
Episode #38 - The Joy of Cybersecurity Policies!

Nobody loves cybersecurity governance documentation like we do! This week, the guys discuss cybersecurity policies and why the proper policies make all the difference for security, compliance, and audits. Plus, learn what documents are most important, why the "one size fits all" cybersecurity policy templates don't work, and how to build documentation to your exact needs. 

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

Interesting news from the feds. Last week we spoke about:

Biden Orders CISA and NIST to Develop Cybersecurity Performance Goals for Critical Infrastructure

This week we learn:

US government agencies are failing to meet even basic cybersecurity standards 

Something for all of us to ponder…


Potentially good news from the Feds…

CISA Launches US Federal Vulnerability Disclosure Platform

Just some headlines…

Remote Print Server Gives Anyone Windows Admin Privileges on a PC

Microsoft: Watch Out for This 'Sneakier than Usual' Phishing Attack

WordPress Download Manager Plugin Was Affected by Two Flaws

SolarWinds Attackers Breached Email of US Prosecutors, Says Department of Justice

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

Hackers Are Using CAPTCHA Techniques to Scam Email Users

Raccoon Stealer Bundles Malware, Propagates Via Google SEO


Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Lauro Chavez and Mike Rotondo. Today we have an incredible topic. I think it's one that everybody needs, but a lot of people hate doing and don't want to talk about. We're going to talk about it anyway, because it's important. We are talking about your cybersecurity policy library: the documentation that your organization needs to have in place in order to meet compliance requirements, align with frameworks, and do all kinds of other great things. But before we do that, Mike, why don't you kick us off with news?

All right, so we've got some interesting news this week, and we're trying not to get political on this one, so keep this in mind: it's just news. Last week we talked about how Biden orders CISA and NIST to develop cybersecurity performance goals for critical infrastructure. This week we're hearing that US government agencies are failing to meet even basic cybersecurity standards. According to the article, the threat of cyber attacks has grown significantly over the past decade, but the cyber defenses of key US federal agencies remain woefully inadequate, according to a Senate oversight report published August 3. While several of the agencies made minimal improvements in one or more areas, inspectors general found essentially the same failures as the prior 10 years. The State Department's inspector general found the agency couldn't account for 60 percent of the employees who had access to a classified network, a network which the report notes contains data which, if disclosed to an unauthorized person, could cause grave damage to national security. So that's awesome. Just something for us all to think about.

One thing in the news, and I think we've kind of seen this playing out with Kaseya: ransomware actors increasingly targeting SMBs. This has been going on for a while; this is just a new thing. They're actually targeting small to medium businesses which possess less than 250 employees, and it's increasingly targeted, with more actors. Making matters worse, the ransom fees being demanded to unlock hijacked data are also rapidly escalating, from a 450K average to now 1.2 million dollars per incident. So I know, small businesses, your budget's tight, but you really need to invest in that IT security stuff.

We do have some potentially good news from the Feds: CISA launches a US federal vulnerability disclosure platform. This is a public-private partnership kind of thing. Bug hunters who want to help the US federal government secure their online assets can now source all relevant information from a vulnerability disclosure policy platform offered by CISA. It's through a crowdsourcing platform called the Federal Civilian Executive Branch, so check that one out. It's a good article, and as usual Joe posts the URLs with the podcast.

Now we just have some headlines, and a couple Microsoft ones. Remote print server gives anyone Windows admin privileges on a PC; it's an interesting story. Microsoft: watch out for this 'sneakier than usual' phishing attack. I'm sure everybody got notified about this this week; it's pretty vicious. You have a WordPress headline: WordPress Download Manager plugin was affected by two flaws, one of them is CVE-2021-34639. SolarWinds attackers breached email of US prosecutors, says the Department of Justice. Going back to the Feds and their vulnerabilities: multiple vulnerabilities in Google Android OS could allow for remote code execution. Hackers are now using CAPTCHA techniques to scam email users. And I added this last one in simply because I wanted to say this: Raccoon Stealer bundles malware, propagates via Google SEO. Check out Raccoon Stealer. That's all I got. Lauro, what do you have for us today?

