Chad Cragle of FormAssembly: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Jason Remillard

Jason Remillard
Authority Magazine
18 min read · Jun 16, 2021


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Chad Cragle, Director of Security and Compliance at FormAssembly.

Chad Cragle, Director of Security and Compliance at FormAssembly, is a subject matter expert and a proven leader in all things related to IT. He’s achieved some of the most stringent security frameworks in the industry including FedRAMP, PCI DSS, ISO-27001, SOC 1 and 2, HIPAA, GDPR, and many more. In addition, he has a deep understanding of the core security principles around confidentiality, integrity and availability. Chad’s knowledge and skill in his field enables FormAssembly to uphold the highest standards of security and compliance.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in the country and worked on farms at a very young age. There is something about that work that molds good character. The traits and work ethic I picked up from my childhood are still with me today.

Where I grew up, college wasn’t the norm and often people just stayed to what they knew. However, I was a bit different. I was a dreamer and always wanted to make something for myself, so I planned to go to college at Pennsylvania State University. In fact, at the time, I was the first on both sides of my family to graduate from college.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

No matter what my career path, I was going to do it to the fullest. I was actually a Crime, Law and Justice major in college. When I graduated from college, I didn’t really know what I wanted to do. A family member suggested an aptitude test so I could hone in on my strengths and see where my college degree overlapped. Throughout the course, my skills and abilities heavily favored technology, digital forensics, Information Security, auditing, leadership, passion, adaptability and other qualities that align with my career. With this information, I was able to discover and move closer to what I actually cared about — Security.

I found it interesting that my college courses still apply today even though the course structure was focused on law enforcement. Some of my Law courses covered topics that are still applicable to Security and Compliance today.

Can you share the most interesting story that happened to you since you began this fascinating career?

I think my experience and trajectory have been the most amazing and fascinating aspects of my career journey. Sure, I have some good stories about being on a “red team” for a company and breaking into an office with a heavy metal coat hanger, stealing network gear, and going undetected, but my start as an IT Security Auditor is what launched it all.

A Security Auditor has the highest burnout rate in this field because of the workload and stress around achieving compliance. However, this is where I learned the ins and outs of all things Security and Compliance and its role in each department of a business.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I’m especially grateful for my wife, family, colleagues and the Security community. I started my career by moving from Charleston, South Carolina to Cincinnati, Ohio. Many wives, or in my case my soon-to-be wife, would have laughed and said, “We are not moving to Ohio.” However, my wife said, “When should we start packing?”

At that time, I was given an opportunity to see what a “day in the life” of a Security professional actually looked like. That opportunity molded into “years in the life” of a security professional. That was my first Security job where I met several mentors and great leaders. However, that wouldn’t have happened if I didn’t jump at the opportunity or if I wasn’t given a chance.

Sure, we all need some help and guidance at times, but we all pick and choose our paths and are able to map out the plans for our future.

Are you working on any exciting new projects now? How do you think that will help people?

I am always working on something new. The Security and Compliance Landscape is always evolving, so just when you think something is working well, you might need to tweak or revisit the project. One of the most noteworthy projects was achieving FedRAMP Ready authorization. This was a large project that was highly intensive and consisted of writing a Security System Plan that was over 500 pages in length. Having FedRAMP authorizations means we are able to help government agencies leverage the FormAssembly product in a secure and robust way.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I tend to give this advice but don’t live by it like I should. In order to not burn out you need to take a break, because in this day and age our work is tied to us wherever we go. When you leave your remote office you need to leave the work there and not take it with you. Having a healthy work-life balance will keep you fresh and alleviate that burnout factor.

However, it’s important to understand that in order to thrive you need to get close to that burnout factor. I am simply saying, don’t burn yourself out, but you need to push yourself to the next level. If you come into work every day and do the same tasks while never trying to improve them or take them to the next level, you will become stagnant, which is worse than being burnt out. One can be fixed, and the other is who you are.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

  1. Keeping up with the evolving security landscape. Security and Compliance should be a major business driver and should always be incorporated. As the number of attacks continues to break records, organizations need to seek ways to automate prevention, detection, and mitigation to proactively protect the confidentiality, integrity and availability of customer data. The Landscape will always be evolving and there will always be vulnerabilities, major attacks, and room for improvement.
  2. Offense and defense, or purple teaming. It’s a cat-and-mouse game and the offensive seems to have it a bit easier. The offense is typically the threat actor, or a good person simulating bad behavior, also known as the red team. The defense, known as the blue team, is trying to stop the offense. So how do you stop the offense? You need to think like the red and blue team, and from this, you get purple. Purple is considered to be both red and blue, and they sit in the middle between the attackers and defenders. I have always found offense and defense to be fascinating, and both are critical parts of a successful security program. However, if you have individuals that can play both sides, you’ll find you have more coverage and better opportunities.
  3. One of the best feelings in this industry is passing an audit. I’ve taken on some of the most stringent and widely known audits such as FedRAMP, ISO-27001, PCI DSS Level, HIPAA, SOC 1, SOC 2 and many others. It’s very rewarding to achieve that attestation and it always lets you know you’re doing the right thing.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

One of my weaknesses for the aptitude test was that I was a futuristic thinker. It was a weakness because allegedly, that meant I wasn’t present. However, you can see that thinking ahead is a major strength in Security. You need to constantly be thinking ahead and creating roadmaps for what’s to come. In terms of security breaches, industry leaders say it’s not if, it’s when. This means that at some point, everyone will be a victim of a security breach whether you’re a small or large company.

As a company, building your business with “Security by Design” in mind will create that defense-in-depth methodology to combat future exploits. Security by design means you’re thinking about what’s possible and how to mitigate those risks before they become an issue.

Ransomware is a major issue today, and most do not want to invest in retroactive measures to combat this growing threat.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I’d like to think we are always stopping and fixing breaches from happening. I have not directly been a part of a major breach, and I hope my track record stays that way. However, experts say, “it’s not if, it’s when.” They’re claiming that at some point, your company will suffer a breach. That sounds scary, but is it true? I don’t think we know that answer, but using security by design, staying up-to-date on the latest concerns, and evolving with the security landscape will put your company in the best light possible.

I’ve worked on security incidents involving a nefarious threat actor luring a victim into doing something, but having a defense-in-depth methodology often halted their efforts.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

  1. A SIEM — Security Information and Event Management tool provides real-time analysis of security alerts which are generated by ingesting syslogs or logs from applications such as Slack, Google Workspaces, AWS and network hardware. It gives you a single-pane-of-glass view of all the logs within your environment. These logs should be well tuned and all provide the necessary information to keep a great audit trail.
  2. Vulnerability Management — Vulnerability management is the process for identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities, bugs, and misconfigurations throughout your environment. Typically an agent deployed on your server or instance will scan the device for any known vulnerabilities. These tools are great for keeping your hardware and software up-to-date. Threat actors use the same tools to scan internet-facing machines, looking for vulnerabilities they can exploit.
  3. A governance, risk, and compliance (GRC) framework is a great tool to use to meet your organization’s needs and assist in aligning its information technology with business objectives. The right GRC tool will help manage risk, regulatory compliance requirements, security questionnaires and more. A GRC application will help determine and mitigate risks associated with use, ownership, operation, involvement, influence, and adoption of IT within a company. I use a GRC to evaluate risks, policies and procedures, compliance, governance, and internal and external auditing functions. This is hands down one of the most helpful tools.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Security was built on open source tools, and many of those tools are still free to use today. Many of the open source tools are sufficient enough to help build your security program. Subjects like vulnerability management, intrusion detection, log management, multi-factor authentication, and anti-virus tools have an open source/free solution on the market to mature your security program from the start. However, many of these tools are not configured out-of-the-box, so they’ll take some effort to get them fine-tuned to work correctly. It’s important to configure them to reduce chatter and noise, so you can see actual events and alerts of importance.

A security department should always have a leader or Subject Matter Expert (SME) to ensure the right controls and tools are in place to stop some of the most basic threats. Having a Chief Information Security Officer (CISO) or similar role is imperative, because performing functions haphazardly could result in a costly or damaging breach of your data.

Contracting with a cybersecurity agency is costly, and those firms will typically only monitor a few controls. One of the major uses for outside consulting is log monitoring, where you hire a company to review all your logs and activities. This is a very effective log management option, but it’s also costly and doesn’t fit within the budget for most security departments.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

IoC — An Indicator of Compromise has a high confidence and will indicate a possible issue or takeover of the machine. IoCs can be unusual outbound network traffic (an IP reaching out to another IP address in a different country or where you normally do not do business), anomalies in privileged user account activity (odd login times such as the middle of the night, geographical irregularities of the login, unknown username, etc.), or large amounts of data being moved (a SIEM could help you look at the number of packets).

There are lots of IoCs, and researchers will create specific IoCs for known vulnerabilities to help catch anything that seems nefarious.
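The three indicator types named in this answer, turned into detection logic that runs over a small constructed log (an added example, not FormAssembly's tooling). The baseline sets (home countries, known and privileged users, business hours, the 500 MiB bulk-transfer threshold), the key=value log format and the sample lines are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple, Union

# Constructed baseline for the checks below (assumptions, not FormAssembly's values).
HOME_COUNTRIES = {"US"}
KNOWN_USERS = {"alice", "bob", "svc-backup"}
PRIVILEGED_USERS = {"bob", "svc-backup"}
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59; logins outside this are "odd" for privileged accounts
BULK_BYTES = 500 * 1024 * 1024     # a single session moving 500 MiB or more

@dataclass
class LoginEvent:
    ts: datetime
    user: str
    country: str

@dataclass
class FlowEvent:
    ts: datetime
    src_host: str
    dst_ip: str
    dst_country: str
    bytes_out: int

Finding = Tuple[str, str, str]  # (rule, subject, detail)

# Constructed sample log in a simple key=value form; IPs are from documentation ranges.
SAMPLE_LOG = """\
2021-06-14T09:15:00 login user=alice country=US
2021-06-14T03:12:00 login user=bob country=US
2021-06-14T03:40:00 login user=bob country=RU
2021-06-14T11:02:00 login user=mallory country=US
2021-06-14T12:30:00 flow host=web-01 dst=203.0.113.7 country=CN bytes=2097152
2021-06-14T13:00:00 flow host=db-01 dst=198.51.100.9 country=US bytes=943718400
"""

def parse_line(line: str) -> Union[LoginEvent, FlowEvent]:
    ts_str, kind, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    ts = datetime.fromisoformat(ts_str)
    if kind == "login":
        return LoginEvent(ts, f["user"], f["country"])
    if kind == "flow":
        return FlowEvent(ts, f["host"], f["dst"], f["country"], int(f["bytes"]))
    raise ValueError(f"unknown event kind: {kind}")

def check_logins(logins: List[LoginEvent]) -> List[Finding]:
    """Anomalies in privileged-account activity: unknown names, odd hours, new geography."""
    findings = []
    for ev in logins:
        if ev.user not in KNOWN_USERS:
            findings.append(("unknown_user", ev.user, f"login from {ev.country} at {ev.ts:%H:%M}"))
            continue
        if ev.user in PRIVILEGED_USERS and ev.ts.hour not in BUSINESS_HOURS:
            findings.append(("odd_hour", ev.user, f"privileged login at {ev.ts:%H:%M}"))
        if ev.country not in HOME_COUNTRIES:
            findings.append(("geo_irregularity", ev.user, f"login from {ev.country}"))
    return findings

def check_flows(flows: List[FlowEvent]) -> List[Finding]:
    """Unusual outbound traffic and large data movement."""
    findings = []
    for ev in flows:
        if ev.dst_country not in HOME_COUNTRIES:
            findings.append(("foreign_egress", ev.src_host, f"{ev.bytes_out} bytes to {ev.dst_ip} ({ev.dst_country})"))
        if ev.bytes_out >= BULK_BYTES:
            findings.append(("bulk_transfer", ev.src_host, f"{ev.bytes_out} bytes to {ev.dst_ip}"))
    return findings

def find_indicators(log_text: str) -> List[Finding]:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    logins = [e for e in events if isinstance(e, LoginEvent)]
    flows = [e for e in events if isinstance(e, FlowEvent)]
    return check_logins(logins) + check_flows(flows)

if __name__ == "__main__":
    for rule, subject, detail in find_indicators(SAMPLE_LOG):
        print(f"{rule:<17} {subject:<8} {detail}")
```

In a real deployment the baseline sets would come from the SIEM's asset and identity inventory rather than literals, and each finding would be raised as an alert for review.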

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

You should have an Incident Response Plan (IRP), with the intention of mitigating risk and responding to incidents. The IRP should include roles, responsibilities, and communication strategies in the event of a compromise or breach, as well as a formal process to report incidents and track response activities. An effective IRP should include the following phases: Assessment, Containment Evaluation, Eradication, Recovery, Document and Review, and Follow-up or Lessons Learned.

Your IRP will help you discover what caused the breach, how it happened, the best course of action to stop it, and give you an understanding of how to prevent it from happening again. Discovering the cause and plugging the hole is very important; oftentimes hackers do not want you to know that they were on your system, so they will try to hide their tracks.

Using tools such as Security information and event management (SIEM), Vulnerability management, Anti Virus, IDS (Intrusion Detection System), and IPS (Intrusion Prevention System) will help increase network and server Security. These tools monitor traffic and inspect and scan packets for suspicious data. Detection can be based on signatures, which are already known and can be detected and recognized. Make sure signatures are updated and alerts are reviewed on a daily basis. All Intrusion logs should be sent to your centralized logger (SIEM) where they are reviewed on an ongoing basis.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

They haven’t necessarily affected our company. We are always looking at what’s ahead and making sure we are meeting those needs. We have put several industry-leading security and compliance guidelines in place, so when a new guideline is mentioned, we are already meeting most standards, if not all of them.

Following a very robust framework such as NIST 800-53 will help align all your controls to be at the highest level. NIST Special Publication 800-53 provides a catalog of security and privacy controls for government agencies and consists of a few hundred controls. If you follow these guidelines, you will be covered by many other frameworks throughout the industry. Keep in mind, some frameworks such as GDPR and CCPA have specific requirements, so you’ll want to make sure you’re aware of these to avoid being fined or penalized. This is where a Governance, Risk and Compliance (GRC) tool would help identify any gaps or concerns.

The toughest part about adhering to GDPR and CCPA is data erasure requests. You have a certain timeframe to address the request, but you also need to verify the user and be sure you’re deleting all of their information while documenting this request along the way.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Phishing is a major threat to companies and is how some of the biggest breaches happened. Phishing is easy and a major threat. It’s a type of social engineering where an attacker sends an email or message designed to trick a human into revealing sensitive information or to deploy malicious software on the victim’s infrastructure like ransomware.

Utilizing insecure methods such as HTTP or public Wi-Fi. This gives hackers easy access to your most sensitive accounts, which is where companies may see more cybersecurity mishaps. Also, it’s encouraged that multiple accounts don’t share the same or similar passwords, as breaches are more likely to occur in these cases. Using common login credentials can lead to attacks by keystroke loggers that may have the ability to access private information. Lastly, not using multi-factor authentication can lead to holes in security for a company.

Another common mistake is not staying up-to-date with patching or reviewing the latest vulnerabilities. Companies should monitor vulnerability warnings from manufacturers, regulators, and industry sources. Patch Management guidelines should identify what sites are monitored and outline procedures for managing patches. A process should be in place for ranking newly discovered vulnerabilities based on the industry’s best practices, such as The Common Vulnerability Scoring System (CVSS) or the National Vulnerability Database (NVD). Furthermore, all internal and external systems and networking devices should be routinely scanned for new vulnerabilities using an industry and company-approved tool.

A major mistake is allowing unwanted internet traffic into your network and not segmenting your users, systems, and network. All Internet-facing applications should be deployed in a Demilitarized Zone (DMZ). VPN and other secure connections to partners and clients should be routed through your organization’s firewall, web application firewalls or load balancers to establish monitoring and logging controls. All other segments should be separated from production servers through the use of a firewall or access control list, iptables, Virtual Private Clouds, or Security Groups. This will only allow the IP addresses you want over the ports you wish.

Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

In a way, yes. Storing passwords in plain sight has become a huge ordeal, especially with companies that have moved into a work-from-home environment. It can be tempting, but it’s best to never record any passwords on paper, in your computer notes or desktop. Because of the high probability of throwing away papers or privacy invasion, these methods of storing passwords make them super easy to spot and steal.

Working from home and not having the correct controls in place. FormAssembly is a fully remote company, so when the pandemic shook the country, we conducted business as normal because we already had MDM, Access controls, Hardened Equipment, Remote Work policies and procedures, etc.

Many companies had great and well audited environments prior to the pandemic, but when systems and assets started leaving and being used remotely, their controls became weakened. For example, over the past year or so, we’ve seen an uptick in phishing, ransomware, and breaches overall. Some of these issues were caused by lack of controls and education since companies weren’t prepared for the remote lifestyle. Many controls were deployed on premises, so when assets started going remote, these devices lacked everyday tools such as anti-virus, automatic updates, secure VPN, and browser and content filters. Some of these gaps are known to be data exfiltration points, but are also known to be vulnerable.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  1. Enforce password requirements with advanced password controls and multi-factor authentication. A strong and well protected password could make all the difference. Passwords require a minimum length of at least seven characters. They must contain both numeric and alphabetic characters. Parameters are set to require that new passwords cannot be the same as any of the four previously used passwords. Users must change passwords at least every 90 days and user accounts are temporarily locked out after six invalid access attempts. Passwords are also protected with strong cryptography during transmission and storage. Additionally, take measures to help companies stay secure by deploying advanced password controls such as: first-time passwords for new users, resetting passwords for existing users, setting a unique value for each user to be changed after first use, restricting use of an account for a certain amount of time until a system administrator resets the account if a user is locked out, and incorporating a system/session idle time-out feature set to 15 minutes or less. Lastly, all accounts should have multi-factor authentication enabled.
  2. Role-based access control (RBAC) or “need to know” access are two types of access granted to systems and applications based on an individual’s role or position within the company. Role-based security is an approach to restrict system access to authorized users only, and allow certain roles such as “admin” only to employees that need that level of access. All access should be dependent on a need-to-know basis, and be limited to the minimum amount of access required to perform the assigned duties. Managers and supervisors should determine the level of access based on job requirements and responsibilities. The approved access must be the minimum level needed to complete the tasks for the job. All access should be reviewed periodically. This is a very important control that limits who has access to what and why, and helps as your organization continues to grow. I usually allow the least amount of access. It’s easier to grant access than to take it away if necessary.
  3. A company should have a robust set of policies, procedures, standards and guidelines that each employee must attest to at the time of hire and annually. The security leader should develop, document, and disseminate policies and procedures to all executives, system users, managers, and contractors on a yearly basis. Those policies and procedures should adequately address their purpose, scope, roles, responsibilities, management commitment, and coordination among the organization. The policies and procedures should be reviewed at least annually, assuring their satisfactoriness and applicability with the organization’s requirements and objectives. This is probably one of the most daunting tasks, but it’s also one of the most important for any organization.
  4. End-user training should be a must, and requiring it annually will not suffice. Rolling out security awareness training on a monthly basis focusing on broad topics is a game changer. Not only is security awareness important, but phishing simulations have proven to be an effective measure to combat phishing. At FormAssembly, we conduct monthly security awareness and phishing simulations, and our click rate on emails has dropped significantly. Many breaches started with just one click, so having a stellar security awareness program will prove its worth.
  5. All remote companies, or companies that allow their employees the option to work remotely, must have a mobile device management (MDM) program. Mobile device management should be enforced in all cases since it lets you keep track of every single device in your network regardless of location, and has real-time visibility into your inventory. MDM also has the ability to remotely wipe, lock, or enforce policies such as disabling USB, encryption, password, web content filtering, updates and more. Having a tool to track and manage devices across the organization is critical and very important. A lost asset should not contain sensitive information, but if it does, you have peace of mind knowing you can control any lost asset. If your company allows the use of cellphones for communication, those devices should be enrolled in MDM, too.
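The password controls listed in item 1 above, implemented as an account model so each rule can be exercised: a 7-character minimum with both letters and digits, no reuse of the previous four passwords, a 90-day maximum age, lockout after six invalid attempts until an administrator resets the account, a forced change of the first-time password, and a 15-minute idle timeout. This is an added example, not FormAssembly's code; the use of salted PBKDF2-HMAC-SHA256 for storage and the round count are assumptions standing in for the "strong cryptography" the text requires.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 7
HISTORY_DEPTH = 4
MAX_AGE = timedelta(days=90)
MAX_FAILED_ATTEMPTS = 6
IDLE_TIMEOUT = timedelta(minutes=15)
PBKDF2_ROUNDS = 50_000   # assumed work factor; raise it for production use

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so history entries are self-contained.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def matches(password: str, entry: Tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def password_violations(candidate: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    # Length, character-class and reuse rules; an empty list means the password is acceptable.
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits")
    if any(matches(candidate, e) for e in history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems

@dataclass
class Account:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    password_set_at: Optional[datetime] = None
    first_time_password: bool = False   # must be changed after first use
    failed_attempts: int = 0
    locked: bool = False                # cleared only by admin_reset

    def set_password(self, candidate: str, now: datetime, first_time: bool = False) -> None:
        problems = password_violations(candidate, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        self.history = (self.history + [hash_password(candidate)])[-HISTORY_DEPTH:]
        self.password_set_at = now
        self.first_time_password = first_time

    def login(self, candidate: str, now: datetime) -> str:
        # Returns "ok", "denied", "locked" or "change_required".
        if self.locked:
            return "locked"
        if not self.history or not matches(candidate, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0
        if self.first_time_password or now - self.password_set_at >= MAX_AGE:
            return "change_required"
        return "ok"

    def admin_reset(self, temporary_password: str, now: datetime) -> None:
        self.locked, self.failed_attempts = False, 0
        self.set_password(temporary_password, now, first_time=True)

def session_expired(last_activity: datetime, now: datetime) -> bool:
    return now - last_activity > IDLE_TIMEOUT

def demo_scenario() -> List[str]:
    # One account walked through the controls; returns each step's outcome.
    t0, acct = datetime(2021, 6, 1, 9, 0), Account()
    acct.set_password("Summer2021x", t0)
    steps = [acct.login("Summer2021x", t0 + timedelta(days=1))]       # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        outcome = acct.login("wrong-guess1", t0 + timedelta(days=2))
    steps.append(outcome)                                              # locked on the sixth attempt
    acct.admin_reset("Temp0rary9", t0 + timedelta(days=3))
    steps.append(acct.login("Temp0rary9", t0 + timedelta(days=3)))    # change_required (first-time)
    acct.set_password("Autumn2021z", t0 + timedelta(days=3))
    steps.append(acct.login("Autumn2021z", t0 + timedelta(days=95)))  # change_required (older than 90 days)
    steps.append("idle_expired" if session_expired(t0, t0 + timedelta(minutes=16)) else "idle_ok")
    return steps
```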

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

  1. We need one overall Security and Compliance framework that is enforced by the federal government. This does not need to be an exhaustive list, but a clear and concise set of controls that would help mitigate most breaches. As a business, you should have to submit your results and have random audits, similar to taxes and the IRS.
  2. The government could create a list of 20 controls that must be followed. This would include security awareness, requiring a second factor for passwords, setting minimum password requirements, encryption standards, free auditing tools, and free resources for achieving compliance.
  3. For companies that want to take the extra step, this program should include the minimum requirements and a road map with more controls for those that want to advance and to continue maturing their security stance. Applying the minimum controls would be a great step forward in enhancing and changing a business’s security posture throughout.

How can our readers further follow your work online?

Visit FormAssembly.com to learn more about the advanced security measures we’ve embedded in our platform for our current and prospective customers. We ensure and stay up-to-date with advancements in security and technology to remain stewards of the data entrusted to us by our customers. Also, check out a couple of our blogs and external articles inspired by my insight on FormAssembly’s data security standards:

https://www.formassembly.com/blog/world-password-day-2021/?utm_medium=pr&utm_source=authority-magazine&utm_content=blog-landing-page&utm_campaign=world-password-day-blog

https://www.formassembly.com/blog/data-privacy-day-2021/?utm_medium=pr&utm_source=authority-magazine&utm_content=data-privacy-blog-landing-page&utm_campaign=data-privacy-day-blog

https://www.darkreading.com/author-bio.asp?author_id=5240&

https://www.formassembly.com/blog/fedramp-fireside-chat/?utm_medium=pr&utm_source=authority-magazine&utm_content=blog-landing-page&utm_campaign=cragle-feature-authority

https://www.destinationcrm.com/Articles/ReadArticle.aspx?ArticleID=144758

https://www.lastwatchdog.com/guest-essay-world-password-day-reminds-us-to-embrace-password-security-best-practices/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
