Cybersecurity Incident Response Handling and Preparation

Unsecurity Podcast

Brad cohosted this week with our VP of Ops, Renay Rutter. The two of them will take a deep dive into the world of a cybersecurity incident response — since we’ve seen so many of them lately. Tune in to learn more about how to properly prepare for an incident and how to handle one once it does occur.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: Good morning. This is the Unsecurity Podcast, episode 18. Today is March 11 and we are here very, very early. Uh, of course I’m your host for the day, Brad. And today it’s gonna be a little bit different. We made Evan leave. He’s going to uh take vacation and Marla made us promise not to give him a call-in number. So instead we have a special guest host. Say hello,

[00:00:49] Renay Rutter: hello.

[00:00:50] Brad Nigh: So our guest host this week is our VP of Ops, Renay Rutter. It’ll be interesting. I’m not sure what I’ve gotten myself into.

[00:01:00] Renay Rutter: You know, you really aren’t either. Um, I for that matter,

[00:01:04] Brad Nigh: it’s fun. We’ll figure this out as we go. It won’t be any different than normal. Of course not. All right. So one of the things we’ve been talking a lot about is all these incident responses we’ve been seeing. And uh, so we wanted to talk a little bit more about being prepared. What happens when it happens to you. So this is gonna be the first in a series around incident response programs. Um, as Evan says on the show notes or I put together it’s going to be riveting. Um, so

[00:01:33] Renay Rutter: I like how you say. Riveting cybersecurity incident response can be very riveting. It

[00:01:39] Brad Nigh: can be riveting if you’re not the one on the receiving end. Trying to go through it. If you’re kind of watching and observing it it can be pretty interesting. So true. So true. So Renee I guess to start um you’re your experiences can be different than evident myself, you’re more of a business background than the actual information security. So I’ll tell a little bit about maybe your experience with incident response and information security is all

[00:02:07] Renay Rutter: sure. Well I will say you’re right, I’m talking with me is not going to be anything like dogging with you guys. I’ve listened to your podcast by the way, if you’re going to do a pop quiz and ask me if I’ve listened. I have listened. Um and even last week in particular, but you guys are pretty witty with your comebacks. Um I’m not gonna be able to keep up with the geek talk but I am awkward. So I do, you know, tend to fit in just fine with with your type. But to give you um, in all seriousness, some background. Um I have kind of played at the high responsibility level um in most of my roles. Um Just by nature I would like to be in the middle of things. I’d like to make decisions and um my background has just led me to high technical jobs. So I’ve been in the software industry, the legal industry, health care and IT, and most recently in health care IT with a large insurance company. So my exposure to understanding security, IT, how they play together with the business and how to make decisions sometimes um on the spot and most of the time hopefully planning. So you’re not on the spot.

[00:03:17] Brad Nigh: That’s good. Yeah, I think that you’re going to hit a little bit there with a good incident responses is you’re planning ahead so that you’re not going to be able to play it for everything. But if you plan ahead, you at least have an idea of what what you’re going to be doing in certain situations and you can glean from that if you’re in a new one. So

[00:03:37] Renay Rutter: yeah, it’s like plan ahead. So you can anticipate what someone else is expecting or looking for or experiencing and then being able to have an appropriate response to assure them that you know things you know can get resolved or you know at least have faith in what your recommendations are to do. So

[00:03:57] Brad Nigh: yes, you’re just hoping for the best.

[00:04:00] Renay Rutter: Always hoping

[00:04:01] Brad Nigh: for this. I wanted to thank you for helping out. And mostly the listeners, thank you for not making them listen to me talk for an hour straight.

[00:04:11] Renay Rutter: That could be that could be pretty brutal. I understand.

[00:04:13] Brad Nigh: Yes. So you mentioned you listen to the podcast. So that’s good. Um kind of get an idea of how this goes. Which is it just kind of goes, we have a kind of just a and outline and then it just you know, you know evident myself. It it kind of just goes off on tangents,

[00:04:33] Renay Rutter: sometimes it goes off on track. So I’m going to fully expect that. That’s ok if that happens here.

[00:04:39] Brad Nigh: Yes. Um so I guess the other thing we should talk about is what is your role here at FRSecure?

[00:04:48] Renay Rutter: Um Good question. Yeah so I’ve been hanging out with you for about six months, six months and a week to be exact, yeah, time flies right

[00:04:56] Brad Nigh: when you’re having this

[00:04:58] Renay Rutter: much fun. It is fun and you guys talk about how much fun you have in security and I’ve always had fun in security as well. So yes, so my role as Vice President of Operations, going back to my nature of wanting to know that things are operationally running smoothly on the inside of an organization, just lands me in the guts a lot of times, which is why a lot of background in IT and operational things. So here um operations means um the entire consulting consortium if you will. So um all of you, the consultants that work with our clients, as well as in a technical capacity, as well as in, you know, vulnerability assessment consulting. So the entire team um uh is my responsibility in addition to the project management that goes along with that and most recently um our HR and IT practices and programs.

[00:05:48] Brad Nigh: It’s a little bit of the analyst wrangling and dan issues. We cause

[00:05:54] Renay Rutter: analyst wrangling and looking out for the customer right customer satisfaction in the end fixing a broken industry has far reaching um implications.

