Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode 5: Defining Proactive Security Posture

This Week, Zach, Lauro, and Mike discuss the steps needed to have online business security, and creating a proactive security posture, especially when creating a cybersecurity program for the first time. In addition, we also provide tips on how to create a custom corporate cybersecurity plan of action when implementing your cybersecurity program to make it the right fit for your company.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe! 


welcome to the cyber rants podcast where we're  all about sharing the forbidden secrets and  
slightly embellished truths of corporate cyber  security programs we're ranting we're raving  
and we're telling you the stuff that nobody talks  about and their fancy marketing materials all to  
help you protect your company from cyber security  criminals and now here are your hosts mike rotondo  
zach fuller and lauro chavez welcome to the cyber  ants podcast this is your co-host zach fuller  
joined by mike rotondo and lauro chavez and today  we are going to kick it off like we usually do  
with cyber security news mike what's happening  in the world of cyber security today oh there's  
a lot going on right now and uh you know because  it's been like 24 hours we you know we've gone  
a whole 24 hours without another form of malware  being coming out but here we have wellness which  
is started in europe and is now moving to the us  it's a standard mitigation for these but it's uh  
we got a new one so look for that coming to  you today uh there is a there is data out there  
about this you just need to dig it up so um the  next here we go from the next one hacker stole  
government source code from sonar cube instances  uh so the government once again is being hacked  
uh through insecure technology uh mainly through  sonar cube right now um they're working on locking  
it down uh trick bot is back it's working through  a linux variant now so your mac isn't safe your  
linux box isn't safe but it's still wreaking havoc  on microsoft um attacks on io up to one one-third  
it's estimated up to one-third of infected devices  now are iot devices um that's your phone and so on  
um from another side it's not a low-tech it's that  physical security is a lot of catching you have to  
do right now there's some study into what about  physical security um you know they're talking  
about using the old-school ties old-school way  of doing things and now they want to leverage  
new things like biological or bio biometric  data to manage physical security now  
from the world of do do we really want to hear  this the irs is exploring using hacking tools  
because why not it's 20 20 and the irs  might as well start hacking us right  
there's a massive nitro breach that impacts  microsoft google apple and more nitro is a  
pdf format that these companies use it also hit  chase there are a lot of data exposed and finally  
because it hasn't happened soon enough i.e is  dying the microsoft ie browser death march hastens  
so they are starting to shut down i.e access all  over the world which should be interesting for  
companies that support large end user uh  populations uh lauro i can both think of a company  
that used to or several companies that used to be  dependent on uh end users for most of their web  
traffic and uh getting those forcing those guys  to the correct browser was always difficult and  
so one more thing the remote workers are ignoring  training to open suspicious emails between 35  
and 47 percent of all end users are just randomly  opening suspicious emails because they're curious  
which is not a good thing so um we'll leave it  on that high note so lauro nah thanks mike uh  
interesting stuff so you know the biometric  thing is is kind of interesting because i  
always picture the you ever seen the movie GATTACA  um it's a it's a yeah yeah you're right where you  
know he goes in and he's gotta you gotta give a  blood sample to even get in the building right it  
checks your dna on the spot before it even allows  you into the academy and that's every day right  
you just go through a turn style and you drop  a blood and checks you out and you move forward  
so the level of hacking and forgery that had  to occur has just always been that's a really  
cool movie if any of you haven't seen that  yet GATTACA check that out um all right so
internet explorer is going away huh well you  know they're getting rid of flash too so i say  
it's a good weekstart hack and crap software  uh speaking of crap software no offense but  
oracle is on the list of vulnerabilities this week  my gosh i mean i they've got probably 15 or so  
critical and high vulnerabilities and then another  probably 20 or 30 mediums so if you run an oracle  
in any capacity it doesn't matter what version it  is looking at those look at those updates there's  
a lot of remote code execution and uh other types  of other types of dubious activities that can  
happen if if you're running oracle um especially  if you've got it exposed to your uh your perimeter  
in the in the iot uh red hats on the news uh this  week for vulnerabilities uh there's a flash plug  
again for red hat which i think is funny anyways  but uh yeah so before before the end of it all  
goes away go ahead and patch your uh your red hat  for the flash uh so that you know your users can  
check that out for the final month uh and then  uh cisco xr uh the the discovery protocol format  
