Connect with us

Troublemaker CISO

The Troublemaker’s Guide to EVM: A Real-World Perspective

Published

2 months ago

on

Let's cut to the chase. Vulnerability management is a never-ending battle. Sure, we could spend all our time patching every single vulnerability, but let's be real, that's not practical or cost-effective.

Here are some harsh truths about EVM:

  1. The Time Crunch: We don't have infinite resources or time. Maintenance windows are limited, and downtime is costly. Balancing security with business needs is a constant struggle.
  2. The Development Dilemma: Developers are under pressure to deliver features fast. Security often takes a backseat to speed and efficiency.
  3. The Prioritization Puzzle: Not all vulnerabilities are created equal. We need to prioritize based on risk, not just severity scores.
  4. The Network Nuances: Different networks have different vulnerabilities. A one-size-fits-all approach won't work.

So, how do we navigate this complex landscape?

  • Embrace a Risk-Based Approach: Prioritize vulnerabilities that pose the greatest threat to your organization.
  • Automate Where Possible: Use tools to streamline vulnerability scanning, patching, and configuration management.
  • Foster a Culture of Security: Educate your employees about the importance of security and empower them to report suspicious activity.
  • Collaborate with Business Leaders: Work with business leaders to understand their priorities and align security efforts with business objectives.

Remember, cybersecurity is an ongoing battle. Stay vigilant, stay informed, and don't let the bad guys win.

So, if you need more guidance on EVM, here you go. This is based off solid academic research and experience, references included. The guidance does not provide detailed steps as each will be unique to your environment and risk tolerance. 

 Foundational Principles for successful EVM

  • Risk-based approach: EVM must be grounded in a comprehensive understanding of the organisation's unique risks and opportunities. This involves identifying critical assets, assessing threats and vulnerabilities, and evaluating the potential impact of exploitation.
  • Continuous monitoring: The threat landscape is constantly evolving, so EVM must be an ongoing process. Organisations need to continuously monitor for new vulnerabilities, assess their potential impact, and implement timely remediation measures.
  • Prioritisation: Organisations face a constant influx of vulnerabilities, making it impossible to address them all immediately. Effective EVM requires prioritising remediation efforts based on the severity of the vulnerability, the likelihood of exploitation, and the potential impact on the organisation.
  • Collaboration: EVM is not solely the responsibility of the security team. It requires collaboration between security professionals, IT staff, developers, and business stakeholders to effectively identify, assess, and remediate vulnerabilities.
  • Human factors: People are often the weakest link in cybersecurity. EVM should consider the human element, including potential insider threats, the need for security awareness training, and the cognitive load associated with managing vulnerabilities.

Key Practices

  • Asset management: A comprehensive inventory of all hardware, software, and data assets is essential for effective EVM. This enables organisations to understand their attack surface and focus remediation efforts on critical systems.
  • Vulnerability scanning: Regular automated scans help identify known vulnerabilities in systems and applications. Organisations should leverage a combination of internal and external scans to get a complete picture of their vulnerability landscape.
  • Patch management: Timely patching of known vulnerabilities is crucial for mitigating risk. Organisations should establish processes for evaluating, testing, and deploying patches promptly, prioritising critical systems and high-severity vulnerabilities.
  • Secure configuration: Misconfigurations are a major source of vulnerabilities. Organisations should implement secure configuration standards, leverage hardening guides, and employ automation to enforce secure configurations.
  • Vulnerability scoring and prioritisation: Various frameworks and tools help organisations prioritise vulnerabilities based on their severity, exploitability, and potential impact. The sources highlight the limitations of relying solely on the Common Vulnerability Scoring System (CVSS) and recommend considering additional factors such as the availability of exploits, known attacks, and business context.
  • Threat intelligence: Integrating threat intelligence into EVM enables organisations to focus on vulnerabilities that are actively being exploited or are likely to be targeted by attackers. This helps prioritise remediation efforts and reduce the overall risk.
  • Vulnerability chaining: Attackers often exploit multiple vulnerabilities in sequence to achieve their objectives. EVM should consider the potential for vulnerability chaining and implement mitigations to break these chains.
  • Reporting and communication: Effective communication of vulnerabilities and remediation efforts is essential for informed decision-making. CISOs should provide clear and concise reports to executive management and the board, highlighting key risks, remediation progress, and areas requiring further investment.