[00:06:03] Brad Nigh: We don’t always Get the right fit at first and try to find the right one okay. Um so when we start we’d like to do a recap of the week the previous week. Um is there anything you would like to start with to share about what what stood out to you last week? What did you do or what happened that was yeah special or

[00:06:27] Renay Rutter: you know, I forgot I was going to be asked this question. So last week I’m always so in the moment forward thinking, but last week um I don’t know I got to spend a lot of time thinking big picture and got to spend some time with you and we did some planning and looking forward to how our last few months went and what the next few months are going to look like and hearing about how involved you’ve been in helping our customers directly with incident response um planning really our program around what that’s gonna look like in the future. So uh you know I found that really rewarding to get kind of into the guts. It’s just what what I like about my weeks.

[00:07:05] Brad Nigh: It is nice. Uh you mentioned we had a kind of a half three quarter day planning session uh and yeah from my perspective where exactly where you’re just in the moment, go, go go to kind of sit back and take that moment to look forward and also look back and say, okay, what did we get done? Where are we at? Okay, what do we need to do next?

[00:07:31] Renay Rutter: Right. What did we learn? Right. That also ties to incident response? Right? Because you can plan better when you look past and say we don’t want to experience this again. So what do we do differently? So we get a different outcome this time?

[00:07:43] Brad Nigh: It’s a nice, it’s a nice change of pace. Yeah, I agree. So from my standpoint, we had that obviously, but more incident responses and this is not a repeat from the last like five weeks. Um we had another, another incident response come up where it was actually a repeat. They didn’t follow any of the recommendations and uh, surprisingly

[00:08:06] Renay Rutter: so disappointing and unfortunate. Right?

[00:08:09] Brad Nigh: Well, and yeah, this is a pretty fairly unique situation and they’re fairly relatively new. Um, 80 staff, it’s got a lot of mess to clean up and unfortunately just wasn’t able to get it done. So we’re in the process of digging a little deeper now and trying to figure that out. So yeah, one thing I do want to mention uh from our marketing department, so they don’t yell at me because that’s no fun, is we have Hacks and Hops coming up. This is going to be on March 28th from 2 to 5 at Day Block Events Center in Minneapolis and you can go to hacksandhops.com to register and buy tickets. Uh, get appetizers and beer and networking and a keynote panel. I don’t know who the speakers are going to be though.

[00:08:58] Renay Rutter: Well, you know, what’s cool about this one. What I do know is that it’s going to center around the discussion around vendor risk management. And so when you talk about incident response, you talk about your relationships with vendors and how you manage those and where that risk is and how that fits in the big picture of having a good security program. I think it’ll be fun. Especially since our panel now will include some of our customers. That’s, that’s

[00:09:20] Brad Nigh: pretty cool. So the panel is going to be Todd Thorsen who’s the information security risk Management and compliance senior manager at code 42 Melinda Ramble stone, vice presidency. So at probation, Medical and Aaron Brown the CTO at sea change. So it’s a pretty good uh, panel right there.

[00:09:40] Renay Rutter: As, as john says, those are the cool kids.

[00:09:42] Brad Nigh: Those are the cool kids. So, uh, make sure you listen, we’ll give you the, Or as you’ve listened, Gosh, you can tell I’m reading it and it’s really early. The special promo code for 50% off is insecurity. So on the website it says listen, there’s your code insecurity gets you 50% off tickets

[00:10:01] Renay Rutter: insecurity. Okay, I’m

[00:10:04] Brad Nigh: telling all my friends unless I mess that up and then I get yelled at by marketing, but that’s okay. Um And one last piece of housekeeping. Uh We love it when you get you do. Yeah man.

[00:10:16] Renay Rutter: Can I start over nervous?

[00:10:18] Brad Nigh: No, I’m just tired. It’s this time change, your life savings. Yeah. Was could not wake up this morning. Um Try this again. I want to remind you to contact the show. Um We do like it, it’s really helpful. Like you said, we like to learn and improve. Um So you can email us at unsecurity at protonmail dot com if you’d like to be a guest on the show, email us, or you can contact Evan or myself on Twitter. Evan is at Evan drake had seen and I’m at at brad and I. So there you go. All right, there you go. Now we go. So what we’re going to talk about today is just at a high level the phases of an IR plan. Get the business side of it on how these go, what what’s actually involved. Um And then if we have some time we’ll talk about some news stories, but this is gonna be interesting. You know, you know, you are a seven like they say a normal person. Um So not an information security professional. So this would be a good, good conversation. Uh huh. Yeah, we’ll see. We’ll we

[00:11:21] Renay Rutter: will see. Yes.

[00:11:22] Brad Nigh: All right. So I guess we’re gonna start with, as a business professional, as the business side. If you, you know, when I come to you and I say, hey, are you ready to talk about our IR plan? When you hear IR plan, incident response plan, what is the first thing that comes to your mind?

[00:11:40] Renay Rutter: Well, if you talk about me first of all, it’s like, well I hope I have one. Right? Um And then it’s what does it look like? Right. Was it thorough? Has, you know, have we talked about it lately? You know, um have we tested it? You know, you tied to bigger things like business continuity or disaster recovery? Right. So the first thing I think of is where is it, kind of put my fingers on it, and is everybody I know that I need know about what their roles might be. Right. Roles and responsibilities are probably pretty key at an IR

[00:12:10] Brad Nigh: plan. That’s a big one is wins. Yeah. When’s the last time it was reviewed? When do we look at it last who’s what’s changed in the environment since the last time we talked about it?