string vulnerability is is out there and  so you can kind of um you can you can cork  
that that protocol string and send it back and  it ends up bad so if you're running cisco xr  
go ahead and check that update as well and of  course mozilla firefox lots of stuff going on  
with mozilla so if you're running mozilla browser  go ahead and go ahead and uh and update that and  
while you're at it go ahead and install uninstall  internet explorer and see everybody at the time  
that's it for me should have had uh internet  explorer uninstalled years ago i think in my  
in my humble opinion but uh for those people  who are just joining us for the first time  
or haven't listened in for a couple episodes  we have been doing a series uh that's that's  
actually information from the book cyber rants  but we took a chapter out of it called eight  
steps to implementing your cyber security program  and so this is really designed for those business  
leaders that have that burden of responsibility  to build or implement a cyber security program  
for their organization but haven't done it  before we're doing this for the first time it  
may we don't even have a background in it so we  first talked about obtaining leadership support  
and uh then we talked about understanding your  current risks and vulnerabilities as they stand  
today it's really the first two steps and so  the next step is really just to define a path  
to a proactive security posture right so you  really need a a written documented roadmap  
a plan of action to to get this done right and  and that's the thing about cyber security right  
it's not it's not um you know a magic solution  that people just come up with it's it's um really  
there are a lot of industry standards except the  best practices a lot of good information out there  
so it's not about reinventing the wheel or  just having you know some smart technical  
person just kind of make things up as they go  right it's a very very methodical process um so  
we'll dive into a little bit about that today  building a plan of action a road map forward  
mike or lauro any comments any any best practices  you'd recommend right off the bat yeah get get  
good at writing and smooching smooching  the the tail coats of your bosses because  
this is well it sounds simple and it's really easy  to build a road map or a gantt chart or however  
you choose to to display your information  and needs right on how you're going to  
obtain this proactive posture because where we're  at right is you got leadership support all right  
the bosses are like yeah we need cyber security  of course and you get the risk assessments done  
and now you know where all the holes in the  house are and so now you're going to write  
that that proactive plan that's going to get you  to that secure computing model that you want to  
be at right to a place that again there's no magic  there's no magic recipe it's it's per organization  
and per the amount of risk that every organization  is willing to accept or not accept so you're going  
to find that you're going to kind of find that  that apex in your own home and you're going to  
you're going to try to make that your goal and so  in this piece of it where you're you're building  
out you're you've got the risk assessment findings  and they found all kinds of stuff and you know you  
need people you know you need process you know you  need documentation there's going to be tools that  
you're going to need to buy uh probably if you  don't have them already or you're maybe gonna need  
to source some um um some you know free software  that's out there that might suit your purposes or  
try to structure something in-house with some  maybe resources that are that are crafty with  
excel spreadsheets and sharepoint sites  so um but but this is really where i think  
the when i when i told you to get your to put your  lipstick or your chapstick on whichever you prefer  
is that you're gonna have this this whole chart  laid out and you're gonna need to then take it  
to budget right mike i mean that's kind of the  next step right once you have the whole plan  
it's like okay we gotta do these three things if  we're not gonna you know the three of us can't do  
this in the next it'll take us five years to do  this so we're gonna if we want to do it next year  
we're gonna need these sort of these  certain things these certain technologies  
these practices in place and that's all going  to be stuff you're going to be taking back to  
that board meeting and saying i need money right  exactly and i'm sorry i'm still reeling that from  
the fact that zach said we're not magic because i  think we are so yeah i thought so too like how are  
you gonna insult your teammates like that exactly  i mean just watch risk disappear that's magical  
no hard work for you man trying to be humble  you know i mean i mean i don't wanna i wanna let  
people know that that really is our secret sauce  is magic so apologize for that but now that it's  
40 hours but it really takes us two minutes to  write the spell and yeah yeah just keep depositing  
my golden green gods that's all i asked exactly  because team might write a policy set in five  
minutes flat start to finish from scratch go into  a trance scotch and do trans and it's all good  
your keyboard was so hot after that i couldn't  even touch it with my fingers like remember we  
were remember zach we were roasting sausages over  his keyboard after that five minute document it's  
