Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall


Episode #76 - The Almighty Enterprise Cyber Risk Assessment

It's cyber risk assessment season! This is the time of year when many organizations seem to perform their annual cyber risk assessment. Unfortunately, the standard methods often result in limited visibility. This week, the guys discuss a more holistic risk assessment approach to make your cybersecurity program stronger than ever.

Get the show notes and articles at
Pick up your copy of Cyber Rants on Amazon.
Need cybersecurity expertise and support? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

Configuration Errors to Blame for 80% of Ransomware

Escanor Malware Delivered in Weaponized Microsoft Office Documents

Exploiting Stolen Session Cookies to Bypass Multi-factor Authentication (MFA)

Hackers Target Hotel And Travel Companies With Fake Reservations

Disk Wiping Malware Knows No Borders

Phishing Attacks Abusing SaaS Platforms See a Massive 1,100% Growth
 Ransomware Dominates the Threat Landscape

GitLab ‘strongly recommends’ Patching Critical RCE Vulnerability

Critical RCE Bug in GitLab Patched, Update ASAP! (CVE-2022-2884)
Ex-Security Chief Accuses Twitter of Cybersecurity Negligence
Hackers Steal Crypto From Bitcoin Atms By Exploiting Zero-Day Bug

Wordpress Sites Hacked With Fake Cloudflare Ddos Alerts Pushing Malware

White Hat Hackers Broadcasted Talks And Hacker Movies Through A Decommissioned Satellite

CISA is Warning of High-severity PAN-OS DDoS Flaw Used in Attacks
Counterfeit Versions of Popular Mobile Devices Target WhatsApp and WhatsApp Business