[00:12:23] Renay Rutter: Well and I will also say it’s not just an IT responsibility, right? Know my history, it’s been very much an IT responsibility. So it tends to have that the technical bend and through through my most recent years it was okay we have to understand that that technical band carries so much further. Right, What’s the brand awareness? What’s the communication with customers? And so it’s just so much more than just that technical preparedness

[00:12:51] Brad Nigh: really is. I think one of the biggest things that we see that isn’t in there is well we’ll talk about it in the preparation but yeah it is not getting that organizational wide by in not having a team that is yeah I our team is what city they’re going to respond to the virus, they’re going to respond to this.

[00:13:12] Renay Rutter: Exactly. And so what what happens though the minute somebody will say oh it will respond to this everyone else as they hear about especially at an executive level you get some sense of panic. Well what about this? What if this happens where am I going to tell? So and so. Right

[00:13:25] Brad Nigh: yeah or the I think what I’ve seen also is well it’s a nice thing and they check out that too and then and now it is struggling going well I don’t know what do I what order do I restore it in?

[00:13:39] Renay Rutter: Yeah, the IT is focused on the the behind-the-scenes heroship, if you will, get it working again. But it’s not always about getting it working again. It’s about what’s the process of doing that and how do we continue to protect ourselves and prioritize, prioritize message to the customers and, you know, all the people in the rest of the organization that will be asked about what’s going on. What are those messages? And you take an IT response to what the message should be. And then you need a little synthesis

[00:14:08] Brad Nigh: right translation

[00:14:10] Renay Rutter: some translation in there and actually find that role fun. That’s where I’d like to sit a lot.

[00:14:16] Brad Nigh: I think you know speaking of you definitely have helped clean up some of my writing because I do I try to be pretty good about not getting too deep in the weeds me when I go. What’s that mean? Yeah that’s when I’m like oh darn

[00:14:29] Renay Rutter: it, explain it so I can get it because if I can get it anybody can get it.

[00:14:33] Brad Nigh: Yeah I tried to do a pretty good job but yeah it definitely works because you do get the technical side of it. But I also have that more business focus. Um Have you been through an incident at you know one of your previous organizations or jobs?

[00:14:49] Renay Rutter: Um To me incident is a lot of things and absolutely um of a major magnitude shut down a company. Absolutely not. Um But certainly um some scarce And some um what would you call it? 10 gentle um response. Um just because of the nature of being in the health insurance industry, somebody else gets breached. Um you share

[00:15:12] Brad Nigh: a lot of you better

[00:15:13] Renay Rutter: figure out what you need to understand if you’ve been exposed in any way. So from that regard. Absolutely yes.

[00:15:19] Brad Nigh: So when you did that did you feel like you when those came up and you were trying to figure it out. Did you feel like you had a good plan at that point or world?

[00:15:27] Renay Rutter: Actually I felt we did have a plan. Um but it never has all the elements that you wanted to have in. And there’s always that nuance that makes this time different or that compliance factor or regulatory nature that you have yet another person to answer to on how you are addressing it right? Not just responding to a potential incident outside of your walls, but how are you responding and preparing? Should that penetrate your walls

[00:15:56] Brad Nigh: indirectly? No, I think that’s a good point and we do talk about that in the phases. Is that follow up and that lessons learned and that’s one of the key things for any plane disaster recovery. Business continuity incident response plan is are you sitting down and people hate the term postmortem. But you know maybe that follow up that lessons learned stays where everybody involved gets together and actually goes through what happened and what could we do to fix it? And what do we need to add to a plan?

[00:16:26] Renay Rutter: Yeah. And you know, with my IT bend for, you know, a good 56 years uh specifically in a highly regulated industry, there’s postmortem is just the way it is. You’re constantly reviewing and looking back and looking at what you’ve learned and what can be done differently, constantly.

[00:16:43] Brad Nigh: You would think. Not always, I’ve seen lots of places where it’s like move on, we’re done there. We figured it out. We survived. Yeah. All right. So now we have painful a painfully awkward silence according to the notes, but we won’t do that. Um So when we put together an IR plan and and all the phases that are included, we’re gonna go very high level today. Probably focus mostly on, you know, just talking through what each of those phases includes. But um you know, when 17 gets back and he and I geek out and go into details, but we’ll get the business side of it and just talk about a high level, make sure that that the normal people get it.

[00:17:25] Renay Rutter: Okay, well I’ll keep you honest.

[00:17:27] Brad Nigh: Here we go. All right, so phase one is preparation and I think we’ll we’ll go through the phases real quick and come back. So phase one, preparation; phase two is identification and assessment; phase three, containment; phase four is investigation; phase five, eradication and recovery; and phase six is follow-up. So, you know, all of those are obviously important parts, but none of them will be successful without phase one being given the right time and effort put into it to start.

[00:17:59] Renay Rutter: What do they say? Plan to work and work the plan? Yeah,

[00:18:03] Brad Nigh: so much so so when we look at our incident response uh template, you know, we talk through what’s included. One of the first things we do that we don’t see a lot is uh defining an incident what what qualifies as an incident. How do you know if you’re going to initiate this plan or not? So you know, from our standpoint, obviously this is just some best practices from our side, but when we look at it, it’s a violation of an explicit or implied security policy. So do you have good policies? Well, you know, we talk so much about how information security all ties together. We’re talking about incident response plans were now saying our first thing that’s an incident is we have a violation of policy.

