April 19, 2021

The Cyber Rants Podcast

Episode #25 - CISO As A Service

Companies are turning to Virtual CISO and CISO as a Service providers for help as cybersecurity requirements continue to grow. Some see CISO as a service value, while others might not consider it important. Is hiring a vCISO always the right option? What are the pros and cons? How do you find a good one? This week the guys answer these common vCISO questions and more.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber security criminals and now here's your hosts mike rotondo

zach fuller and lauro chavez and we're back for the cyber rants podcast thank you for joining

us this is your co-host zach fuller joined by mike rotondo and lauro chavez and today we are

talking about virtual csos or some called cso as a service but before we dive into that deep topic

uh mike you want to kick us off the news linkedin confirmed that it was not a victim of data breach

we there was a message or messaging out there that linkedin had been hacked apparently they have

formally denied that the recent disclosed data leak was caused by a security breach

uh data that was was obtained was via web scraping which whatever uh anyway they they're saying they

didn't get rich how ransomware gangs are connected sharing resources and tactics apparently they're

starting to create cartels uh many don't realize that they're often interconnected some of the

gangs behind the ransomware campaigns that we read about have established relationships being

in league with each other in league with each other they use shared data league sites and in

some cases shared infrastructure fbi arrest man to kill seven man for planned to kill 70 of the

internet an aws bomb attack i don't think the guy understands how the internet works but anyway the

guy tried to blow up the internet and aws uh aws data center in ashburn virginia um

just in time for tax season watch out for this w-2 phishing scam targeting the 2021 tax season

apparently there's a email that will go out to you to some people saying you can download your

tax return here from onedrive it is a forum that has embedded macros that will basically

steal your identity microsoft has busy april patch tuesday with zero days in exchange fixes

uh they release patches for 110 security holes 19 of those classified as critical

88 considered important the justice department announces

authorized effort to disrupt exploitation of microsoft exchange server vulnerabilities

uh this is kind of an interesting one because the courts authorize the fbi to go ahead and

fix the exchange servers that hadn't been patched altruistic sure the problem is they did it without

notice to any of the companies that they fixed and they're still trying to track down those

companies they fixed and let them know that they actually did fix them now you should have patched

the exchange server when all that came out i'm not sure how i feel about the fbi going in just

randomly updating servers for you microsoft patches for more critical exchange server bugs

um again microsoft just is having a bad week update your chrome browser to patch two new

in the wild zero day exploits google continues our problems coveted related threats powershell

attacks lead to malware surge power trojans along with solarwinds compromise and continued spread

of sunburst malware were major contributors to a massive spike in the number of observed attacks

in the wild during the last half of 2020. this is staggering mcafee said the tax averaged 588 per

minute in uh q3 and q4 q4 actually was higher than q3 was 648 per minute ran square attack caused a

supermarket cheese shortage in the netherlands this had me very sad uh they apparently um

a distributor got hacked and they were unable to deliver cheese in in the netherlands for almost

a week fireeye has 650 new threat groups were tracked in 2020 um continues to grow um mandiant

experts investigating intrusion that involved 246 distinct threat groups organizations faced

intrusions by four named financial threat groups six named advanced persistent apt groups including

groups of the nation states of china iran and vietnam and 236 uncharacterized threat groups

so it's bad out there uh intelligent reports four nation po four nations pose serious cyber threat

to the us this is a kind of like slap your face palm one uh it's china russia north korea and iran

big surprise but that comes from the odni global attacker dwell time drops in just 24 days that's

uh quite an improvement um 59 organizations detected attackers with their own environments

over the period over the period a 12 percentage point increase on the previous year so that's good

attackers target proxy log and exploit to install crypto locker uh crypto cryptojacking can be added

to the list of threats that face any unpatched exchange servers that remain vulnerable to the

now infamous privacy log on exploit um they're now using a monero crypto miner for that and that's

all the uh headlines laurel thanks mike blowing up the amazon data center huh yeah real smart idea

yeah um somebody's been somebody's been watching fight club a little too much i think exactly okay

anyways uh for exploitation this week uh we've only got a couple things uh

most importantly though is going to be jquery again i've been talking about this for a while

one of the libraries that i commonly see in my pin testing work that organizations are failing

to keep updated as part of their software delivery and continuous uh patching and scanning programs