Fake Chrome Extension 'Internet Download Manager' has 200,000 Installs

Cisco Fixes High-Severity Bug in Secure Web Appliance

This Company Paid a Ransom Demand. Hackers Leaked its Data Anyway



welcome to the Cyber rants podcast where we're all about sharing the Forbidden secrets and slightly embellished truths
about corporate cyber Security Programs we're ranting we're raving and we're
telling you the stuff that nobody talks about on their fancy website and trade show giveaways all to protect you from
cyber criminals and now here's your hosts microtondo Zach Fuller and Laura
Chavez hello and welcome to the cyberance podcast this is your co-host Zach Fuller joined by microtondo and
Laura Chavez today we are talking about cyber risk assessment season it's that time of year we're going to talk about a
different take on the Cyber risk assessment a more holistic approach with what we call the enterprise cyber risk
assessment so stay tuned we're going to get deep into that but first we're going to kick it off in the usual fashion Mike
hello and welcome to the news configuration errors to blame for 80 of ransomware that's why we do scanning and
Pen tests and ACR all right so the vast majority 80 of ransomware attacks can be traced back to Common configuration
errors and software devices according to Microsoft Believe It or Not uh reporting focuses on the ransomware as a service
Raz model which it claims has democratized the ability to launch attacks to groups without sophistication
or Advanced skills some Ras programs now have over 50 affiliate groups on their books for Defenders and key challenges
ensuring they don't leave systems misconfigurated added ransomware attacks involve a decision based on
configurations of networks and differ for each victim even if the ransomware payload is the same although each attack
is different Microsoft pointed out pointed to missing or misconfigured security products and Legacy configurations Enterprise apps as two
key areas of risk exposure so I guess what they're trying to say is misconfiguration is bad escanor malware
delivered in weaponized Microsoft Office stocking a new remote Administration and rat tool advertising the dark web and
telegram called escanor threat actors offer Android based and PC based versions of the Rat along with hvnc
module and exploit Builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code the tool was
released for sale this year initially as a compact hvnc Implement implant allowing to set up silent remote
connections to the victim's computer and later transformed into a full-scale rat with a feature-rich set escanar has
built incredible reputation in dark web and has over 28 000 subscribe subscribers on their telegram Channel
there's also a mobile version of escanar called escarat it's actively used by cyber criminals to attack online banking
customers by interception of OTP codes the tool can be used to collect GPS coordinates of the victim monitor
keystrokes activate hidden cameras and browse files on the remote mobile devices to steal data
so I got that going for us exporting stolen sessions cookies but to bypass
multi-factor or MFA active adversaries are increasingly exploiting stolen sessions cookies to bypass multi-factor
authentication and gain access to corporate resources according to sofos in some cases the cookie theft itself is
a highly targeted attack with adversaries scraping cookie data from compromise system with the network and
using legitimate executables to disguise the malicious activity over the past year attackers increasingly turned to
cookie theft to work around the growing adoption of MFA attackers are turning to new and improved versions of information
stealing malware like raccoon stealer to simplify the process of obtaining authentication cookie hackers Target
just in time for Labor Day hackers target hotel and travel companies with fake reservations a hacker tracked as ta-558 is running
fishing campaigns that Target multiple hotels and firms and hospitality and travel space possibly linked to the
rebound of Tourism after two years of code 19 restrictions the threat actor uses a set of 15 distinct malware
families usually remote access Trojans rats to gain access to the Target systems perform surveillance and steal
key data and eventually siphon money from customers in 2022 ta-558 switched
from using macro list documents and its phishing emails and adopted raw and ISO file attachments or embedded URLs in the
messages similar changes have been seen with other threat actors and response to Microsoft's decision to block VBA and
Excel for macros in office which hackers have historically used for loading dropping and installing malware via
malicious documents disk wiping malware knows no borders fortunate identify the ransomware threat to that continues to
adapt with more variants enabled by ransomware as a service the substructive threat Trends continue to evolve as
evidenced by the spread of wiper malware as part of adversary tool kits they're also targeting MFA operation technology
and using more reconnaissance of the defensive Asian techniques to increase precision and destruction destructive
weapons across the Cyber attack change and lastly phishing attacks abusing SAS platforms see a massive eleven hundred
percent growth threat actors are increasingly abusing legitimate softwares and service platforms like website Builders and personal branding
spaces to create malicious fishing websites that steal login credentials the advantage of using SAS for phishing
include evading alerts from email security systems enjoying high availability and bypassing the need to
learn how to code to create websites that appear legitimate according to report by Palo Alto unit number 42.
researchers have seen a sharp rise in this abuse with the data collected by The Firm showing a massive 1100 increase
from June 2021 to June 2022. with that Laura let's talk about exploits yeah
let's let's do that um I'm gonna take a I'm going to do something for the exploits today that I don't normally do
I'm going to talk about WordPress yeah there was a big one in the news that I that I uh left off because I figured you
might hit it so here's the thing it's like um I'm not going to get too detailed uh about the the level of
exploits and and the new one that's that's out for WordPress what I'll tell the listeners out there is if okay so if