[00:18:48] Renay Rutter: So what’s an example of a security policy?

[00:18:50] Brad Nigh: So you could have, you know, acceptable use is probably the biggest one from a user standpoint has access to what, who’s allowed what our users allowed to do. Um you know, it could be a user installing software that wasn’t approved, it could be going to a website that’s not approved.

[00:19:09] Renay Rutter: It could also be what access you might give your customers or vendors. Right. What’s their policy, security policy and how they access your information or your

[00:19:18] Brad Nigh: systems could be trying to think through like uh it will access control policy. That’s a big one. Do we find out that? Oh gosh, everyone has full access to the share that has critical healthcare records in it? We have we have an incident. So um talking about versus is Yeah, that violation of a policy. So we need to go back and make sure we actually have a policy attempts to gain unauthorized access to a information resource. So when we look at an information resource we have to define that that’s defined in a policy and people talk so much like why do we have to have policies? So

[00:20:00] Renay Rutter: what’s an information resource?

[00:20:01] Brad Nigh: Spread information resource? Uh So the way we define that would be really any computer, any uh data asset. So file share could be in a database server, workstation. It’s really just a way, kind of a catch-all, to say IT something

[00:20:22] Renay Rutter: you want to protect

[00:20:23] Brad Nigh: right? It could be an information resource, could also be paper records as well. So it’s really how you define it. But yeah typically when you think information resource is going to be your servers workstations, your data assets and physical paper records.

[00:20:38] Renay Rutter: So you see his theme here, this is this is for the listeners benefit. This is kind of how our days go working together, brattle talk about something and I’ll say well what’s what’s that, What’s that? So you know I might ask a few more questions. It’s helpful though.

[00:20:52] Brad Nigh: Oh no it’s absolutely it’s great. I actually enjoy it because because I do tend to go and think a certain way and that’s not normal so that’s okay. It’s good quiz time for you. So it is keeps me on my toes um so attempts to gain unauthorized access. What could that be? Well it could be, you know, invalid login attempts could be um failures on the file share for somebody trying to get HR records. So it could be any of those types of things uh, denial of service to a information resource. So that would be a denial of service attack, taking it down, making it unavailable. So it really ties back to the CIA triad confidentiality integrity availability of information security offer take away one of those three legs we have an issue. So this one is related to are the resources available when we expect them to be available

[00:21:46] Renay Rutter: and is the person who is supposed to be monitoring that availability, doing their job?

[00:21:55] Brad Nigh: Um, so denial service, I think the most common ones since we’ve been, you know, looking at the interior responses we’ve had lately is ransomware, You know, technically, yeah, those servers are still there but their ransom, those resources are not available to the business. So

[00:22:12] Renay Rutter: talk to me about ransomware, I mean, so what is the an executive here from the right person when ransomware happens? What’s the message? What happens? You know, they look in their email or somebody’s on their doorstep? So we have a ransomware situation, does that mean?

[00:22:26] Brad Nigh: What that means is that you’ve gotten malware on your system that has changed the file extension and locked you out of your files until you pay a ransom. Some of them do have uh decryption available so you could bypass it and recover the majority that I’ve seen. Do not. So your options are at that point recover from backup or pay the ransom and hope for the best and statistics about getting your files back after you pay or not. Great. I don’t know off the top of my head.

[00:23:00] Renay Rutter: So the better route is cross your fingers at your last backup is great

[00:23:05] Brad Nigh: pretty much, or avoid it in the first place. That would be the best part. Um So I look at unauthorized use of information resources, so what could that be? Uh You know, I think one example that um I’ve had personally was we had a help desk technician that set up a tor server under his desk using the network for torrenting games and movies.

[00:23:33] Renay Rutter: So no malicious intent. Just maybe wanting to capitalize on the company’s network. Not expecting to expose them.

[00:23:43] Brad Nigh: Yeah, just not thinking

[00:23:46] Renay Rutter: correct, not thinking about the performance management opportunity. Right.

[00:23:50] Brad Nigh: Yeah. That didn’t when we found that didn’t work out that didn’t work out for him. Um But you know, what are some others, you know, I think you know, Bitcoin mining, that could be a big one. All right. I’m gonna make some money and the company electricity bill um running a company, your own business for profit. We’ve seen that where they’re running you know an Ebay shop or some sort of web shop but they’re doing all their stuff at work really. So they’re not doing their job, they’re making money on the side and getting paid by the company. Some examples there that could be a

[00:24:27] Renay Rutter: that goes off that goes against core principles, right? As an organization, you have established core principles which you also talked about right? And I want to be great if everybody kind of adopted some of the similar thinking that we’ve gotten out there, they’re you know, they’re pretty standard kind of do the right thing um principles. But when you have when you’re screening and recruiting employees and retaining employees and and helping grow them, it’s there’s some basics there that get completely missed when situations like this happen.

[00:24:55] Brad Nigh: Yeah. Yeah. I think. Yes I know. Um So unauthorized modification of information that could be people changing records. Falsifying records, modifying things that they shouldn’t. Um You know, from a banking perspective this is sort of along the lines of like the embezzlement, you know uh changing payroll. Uh you know There’s a lot around that one.

[00:25:26] Renay Rutter: So I would think coming from a software industry to that it can be unauthorized procedures on releasing code and making code changes

[00:25:36] Brad Nigh: who made this change,

[00:25:37] Renay Rutter: did it open up some information, you know and make it vulnerable. Yeah.