Nothing as cool as Raccoon Stealer. I mean, the article's interesting, but I just wanted to say "Raccoon Stealer" on a podcast. Yeah, Raccoon Stealer. So I wonder if he's a mecha raccoon. Anyways, thanks for that, Mike, and for bringing up that WordPress again in the news. So I won't repeat that one, but I do have a couple good exploitables this week that I think everybody should be aware of. If you're out there using a product called qdPM, it's a free web-based project management software that you can download; runs on PHP or MySQL. Anyways, the current version is 9.2, and I don't really know if this is an exploit versus a misconfiguration, but it's been made public that all of your connection string information, usernames, passwords for the databases, are all stored in a YML file, and you can just essentially directory traverse over to that directory and download that database YML file and pretty much have all the passwords to everybody who's using the online site. So check that out if you're using that free web-based project management tool qdPM.

And then I've got a remote code execution, which is an interesting platform; it's called Moodle. What Moodle is, it's kind of another open source software, but it's an online learning management system, an LMS, and you can essentially make your own learning modules and all this bit. Well, yeah, the latest version and the last version both have a remote code execution, and that sits out there on GitHub if anybody wants to test it. I think all the testers know where they'll go get this information. That's a pretty big open source used for scholastics and education and stuff like that. So if you're using Moodle, make sure you're checking out which versions you're on and working with the vendor to get something mitigated in place, or at least to know when the next release is. And that's all I got. Zach, what are we talking about this week?

Well, we're going to try to do the impossible here and make cybersecurity policies fun. I don't know, maybe you have some ideas, but somehow we're gonna do this, we're gonna pull this off. But I think what we need to do first, just for the listeners' benefit, for those people that are building a formalized cybersecurity program for the first time, we need to talk about what is in that and why, right? So what are the core components? Now let me preface it with: I don't want to go too far in the rabbit hole here, because you could have a policy library of hundreds of documents if you really wanted to. I don't know why you would, but some organizations are just enormous. Let's talk about kind of your mid-market type businesses, what they need as far as policies go and why. So what are your thoughts on, and maybe they don't have to be in order, the most critical policies that you need to have in your document set? We'll start there.

Well, first off, policies are fun, so we don't really need to make it fun. Exactly. This is probably one of the most fun topics you'll hear us talk about, actually. And actually Silent Sector has a massive cybersecurity policy library; we just don't force them. That's right, that's right. Just because you can doesn't mean you should. Exactly. Kind of like when there used to be encyclopedia salesmen and they'd go door-to-door. We could start doing that with our policy library; it's pretty equivalent. Exactly. I used to sell the Rainbow Series door-to-door, you know, the security series from the '80s. A lot of pocket protector and everything, got the floppies out and stuff. Knock knock knock, have you heard about cybersecurity? The Department of Defense offers the Rainbow Series that talks about... slamming my face. I think the listeners think you guys are like 400 years old. Well, Mike is. Yeah, I'm only 350. Sorry.
Hey, so let's put in probably the most important, the most epic, the most foundational of the policy documents that you as a business owner, and I guess it doesn't matter how large or small you are, I think this is kind of one of those foundational policies. Now I don't want to get caught up in the name of this, because different frameworks may call it different things, but Mike, would you say that the information security policy is probably that first piece to put in place?

Yeah, it's kind of the one policy to rule them all, right? It's what establishes your framework for your policies and kind of gives you an overall of what exactly is happening and why. So yeah, I definitely agree with you on that one.

Yeah, and that's important. Call it policy 00 or even 01 if you wish, right, or anything beginning. I think that particular policy is going to need to have the foundational language that empowers leadership to commit to cybersecurity in the company for daily operations. It provides what are enforceable controls, or should be enforceable controls, in that document for your organization, and then it also needs to have some form of change management, updating kind of doctrine and care, in all these documents. But that first document is going to give you the baseline for implementing a cybersecurity program, and it's going to hold you to it, so you can consider that policy corporate law, almost.

Yeah. A lot of people... executives should sign off on your policies; your board should, in theory. That's the way it should work. However, most board members and C-level executives are not going to read a policy library, but if they're going to read one policy, it should be this one. Right. Yeah, I think if everybody has to read one policy, it probably should be this one. Yeah, right, I mean if you have to write one policy, this would be the one to write. Yeah, the policy to rule them all, like you said; we're gonna throw in the Lord of the Rings anywhere we can.

The other one that's key, and I don't know if you're done or not, but the other one that's key is the data classification management policy, because you need to know what you're protecting and where your data is, where your gold is, as far as your critical data, your classified data, your compliant data as far as ePHI or PCI or PII or compliant data you own. You need to know where it is, where it's stored, and how it's stored. So that would be your data classification management. You could also add retention and destruction to that title as well, or you could break those out into separate ones if you're feeling chatty and want to write a lot.

