our annual partnership with InfoSec World is extra special, as we are both business units under the CyberRisk Alliance brand! What does that mean for Security Weekly listeners & InfoSec World attendees? You will get to see and hear from many of the Security Weekly team at the event AND you will save 20% off on your world pass! Visit https://securityweekly.com/isw2021 to register using our discount code!

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Hosts

Paul Asadoorian
Founder at Security Weekly
  1. Three Steps to Harden Your Active Directory in Light of Recent Attacks - 1. "A service that uses machine learning algorithms and other advanced detections to detect and block phishing messages and suspicious attachments must be in place in today’s threat landscape.", 2. "First, the local administrator password on each endpoint must be different. Microsoft offers a free solution called the Local Administrator Password Solution (LAPS) to achieve this. Second, you cannot nest domain accounts in the local administrators group to enable easy IT support." 3. "Two of the most common control sets we implement at Ravenswood Technology Group are the concepts of tiered security controls and privileged access workstations (PAWs). Tiered security controls prevent high-privilege credentials from being exposed to higher-risk assets such as client computers where the credentials might be stolen. PAWs isolate the tasks an administrator performs from their day-to-day workstation to a highly secured workstation,"
  2. Demystifying RockYou2021 - "When any breach list pops up, you should check to see if the password you used is a part of it." - Better yet, this should be part of your Attack Surface Monitoring program, which will automatically discover credentials that are part of public breach disclosures, then operationalize it, and feed into your identity management program so that within 24 hours all affected users have passwords changed and established trusts/cached credentials reset.
  3. How To Drive Value with Security Data - Thoughts? "...discuss some of the challenges that we face today with managing all of our security data and expand on some of the trends in the security analytics space. In the third section, we focus on the future. What does tomorrow hold in the SIEM / XDR / security data space? What are some of the key features we will see and how does this matter to the user of these approaches."
  4. CISOs Say Application Security is Broken – Security Boulevard - Oh boy: "In addition, nearly all (97%) of organizations surveyed do not have real-time visibility into runtime vulnerabilities in containerized production environments, and nearly two-thirds (63%) of CISOs surveyed said DevOps and Agile development have made it more difficult to detect and manage software vulnerabilities." A suggestion: "While not security-related, supporting automated testing coverage will help the organization deploy changes in a safer manner and also make patching changes easier to deploy." - I'd argue that this IS security-related.
  5. Ron Gula – Innovation and Emerging Trends in Cybersecurity - "Gula stresses the need for an engineering focus and looking for solutions that can fundamentally change the game rather than just reacting to the latest attack trend. We talk about newer cybersecurity technologies like browser isolation and deception, and some of the companies Gula Tech Adventures is supporting to bring the next generation of cybersecurity tools to market." - What solutions fundamentally change the game for you?
  6. We’re Tired Of Reading Cliché Self-Help Articles - OMG, so much this: "They lure us in with the promise of being healthy, wealthy, or incredibly successful. Each article promises to “change your life” so you can “become a better person.” But more often than not, you’re left with a bitter taste in your mouth because the writer click-baited you just to get a few more views and dollars in their bank account." And this: "Self Improvement is ruined. Like a chocolate cookie, it’s crumbling apart and often doesn’t put the best interests of the reader at heart. It’s become a pitch-fest of courses and digital products to “help you live your best life.”"
  7. You Might Be a Secret “Productive Procrastinator” - I do this more often than I would like: "There are obvious forms of productive procrastination such as organizing your office before you start a project. You somehow convince yourself that the mess will distract you from your work." So true: "It’s spending 1-hour researching fonts as you are trying to revamp your resume. Or working on a 20+ page deck and wasting time looking for just the right image on slide 2. You are working on a task related to the project (yay!), but you are spending too much time on a particular aspect of it that is not going to deliver the right return on your time investment (boo!)." Not bad advice, set aside 15 minutes to choose the style for your presentation (as an example): "Time blocking enables you to think through how much time you want to spend on a task."
  8. How is Automation Helping in Security? - This is one aspect of automation that needs to be highlighted: "Human errors are playing a big role in security." We often do not want to admit that we, as humans, make mistakes. To combat this, automation is important. Computers are AMAZING at following directions; in fact, one could argue they are the best innovation of all time at following directions. This is a good and a bad thing; however, when programmed correctly, computers can help us automate those tasks that are boring but require a high degree of accuracy. What we also need is people on the team who can understand the possibilities that software and automation can bring, and guide that change into the organization and its processes!
  9. Attracting Talent During a Worker Shortage - We really need to adjust this for cybersecurity...
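The controls quoted in item 1 (unique, LAPS-managed local administrator passwords; no domain principals nested in the local Administrators group) and the breach-list check from item 2 can all be audited from one script. The block below is an added example written for these show notes; it is not code from the episode or from either linked article. Everything in it is an assumption or placeholder: the domain NetBIOS name `CORP`, the OU `OU=Workstations,DC=corp,DC=example`, the sample breach list it writes to `%TEMP%`, and the constructed account hashes. It expects an elevated Windows PowerShell 5.1+ session; the LAPS query additionally needs the RSAT ActiveDirectory module and read rights on the legacy LAPS attribute `ms-Mcs-AdmPwdExpirationTime`.

```powershell
# Added example, not code from the episode or from either quoted article.
# Assumptions (placeholders you must replace): elevated PowerShell 5.1+ on a
# domain-joined Windows 10 / Server 2016+ host, the RSAT ActiveDirectory module
# for the LAPS and reset steps, and a breach list of one NT hash per line.
$DomainNetbios  = 'CORP'                                   # placeholder
$WorkstationOU  = 'OU=Workstations,DC=corp,DC=example'     # placeholder
$BreachListPath = Join-Path $env:TEMP 'breach-sample.txt'  # constructed sample, written below

# --- Control 1: no domain principals nested in local Administrators -----------
# Domain Admins is placed here by domain join and is covered by tiering, so it
# is the one domain principal this check does not report.
function Get-NestedDomainAdmins {
    param([string]$Domain)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $_.PrincipalSource -eq 'ActiveDirectory' -and
            $_.Name -ne "$Domain\Domain Admins"
        } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'Domain principal nested in local Administrators'
                Member  = $_.Name
                Class   = $_.ObjectClass
            }
        }
}

# --- Control 2: every endpoint has a LAPS-managed local admin password --------
# Legacy LAPS (the free Microsoft tool the article refers to) stamps
# ms-Mcs-AdmPwdExpirationTime on each managed computer object; an enabled
# computer without that stamp is not having its password randomized.
function Get-LapsCoverageGaps {
    param([string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', 'OperatingSystem' |
        Where-Object { $_.Enabled -and -not $_.'ms-Mcs-AdmPwdExpirationTime' } |
        ForEach-Object {
            [pscustomobject]@{
                Finding  = 'No LAPS expiration stamp; LAPS is not managing this host'
                Computer = $_.Name
                OS       = $_.OperatingSystem
            }
        }
}

# --- Control 3: breached-password check with an optional forced reset ---------
# $Accounts holds objects with SamAccountName and NTHash. In production the
# hashes come from the identity team's replication-based audit tooling; here
# they are constructed so the block runs without a domain.
function Find-BreachedAccounts {
    param(
        [Parameter(Mandatory)] [object[]]$Accounts,
        [Parameter(Mandatory)] [string]$BreachList,
        [switch]$Enforce   # without -Enforce the function only reports
    )
    # A HashSet keeps lookups O(1) even for a list with billions of entries.
    $breached = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in [System.IO.File]::ReadLines($BreachList)) {
        $h = $line.Trim()
        if ($h) { [void]$breached.Add($h) }
    }
    foreach ($acct in $Accounts) {
        if (-not $breached.Contains($acct.NTHash)) { continue }
        $action = 'report only'
        if ($Enforce) {
            # Forces a reset at next logon. Cached credentials on endpoints and
            # any trust that reuses the same secret still need their own reset.
            Set-ADUser -Identity $acct.SamAccountName -ChangePasswordAtLogon $true
            $action = 'ChangePasswordAtLogon set'
        }
        [pscustomobject]@{
            Finding = 'Password hash present in public breach list'
            User    = $acct.SamAccountName
            Action  = $action
        }
    }
}

# Constructed sample data so the breach check can be exercised offline.
# 8846F7EAEE8FB117AD06BDD830B7586C is the NT hash of the word "password".
Set-Content -Path $BreachListPath -Value @(
    '8846F7EAEE8FB117AD06BDD830B7586C',
    '00000000000000000000000000000001'   # constructed filler entry
)
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'alice'; NTHash = '8846F7EAEE8FB117AD06BDD830B7586C' }
    [pscustomobject]@{ SamAccountName = 'bob';   NTHash = 'ABCDEFABCDEFABCDEFABCDEFABCDEF12' }  # constructed, not breached
)

# Expected: one row, for alice, with Action 'report only'.
Find-BreachedAccounts -Accounts $sampleAccounts -BreachList $BreachListPath | Format-Table

# The two domain-dependent checks; run them on a domain-joined host with RSAT.
# Get-NestedDomainAdmins -Domain $DomainNetbios | Format-Table
# Get-LapsCoverageGaps -SearchBase $WorkstationOU | Format-Table
```

Running `Find-BreachedAccounts` from a daily scheduled task, with `-Enforce` only once the report-only output has been reviewed, is one way to meet the 24-hour target in item 2; the first two functions report gaps rather than fixing them, because adding a host to LAPS or un-nesting a support group is a change-managed decision, not something to automate from an audit script.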
Adrian Sanabria
Director of Product Management at Tenchi Security
  1. 3 Ways CIOs Can Embed Resilience in Their Business - It's an important topic, but I'm not sure this article hits the mark. 1 is Secure IT and business alignment. 2 is Create data-driven architecture, and prioritise reskilling, and 3 is To innovate within budget, seek flexible licensing arrangements
  2. Self-Direction 2.0 – How to Successfully Scale a Flat Organization - As larger security teams become more common, I thought this would be an interesting topic to explore - especially considering how important it is for security teams to be agile and self-directed to an extent. This framework, in particular, was interesting: One such mechanism used at Futurice is a 3×2 framework that’s designed to support strategic decision-making throughout the organization and across tribes. The idea is simple: You’re free to make a decision as long as you feel confident that it will benefit your clients, colleagues, and numbers (the “3” component of the 3×2), and that it will do so both today and tomorrow (the “2”). The company collectively articulates objectives and key results but gives its tribes a high degree of freedom in figuring out how to achieve them. Formal rules and processes are out. Instead, to share learning and information across teams and functions, the company encourages active dialogue on Slack and in community gatherings — a minimal approach to coordination that several companies in our cluster refer to as “no nonsense” or “no bullshit.”
  3. Ransomware response: What CISOs really want from the federal government - CISOs want the government to do more! No, less! No, we want them to do something, we're just not sure what! The quotes and responses from CISOs in this article are ALL OVER the place. Still, it's good that we're having the conversation, right?
  4. How to Get Your Team to Stop Asking You Every Little Question - Once you are established as a subject matter expert or just someone with a large amount of experience, it can be difficult to get staff and mentees to make decisions without checking in. While they absolutely can and should ask questions, it can be a nightmare with a larger staff, making it hard to get things done with all the interruptions. There are some important business culture lessons here - like managing expectations with asynchronous chat (no, I might NOT respond immediately) and giving employees the opportunities to safely make mistakes they can learn from.
Jason Albuquerque
Chief Operating Officer at Envision Technologies