[00:25:44] Brad Nigh: And then the last one, and this one is kind of a big one, loss of confidential or protected information. So if we identify it, doesn’t matter how, somebody emailed it, somebody had it on a USB that got lost. If we knew there was confidential or protected information, it immediately triggers the incident response

[00:26:05] Renay Rutter: plan. So that one happened a lot in my history. But that’s you know from an executive standpoint or management. Whatever people fill up their briefcase before they leave every night and they take it home or when they travel they come back the next day and they’re either leaving a laptop unattended or forgotten or even if a briefcase is lost or stolen you have paper records and if you’re in certain industries you’re going to have information on there that should not be in anybody else’s hands. So even educating management and leadership about carrying around that you’re putting the company at

[00:26:40] Brad Nigh: Risk. We had one um assessment for health care. They had a lot of remote workers, we’re talking about, how do you dispose of the paper records or whatever? And do you prevent people from printing remotely? So, no, they need to be able to print, but we’ve trained on, they train them. How do you? Okay, well, whenever they have, they have a box at their house full of these printed-out medical records that they bring into the office to shred and they were very proud. I was like okay uh so is this a locked box or is this just no, no, just like a paper box that they stack them and when it gets full they bring it in. How did they transport it? Just in the back of their car, in the front seat of their car. Did they ever leave it unattended in a parking lot or do they leave their car unlocked at any time during this? And you could just see like the color drain and like, do you know you’ve, if you’ve lost any information? You don’t have any idea, that that’s totally out of your, your control.

[00:27:46] Renay Rutter: Exactly. And then you think about the shredding and destruction companies and what has actually happened when a truck hearing documents for shredding is somehow in, in an accident or whatever. And uh I actually am aware of files of health records blowing across North Dakota Because of some a situation like that, right? You can’t control everything right? Nothing is 100% secure but awareness is

[00:28:13] Brad Nigh: important for so a first step for it in such a response is understanding what is an incident. Very, very riveting stuff here.

[00:28:25] Renay Rutter: Are we still in Phase one preparation? We’re

[00:28:27] Brad Nigh: yeah, we’re just getting started. So I’m gonna talk through at a higher level now. So roles and responsibilities that we have to define, that’s the next big one and this comes back to policy too. We have to define roles and responsibilities. It’s like the, you know in an emergency situation. If you say somebody call 911, nobody will call. But if you point to someone and say you call 911, they’ll call 911. Exactly. It’s the exact same thing here? We need to have somebody responsible and understand this is your role, This is what is expected of you and have it defined so that they can come around and and actually um you know do do these things. So if we declare an incident, what are we doing?

[00:29:16] Renay Rutter: Right? And it’s not just the front line, who is responsible to do this thing or this task? Right? It’s at all levels in the organization knowing what your role is. Um who is the need to know group, right and containing it. Um so that when it is shared that is shared thoughtfully and intentionally And understanding again, who is that decision maker? Because when you say someone call 911, nobody wants to be the someone unless you say it’s in the playbook playbook is a key term. Right?

[00:29:47] Brad Nigh: And so that goes, the first role we define is incident response commander. And that’s exactly, and the first responsibility is to seek approval from executive management for administering the incident response program. So we’re saying right off the bat, tie in executive management. This, you, you are the incident response commander. It is your responsibility to work with executive management. You are the go-between from the people doing it and management, and getting that buy-in to run this

[00:30:21] Renay Rutter: and having a fresh awareness of what to do when they are contacted because you don’t experience hopefully an incident every day or even every month even every year. And executive roles can change. Right? Um Or just the, well what is the plan? Where do I find this plan? Is it didn’t keep a copy at home? Um where do I go to find it? And who do I check with again? What my role is? You have to practice and review

[00:30:46] Brad Nigh: regularly. It’s never ending. So we talk about the incident response commander um an incident response team. So that’s really going to be you know the incident response commander is their responsibility. Another one is to actually assemble a team. Now a lot of times this is going to be your IT group which is your team itself. This is where they’re gonna be looking for the signs of a compromise on the network. They’re going to be looking at log files. So it is a little bit more of a technical side of this. But I think you still need to have some sort of a uh business wide tie in on your incident response team. You need to have contacts across the organization.

[00:31:34] Renay Rutter: Yeah, well, a good incident response team has the IT security, right? You have legal and then you have communication, write some of this representing that, and compliance. Um you know, just the customer themselves, operations, you really need a representative sample across the organization to get past that thinking that this is just an IT issue or a security issue. When I was largely focused on IT it included security. By the year I left the organization they finally pulled security as an organization out and reporting to a C-level other than a CIO, which is huge for the organization and visibility for the security

[00:32:14] Brad Nigh: industry. It really is. I think that's a big, big change we're starting to see. Evan's talked about it, we've talked about it on this before. There's an inherent conflict of interest between the CIO and security. Right? It just is what it is. But yeah, getting it through, uh, somebody else. Although we've seen security go through the chief marketing officer, and that didn't work so well.

[00:32:44] Renay Rutter: I was gonna say sales and marketing don't want a lot of boundaries either. Right? So security is, you know, the bad guy in the organization, but at the same time it's revered, and it can be the hero role too. I mean, look at just the mission we have as a company. People look to FRSecure to help with security programs and give them that guidance. That's really a powerful position to be in. And you take that responsibility seriously, as in any organization, understanding and respecting the different roles that everybody brings to the table. So security may have their thing, but it needs to understand what that means and where their responsibility lies, right. Marketing needs to understand that. Everybody needs to understand how to work together. That's what a good plan is, and a good playbook.