Frameworks and Standards

The following frameworks and standards provide foundational guidance for EVM:

  • NIST Cybersecurity Framework: This framework offers a comprehensive set of guidelines for managing cybersecurity risks, including vulnerability management.
  • ISO/IEC 27002: This standard provides best practices for implementing information security controls, including vulnerability management.
  • CIS Benchmarks: These provide detailed configuration guidelines for hardening systems and applications, reducing vulnerabilities.
  • DISA STIGs: These offer security technical implementation guides for securing specific systems and applications used by the U.S. Department of Defense.
  • CISA Known Exploited Vulnerabilities (KEV) Catalog: This catalog lists vulnerabilities that are known to be actively exploited, helping organisations prioritise remediation efforts.
  • Exploit Prediction Scoring System (EPSS): This data-driven model helps predict the likelihood of a vulnerability being exploited in the next 30 days, aiding in prioritisation.

Tools and Technologies

The following tools and technologies can support EVM efforts:

  • Vulnerability scanners: These tools automate the process of identifying known vulnerabilities in systems and applications.
  • Patch management systems: These tools automate the process of deploying patches, ensuring timely remediation of vulnerabilities.
  • Configuration management tools: These tools help enforce secure configurations and automate the process of hardening systems.
  • Threat intelligence platforms: These platforms provide access to real-time information about threats and vulnerabilities, enabling organisations to prioritise remediation efforts.
  • Security information and event management (SIEM) systems: These systems collect and analyse security logs from various sources, helping identify potential attacks and vulnerabilities.
  • Endpoint detection and response (EDR) solutions: These solutions monitor endpoint activity and help detect and respond to attacks, including those that exploit vulnerabilities.

By implementing the guidance provided, organisations can establish a robust EVM programme that effectively mitigates risk, enhances resilience, and protects critical assets.

References:

Books and Reports:

  1. Alleman, G.B. and Quigley, J.M., 2024. Risk Management: Managing Tomorrow's Threats. Auerbach Publications.
  2. Baker, D., 2024. A CISO Guide to Cyber Resilience: A how-to guide for every CISO to build a resilient security program. Packt Publishing.
  3. Brown, A.R., 2024. Taming Your Dragon: Addressing Your Technical Debt. Apress.
  4. Chaput, B., 2024. Enterprise Cyber Risk Management as a Value Creator: Leverage Cybersecurity for Competitive Advantage. Apress.
  5. Chaput, B., 2021. Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM). Clearwater.
  6. Centre For Cyber Security Belgium, 2015. Cyber Security Incident Management Guide. Centre For Cyber Security Belgium.
  7. Hampton, J., 2014. Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposure, and Seize Opportunity. AMACOM.
  8. Herrmann, D.S., 2007. Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI. Auerbach Publications.
  9. Hyslop, M., 2007. Critical Information Infrastructures: Resilience and Protection. Springer Science+Business Media.
  10. Küfeoğlu, S. and Akgün, A.T., 2023. Cyber Resilience in Critical Infrastructure. CRC Press.
  11. National Research Council, 2014. Leveraging Two Decades of Experience in Cybersecurity. The National Academies Press.
  12. National Research Council, 2009. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. The National Academies Press.
  13. Steinberg, R.M., 2011. Governance, Risk Management, and Compliance. (Publisher information needed for complete citation).

Journal Articles and Websites:

  1. Brooks, A.W. and John, L.K., 2018. The Surprising Power of Questions. Harvard Business Review Magazine, [online] Available at: https://hbr.org/2018/05/the-surprising-power-of-questions
  2. Clinton, L., Higgins, J. and van der Oord, F., 2022. 2023 Director's Handbook on Cyber-Risk Oversight. National Association of Corporate Directors (NACD), [online] Available at: https://nacdonline.org/insights/publications.cfm?ItemNumber=74777
  3. Deloitte, 2015. Tone at the top: The first ingredient in a world-class ethics and compliance program. [online] Available at: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-tone-at-the-top-sept-2014.pdf
  4. Drew, C., 2023. 25 Negativity Bias Examples. Helpful Professor, [online] Available at: https://helpfulprofessor.com/negativity-bias-examples/
  5. Dunn, G., 2023. 2022 Year-End Securities Enforcement Update. [online] Available at: https://www.gibsondunn.com/2022-year-end-securities-enforcement-update/
  6. Lipton, M. et al., 2018. Risk Management and the Board of Directors. Harvard Law School Forum on Corporate Governance, [online] Available at: https://corpgov.law.harvard.edu/2018/03/20/risk-management-and-the-board-of-directors-5/  
  7. McCoy, K., 2017. Target to pay $18.5M for 2013 data breach that affected 41 million consumers. USA Today, [online] Available at: https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/  
  8. Mendro, J.J., Tulumello, A.S. and Hilborn, J.H., 2019. Recent Application of Caremark: Oversight Liability. Harvard Law School Forum on Corporate Governance, [online] Available at: https://corpgov.law.harvard.edu/2019/08/16/recent-application-of-caremark-oversight-liability/#more-120953
  9. Micheletti, E.B. and Lindsay, R.M., 2021. The Risk of Overlooking Oversight: Recent Caremark Decisions From the Court of Chancery Indicate Closer Judicial Scrutiny and Potential Increased Traction for Oversight Claims. Skadden, Arps, Slate, Meagher & Flom LLP, [online] Available at: https://www.skadden.com/insights/publications/2021/12/insights-the-delaware-edition/the-risk-of-overlooking-oversight
  10. Needleman, S.E., 2022. Twitter's Ex-Security Head Files Whistleblower Complaint on Spam, Privacy Issues. WSJ, [online] Available at: https://www.wsj.com/articles/twitters-ex-security-head-files-whistleblower-complaint-on-spam-privacy-issues-11660422044 .
  11. Seets, C. and Niemann, P., 2022. How cyber governance and disclosure drive business value. Harvard Law School Forum on Corporate Governance, [online] Available at: https://corpgov.law.harvard.edu/2022/10/02/how-cyber-governance-and-disclosure-drive-business-value/.