So yeah, totally. We talked about that a couple podcasts ago, about not being a data hoarder and understanding where your data is, very upfront in your business processes, or at least as you become aware that you need to do these things. But you're right, Mike, data classification I think needs to be there, even if you don't think you're holding any regulatory data. You're holding something; you require some form of data for your business function, I hope. So I mean there's something there, whether it's HR data or anything else that you need for people, power, resources, anything like that, right? I mean, if you go to your employees' birthdays and social security numbers, that's important data, right, especially to them. So you want to secure that.

So we got 001, right, would be the cybersecurity, the information security policy; that would be the foundation. And then data classification is going to be two, and like you said you can throw some retention and destruction stuff in there as well to cover, if you feel like writing a bunch, or break that out. What do you think three should be?

Probably get with acceptable use, and that just tells your users what they can do, what they can't do, as far as giving some guardrails basically for how to function on a computer and in your IT environment. I think that's a good number three.

Yeah, absolutely. I like to point out acceptable use because it falls into a lot of places, like mobile device management, how the employees need to manage their remote resources and data and stuff like that. And so, a lot of companies, you may have some of this language in your handbook already, but I think it's important, if you do not have that in your handbook, that you at least find a way to get this into a separate policy and get it strengthened and let your employees know. But I think it certainly is an alternative: a handbook is a good way to get around... a good handbook that has adequate language that's enforceable is a good way to get around having the acceptable use, if you don't want to create that.

Yeah, and a handbook actually, if you're looking at like a SOC 2 or something, satisfies a lot of requirements, and it's a good thing to get your HR people to work on with your IT department. If they're bound in leather, it's even better. Oh yeah, you want it bound, stamped, personalized for each team. Oh yes, absolutely, go all out, go all out, make it fun. You guys are right, documentation is fun. Let's keep talking about this, but let's take a quick break first.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cybersecurity programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit and contact us today.
And welcome back. We were just talking about cybersecurity documentation, your policy library, and we finished previously at the acceptable use policy and your employee handbook. What else would be next? What would be your fourth document in order of priority?

Incident response, probably. And you can throw continuity and disaster recovery planning and that sort of stuff in that document if you want to.

Yeah, although sometimes you want to break out IR and DR, simply for the size of the document, especially if you do business continuity and disaster as one and then IR, because that's a different focus, whereas DR and BCP is an enterprise focus. So that could be an argument for two documents.

Yeah, because at some point it becomes a manual, right? Now, the other thing about this document that's important is that it should be... the IR document especially, and the DR and BCP documents, they do need to be a manual. You should have them stored online, but one of the things that I love to see in documentation is: all right, well, having this disaster, how do we contact everyone? Oh, we're going to email them. All right, well, what if email's down? It's kind of like, no, you need to have... SharePoint is down, you need to have a hard manual for the key players, and I think it's important to have something like that. And hard manuals are made, for those of you who are younger, out of paper that you print stuff out on, and you read the words on the paper.

So back in the early days you used to tie the papers to the pigeon's feet, right, and you'd send them off. Exactly, yeah, that was email. Got you. And that was part of your incident response plan, right? Exactly. Yeah, issue everybody pagers. No, don't do that. Just get everybody a phone list that they take home with them. We used to make one that would fit on a keychain, so it had everybody's telephone number on it in case something happened: broke a phone, and email's down. An early '90s drug dealer, you can get a page. Yeah, but I mean, no, I still have one. I don't want to admit to that. It's in the box; it's a Motorola. That's terrible. I also have the iPhone 1. Anyways, I also have the old Verizon QWERTY flip phone that came out, that had the first... never mind. Anyways, back to documentation. Incident response, right? Being able to hold your people in an incident. Yeah, Mike, you're right, seeing an email address in there is not good enough. That's not a viable form of contact if something goes down. Yeah, now if you're sharing something on Slack, I guess it's more viable, but really you need to print out everybody's phone number that's on the emergency response team, and you need to get that off to everybody who's on the emergency response team. I'll put it on the fridges; everybody still has a refrigerator, maybe a smart fridge, but it's still magnetic for the most part, in some places. Yeah, don't encode it into the smart fridge, because then if the fridge goes out, you lost it too. Yeah, exactly, or the IoT gets hacked.