you if you don't know WordPress has been around a long time almost 20 years right it's it's an open source content management solution so you can use it
for web page blogging all sorts of stuff okay it's open source so it's written in
PHP it's got a MySQL back-end and I think you can use Mario DB with it too
here's the thing using open source software is a lot like driving down a public Street and people can use the
public Street just like you can and so a lot of times you'll be driving down your neighborhood and what do you look you look over and you see someone has stuck
out some couches maybe a couple end tables maybe like a real nice boss that would look good with some flowers in it
you're like man it's free stuff you're like it's free like this guy just put this Lazy Boy or cry out here it looks
brand new and you take it home and next thing you know you're infested with fleas or bed bugs or something that's exactly what dealing with WordPress is
like so that while the core while the core product itself doesn't have an entirely over abundance of security
flaws the plug-in Community really just punches the holes in this product by
trying to deliver these um capabilities and features for all the users you out
there and here you go you download this plugin the next thing you know again you picked up you picked up the random sofa
off the side of the street and now you've you've got a bed bug problem in your home so keep in mind when you're
using these these free open source tools they're great yes they look good on the budgets and yes they give you
capabilities without having to spend an entirely over abundance of money but
there's also a trade-off in risk that you take by using these products and so the two biggest products that are
probably some of the riskiest software in the entire world is WordPress and coincidentally Microsoft so remember
try to scrutinize the software that you're using for your business level systems and it's okay to ask for a
budget to buy a a an industry recognized tool that has native security built in it and uh won't get you into the the
situations that WordPress has delivered us uh into for the last almost 20 years
so Zach I think that's probably enough lecturing on exploits today um so yes if you've got WordPress please
check your WordPress plugins there are about 2400 yes 2400 exploits in total right
now for the WordPress community so with that Zach maybe we should talk about the
ecra okay I don't know I want to hear more about WordPress I I tell us how you really
feel you know well I think if you need help getting budget for a real tool just have them listen to Laura's Lance on
WordPress to justify why you need to spend money on you know software yeah I like to say WordPress is good for one
thing and that's starting a fire in the woods so let's uh let's do a compilation a
matchup of Wordpress and Microsoft brands uh for the uh for the show but well
let's let's dive into it but before we do we'll take a quick commercial break want even more cyber rants be sure to
subscribe to the Cyber rants podcast get your copy of our best-selling book cyber
rants on Amazon today this podcast is brought to you by silent sector The Firm
dedicated to building world-class cyber security programs for bid market and emerging companies across the U.S silent
sector also provides industry-leading penetration tests and cyber risk assessments visit and
contact us today all right we are back and guess what time of the year it is it
is cyber risk assessment season why do I call it that because lots and lots of
cyber risk assessments happen late Q3 all the way through Q4 sometimes in the
early q1 but it definitely in our industry people are assessing risk
they're trying to determine their plans for next year and create road maps and
plans of action to move forward so we're going to take a different spin on it though we're going to tell you how you
can do it better more effective and gain more visibility
on your environment and your company as a whole so
my thought curious to hear you guys thoughts but my thought is to start with talking about the different components
of a Enterprise cyber risk assessment how they work together starting with the
framework risk assessment right so a lot of what we do of course is base
our of our clients base their understanding of cyber risk on industry recognized
best practices I don't believe that I know there are people that do this but I don't believe it should ever be a make
it up as you go approach I don't think companies should be running off their own proprietary
risk assessment uh methods or Frameworks I think we
should follow industry recognized standards nist CIS ISO those types what
do you guys think yeah that would be the logical and reasonable approach
well you see it all the time you know where it's oh well this company you know that this this company came in and they
did a cyber risk assessment great what framework was it based on oh well is
there your own thing they they had like 15 different things that they looked at it's like what did you pay for this
so what what is it hobo sex is there I mean maybe there maybe there's it makes
sense in some people's minds but we've talked a lot about Frameworks and such in the past so I won't go into what that
is but um I think that's the first kind of overarching piece of uh of what most
people call cyber risk assessment and usually that's where it stops that's safe to say it's kind of yeah
you go you go well I was just going to say we always have these clients that say well you
know this guy sold me a tool that checks our compliance and you know they run a tool and they
give a pretty spreadsheet and there's really no thought behind it there's no it's just a randomized report with no
human human intelligence behind it and that just doesn't work you really need a third party to sit through interview
talk through a walk through all your processes and procedures explain why they have to happen
um and that that really is the best way to do a cyber risk assessment from a framework perspective I Concur and any
auditor that comes in and doesn't want to substantiate a control state by doing by
interviewing people looking at reviewing process documentation and then actually
looking at the Technologies in in those kind of Trifecta of necessity to to
determine if a control is in place or not if they're just saying oh you know we can you know look at a last compliance report and we'll just give
you a check mark be very leery of that right anybody who is is you know worth