they're missing the jquery libraries that are you know doing a lot of horsepower work for

the website so so make sure you're you're updating those this is going to be the third or fourth week

um that i've seen various types of attacks for jquery one um and this week we've got two more

uh from an independent tester for cross-site scripting using jquery which which could end

up being pretty harmful depending on where you're pulling your library from or if you're hosting it

and the other one this this week is really uh forget simple cms if you're not familiar with that

the smtp compact plug-in uh has a remote code execution for it which is pretty serious so if

you're using git simple make sure that you're uh upgrading away from that contact plugin

and that's pretty much it for this week in exploitation just remember if you can't

exploit it is it really vulnerable the question of the century will we ever know the answer

i thought it was at the center of like a lollipop of some kind or something i don't know

i'm pretty sure laurel and i have been at the at the forefront of some of those wasted efforts of

trying spending hundreds and hundreds and hundreds of man hours trying to fix something that was not

exploitable because some manager decided that it had to be done all the wisdom

yeah that's that's that's a word for that sure what was that one i don't know there's some hack

that came out a couple years ago you actually had to have physical proximity to the server

in order to hack it so you know working for a very large company with secured data centers

who's going to hack it who's going to actually have physical proximity to it and then

that anyway the admin whatever yeah get a real admin you got bigger problems yeah because

he's going to he's going to exploit that server you know instead of using his admin password so

yeah i guess you've never seen mission impossible tom cruise in action it could happen

uh or swordfish yeah you have to have 16 displays and a chair that lays all the way back in order to

in order to get the hydra yeah yeah you can't you can't find the hydra without at least

six 27 inch monitors no way right and halle berry helps true story well

the topic of today speaking of great wisdom is virtual c cell or cso as a service

and before we dive into it too deep let's just start with an overview of what it is basically

what happens is when small or emerging companies start growing they inevitably reach a point where

they say hey we need some we need to do something about cyber security we have technology now

we have customer data we have systems that we rely on for operation operations that need to

be protected and we're not doing it adequately on top of that compliance requirements and on and on

and so the natural place to look is for a virtual cso or cso as a service

type solution and generally what these are not always but for the most part a virtual cso

or cso as a service is going to be an individual consultant kind of a individual person that

just advises companies you know they might have a couple of clients that they work with

at any given time and they will be there to help guide and direct their cyber security program

so there are a lot of pros and cons um and uh there are companies that virtual csos are great

for and others not so much but that's what we're here to talk about today and before we do mike or

lauro what you know what have you been seeing out there in the virtual cso space um what if

what's been going well for them and what where do they fall short of companies needs well one of the

things that i see is the expectations aren't set properly uh for the vc so a lot of times and the

you know everything may be spelled out on a cell but there's still some miscommunication

or misunderstanding that you know you see so is not a button to see he's not necessarily

uh going to be your security engineer he's not going to be looking at your

tools he's not going to be you know um that's not really what he's there for so

that's what that's what i see is that's the biggest pitfall i see is that the expectations

aren't set properly that being said um we also run into issues where they go and they're excited

they're they're jacked up to get the bc selling because they're going to do all these initiatives

and then you can't get meetings set and the appropriate resources aren't available because

they're running around uh fighting fires and ktlo lands so um and then you have the other

companies that uh just their game busters where they're like yeah sign us more stuff

we'll do it we'll do it and they actually track it and go forward so that's what i see a lot of

yeah i see i see pretty much the same stuff um you know i think that there's a misconception

that just because um the individual is titled as a chief information security officer that they know

everything about cybersecurity and so you know i think back to those you know expectations right

i think you need to understand that this typical this typical individual is going

to be a leadership type and it's going to have kind of a more strategic overview to assist you

in your activities but you're going to like mike said you're going to be required to

do a lot of the work okay they'll point out shortcomings and things and you know probably

one of the first things they're going to say is you don't have enough people so i mean that's like

kind of a reoccurring thing i'm here a lot um a lot of the organizations that we see getting this

kind of vcs of consultation type work or just really finding out that they you know you know

kind of the obvious right they need more tools and they need more people to manage the tools yeah or

they need more capabilities rather than tools right and that in some sense is that that will

come with tools but they need more capability and they need more people to manage that capabilities

yeah a lot of people just want to check that box right oh we're going to see some now we'll