Well, I think one other thing to talk about, maybe, about this is that from a hierarchical perspective you're gonna put these documents in, and the first one's going to be the information security policy. It's going to ground and build a foundation for ongoing cybersecurity operationalized inside of your environment. It's a forever machine, right? You open these things, they're forever; they're just doing part-time, right? So that's gonna be all on that first policy. The second one's gonna bring all your data together, let you understand it, let you understand how to handle it. You're gonna have to put requirements around it even if it's something like HR data, just like, you know, Bob Villa is working in the shipping department and he's got an account; his data has to... something has to happen to it when he leaves the company, right? So you have to figure that out. Acceptable use, telling people what to do, and then incident response, continuity, disaster recovery, breaking that out. And those are policies. I think what's important to point out is that from a higher perspective, if you're going to create these documents, you're going to need to expand the library. At a minimum, I think these four are going to get you a long way from an operationalized cybersecurity perspective, but they're going to require other things, and those other things are going to be how you configure or go forth and build these mechanisms these policies require. How do we do data destruction, right? There has to be some programmatic method that we go through to destroy data when Bob Villa leaves the company, right? So we need to go and have some form of standard on that program. And those may be more in the weeds, right, than we want to go today, as you mentioned, Mike, but those are going to be foundational documents that are going to tell the company how we handle these things, and I think that's something that the auditors are going to look forward to, right? The policies are good, right, but we're going to want to see the how.

Yeah, and one thing I would add, too, is two of the policies... I would add, just on that, a fifth one: the onboarding, separation and termination policy, just to make sure you clean everything up if someone leaves. Oh, brilliant. Yeah, absolutely, absolutely. I think that's something we don't see enough of; we see a lot of dormant accounts. Yeah, and a lot of it's tribal knowledge, right, or head knowledge, or whatever the politically correct term is these days. It's that "we know how to terminate someone." Like, great, write it down in case you're gone, in case you're the one that gets terminated, right? Exactly, right, somebody else needs to pick up in your place. So that's key.

Well, and I think it's important for the listeners to know, right, these are the fundamental documents that every organization needs. But there are a lot more, of course. There's things like bring-your-own-device policies, right? That's a big one that a lot of organizations struggle with, because so many, especially mid-market emerging companies, so many of them are dealing with a mix of BYOD and company-issued devices. Any thoughts on that policy in particular? Yeah, you got to make one.
Or is that too much for today? Am I bringing down the mood? No, no, no, no, no. For a BYOD policy, one of the things that's key is that you have to define what you are allowed to BYOD, because you can't have... going back, we're not going to support iPhone 1s, Lauro, sorry, Silent Sector doesn't do that. But iPhone 10, 11, 12 or whatever versions we're on now, we'll support that kind of thing. So that needs to be defined in that document, because it still goes back to your data security, right? You need to determine what devices will be allowed to access our data and hardware and our data and network applications. So it's a key policy. There needs to be an approval process attached to it as well.

Now of course we have staff, right, team members across the organizations, that need to sign off on these things. Are there key policies that you would say they need to sign off on, versus policies that just kind of exist for the organization itself? For SOC 2 and HIPAA there's a policy acknowledgement policy. I'm not kidding. So yeah, that can be a sign-off in the handbook and that sort of thing, but you do need to document that you're having your employees or team members sign off on the fact that they read the policies. So yeah, they should read them all. It's a grueling thing, but if you're using some form of programmatic security awareness training, maybe you can attach those to the end. But I think at a minimum the acceptable use policy and the mobile device or bring-your-own-device policy, right, I think those are going to be critical, especially today with everybody working remote, or at least a lot more organizations allowing that work.

Yeah, and then speaking of working remote, this isn't one of the standard policies, but a home office policy should be something that should be discussed, and it should be things like: the cable modem that you have shouldn't be the one you originally got when you moved into your apartment or house or whatever, that's 10 years old and never been patched. It also shouldn't have your phone numbers; the admin password shouldn't be "admin," those sort of things. So setting those standards around the home office is important as well.

Yeah, we need to have a whole separate conversation around that, because you make a huge point. I think there's a lot of organizations out there that are depending on people bringing their own devices, like using their personal laptops and desktops at home and their home computing networks and the tools that they have on their own personal computers, to interface with the business organization. And maybe you'd be using Office 365 or Google Workspace or something like that; that doesn't matter if those individuals aren't forced to patch those machines and keep up to date with security patches, and of course, just like you said, the life cycle: maybe they're using operating systems that are no longer supported anymore, right? Right. And so that has to be enforced some way, because it starts to become a big mess when you start to ask to deploy tools on user endpoint devices like laptops and desktops. But I know Microsoft's got the new Intune tool out there, or whatever, that's kind of being a new big thing for at least mobile phone management with Office 365. I'll be curious to see how well it does, if they see the expansion up into the home personalized desktop space. There's still a little kind of crossing a line, or you're going to get resistance anyway, if someone from your office says, "Well, I'm going to put these tools on your personal computer that you own." I don't know, maybe it's just me, but I'd have a problem with that.