[00:33:31] Brad Nigh: Yeah, yeah. And I think, kind of tying into that, the most successful ones that I've seen, obviously you can be successful anyway, but typically going through, you know, the CEO or even a chief legal or, you know, chief counsel, legal, whatever that term is. Um, those two seem to be the best equipped to support security

[00:33:54] Renay Rutter: and every organization is different. Sometimes you see CEO or CEO, it just depends on the, you know, the culture of the organization. Even sometimes. Yeah,

[00:34:04] Brad Nigh: but typically not. CEO can be, but not always. So what we've talked about, that's just the introduction. That wasn't even phase one. That was just setting the

[00:34:16] Renay Rutter: stage. Planning is so important, Brad. It is so important. So if I kept us on that subject, I would say my experience is that it's been key, right? Make sure you know what you're doing when you have to do

[00:34:27] Brad Nigh: it. Yeah. And I

[00:34:28] Renay Rutter: hope you don’t.

[00:34:29] Brad Nigh: Right. Yeah. So that's our introduction to an incident response plan. Um, you know, we can go more in depth. But I think what I'll do at this point is save that for Evan and save you the pain of listening to me talk about the

[00:34:46] Renay Rutter: incident.

[00:34:47] Brad Nigh: Yes. I could probably

[00:34:48] Renay Rutter: keep up, though. I'm feeling pretty pumped. All right. Oh, you don't have to do it. We don't have to, no. So a few more steps will

[00:34:55] Brad Nigh: help. So, all right, in that case, let's talk about preparation, that's phase one, what is included at a high level. So what we're looking at in preparation is talking about establishing logging and alerting, uh, monitoring practices. Ideally we want to set the stage so that if something happens, we can be alerted to it quickly and identify where it's coming from and what the impact is going to be. So we talked about going through, um, you know, logging and alerting, and what all do we want to include in that. Yes, everything.

[00:35:38] Renay Rutter: So I have questions about that. So I can talk about this because I remember what it's like to have whatever the solutions and services and programs are that you can get for logging and monitoring, right? And then the goals become, how long does it take you to even detect something and stop it before it gets too far? And all those are great things in preparation. Right. But I will add, and you know, it's very important: what is the investment it takes to be able to put those things in place, to prepare? You need to prepare your financial investment, right? The company's commitment to having the resources to follow this through, the talent of those resources, and developing it, and sometimes paying a high price to make sure you have that talent. Um, so investment is really key to preparation, because you can have the best intentions in the world to do logging and monitoring and catching these things. But if you don't have the team, or even some of those tools, you're only going to

[00:36:33] Brad Nigh: get so far, you're not going to be able to do it. And you're like, that's just not realistic.

[00:36:38] Renay Rutter: Yeah. And that's a strategic discussion at a high level of the organization, to invest in this like an IT investment or like an investment in a sales team. You have to understand what a good security program investment requires.

[00:36:52] Brad Nigh: And I think, uh, you know, we talk about when we start with an assessment, we tell people, hey, you know, realistically, this is your first one. You're gonna probably spend more over the next two or three years than you've spent on security in the last 10. Oh, for sure. And why is that? Well, we're going to tell you all the things that you need, including logging and alerting and updates and things like that

[00:37:16] Renay Rutter: and having the policies documented and reviewed and plans pulled together, that takes time and resources. I remember the security team at the insurance company I was at, in the middle of growing from an eight-person security team to a 40-person security team within a few years, but that included everything, like the logging and monitoring and provisioning of things, and that changed over time. But strategically that's a major commitment in an organization, to be hiring that kind of talent

[00:37:44] Brad Nigh: well, and one of the things that people maybe struggle with is, um, yeah, is justifying that and understanding that. Well, we're going to be, you know, whatever, 90,000 for this software solution, for this logging and alerting, for whatever it is. We haven't had an incident. So why am I spending that money?

[00:38:07] Renay Rutter: Right. So that's the exercise of business impact and risk assessment, and, you know, you know the drill, right? And what's the economic sense of doing this? What's the risk?

[00:38:18] Brad Nigh: Right? Yeah, and again, tying back is, how do you get business to do that? Traditionally that seems like that's been an IT focus, or that's been pawned off on IT to figure out and do this.

[00:38:34] Renay Rutter: I have faith, though, that that's changing. It is a major seat at that table, right? But I have faith that business, because of the breaches that are seen out there and because of the impacts that you see happening to other businesses, nobody wants that to happen to them too. They don't want to be in that group, and so you see more and more interest. There's still that gap between the IT security mind and the business mind, and how to make the right decisions and not feel like, you know, talked over, right? That's the thing. You caution, right, when you're talking security, and if business doesn't fully understand what that is, it's harder to make that investment and say, yeah, I get it. I just want us to be secure. I don't want to have things that happen. You need to have a good conversation there, and that's a talent in itself, to find people who can sit in those chairs.

[00:39:25] Brad Nigh: It's a challenge, especially. Yeah, from personal experience, a lot of times that's just seen as a cost center, not as a positive. It's like, you guys don't provide any value to the organization. Why are we spending more money?

