Vulnerability Management Concerns by Role Type

Have you ever thought about what kind of data/intelligence you may need with regards to vulnerability management? It tends to vary at levels of abstraction based on the audiance, but don’t think the person doing the patching may not be considernig upwards or that someone in a C level position won’t care about the zeros and ones (life doesn’t work that way!)

Anyway I was talking to a friend and came up with these so thought I’d share them with the world. Have I done a decent job? can you think of others? How do you measure and report? What are your concerns?

Let’s take a look at what I came up with (this wasn’t a very long time in the making 😉 )

Education

Infrastructure Penetration Testing Realities

Penetration testing is just like being a cybercriminal, right?

Honestly, it feels weird writing this, however I feel there’s a real issue with penetration testing and some myths that (for understandable and obvious reasons) exist in some people’s minds. So I’ve taken to trying to explain to people what an external penetration test actually entails in the real world of business. So here goes!

Leadership

Board Level Security Metrics

Everyone always asks what are the best security metrics to have? The answer is simple to me, use metrics that are valuable to your business governance and decision-making processes! Easy right.

Not so easy in real life right!

Education

Creating a tracker and dashboard for Cyber Essentials

I was talking to a friend about a requirement to “measure” cyber essentials compliance. Now if you know a thing or two about standards and applying standards to complex technology environments you might come up with:

Can’t we just script a checker?
Don’t we have all the audit data in the *checks notes* 1000 inventory systems we have?

Well sure, you could write a massive set of rules which ignore any context and try and cater for a huge number of different scenarios. You could use the Q&A approach as well (which is how the standard workbook works anyway so that already exists). But let’s say you are an IT manager, and you want to KNOW how your environment stacks up!

The question is simple, it’s easy to ask, look:

“How compliant are we against Cyber Essentials?”

Guides

Cyber Essentials Readiness

So, you have a driver to achieve cyber essentials, great stuff. Now if you are a business of reasonable size and scale this activity requires a bit of planning, context and lots of access and data. This could be via a distributed team or via a dedicated project team. In this post I’m going to look at what you may need to conduct the planning, discovery, assessment, and certification for Cyber Essentials and/or CE+.

Leadership

Tabletop: “you have 400 servers; 800 users and your…

CISO Tabletop Scenario Intro

I thought it would be fun to explore what people do with regards to Cyber Securityleadeship, budgets, contraints and realities of business change. So here’s a blog post to supliment my thread on twitter:

MrR3b00t | #StandWithUkraine #DefendAsOne on Twitter: “Tabletop: you have 400 servers, 800 users and your cyber security budget is 100K…. what do you do? https://t.co/Nw0Pd7rH8L” / Twitter

please note: the list below is based on experiance, it’s also a list I made whilst drinking about half a cup of tea so it’s not complete or “the answer” it’s just some observations about an approach I advocate.

Leadership

Why do “we” suck so badly at digital security…

Everything is fine until it’s not

I’ve been travelling to different organisations and visiting different networks for a while and whilst each organisation is unique (they really are) their operating models, technology challenges and weak security postures generally aren’t as unique as the organisational itself.

One thing that does spring to mind however is that there is a massively common pattern we find with organisations.

Those that invest well have better postures, better technology experiences and an improved security posture.
Those that don’t historically invest well, well they have quite the opposite:
- They don’t train staff
- They have very weak postures
- They carry an extraordinary volume of business risk

One thing that is common though, is that all of this tends to link to financial investments, so executives and boards usually have some idea if they are spending or not in this space, what they commonly don’t have a good view on is they getting what they “thought they were buying”. Sadly, too often what they assumed was “in the box” with the “IT provision” with regards to quality and cyber security just simply isn’t the case. Everything is fine, until you look… then it’s less than fine! So, what can we do about it?

Leadership

Cyber Realities: Impacts of Cyber to Business

Introduction

This post stated out as a technical post about commonalities found in the field that vary based on business operating model, IT capability and vectors used by threat actors. Whilst writing this it led more into business leadership, governance and investment risks. How do these two subjects’ interface? Well to be honest they are the same thing from a different lens.

In this post we are going to look at:

Common Technology Deployment Models and the associated threats/risks/vulnerabilities
Common challenges I find in organisations
And finally, a question… is this the business outcome that you want

Architecture

The difference between what can be vs what often…

I’ve travelled all over the internet, I’ve worked with logs of organisations from banks through to small ISVs and one thing I would say is fairly universally true. What can be isn’t what is.

There’s a lot of different operating models and technologies in the world. There’s logs of differen’t specifics. This diagram here is not mean’t as a refrence architecture but more as an indicator.

There is also a massive reality people must understand, cyber good most definatley costs more at the point of deployment than cyber bad. Cyber bad’s ROI is truly variable and in mind mind is too hard to measure. For one org with cyber bad can experiance a significant breach (and cost) and another may have lady luck on their side.

Defense

I’m the CEO, why should I care about Cyber…

Introduction

First and foremost, I’m going to start by saying if I include any cliché quotes it’s probably in an ironic context or used to show how they aren’t practically useful. Why are we here? Well, based on the title, it’s because you are either a CEO/MD or you are in a leadership position and want to learn a little more about cyber security.

I’m sure you have read the news, I’m sure you have seen vendor adverts explaining something like:

Zero Trust
The Security Skills Gap
How phishing can be solved through security awareness training (pro tip: it can’t)

And I’m sure someone on your LinkedIn feed you have seen people exclaim all kinds of crazy things like:

TLS Weaknesses Lead to Ransomware
Security is Simple (it, I’m afraid, is not)
Managed Security Service Providers ensure security