their weight is going to conduct the risk assessment against an industry recognized framework and they're going
to they're going to ask for evidence to substantiate whether or not it controls in place or not so you know like you
said Mike there's a lot of companies that they'll just run a tool and the tool can't determine if the documentation States the control is
necessary or not necessary or in what parameters it is or not and you know it doesn't look at risk registry files and
things like that so business business level risk acceptance those sorts of things so it's really it's really kind
of a hat I hate to say it but it is a half-assed approach to doing a risk assessment just out of the box get some money from you and don't really give you
anything good yeah now there's some good tools like CIS has a tool that will look at the compliance of a specific system and say
this this adheres to CIS on you know that level right I mean it's that agent
they install and there's a centralized you know not I don't want to get too far into it but anyway you get a reporting on whether the specific system is
configured to CIS those tools are great yeah it's definitely the ones that just
run this randomly run into it for stock too we've run into it for nest we've run into it for PCI we run into it for socks
and that's just like this stuff makes no sense I mean it's a great widget that some Venture Capital company has pumped
a bunch of money into but you know in reality it's it's not not doing you any good you're
just checking a box yeah so don't don't be don't be lured in by cheaper prices unfortunately I think
that's where that's where you start you know getting into these these types of um techniques that are used with these
tools so yeah definitely Zach first first and foremost is the com you know the governance compliance framework risk
assessment as part of that that echra yeah yeah and that's that's uh again you know
most people will stop at the Cyber risk assessment piece and that's common practice most organizations will do it
annually or if they're following multiple Frameworks maybe they do it once every two or three years for the
for a specific framework and then they're doing other types of analysis in between regardless
We Believe to really understand cyber risk holistically you need to take it
farther than that and another one one piece that we get a lot of requests for
in addition and it makes sense to do in parallel with the framework risk assessment or the compliance assessments
right obviously if you're doing a risk assessment and you have HIPAA compliance you might as well do HIPAA compliance
assessment as well and that way you have a moralistic look at the organization but you're also determining whether or
not you cover down on your compliance requirements same thing with PCI right
the sock 2 of course is another is another example that people will run in
parallel with a more holistic framework so that's that tends to be uh an obvious
addition if you're doing your risk assessment plug in some compliance work
as well if you have to do that might as well kill two birds with one stone there's going to be overlap there's
going to be crosswalking between those if you're following an industry recognized framework
now so I don't we talk a lot about compliance to want to beat a dead horse there but when we talk about the
Enterprise prize cyber risk assessment as opposed to just a cyber risk assessment we're looking more
holistically and I see it as uh there are two primary sides of coin it's more
like a dice but I'll talk about it in a coin format first so we have your paper analysis you have your interviews your
documentation reviews and such through your framework assessment your compliance analysis then you want to do
the technical analysis side too and that's the first addition that starts to make what you're doing an Enterprise
cyber risk assessment as opposed to just a framework risk assessment so with that
pen testing Laura Mike you want to jump in talk a little bit about the different types of
pen testing what organizations should consider and when when they're wrapping this into a more holistic assessment
uh sure yeah so you know the I think as part of that you know Enterprise cyber
risk assessment and you're you're doing the compliance assessment you're doing you know the the framework assessment
you like you said you wanna you wanna check the Technologies because this is about checking the Enterprise and your
business systems and all the places that you've got uh compute essentially right for weaknesses right for risk
essentially and so the pen tests typically focus on the um you know we have we have a couple um offerings right
but typically it's the external network fabric so if you've got offices or you've got um even you know people
working from home things like that you know we're we're gonna you know want to look at the the external network
footprint of the services and systems and and hosts that are that are facilitating that right the the network
fabric essentially and the host attached to it then we're going to look at the web applications as a secondary layer of
that external pen test and so this will involve you know your actual web application logic and the code itself if
you've got a web app education that has roles and and those types of Realms inside of it for for users to come in
and be an admin or be just a user or um you know display different types of things you'll want to do you know this
essentially a gray box so that we're looking at the web application from an unauthenticated perspective but then
we're also going in and validating that some of the role-based access controls that you've built into the code are in
fact functioning as designed and that data can't arbitrarily be pulled out of an authenticated elevated realm from
just a basic user and then so aside from those the web app and the X the web app
authenticated and unauthenticated and then the the you know the external Black Box Enterprise Network test uh we'll
typically do an internal network uh penetration test as well we're you know in our case we'll send you a device you'll pull it into your network we'll
start you know mapping and reconnaissance the internal pieces um and it's a lot of pin test work and
then so so you're gonna have to use our device yeah you have to use our device yeah that's we've we've yeah I don't