[00:39:44] Renay Rutter: You know what, I'd venture to say, though, even you in your role over the years have come to understand that, and when you are sitting in a position where you get it technically and you feel so passionate about helping the next guy understand it, you've, you know, you've learned not everybody thinks like you think, and you've learned how to, you know, change the language and speak on somebody else's terms, right? That's called relations, and the more you do that and other people like you do that, the closer we are to fixing the broken

[00:40:12] Brad Nigh: industry. And I think part of it, with a good example, mobile device management. You know, we were looking at it and it was going to be whatever, $10 a device a month, came out to be whatever, $12 a year. Well, they're like, well, that's ridiculous. What are we doing that for? Okay. Because we don't know, you've got all this information. All right. How do I make them understand it? And, you know, it's not the best study, but the Ponemon study, which is kind of the biggest one that's out there about the cost of a breach, it says, you know, $245 per record. So it was like, all right, how many records do we have? Okay, let's take 10% of that. If we have mobile device management and it prevents one breach over the next 12 years, it's paid for itself. Right, a single breach is going to cost 12 years of this. Oh,

[00:41:12] Renay Rutter: okay. Like it’s expensive to do

[00:41:14] Brad Nigh: business. It is, but I think that's finding what the trigger is for the business to understand, and kind of get their attention to listen, versus just being like, whatever, you're just asking for more money. So, all right, so part of this preparation: logging, alerting and monitoring. So three different pieces: logging, we're collecting it; alerting, we're actually triggering on suspicious activity, anomalies; and then the monitoring is going to be the human or automated, uh, follow-up on those alerts and just checking it out. So there you go, logging, alerting and monitoring, high level. Very exciting. Actually, follow that. See, we tried to do that. Then there's reporting, um, we've got all kinds of stuff in reporting, we'll go into that a little bit more. But really you're identifying at that point to say, if this happened, this is the incident type. Do I have to report it? Who do I report it to? And then what time frame? So this could be internally, this could be a breach. So you have to notify the OCR for healthcare records, or the PCI Council for credit card records. So you have to have all that defined, because what happens if you identify a breach and don't report it properly? Especially the regulatory

[00:42:40] Renay Rutter: oh, sure, government contracts, they have very specific time frames of when it must be reported.

[00:42:46] Brad Nigh: So you miss those, and yeah, that's not good. That goes badly for you. So, all right, I think we'll wrap that up there. So we kind of went through preparation a little bit: logging, alerting, monitoring, reporting. Renay, still awake? That's good. All right, we're talking about some news very quickly and then we'll wrap this up. Um, there was a Chrome zero-day that was out there. Google is saying update right now, so if you have not updated your Chrome yet, this came out on March 6th, so it's been about five days, update right now. That's a pretty significant, um, exploit.

[00:43:26] Renay Rutter: Yeah, now a good IT and security team would already have this automatically installed, correct?

[00:43:33] Brad Nigh: Well, they would have the ability to. So a lot of times with patching and vulnerability management you'll do a test group and then push it to everyone, because it can break things. I've been in places where we updated a version of IE and it broke the core functionality of a critical business app.

[00:43:51] Renay Rutter: That was a constant struggle in my past as well. You've got patching, and the security team insists on that. The infrastructure team is like, but wait, no, this is going to break, or the application development team is trying to get some software released, now that just changed everything. So it's a careful orchestration of balancing risk and the timing of patching in an organization

[00:44:13] Brad Nigh: huge. And there's certain ones like this one where you maybe would patch your test group, give them a day, and then patch everyone else, maybe give them two days. But typically, you know, you would patch on a monthly basis at least.

[00:44:27] Renay Rutter: Well, and insert the proper vigilance if you're in a test situation too, from a monitoring standards

[00:44:33] Brad Nigh: or are there other mitigating controls you could put in place to stop that? We've seen it with IDS and IPS, until you can properly, uh, test it. Um, so the next one. Uh, so the first one was from a variety of sources, I just used, uh, the Naked Security blog from Sophos for that. Second one is again from nakedsecurity.sophos.com: companies are flying blind on cybersecurity. So this one was not surprising whatsoever to me, but it was interesting to see the numbers put out there. Um, so what does that mean

[00:45:13] Renay Rutter: exactly? Flying blind on cybersecurity.

[00:45:16] Brad Nigh: So they were saying they have no idea. Uh, so yes, that's blind then. Yeah, so they were saying, um, Sophos said they did, uh, quiz organizations, 3,100 IT managers around the globe, anywhere from 100 to 5,000 employees. 60% of the companies had been hit by a cyber attack in the last year. Um, they can't see what's happening on the endpoint. So 37% only discovered when they hit servers, 37% are detected on the network, and 17% of IT managers didn't know exactly how long the threats had been out there. So that's pretty bad.

[00:46:01] Renay Rutter: That’s where good intrusion detection tools are really critical.

[00:46:07] Brad Nigh: And they said organizations spend 48 days every year investigating incidents, and 15% of these turned out to be malware. So we're looking at 41 days a year investigating non-issues. So let's talk about, why are we running around in our headless chicken mode, which I like. So a lot of it comes back to that incident response plan. Do we have the tools in place so that we're not? 41 days is a significant amount of time.

[00:46:37] Renay Rutter: I wouldn’t want to fly blind for 41 days

[00:46:39] Brad Nigh: just trying to figure out what’s going on. So uh, have a good incident response plan in place, have the right tools in place. Um, and hope for the best.