Standards and Regulations:

  1. American Bar Association, 2020. Model Business Corporation Act Annotated (fifth ed.).
  2. CIS Benchmarks. (Publisher and date information needed for complete citation).
  3. CISA Known Exploited Vulnerabilities (KEV) Catalog. Cybersecurity and Infrastructure Security Agency (CISA), [online] Available at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog [Accessed 17 October 2023].
  4. DISA STIGs. Defense Information Systems Agency (DISA), [online] Available at: https://public.cyber.mil/stigs/ [Accessed 17 October 2023].
  5. Exploit Prediction Scoring System (EPSS). Cybersecurity and Infrastructure Security Agency (CISA), [online] Available at: https://www.first.org/epss/ [Accessed 17 October 2023].
  6. Federal Information Security Management Act (FISMA) of 2002.
  7. Food and Drug Administration 21 Code of Federal Regulation Part 11.
  8. Health Insurance Portability and Accountability Act (HIPAA) of 1996.
  9. Homeland Security Presidential Directives (HSPDs).
  10. ISO/IEC 27001:2022.
  11. ISO/IEC 27002:2022.
  12. ISO/IEC 27034-1:2011.
  13. ISO/IEC 27036.
  14. ISO/IEC 29147:2020.
  15. ISO/IEC 30111:2019.
  16. ISO/IEC 30111:2020.
  17. ISO/IEC TS 27034-5-1:2018.
  18. NIST Cybersecurity Framework. National Institute of Standards and Technology (NIST), [online] Available at: https://www.nist.gov/cyberframework [Accessed 17 October 2023].
  19. NIST Special Publication 800-30, Revision 1. Guide for Conducting Risk Assessments. National Institute of Standards and Technology (NIST), 2012.
  20. NIST Special Publication 800-37, Revision 2. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. National Institute of Standards and Technology (NIST), 2018.
  21. NIST Special Publication 800-39. Managing Information Security Risk. National Institute of Standards and Technology (NIST), 2011.
  22. NIST Special Publication 800-53, Revision 5. Security and Privacy Controls for Federal Information Systems and Organizations. National Institute of Standards and Technology (NIST), 2013.
  23. NIST Special Publication 800-61, Revision 2. Computer Security Incident Handling Guide. National Institute of Standards and Technology (NIST), 2012.
  24. NIST Special Publication 800-137. Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. National Institute of Standards and Technology (NIST), 2011.
  25. NIST Special Publication 800-207. Zero Trust Architecture Standard. National Institute of Standards and Technology (NIST), 2020.
  26. New York State Department of Financial Services 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. New York State Department of Financial Services, 2023.
  27. Sarbanes-Oxley Act of 2002.

Court Cases:

  1. In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).
  2. Marchand v. Barnhill, 212 A.3d 805 (Del. 2019).

Other:

  1. The People’s Law Dictionary.
Related Topics:
Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

CISO Blog

The Scourge of Vulnerabilities and Our Ever-Vigilant Duty

Published

4 days ago

on

January 14, 2025

By

Hold onto your hats, folks! We're diving headfirst into the murky waters of cyber vulnerabilities—a relentless scourge that’s as persistent as the Monday morning blues. In a world where everything and everyone is connected, staying vigilant isn’t just a best practice; it’s a downright necessity.