get all the stuff done and it doesn't work that way there's really actual effort

um and no tool you know more tools necessarily the answer it's more resources and we all know

resources are scarce but you know you start training people find interns do what you can

yeah i certainly think there's value there i think we you know we've we've seen organizations

that see you know that that have obtained value from from using you know various vcso resources

to have that type of strategic vision for cyber security but you have to remember that it's it's

a couple year plan right they're not gonna they're not gonna look at activities to help you you know

get short up in the next couple months right um they're you know they may have that capability but

a lot of them are gonna be a strategic perspective of the business and and dealing with privacy and

risk over the course of the next several years um and to try to position you in a place to get

budgets right and get people right right to kind of understand what that what assets you have today

um not necessarily to come and be your full you know cyber security team right or even a manage

your cyber security team that you you know may or may not have oh i was going to say and and and

you know in all fairness to the organizations hiring vcsos a lot of times they're marketed

as a one-stop shop we're going to do everything you know the website would make it appear that

yeah you know you hire hire me and your entire security program just falls into place um right so

that we do see a lot of the marketing around that stuff we do see a lot of kind of misrepresentation

um but um that's not you know not always the case now a good vc so i think will right up front um

tell you where they are strong um which like you you both mentioned is really around the strategy

a high level governance and compliance right they can support the development of policies

and procedures for your organization guide the leadership and better decision-making and then

probably bring in help bring in other resources or vet other resources but it's certainly not a

one-stop shop want even more cyber rants be sure to subscribe to the cyber rants podcast

get your copy of our best-selling book cyber rants on amazon today this podcast is brought

to you by silent sector the firm dedicated to building world-class cyber security programs

for mid-market and emerging companies across the us silent sector also provides industry-leading

penetration tests and cyber risk assessments visit silentsector.com and contact us today

now the click bait is real right and um i think a lot of you know a lot of it is is that is cutting

through the you know i call them nothing burgers right cut through that and then you know find

yourself a good resource that does meet those expectations you have but you're absolutely

right zach it's very very common yeah you know and sadly we're finding a lot of people that are

fly by night you know one-stop shop guys or try to be and they you know throw out some garbage

and really create makes things worse uh than when they started but they're great sales type

people you know um unfortunately there's a lot of that in the security world because they speak

a language that people don't understand and you know sound smart and then make a mess like that

like that risk assessment we just looked at with from that cissp that um basically just went down a

list and checked check it was a check or an x over control is implemented yeah oh man yeah absolute

garbage and i'm sure they paid a ton for it you know just like and actually you know we've seen

like pen test reports from big companies too that are absolutely machine language garbage you know

but well it's sad because these organizations are you know here's the thing is cyber security's

popular right now right unfortunately i mean um bad guys are working around the clock so

everybody who every it company who that was in the game before is now trying to get a leg in

in cyber security right and so they're they're offering different various services and you know

i think that that marketing is is really driven you know solely around a lot of that you know yeah

you know the proliferation of ms mssps or msps that are trying to sell themselves to

security people because someone's reading a cissp book at the office and they're now a uh

they're not an expert yeah and that's sad see the organizations right and they they're

they're trusting these these cyber security organizations have

operations of high integrity and they're really just winging it and so they don't

what what's sad is it now they have a false sense of risk right and and a false sense of objectives

that they need to complete or that they should have completed because you know the assessor

wants to give them good marks right or you know be lenient right be seen as a lenient assessor

and unfortunately leniency doesn't drive proactive cybersecurity processes no yeah i mean you have to

tell truth right you have to say you know what's wrong is wrong and what's right is right and

you know yeah no let's be honest like no no organization really there's a very small

subset organizations that want to be proactive cyber security on their own typically it's all

downstream from a governance or compliance they must be right right or client requirements and

you know you got to go in as a vc cell and say you know realize that facts don't care about

your feelings so you know it is what it is right this is wrong this is wrong this is wrong you know

we'll fix it and it's going to take x amount of time but you're going to have to commit to it um

and a lot of these companies just want the check box and you know the warm fuzzy that goes with it

you know we've come across companies i mean and and you know i'm not going to out any of

our clients but you know we have people that are hesitant because they've been burned before and

you have to win that back and rebuild trust and um typically we've done that by doing an ecra