[00:46:51] Renay Rutter: So, you know, sometimes that can be really overwhelming when you think, you know, we just say it, it's almost flippant, right? Have a good incident response plan. How do you know you have a good incident response plan? So I was

[00:47:00] Brad Nigh: looking through it, I think you've gone through it from start to finish with organization-wide buy-in, you do an incident response test, a tabletop with different varieties, business units and the different team members, and you have lessons learned,

[00:47:18] Renay Rutter: Do you talk to others outside the organization, or, you know, people like FRSecure, I suppose, and somebody who's had the experience before that maybe has the lessons learned, and tap on that. There's probably organizations that you're part of where you can say, hey, how do you handle these things? Sometimes that can get you a lot further than trying to reinvent the wheel.

[00:47:40] Brad Nigh: Absolutely. That's a good point. Um, you know, I think looking at, um, industry organizations, whether it's, you know, ISACA, ISC squared, one of the local chapters of the, you know, was it the minute of the

[00:47:55] Renay Rutter: s S.

[00:47:56] Brad Nigh: C. A. Or whatever. Yeah, whatever it is. So the one, well I’ll get yelled at um

[00:48:03] Renay Rutter: you’re going to yell at me for anything so far. No

[00:48:06] Brad Nigh: okay. No, I'm just saying, well, I didn't have to talk straight for an hour. So yeah, there's all kinds of resources out there. Yeah, starting from scratch, reinventing the wheel, is a nightmare, especially with something of this degree.

[00:48:21] Renay Rutter: Well, just because of the nature of feeling a little bit vulnerable and insecure, boy, great word choices, right? Um, when you're trying to build a plan like this you really do want to know that you can lean on some other people who maybe have some more experience, and shouldn't, um, shy away from that. Nobody has to be the "I'll just figure this out myself." A good plan will have lots of inputs.

[00:48:44] Brad Nigh: Yeah, and I think what you'll find, at least my experience has been, once you reach out to someone, even if it's another IT group or some sort of, you know, whatever, when you reach out looking for assistance or asking a specific question, you're not alone, and all of a sudden it's like being the first person to ask opens the floodgates, and you just start getting all the comments and conversation going.

[00:49:11] Renay Rutter: You feel more supported and reassured that, okay, this must be the right thing to do, because there's others that have some input.

[00:49:18] Brad Nigh: So awesome. Good. Last story, this was a couple of weeks old at this point, but, um, I thought it was appropriate given the topics. Uh, "Payroll Provider Gives Extortionists a Payday," this is on Krebs on Security from, um, February 23rd. Apex Human Capital Management suffered a ransomware attack over the weekend. Um, 4 a.m. on Tuesday the 19th, they had been infected with ransomware. Excuse me. Uh, so they took everything offline, they were working through it, um, and they ended up having to pay the ransom. They hired two different firms to look into it, and both of them said you're going to have to pay. They wouldn't say how much it was, but the issue, and this is what we mentioned earlier, they paid the ransom, but the decryption key didn't work, uh, as promised. So it broke all kinds of directories. Many executable files were inoperable, so it's just no fun being in that situation. They paid a ton of money and are still having all kinds of issues with an outage. Um, so I did like the tips on the bottom of the Krebs page. So, patch early and often. So ransomware, you can count on that, yeah, it's gonna exploit known bugs. Disable RDP, remote desktop protocol, especially over the internet, do not make that available. It is going to get hammered. Um, filter your email. Isolate mission-critical systems and data, so network segmentation, only the things that need access can have access.

[00:51:15] Renay Rutter: These are all great topics for future podcasts

[00:51:18] Brad Nigh: Yeah, we'll talk through a lot of this as we go through it. Back up your key files and databases, making sure you have solid backups and you're testing your backups. The worst time to find out you have a corruption, or you didn't get what you thought in a backup, is when you need it. Um, and then disable macros in Office. So I think that's a big one, and then enable controlled folder access. Uh, so creating rules around executable files in, um, local user profile folders. So don't allow those executables to run, and you know, AppData, LocalAppData, ProgramData, Temp, all, etcetera. And the other big one, I think, is, uh, turn off local administrator for your users.

[00:52:05] Renay Rutter: Right. That's a hard one for the users to accept, at least, you know, the geeky ones, you know, I want to do it myself, I know how to do it. Why can't I?

[00:52:15] Brad Nigh: Yeah, trust me, because that's the one thing I think people maybe don't realize on ransomware: it's only going to encrypt what the user has access to. It's, you know, the user context it's running in. So a laptop gets infected, it's just a regular user that only has read access, the damage is going to be limited there. If they have full access to the file share, it's gonna be on all of it anyway. That was a good one. All right. Well, I think we will wrap that up, so thank you, Renay, for filling in for Evan, and Friday insights

[00:52:51] Renay Rutter: Well, and you know, it actually was more fun. I was kind of nervous, and so I insisted on getting my coffee. But here's the good news. How many steps did I take during this? Maybe two. So see, it was riveting. At least for me, it's fine. So you have to

[00:53:05] Brad Nigh: Have fun. All right, well, that is it for episode 18 of the Unsecurity Podcast. Evan will be back next week. He went out to RSA on Friday, uh, and hopefully we'll probably have more IR stories. But secretly I'm kind of hoping not. Um, and again, don't forget to register for Hacks and Hops using, uh, our super secret promo code of Unsecured security. So send your suggestions and questions to us at unsecurity at protonmail dot com. And thank you.