Let’s face it: vulnerabilities in our digital systems are the gifts that keep on giving—to cybercriminals, that is. Nobody wants to hear that their latest software update shipped with a gaping hole just begging to be exploited, yet here we are, playing an eternal game of cybersecurity whack-a-mole.

The problem is simple: as technology evolves, so do the avenues for attack. Every new feature, line of code, or interconnected device is a potential weak point waiting to be discovered. Don't get me wrong—I love new tech as much as the next person, but security needs to evolve with it, preferably at twice the speed.

Think back to the headlines: massive data breaches, ransomware attacks, and even critical infrastructure takedowns. These aren’t just abstract incidents happening elsewhere; they’re reality checks demanding our constant attention. And with the Internet of Things (IoT) ushering in a tech revolution, we’re adding new devices faster than ever, increasing our attack surface exponentially. Who knew your smart toaster could be the weak link in your home network’s defense?

So, what’s the takeaway here? Vigilance, cloud partners, is key. Ensuring the security of our systems isn’t a one-time affair—it requires ongoing diligence and a proactive approach. Here are some golden nuggets to keep in mind:

  1. Patch, Patch, Patch: It sounds like a broken record, but timely updates and patches are your first line of defense against newly discovered vulnerabilities. Outdated software is a cybercriminal’s playground.
  2. Comprehensive Monitoring: Keep tabs on your networks and systems with robust monitoring tools. The sooner you detect an anomaly, the faster you can respond before it snowballs into a crisis.
  3. Security Education: Arm your workforce with knowledge. Regular training sessions, phishing simulations, and awareness campaigns should be part of your innate company culture. The more your people know, the less likely they are to be the unwitting door-opener for an attack.
  4. Zero Trust Approach: Treat every connection as a potential threat. Implement identity verification at every access point and minimize trust zones within your network.
  5. Incident Response Plans: Like a fire drill, everybody should know what to do when the alarm sounds. A well-rehearsed incident response plan can mean the difference between a minor hiccup and a major meltdown.
  6. Community Sharing: The cybersecurity community thrives on collaboration. Sharing intelligence about vulnerabilities and attack vectors can help us bolster defenses collectively. Be part of the conversation.

In this age of rampant connectivity, imperfections are the norm. Vulnerabilities will exist, but our approach to managing them dictates whether we become sitting ducks or remain at the forefront of defense. The threat landscape is ever-changing, but so too is our capacity to adapt, innovate, and strengthen our digital fortresses.

As guardians of the cyber realm, let’s commit to not only recognizing the challenges but rising to meet them head-on. Our vigilance today is an investment in the security of tomorrow. Stay sharp, stay aware, and remember: in cyberspace, complacency is not an option—it’s a liability. So gear up, troubleshooters, and let’s keep our networks safe and sound. Another day, another battle—let’s win it together!

Continue Reading

Troublemaker CISO

Silly Thoughts Lead to Epic Failures: The Cybersecurity Circus of 2025

Published

5 days ago

on

January 13, 2025

By

Welcome to the wild world of cybersecurity in 2025, where organizations are still finding new ways to trip over the same proverbial rake, all while the mainstream media sensationalizes each breach like it’s the latest blockbuster hit. You’d think by now that companies would realize the door isn’t just wide open; it’s practically got a neon sign flashing “Welcome, Hackers!” with an arrow pointing straight to their data vaults.

Let’s face it: sometimes, a silly thought leads to an epic failure—but sometimes, it’s the absence of thought that gets us into trouble! Just the other day, I stumbled upon a report about Company X getting breached through a poorly coded API. I mean, seriously, folks? It’s like someone threw caution to the wind and thought, “Hey, why not push this disaster to production? What could possibly go wrong?” Sure, hindsight is 20/20, but you can bet that the attackers didn’t find that open API just lying around; they probably spent ages scouting it like some kind of digital treasure hunt.

We defenders know the drill. There are countless layers of security designed to keep the bad guys at bay, but let’s be real: the only guarantees in life are death, taxes, and the fact that there is no such thing as a truly secure system. Period. Now, imagine this scenario: our crafty attacker finds that golden API and begins their meticulous exploration. We throw around terms like “lateral movement” and “privilege escalation,” but really, it’s no different than watching a fox in the henhouse.

