Ryan Wisniewski

Security 101: Never hardcode your passwords and/or cert keys into your devices. Lock control maker Chirp might have missed that introduction to security class since they hardcoded their passwords and private keys (no pun, well sort of a pun) into their applications. Chirp made CISA so mad they they were issued their own advisory (see below), as well as earning a "Exploitable remotely/low attack complexity" on CISA's executive summary. "Low attack complexity" means even your grandmother could attack these locks, remotely too. If you are one of the 50,000 households that use Chirp, well, sit by your front door with a loaded shotgun until Chirp fixes this issue. If you aren't a fan of loaded weapons, take a look at the newest Nerf Blasters. If you aren't a fan of Nerf, get yourself a wonderful mastiff dog (or two, very family friendly and protective, just cowards during lightening storms). https://lnkd.in/gQKWQE9t

8

Organization’s struggle with documenting NIST SP 800-171’s 3.3.1 System Auditing, especially when they are using Commercial Off the Shelf (COTS) software or cloud services. Like all of the other As the CMMC Churns Understand the Requirements series, we will walk you through understand the key definitions, the Assessment Objectives, and demonstrate how we show conformity to 3.3.1 System Auditing using SharePoint lists and Azure Sentinel. This Understand the Requirements video will be critical when we get to 3.3.3, Review and Update Logged Events, a THOROUGHLY misunderstood requirement. =============================================== Peak InfoSec Homepage: https://peakinfosec.com As the CMMC Churns Episodes: https://lnkd.in/eVGYGs3g Contact Peak InfoSec for Support: https://lnkd.in/e8sM_2Z3 Email: cmmc@peakinfosec.us =============================================== #cuicon #cmmc #cmmc2 #32cfrpart2002 #32cfrpart170 #infosec #informationsecurity #compliance #cybersecurity #cui #fci #cmmcab #thecyberab #nist800171 #defenseindustry #defensecontractors #defensecontracting #grc #manufacturing #dfars #manufacturingindustry #dib #satellite #satellitecommunications #satellitesystems #managedserviceprovider #msp #managedsecurityservices #mssp #DoD #GovCon #governmentcontracting #SmallBusiness #contracts #contractors https://lnkd.in/entjZARv

11

Known Exploited Vulnerabilities Remain Unmitigated Past Deadlines: - Critical severity KEVS took nearly 4.5 months (137 median days) - High severity vulnerabilities take more than 9 months (238 median days) - Medium severity vulnerabilities take nearly 1.5 years (517 median days) https://lnkd.in/g_RExD96

1

Today begins the Summer of CTEM! This week's installment is a brief overview of Continuous Threat Exposure Management. Stay tuned in all summer as we'll help guide you from the basic concepts all the way through adoption. https://lnkd.in/e_hRdzsm #summerofCTEM #ctem #exposuremanagement #vulnerabilitymanagement #cloudsecurity #applicationsecurity #riskmanagement #cybersecurity #guidepointsecurity #threatmanagement #securityoperations

101

8 Comments

This breach at #GlobeLife serves as a reminder that security isn't a one-time setup — it's a continuous process. Regular audits of access permissions and user identity management are essential. Orgs have to continuously evaluate their security posture to address vulnerabilities before they are exploited.

3

https://lnkd.in/ghNU25zv This summary from NIST is a great place to start in understanding some of the new changes to 2.0. Please note the addition of "Govern" to the classic list of outcomes. Govern: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored Identify: The organization’s current cybersecurity risks are understood Protect: Safeguards to manage the organization’s cybersecurity risks are used. Detect: Possible cybersecurity attacks and compromises are found and analyzed. Respond: Actions regarding a detected cybersecurity incident are taken Recover: Assets and operations affected by a cybersecurity incident are restored. Cytellix®National Institute of Standards and Technology (NIST) Daniel Eliot

10

Hear Ye, Hear Ye! Gather 'Round for the Latest Installment of the LBMC Cybersecurity Sense Podcast: "PCI Monthly Update: Latest PCI News, Requirement 11 Overview, and QSA Insights" Step forth and lend thine ears to this most informative episode, wherein Andrew Kerr, William Parks and myself, the sages of cybersecurity at LBMC unravel the intricacies of PCI DSS v4.0 Requirement 11. Esteemed for its rigorous scanning requirements, this standard is a bulwark in the fortress of data security. Join as the esteemed QSAs share their profound wisdom on maintaining the bastions of compliance. This discourse is not merely an auditory delight but a beacon of knowledge for those navigating the tempestuous seas of cybersecurity. Pray, delay not! Avail thyself of this opportunity to acquire sage advice and remain fortified against the ever-lurking threats of the digital realm. Listen posthaste: https://lnkd.in/gfDTTZaH Equip thyself with knowledge, for it is the sword and shield against the unseen foe! #Cybersecurity #PCIDSS #DataSecurity #Compliance