first an enterprise cyber risk assessment showing our worth and then the vc so gig comes from that

afterwards it's like it's like a it's like getting in a relationship and the person had you know a

bad previous relationship and you've you've kind of got to get through all that right to make them

make them understand that you're to be true you can be trusted and that sort of thing right so

it does it does increase our work but you know and that said too it's it's just like anything else

right there are there are in world-class vcsos and there's people that should never use that you know

terminology on their website and their marketing materials and that sort of thing that are

that are uh selling the service so there's there's both sides but i think in order to

kind of guide people in the right direction um you know it's it's important to look at

the background their previous experience do they have actual cyber security experience working

with within large organizations yeah right because that's where yeah like through governance right

you don't you don't just do you can't just be in like small business cyber security

your entire life and then and then really function as a see so capacity right you

need or be an or be an i.t manager and then get an it was kind of a magical title of security

manager because nobody else would do the job right right right you need you need real world

experience in a large environment where there's a lot of structure where there's a

there are a lot of systems and processes that have to be in place in order to adequately manage

cyber risks so i think that's one of the things to look for in the background certifications

of course but um like we you know talked about there's not that's not everything right because

people can go out and and study and get to take the test right but i would look for that

prior experience where they operated what um large corporations fortune 500s what government entities

things like that to see okay where's the basis of knowledge coming from and uh if that's not there

it's probably not not all that real right because the books only go so far the certs are only going

to take you so far that that actual experience has to come into play um so it's something to look for

and i think you'll find some there are some really good vcsos or cso as a service out there that have

a more um robust background and another thing to look forward to is what are they how do they

operate right so one of the things that i've seen curious to hear thought about this but and i think

this is a huge disservice but there are companies out there that are that are charged by the

hour virtual cso basically call us when you need us now there's a severe problem with that because

the vcs should be driving the show driving the security strategy and operations continuing to

push forward proactively at all times it's not a it's not a reactive type measure and so i would

i would consider that too what does their structure look like are they coming

to you with a plan that's well articulated well laid out and reasonable or are they saying call us

when you need us and book some time and we'll just charge you by the hour because if they're doing

the latter that's not gonna that's not gonna build a program for you just it just won't

it's not no that's that's a security help desk that's not a vc so and you know we do do some

things that are a bucket of hours but they're a specific bucket of hours for a specific purpose

right right as opposed to a vc so but um i just wanted to go back to two things one uh

when you're looking for a vc so you're looking for someone that's had experience you don't want

someone that's worked at the same company for 25 years and that's all they know they need to have

breadth of experience they need to have done this at three or four or five different companies right

um you know you can commend the loyalty of being there for 25 years in one place but in reality

you only know one way of doing things then um the other thing is on some of the search

while all certs are not created equal some of them do actually require experience um points

to get like some of the cissp and sea risk and you know those kind of things uh for my

soccer and ice squared however we've also seen where people are fudging that experience and

that sort of thing so it is kind of still a crap shoot even though they're requiring experience to

get that actual serve so yeah good stuff and you know you can always ask to you know you know first

know for me with these these professionals ask the company to you know have have you meet with

the vc so it's gonna be assigned to you that way you don't sign up for a service and you meet one

individual and then when it comes time to actually do the work you get somebody completely different

that you never met before i see that happen a lot right we'll have like the main the main individual

is really really well versed very articulate in the subject and then you'll you'll get kind of a

b or c level player that'll get kind of put into the into place so interview the the organizations

and you know what i like to do is ask ask about a linkedin page if you have a security professional

that's claiming a lot of things that don't have a linkedin yet you should be concerned um and

and i don't do social media is not a a an excuse for linkedin for a cyber security professional

today right you don't have to do instagram or facebook or gab or any of the other alt tech stuff

but linkedin is you know certainly a place for professionals so look for that and then also ask

them to describe some um successes that they've had in their career of doing bc so work and where

they've had some failures and i think that will give you a realistic picture of that individual's

capabilities yeah very good points excellent yeah it always kills me when the the these these people

like hide even on even on linkedin it's like well are you actually doing business you know because

there's because if you're a security professional you're not afraid of getting hacked through

linkedin or the you know open source intelligence gathering through linkedin right because you're

protecting yourself in other ways but you reality is you still have to do business so that that

presence still matters and then another thing i'd add to that too is all these certifications