Once they’ve sniffed out the jewels—your personal information, trade secrets, whatever they can turn into cash—they start assessing those defenses in what can only be described as a ruthless game of chess. They poke, they prod, and they wait to see how we react—like military strategists plotting their next grand operation, because let’s be honest, they want those spoils without ending up in a shiny orange jumpsuit.

Now, let’s talk about the fallout for the CISO, who likely spent months if not years building up their defense strategy only to find themselves in epic trouble the moment things go south. If the breach is public enough, CISO could find themselves facing the axe, their name dragged through the mud while everyone wonders how they let this happen. But let’s not forget: if the CISO did their job right (and wasn't slacking off), they probably have documentation proving they rang the alarm bells and recommended necessary investments. Spoiler alert: leadership doesn’t necessarily prioritize funding for these recommendations—those discussions rarely make the headlines.

What happens next? After signing a gag order—oops, I mean a mutual separation agreement—the CISO walks away with a nice little cash settlement while the rest of us roll our eyes. Because here’s the kicker: most breaches are far from “point-and-click” attacks. The more sophisticated ones involve years of planning and a deep understanding of corporate networks, not just random DDOS attacks meant to annoy.

The chilling reality is that information security departments are stretched thinner than ever, expected to be omnipresent and all-knowing while facing tighter budgets, a shrinking workforce, and an ever-evolving tech landscape. It’s a high-wire act that would leave any seasoned performer with their heart in their throat.

So, as we continue to navigate this crazy cybersecurity circus in 2025, remember this: the stakes are high, the threats are real, and while we can acknowledge that silly thoughts lead to epic failures, we must also ensure that we’re all pulling our weight to mitigate the inevitable risks. After all, in the digital realm, ignorance is not bliss—it's a recipe for disaster. Now, I’d love to chat about this more, but that might just be NSFW!

Continue Reading

Troublemaker CISO

Welcome to 2025 – Buckle Up!

Published

2 weeks ago

on

January 6, 2025

By

Well, well, well, here we are—2025! A shiny new year sprawled before us like a blank canvas, and we’re already buzzing with the inevitable chaos that awaits. If you thought 2024 was a wild ride, just wait until you see what’s in store this year. Spoiler alert: the cyber landscape isn't getting any calmer, folks!

First off, let’s take a moment to acknowledge just how far we’ve come. The technology we have today is nothing short of astonishing. We’ve got AI chatbots that can compose symphonies, drones delivering your takeout, and smart everything—sure, your fridge might know what you want for dinner better than you do. But with great power comes a whole lot of responsibility… and vulnerability.

With every awe-inspiring leap in technology, we’ve injected ourselves with a healthy dose of risk. Cybercriminals are sharpening their tools, adjusting their tactics, and, let’s be honest, getting more creative by the minute. We’re not just dealing with the usual suspects anymore; we’ve entered the age of sophisticated attacks from state-sponsored hackers, rogue actors, and even the dark web's most twisted minds. Killware, ransomware-as-a-service, and all sorts of nasties are part and parcel of our relentless digital reality.

So as we step into this new year, it’s time to double down. If you’ve been sitting complacently in your comfy chair, expecting everything to just work out fine, now’s the time to snap out of it! You need to be proactive—this isn’t just about protecting your organization; it’s about safeguarding lives and livelihoods.

Let's talk about your security posture. If your cybersecurity strategy still consists of a firewall and a hopeful wish, then you’re sleeping at the wheel. We need to re-evaluate everything—start conducting those penetration tests that keep everyone on their toes, implement zero-trust architectures (if you haven’t already), and remember: audits aren’t just an annual exercise; they’re your ticket to staying above water.

And don’t forget the importance of awareness and training. Your teams are your first line of defense, but they can only do their jobs if they know what to look for. Launch those phishing simulations, run educational campaigns, and challenge your employees to be the ever-watchful guardians of your organization’s crown jewels.

In 2025, let’s not just react but anticipate. Embrace intelligence-sharing with other organizations—I can already hear the groans, but seriously, it’s a must! The cybersecurity community is stronger when we work together, learning from each other’s successes and mistakes.

As we toast to the possibilities that lie ahead, let’s commit to shattering the complacency bubble that seems to loom so heavily over the industry. We’ve got challenges ahead, but that’s the nature of our game. Let’s tackle them head-on, with courage, creativity, and, dare I say, a little bit of swagger.

So here’s to 2025—a year for the bold, a year for transformation, and a year for kicking complacency to the curb. Let’s make it one for the books! Now, get out there and secure that digital frontier like your life depends on it—because in this game, it just might. Cheers!

Continue Reading

Trending

Copyright © 2017 Keller Holdings