5

See point #3 from James Berthoty: It's called "Fear of Missing Out" (#FOMO) #Marketing. When #Security folks learn what others are using, they jump in and wanna buy the same product(s), irrespective of their needs. I didn't realize that you can buy #EDR without #FIM and other basic stuff until recently. Forget about FIM, you have to go the AppStore to get #Slack integration, etc. #Platform'ization of security production might be great for sellers, but buyers are getting half baked tools. Sometimes, the budget runs out before you get what you really need! When an Organization is hacked, I wonder why nobody names and shames the tools they were using? 🤔 https://lnkd.in/e9WFdw27

6

1 Comment

According to Verizon's 2024 Data Breach Investigations Report, the exploitation of vulnerabilities as an initial access point for breaches increased by 180% between 2022 and 2023. This surge is driven by zero-day exploits and other vulnerabilities exploited by ransomware actors. The report underscores the need for quick patching, enhanced security awareness, and advanced threat detection. Is your organization prepared for these threats? Remember, CMIT Solutions is your IT resource. #Cybersecurity #DataBreach #Vulnerabilities https://lnkd.in/eJx3KvxE

9

Metrics and CISO Success-What to measure. When I became a CISO for the first time, I was hard pressed to get everyone to agree on a metric for the security team. The customer wanted one thing and my boss wanted another and the reality was sometimes very different. Those first few years I was yanked around a lot, partly from my own doing. I did not take much of a stand.  Until one day a breach happened and it made me snap back to several core measurements. I could make a very long list of metrics ….but I thought I would start with these. What else would you add? So, what metrics matter? Tactical metrics provide quantifiable benchmarks to assess the effectiveness of security initiatives. The time it takes to detect and respond to threats, the number of incidents resolved, and the rate of false positives in threat detection systems provide tangible data on a security team's operational efficacy. These metrics are crucial to monitor regularly, as they directly correlate with the ability to swiftly and accurately address potential threats. Strategic metrics such as risk scores and compliance rates help align the cybersecurity strategy with business objectives. For example, a CISO must measure compliance with industry standards and regulations to avoid penalties and protect the company's reputation. Understanding the risk exposure of various assets allows CISOs to prioritize resources effectively, ensuring that the most critical assets are protected. This strategic alignment between business goals and security protocols is vital for long-term success. Lastly, customer-centric metrics on data security, applicable threat intel, and ensuring the security of any digital transformation initiatives are increasingly important. Tactical Metrics Recommendations: Implement Real-time Monitoring and Alerts: Equip security systems with real-time monitoring to detect and respond to threats instantly, enhancing response rates and reducing damage. Regularly Review and Adjust Metrics: Continually update tactical metrics to stay aligned with the evolving threat landscape, ensuring relevancy and effectiveness. Strategic Metrics Recommendations: Integrate Cybersecurity with Business Risk Management: Align strategic metrics with overall business risk management to ensure cybersecurity efforts support core business goals. Use Predictive Analytics: Apply predictive analytics to anticipate future security issues and optimize resource allocation and strategic planning. Customer-Centric Metrics Recommendations: Regular Customer Feedback Loops: Implement regular customer feedback mechanisms to understand their security perceptions and guide improvements. Transparent Reporting on Security to Customers: Regularly share security updates and audit outcomes with customers to build trust and demonstrate a commitment to data protection. #CISO #CIO #CEO #Cybersecurity #CyberMetrics #cyberoperations