want to get into of the rant here but we've we've tried some other options in the past and let me just tell you it's a
lot easier if you just plug our device and give us a firewall roll so it goes a lot faster
um but but you've got that internal penetration test right so you've got the external network external web app internal Network internal web app that's
going to happen as part of that internal test and then we're going to look at the wireless if you've got any kind of signal based you know Network extensions
that you're using in 2.45 gigahertz we'll do a wireless penetration test that's we're kind of discussing the the value
of those because we always like 10 out of 10 times we'll get victims on wireless interception always always it's
so you know it's it's one of those kind of arguments where is it better just to tell you how to fix your existing radios
and tune them properly and and you know set the necessary configuration or do you want the test to prove why you need
to do these things but essentially there's a wireless um penetration test in there as well and
then finally we'll have the the physical security assessment um penetration test so we'll we'll come in
um typically for you know specific organizations we don't do this for all of our clients but there are specific ones that request this
um that we'll come in and do a physical penetration test where we'll try to run it in two phases a passive entry and
then a aggressive entry so day one test everybody's responses day two um you know tests the guard specifically
the security parameter responses at the at the location and then we'll use a you know essentially like a rubber ducky or
a similar device uh to essentially emulate the installation of unauthorized
data onto your network and so those are really I guess to sum it up you got external Wireless you've got your
internal pin test you've got your external pin test with your web app and complement that with the physical
security assessment pin test kind of meets that that umbrella or that that you know kind of shield-sided part of
the penetration test yeah so unfortunately what we're seeing a lot of people out there that are selling uh scans uh you know as
penetration does I've seen this a lot with some of our clients and and others that you know oh
yeah I got this pen test that you know cost me two thousand dollars a year and they they pen test me every month and
it's like no dude that's a scam but it's being sold as a penetration test so I'm
going to be really clear on what you're getting when you buy a pen tested you know the the least expensive pen test is
generally just an automated scan that tells you all right here's a bunch of worthless vulnerabilities and here's
some critical ones um yeah yeah definitely yeah you really need to man and if I could
take just a moment Mike I don't mean to cut you off but that's a great segue to talk about um asking your pen test vendor for their
methodology like what methodology are they going to use to conduct their pen test um because we we're all pin testers
we're going to use a scan as part of that reconnaissance portion of you know reconnaissance phase of the pen test work so we're going to conduct that scan
but you're right there's a lot of there's a lot of useless data that's going to come out of that initial scan
and we see a lot of canned pin test reports that are saying oh you've got HTTP um you know you can get the cookie
without https or you're running TLS one there's a you're going to get hacked you're running TLS you know version one
sales happen the poodle attack and yeah the suite 32 and you're you really so
the difference between I think what really gives us the mustard over everybody else is that we're gonna we're gonna not put that in the report for one
but we're going to take the time in the report consultation to explain to you why this didn't make the report why the
scanner believes that this is a vulnerability why it's really not right why it's a nothing Burger so we're going to talk through that we're not just
going to deliver a scan that says here go forth and fix all this stuff that's worthless to you and your time
yeah you know you really don't want their methodology to be that after Skippy the intern gets back from giving
my latte at Starbucks I give them an IP range and he plugs it into the scanner and then kicks out an automated report
that that is not the methodology you want to hear yeah as he farts and Giggles while he's doing it yeah you don't know
it's a good method for for all those I.T professionals out there that have too much time on their hands if you're one
of those then uh but actually I say all those there's maybe one or two in the entire world so if you're one of those
if you're one of the elite few that has nothing to do sitting around hey get a giant list of
vulnerabilities that aren't actually viable attack surfaces and go to work have fun with it you know
you know well so covered we've covered two sides of the coin uh
the the both governance the organizational the reviews and then also
the technical analysis and now we start to kind of turn it into a dice the way I see it with a with the Enterprise cyber
risk assessment because there's other things that we can do as well right so for example
um and I say we I mean Security Professionals right can offer out there in the marketplace but and what we
consider a true Enterprise cyber risk assessment with the term we use there
are other components that we can add as needed so for instance open source intelligence right a lot of
organizations don't understand what is actually out there available about them on the open
internet the the just the general public internet with Boolean searches with simple tools
stuff like multigo that Aggregates data you can find all kinds of stuff about
your organization that you probably didn't know is out there I mean we've had clients that thought their domain
registration was hidden right and pull that up right just through certain simple Google Boolean search you know
we've found organizations that didn't realize they had um a a web presence on a you know
co-tenant environment with a whole bunch of other platforms that actually introduce some
level of risk and didn't know what those platforms were right and so their tools and methodologies to go about doing that
likewise organizations will have their team that are you know well-meaning but
just uneducated on this stuff be posted on Instagram and Facebook and Snapchat