crazy well yeah mike let out the secret now  it's scotch it's gotta be a good scotch too
to be exact that's the same thing batman uses  to keep him in a good mood so anyway one of  
one of the key things to defining the path of  proactive posture which is going to you know  
branch outside of security is it is also you  need a business impact analysis which is going to  
require conversations with all the stakeholders in  your security posture which is basically everybody  
right so it's from sales to accounting  to you know what else you have marketing  
communications and and you know even the physical  building staff when people weren't working remote
because you got to understand what needs to be  protected what needs to be spun up first what  
needs to be you know what is what are in fact the  key pieces it's uh to make your company run it's  
not necessarily email it's not necessarily your  website their backend systems that are maybe far  
more critical so you need to understand what  to protect first and that's where the business  
impact analysis comes in and that's one of the  things that we need to do um as far as you know  
establishing those for establishing your baseline  it gives you a good place to start so i guess the  
the thing here is that security is a holistic  whole company thing it is not solely based the  
security team is the driver of it um actually top  management is the driver but security team is the  
the people on the ground driving it from that  point forward once they have their marching  
orders but the whole company owns it um and what i  think with a lot of things is forgot it's not the  
cesar that owns it it's the ceo and the board that  owns the risk so that's where that needs to be um  
that's where the effort and the pressure  needs to come from so do the business  
impact analysis and then you'll be able to define  a plan and then you'll be able to go from there  
and you'll be able to be able to track you know  your trajectory as you go forward you know you'll  
be able to say this is gone this is gone this  is this is better this is worse and so on so i  
think that yeah but but well i mean i agree with  you man but i mean they're still going to have  
to ask for stuff at this stage oh no no i'm not  saying that but you gotta have the bia in place  
first oh you gotta have bia oh yeah absolutely  not certainly not um disagreeing there yeah no  
you certainly need to have your bia you need to  have your road map you need to have a gantt chart  
or whatever right when you right you know your  little hot little hand down the hall we have slaps  
and and that's probably what what's a good  segue for um for step four which is build  
alliances across business units because it could  be the middleware team that kai bashes your whole  
your whole security endeavor right yeah one  of the key things too is that you need a solid  
project manager running the thing running the  show and that's a lot of time that's forgotten  
um you need an overall project manager  program manager whatever you want to call them  
to run this show um as far as making sure  milestones are hit but yeah building the  
alliance's piece that is the next it's all these  are kind of like you know step three a and three  
b rather than three and four i mean to be honest  with you the way i see it yeah you almost want  
to do them in parallel because you know having  that having those parallel departments kind of  
on your team for the changes that you're trying  to make because you know let's just get real here  
okay you know cyber security um professionals  are often called cyber cops right i mean we  
you know coming to make changes and it admins  don't like us because now they can't log in with  
their admin accounts and use it all day long and  you know little changes that that are cultural  
really but you know kind of impact everybody's  experience and the holistic culture at work  
and and so the more that you can massage that  message into your your parallel departments that  
you need right i mean you need them on your side  um the better off you're going to be when you go  
to the board with a plan and ask for money because  there might be some places that you can even  
toss tools as an example or toss works though  you know we were talking about the middleware  
team kybosh in your whole your whole endeavor  right so you can have this big goal of making all  
these changes having the secure computing model  put in at your company and you go about i guess  
i don't want to call it campaigning but i mean it  really is it's going to be an internal campaign  
and if you miss certain parties and they feel  left out they're going to douse you with red paint  
or whatever color they're choosing and that's  ultimately end up uh not in your favor and so  
you know there might be cases where if you can  make you know good parlay with these organizations  
then then you can say hey look in this middleware  region we want to we know that you're using you  
know tool a and right now you don't have  the security modules purchased for tool a  
we would like to see you do that we're willing  to you know pay part of it from our budget  
and we'll also monitor and help you configure  it but we just need you to be on our team when  
we go and ask these questions right because we're  going to need money we need to add you need you to  
add that to your budget for requests for the next  quarter um would you say that's kind of accurate  