11

3 Comments

As you've probably heard by now, Verizon's 2024 Data Breach Investigations Report (DBIR) just dropped. I'm proud to say that Cyentia Institute was a contributor again this year. I should say "one of the many, many data contributors." I know most people focus on the findings from the DBIR - and they should. But to me, this is the most remarkable and important aspect of the DBIR. I can't think of any other report/project in the #cybersecurity field that can unite all these logos in a common effort of data sharing and analysis. And do it for 15 years! Yes - I know the DBIR first published more than 15 years ago (I was there). But 2010 was the first time we included non-Verizon data from the U.S. Secret Service. That initial step took quite a bit of effort, but then they introduced us to the Dutch High Tech Crime Unit, the Australian Federal Police, London Metropolitan Police...and the dominos kept going. I clearly remember when I got a "yes" from the first private sector IR service provider that was a competitor of Verizon at the time. The execs HATED the idea of sharing the spotlight, but they eventually conceded. And their participation paved the way for all the others you see here. And though I'm no longer leading the DBIR production effort, I'm honored to be one of those logos I started adding so long ago. Also - it's not easy managing all those contributors and datasets. As you review and apply all the insights from this year's DBIR, raise a toast of appreciation to the DBIR team that is dedicated to what they do for the community. Many thanks David Hylender Suzanne Widup Philippe Langlois Alex Pinto #databreaches #cyberrisk

259

15 Comments

The ROI on preventative and proactive cyber security controls increases each day and with each reported breach. Let's hope for Panasonics sake that this one is just chatter and not their reality! Either way it highlights the requirement for increased security defences - DM me if you'd like to know more about exactly what your organisation can do to stay ahead and be prepared in case of the worst case.

2

🚨 Positive News from the NIST NVD Team! 👇 NIST has released a new NVD announcements page + some important updates: 𝗔𝗱𝗱𝗶𝘁𝗶𝗼𝗻𝗮𝗹 𝗦𝘂𝗽𝗽𝗼𝗿𝘁 𝗖𝗼𝗻𝘁𝗿𝗮𝗰𝘁: NIST has contracted additional support to restore pre-February 2024 CVE processing rates within the next few months. 𝗔𝗱𝗱𝗿𝗲𝘀𝘀𝗶𝗻𝗴 𝘁𝗵𝗲 𝗕𝗮𝗰𝗸𝗹𝗼𝗴: NIST is collaborating with CISA to ingest the backlog of unprocessed CVEs to the NVD, with plans to clear the backlog by the end of the fiscal year. 𝗟𝗼𝗻𝗴-𝗧𝗲𝗿𝗺 𝗦𝗼𝗹𝘂𝘁𝗶𝗼𝗻𝘀: NIST is implementing technology and process updates to sustainably manage the increasing volume of vulnerabilities. This includes supporting automation in vulnerability management, security measurement, and compliance. 𝗖𝗩𝗘 𝟱.𝟭 𝗥𝗲𝗰𝗼𝗿𝗱 𝗦𝘂𝗽𝗽𝗼𝗿𝘁: Since May 14, 2024, NIST has been ingesting both CVE 5.0 and CVE 5.1 records, including support for CVSS 4.0 and #purl. 𝗖𝗼𝗺𝗺𝗶𝘁𝗺𝗲𝗻𝘁 𝘁𝗼 𝘁𝗵𝗲 𝗡𝗩𝗗: NIST assures that it remains dedicated to maintaining and modernizing the NVD. 𝗜𝗺𝗽𝗿𝗼𝘃𝗲𝗱 𝗖𝗼𝗺𝗺𝘂𝗻𝗶𝗰𝗮𝘁𝗶𝗼𝗻: Most importantly in my opinion, NIST promises that moving forward they will keep the community informed of their progress toward normal operational levels and their future modernization plans. Only time will tell if these commitments will indeed materialize... #VulnerabilityManagement #InformationSecurity #CyberSecurity National Institute of Standards and Technology (NIST)

65

8 Comments

DoD is already in progress to update DFARS 252.204-7012 to align it with the CMMC audit program. How elegant would it be to simply put a single sentence into DFARS 7012 and the CMMC Final Rule that says : "For contracts with an award date prior to xx/xx/2026, the requirements within 800-171 rev 2 shall apply; after xx/xx/2026, the requirements within 800-171 rev 3 shall apply."

56

6 Comments

Beyond defining alerts & analyst detections, the MITRE ATT&CK framework supports SOC investigations by providing a progression of how an attacker would use certain tactics and techniques. Director of Threat Operations, Carolyn Terranova, sheds insight on this. #SOC #MITRE

29

1 Comment

Passkeys are a leap forward for phishing defense which is why I see more consumer-grade services offering them. Just be sure you have strong backup methods in place, especially when using passkeys to auth multiple services. https://lnkd.in/ewV5WN97

1