and all the stuff that the kids are using these days nobody uses Facebook anymore no it's it's tick tock on
Instagram yeah come on boomer come on man nobody uses Facebook anymore it's
essentially it's tick tock and Instagram no Facebook is 55 plus Community okay
it's not nobody all right they need a place to congregate as well so Facebook
it's like Sun City yeah Sun City Arizona Facebook usages
through the roof but um that being said
there are yeah but you're right I was going to say that you're we're
always really surprised at the data that we find from some of the employees of
what they post you know and stuff you wouldn't even really think of like man I'm proud to get my job today check out my new badge and they're taking pictures
of their company badge and yeah you know this this goes into the you know the whole fishing and the kind of the next
gen that I know Zach's about to talk about so yeah well when you get this information this information readily
available online I mean it's it's it it helps you understand what cyber
criminals are going to see when they go looking for the exact same thing so yeah absolutely Laura it goes into staff
awareness training it goes into social engineering prevention and showing people that hey I know you like to share
stuff with the world but here's how it can be used against you and so once you put something on the
Internet it is always on the internet forever it might look like it goes away but it is there so
with exceptions but can't take the way most people post
yeah nobody's gonna drain the internet right so that's that's not that's not
happening anytime soon I hope um that being said another another aspect of this is a
financial exposure analysis right how many organizations actually know what or
have an idea what their cyber risk management program does for them in terms of dollars and cents not very many
most of it look at it as a just a necessary cost kind of a black hole for
money but there are some tremendous benefits and actually taking the time to
understand how your cyber risk management program equates to risk in
terms of dollars and cents helps translate the message to the executive
team to the board to the company in general right and you can also start to determine things like are we insured
adequately right what based on historical factors what can we actually
expect our insurance to pay out right just because you have a five million dollar cyber policy doesn't mean your
insurance provider is going to pay you five million dollars when you get breached right in fact a lot of times they're not even going to cover
everything so you need to understand that need to understand what your what amount your
self-insuring in the event of a breach and then the various factors that are most likely to affect your company and
your industry from a financial basis in the event of an attack well keep in mind
the Cyber insurance company is going to tell you the first person who calls not the technologist it's a lawyer yeah yeah
and if you're if you're extremely negligent or they can determine that you've been extremely negligent with
implementing risk-based management you're probably not going to get a payout exactly
excellent point uh there there's another component with all of this that some organizations
will do some will find Value some not so much but just dark web deep net research
to understand have you been exposed on the dark web is there a breach out there that you don't know about is there data
out there that you don't know about and I can pretty much guarantee you there is so uh all you know very pretty most most
anybody listening there there if you don't already know this there are platforms you can go on like
and those that basically scrape the dark web they look for compromise usernames
and passwords and such so there's a lot of basic information that's readily available from other breaches and it may
not even have been a breach of your system it could be a third-party platform that your employees are using
with their company email addresses and we know how guilty people are of using their same passwords over and over so an
attacker can essentially scrape these lists and then go use them against your own techno apologies with the hope of
getting in so those are a couple areas the the final one that I can think of off the
top my head is the incident response and Disaster Recovery tabletop exercises so this takes it
Beyond this your typical cyber risk assessment right and now we're just diving right into
does our incident response plan make sense and does it work in a realistic
scenario you want to do we have time to share what that looks like what that process
looks like of course we do it involves everybody going
it does no I mean seriously it does so I mean the um you know I think you know
we've we've kind of been doing this for for several years now both for for cyber security program management and also for
this the ecra that we conduct and when we get the technical teams and the leadership team in the room and we start
conducting a real not a PowerPoint presentation like all the fakers want to do but a real incident response tabletop
exercise and we start getting into the to the meat of what's going on and we'll start asking questions and turning it
back over to the team there's usually always a look of shock and I think there's not been a single tabletop
exercise we've run with any client ever in the history of doing it silent sector style that has not ended with at least
five or six very good um key takeaways where the organization is like wow not
only do we need to do this again because this is extremely valuable but now we realize through the scenario through
these exercises that we we also need to work on these five areas too and maybe maybe they find out they need new staff
or I mean there's all types of really good information come out of these exercises uh if they're conducted
correctly and um yeah I don't think we've ever had one that didn't just end with just tons of
value for for not only us but the clients as well especially that the the initial like first two one two and three
one uh those are generally the big ones by the time hopefully I
mean we do it on quarterly by the time we get to the fourth one at the end of the year they should be pretty well
ready although we can continue to throw you know scenarios in there like you know meteor hits your uh data center
um how do you handle that um you know so but um yeah I mean