are verifiable right they each have everybody's got a certification number assigned to their certs

and that can be validated on the governing bodies website so whether it's ec council

or isak i see square any of those you can you can validate that person does in fact have the

certification and it's active um and that can just be a step in the in the vetting process

um but i think uh all all excellent points and so to go back you know and and do a little bit

of a recap so we've talked about the virtual cso or cso as a service is is not a one size

fits all approach right it should be tailored to the organization the services should be

tailored to the organization because every company is unique right and and your vc so

generally speaking it's a rarity to have both but they're generally going to be on the strategic

side not on the technical side so they're going to handle the governance and compliance and strategy

and then they're generally going to bring in third parties to do things like penetration testing

implementing tools technical configurations building hardening images things like that that

they're just they don't have the background or skill set to do on their own if you get one that

can do both that's a rarity um but generally speaking you have to consider your budget

and resource allocation of your of your own team members if you have some technical

people that can handle the you know these projects at the direction of the vc so

but you have to consider those those additional factors on top of the vc so price right because

it's not it's not going to be you know whatever the vc so charges you um it's not going to be

the end-all be-all budget that you need for cyber security well the vc so needs to be technical

i mean they need to at least understand or at least have had you know done this in the past

kind of thing like you know laurel handles you know most of our or all of our fantastic his

team does that but you know in the past i had that skill set i don't do it anymore it's molded over

but i still understand the language you know where i focus more on compliance and

that sort of thing so i mean it's they need to have that background at least understand

you know what's going on right you're still a good hacker what are you talking about man

well yeah i guess my point in the way we do things is i think uh quite a bit different

than what we see out there in the industry for for a good reason that's how we've designed it

right so it's bringing in a team together to bring in all the components

that are needed of course we don't sell products and tools and things like that they can

get those elsewhere but for us it's the focus is bringing in the the strategic and technical

realm of expertise and the hands-on support right so we're not just going to stop at the guidance

um we're going to do the um implementation and support as well but that's generally that that

for the most part in the marketplace that does not fall under a vcso type service that's kind

of a offering of its own you know excellent points about the virtual cso or cso as a service uh they

can be a tremendous asset for an organization and just like anything else they're they're

virtual sees those that are absolutely world-class and do a great job and there

are those that are completely misrepresenting their skill set and their service so be careful

when you're shopping out there folks it's not all the same everywhere you go just because they say

they can do cyber security doesn't mean they can do cyber security so mike lauro any

final comments before we wrap up just don't buy into all the buzzwords and everything like that

because you know they'll throw terms out there that make them sound smart they don't necessarily

are smart check the check the background check the website check you know make sure it's

who you're talking to is really who you're talking to and you know if you are concerned then uh you

know do the trial basis do a cyber risk assessment see what kind of work they actually produce or ask

to see if they can provide you a sanitized report of some time you know that that type of thing

um but it is a critical need and everybody needs to have or every company needs to have some kind

of security direction especially in this world today i mean i think one of the headlines and we

say there were 680 attacks per minute according to mcafee um so cyber security criminals aren't

aren't slowing down so you need the help yeah good points click bait is real just

add on to that you know clickbait's a real thing they're using keywords right they

want you to contact them right everybody's trying to get in on this game right now so

think of it as like car mechanics okay if you google car mechanics in your area i'm sure

there's a lot of individuals that operate out of professional dealerships and their home garages so

you know it may it may look like a cost-effective option but then when you start having issues later

you're going to end up going to the dealership anyway so you know just make sure you're making

the right choices for the problems that you need to solve and if you're looking for that leadership

that you're um you know like mike said you're checking that individual and asking good questions

make sure your virtual csos have good beards well that that's required that's that's a sign

of expertise i thought of wisdom right exactly works for both of you just makes me look gold

well thank you everyone for joining us on the cyber rants podcast check us out online at

silentsector.com or grab a copy of the book on amazon but most importantly if you like

the podcast subscribe reach out let us know your feedback comments all that uh we've always loved

to hear from you and we will see you on the next podcast pick up your copy of the cyber rants book

on amazon today and if you're looking to take your cyber security program to the next level visit us

online at www.silentsector.com join us next time for another edition of the cyber rants podcast

Episode #25 - CISO As A Service

Send Us Your Questions & Rants!