mike yeah no no and i and then you know if you can  come to them with a list of tools do an inventory  
of security tools first and say we don't need this  we don't need this this hasn't been logged on in  
three months but we're still paying for three  years and we're still paying for it you come to  
them and say look we can cut savings here we can  create money budget here if you do this this and  
this that helps your case too because uh you know  we've both been in companies and where and i'm  
sure many of the listeners have been in companies  where you got more tools than you know to do with  
and redundant oh yeah redundant and then tools  that are only 10 or 15 or 20 deployed you know  
that have other modules they provide free training  and support and all this kind of stuff and  
you know the the next management team or security  team or you know whiz bang security guy comes and  
said oh we have to have this tool and it never  gets deployed properly nope it never gets deployed  
properly never gets managed properly it never  gets matured properly and now you just got another  
sinkhole of money sitting there right  it might as well it might as well be a  
buzz will be like a you know an 85 fiat sit in  the garage does a project you know right right  
and you know nobody tells accountant to stop  paying for the paying the bill the renewal so  
wait a minute wait a minute but on all of  these tool companies websites they promise the  
tools answer all the problems and make companies  secure are you telling me that's not true well  
well it's true in the case of one particular  product that i'm not going to say the name of  
but it is artificially intelligence driven  and the department of defense is made by a  
wing of the department of defense and it was  actually sent to the department of defense  
for them to put it in and have this piece of  artificial intelligence cyber security technology  
go through their network what it does is it finds  vulnerabilities and patches them for you it makes  
the decisions for you to build a secure system  right it's literally skynet on your network and so  
it has two modes of operations like most intrusion  detection mechanisms that people that technicians  
would be familiar with today right they've got the  the the detect only and they have the prevention  
piece right where now we're stopping attacks  right was do it too um they would never put  
the ai it's been in it's been in the organization  for six months they never turned it to auto mode  
basically it was only in manual so it would find  problems and report back to the team and what they  
needed to do they never let it they never let it  go patch itself so if the department of defense  
is even trust the own technology that they've  built for themselves then yeah i'm pretty sure  
that nobody else in the market is going to be able  to build a tool that anybody's going to trust you  
need people you got to have human expertise right  well and we don't need to usher in the era of sky  
that any sooner than is going to happen right you  know we don't need HAL from 2001 to space odyssey  
you know i have this theory well no i don't know i  mean i don't think the robotic age is going to be  
all i mean have you seen what human  hair does to your vacuum cleaner
can you imagine the robot army of the  future like just in a big hairball yeah  
because they killed like new york city or  something you know what i mean and they  
walk through and they're all just tied up in  their own in their own destruction yeah so i'm  
not too worried about it well i don't know man  it didn't work out well in the movie aliens so  
you know with the robot so who knows man that  it'll be an interesting thing to say for certain  
but you know you talk about bishop bishop was a  nice guy uh and aliens yeah but not an alien oh  
oh yeah that was the first uh that was the  first day i know that guy well he had other  
he was programmed with other um instructions  right right that overrode his ability to be kind  
of humans right he was supposed to keep that life  for him right right and so the the the bishop and  
aliens which i'm i think that's one of the better  movies of the of the series um uh yeah certainly  
he he helped save her at the ends so yeah um  actually did yeah he came to get her when the you  
know she's trying to kill a little queen anyways  tangent sci-fi people apologies so i think we've  
learned uh you know really really back to building  alliances across business units teamwork makes the  
dream work everybody should have that motivate  motivational poster on their wall it'll make  
all the difference i promise is that the one with  the cats um it's well it uh i think it's the one
with the chain links i i don't i don't  remember there's some there's so many of them  
there's some really really great ones out there  but um but yeah but if that doesn't work um you  
know it gets down to a deeper uh a deeper question  what's a corporate culture right is it a is it a  
a me culture or is it or is it about the a team  as a whole you know and more a selfless service  
and that's that's a much deeper discussion than  we have uh time for today but i'm sure we'll  
we'll get more into that in future episodes but um  but uh yeah great stuff today we um we'll be back  
next week uh with some more information we  will continue our series but for now have a  
great week and we will connect again soon