Well, yeah, I mean really what needs to happen is the company needs to just issue the device. That's really what needs to happen. And I know that there's a cost savings and a speed to design, or whatever you're trying to achieve, by allowing individuals to bring and use their own tools from home, but you're taking a risk to the data and the organization by not having control over the asset. So yeah, certainly BYOD needs to be defined, and we can probably have a whole conversation on that.

Well, there are a ton of policies. I think we could probably spend hours on all the different stuff that you could have, but I think it's important we covered the fundamentals, some of the basics, and then gave people a taste of what else is out there. Long story short, you gotta tailor your document set to the organization, and it's not one size fits all. So I think that's where a lot of people stumble: they go online, they download some policy set that's just kind of a half-baked approach, but the thought behind it hasn't really been put into it for their specific organization, and then they go through an audit or something and get smashed. So, lots of stories around this that we could go into, for sure, about malicious employees and companies that didn't sign policies and the company has no recourse, all kinds of stuff. But we're coming up on time, so that said, any final words of wisdom before we jump off?

Well, definitely personalize your policies and make them fit what you actually do. I can't tell you how many times I go and do an audit on HIPAA or SOC 2 or whatever, even just the CSO work, that I say, "Are you actually doing this?" and I get someone saying, "No, I don't really know what that is, but we needed it for the policy," or "The policy we downloaded had it." That's generally an automatic fail. So just keep that in mind that you do need to personalize these, not just from an audit perspective, but the majority of companies that fail that have policies in place are the ones that download these policies and then never implement them or clean them up or personalize them. You got to be invested in them. If you're a company, as we talked about earlier, ransomware is attacking SMBs and it's up to 1.2 million as the average cost now for ransomware on a small company. They're not having mercy on you anymore.

Yeah, no. So take the time to define the controls that you can do today. You don't have to... like Mike said, you need to reflect what it is that you're actually doing from an operational perspective, right, in the document. So if you're not conducting internal risk assessments, you don't need to say that you're doing that. You need to make sure that you describe what you do, but maybe that'll help you understand what you're missing as well. You can always add to those documents; they're living documents, and they have change tables for a reason. If something changes in the business, it needs to change in the document. So invest that time to manufacture those items, and what you write is what you need to do, by, I guess, the governing sense of corporate law. If you write the policy that you do something, you need to do it, you need to be able to do it or perform it, or have a method to very quickly be able to work towards that goal, right, in a short amount of time. So don't say it if you can't do it. If you put it in the policy and you can't do this stuff within the next two to three months, it doesn't need to be in there. So put what you can do. Everything in there needs to be an enforceable control, and remember that you write, essentially, the defense that you put around yourself, right? You get described out of the document. So that's why they're fun to us, because they are extremely important. They're pivotal; they're the actual substrate from which cybersecurity programs grow. So they're extremely important, and the language you use to put in them is very important. So take that time to do it, and once you've done it, they're easy to manage. I think that's the hurdle, but custom-tailored to your org.

You guys were right, policies are fun, so I had fun. Oh, the listeners said "fine." But I think we should do another five to 15 episodes on policies and standards, and I'm sure there's a lot more to uncover here, a lot more to unpack. But excellent points, and to everybody listening, I mean, it's something that you just have to do in today's day and age. That's the price of using technology, and technology has been cheap for a long, long time, relatively speaking, to its benefits. But these types of things, we're seeing they have to go into place, right? The investments have to be made in order to continue using technology; it's just part of business now. So I hope this was valuable for everybody listening. If you like the podcast, by all means please subscribe on your favorite podcast platform. Reach out; the site has a form where you can let us know your comments, questions, all of that stuff, and we're happy to answer. Reach out, keep in touch, and then check out the book Cyber Rants on Amazon if you haven't already. Have a great day.

Pick up your copy of the Cyber Rants book on Amazon today, and if you're looking to take your cybersecurity program to the next level, visit us online at. Join us next time for another edition of the Cyber Rants podcast.