they are extremely valuable uh a lot of people like them a lot and uh it is a
great way of finding things that you missed the big problem is that you'll get some of these clients where one
person is the only one that talks so we had to add a risk factor into ours
where we get to knock people out um not literally but you know knock people out of the out of the test so it
forces other people other than the main person to talk and think of three think things through so yeah yeah definitely
yeah that that always throws everybody for a loop and we're like who's your lead technical guy and they're like he's that's him right there we're like cool
he has to sit this one out yeah
but yeah no we we get we get requests for these quite often as part of the ecra and they are absolutely of good
value for for sure yeah and they can be fun most people think of irdr exercises as a drag but
they can be made fun for sure so and they can always be made into drinking games
there you go there you go if you want to really have fun with it well that that's a plausible scenario right your lead
technical guys falling over at the bar and he's getting dragged out by security
right I mean that's I mean that stuff does happen and how we simulate that is that while we're in the table type
exercise we have you go around we have you like drink a picture of beer really fast and then run around your chair
three times and then try to log into the Windows registry to change a specific key
okay well that's now change the reject value on I
on control Set current local machine I don't think we've actually done any of
that stuff yet but uh you're not at all our meetings yet who knows there's that's true I miss I miss some things so
you must now take a shot of scotch yeah
well that being said I I components really of a Enterprise
cyber risk assessment is there anything that I missed that comes to mind any other kind of outliers things that you
could do one thing I would say is don't get caught up on the name I mean we call it an ecra but let me run across people and
say well that's not an ecra and it's like well yeah it is from Silent Central perspective so just be sure what you're
getting no don't just take the name and say okay this is covering everything I need to actually identify what
components there are in the CRA um because you know if someone comes out and says yeah I do the HRA for you for
five thousand dollars they're probably not checking everything so yeah and it takes two days right yeah exactly yeah
don't fall yeah don't fall victim for clever language like two people one cup you know stuff like that like don't
don't fall victim for those those kind of those catchy kind of marketing terms that are being thrown around like Mike
said be sure you know what you're getting right um the you know we call it an Enterprise cyber risk assessment
because we're looking at all aspects of the business that are going to cause cyber risk right from all of your
technical assets and a penetration test to the framework assessment for your internal processes and standards that
you're using your people we're going to do fishing uh we're gonna do fishing trusts to make sure your people are are
trained against that sort of thing and we're going to do tabletop exercises to make sure everybody's prepared for when
an incident does happen and if you're not getting all of those things then you should question that term of what you're
being sold yeah and if it's just they're gonna put a tool in your environment and run it
for two days and then spit out a report that is Enterprise no certainly not
absolutely well a lot a lot of snake oil out there Zach yeah that's my final thought a lot of snake oil yeah
yeah there really is and that that's one of our goals on this is to help educate people on on what's going on you know of
course we have our biased opinions about how things should be done but they're generally right you know
but there's a groundbreaking book out there that you can read I think it's called cyberance that'll explain English
to you as well exactly we haven't spent more than like 30 years doing this to be like oh everybody's got everything perfect today it's no no there's a
there's a completely there's a reason behind our Madness is that we we saw too much BS happening in the industry and we
certainly need to cut that line to make it clear for Business Leaders to make risk-based decisions that matter and
that are cost effective for the budgets that they have oh dinosaurs like Laura and I were
around before a lot of this stuff was built like you know so uh my first interview was here's a stack of floppies
build a server so yeah yeah I remember when I had to run out and get get three
three com network card pcmci network cards and then had a problem finding the dongles to connect to them so yeah
exactly and if you don't know what a brook trout modem is then you don't really know Communications yeah if you
don't know what band and Vines is don't talk to me I think you guys are are dating
yourselves for the younger generation uh back in my day
to be on tablets and have these batteries but abacuses are
hard to build they are very hard to build the mine kept sliding to the one
side exactly yeah well that being said I hope you enjoyed this episode of the cyberance podcast
hope you found some valuable information here about the Enterprise cyber risk
assessment approach and much more holistic approach to the Cyber risk assessment now I understand that not
everybody has the budget allocated the ability to do all these things that's
completely understandable but we want to show you what's out there what's available the main thing is doing
something's better than doing nothing so do as much as you can to help your organization Thrive succeed stay
protected and like Mike mentioned earlier the book cyber Ransom we've had cios that have have come back to us and
bought copies for their entire RIT departments you know so we we joke about it a lot but we've had had some some
great feedback about it so if you read it we'd love to hear your feedback rated on Amazon do all that good stuff and
help us spread the word and make sure you share the podcast hope this was valuable and we will see you on the next
next episode pick up your copy of the cyberance book on Amazon today and if you're looking to
take your cyber security program to the next level visit us online at join us next time for another edition of the Cyber rants