Cybersecurity for Executives

Published in Cloud Security

Table of Contents

I wrote the draft for my book on this blog, one post at a time. Now you can get the full book on Amazon, which has more content, extra chapters, and many edits and improvements.

Click here to purchase a full copy of the ebook or paperback on Amazon: Cybersecurity for Executives in the Age of Cloud

Why did I write this book? I want to help organizations prevent data breaches. I faced my own data breach while running a software consulting business. I had to figure out how to stop it myself, and I didn’t know much about security at that time or where to get help. After that event, I wanted to understand how this happened and how to stop it from happening again. I went on to get a master’s degree in information security and one of the top cybersecurity certifications in the industry — the GSE. I’ve done years of security research and now run a cloud security training and consulting company. With this book, I hope to help others understand the basics of cybersecurity and what really matters from an executive point of view. Here are the articles I’ve written so far.

Why executives need to care more about cybersecurity (Cost-Benefit Analysis | $350 Million Dollars | Time Factor | Personal impact | Board member liability | Cyberwar)

Cybersecurity strategy for executives: The big picture (Basics | Questions | Reports | Automation | Objectives | Culture)

20 cybersecurity questions for executives to ask security teams (Asking the right questions | 20 questions to add to your cybersecurity risk reporting)

CVEs: Security bugs that bite (What is a CVE | How are new CVEs discovered | Responsible disclosure | What motivates security researchers | Malicious motivations | Zero-day malware)

How network traffic got me into cybersecurity (Radical Software | Spam | A strange security incident | Australia | A WAF before WAFs existed | Being paid to go away by a large hosting company | Networking Gives You Clues)

Exponential increases in cyber risk from Internet exposure (Network Security in the Cloud Age | How A Breach Works | The New Perimeter | Scan, Attack, and Infected Traffic | Ports, Protocols and the Exponential Problem)

High-risk ports: The chink in your network armor (What is administrative access? | Remote Administrative Access | Backdoors | Common Administrative Services and Ports | Other high-risk ports | A risk-based approach to locking down your network | Locking down cloud administration)

Data Exposure: Protect your gold (Where is your data? | Why the S3 bucket problem? | The underlying cause of database exposure | End-user storage | System Integration | Third-party web connections | Trusted vendors)

Trust is overrated: Don’t be fooled by threats on your internal network (Pivoting | Target breach | WannaCry | The dark web | American Greed | People | Network design | Zero Trust)

The aftermath of stolen credentials: Premeditated damage control (Blast radius | Credential stuffing | Credential mega-breaches | Authentication and authorization | Non-repudiation | Hashes and cracking | Encryption algorithms | Rainbow tables | Salt | Session attacks | Privilege escalation | Process injection | File-less malware | Segregation of duties | IAM damage control)

MFA is a pain: Can we get rid of passwords too? (Memory tricks | Password managers | Safes | Phones | Biometrics | Rotating your fingerprint | Sextortion | Surveillance | MFA | Out-of-Band communication | Password spraying | Ineffective sessions | Trusted devices | Lookalike pin sites | SIM Jacking | Social engineering | Hardware tokens | TPMs | Authenticators | FIDO | KSPs | Threat modeling)

The encryption fallacy: When encryption at rest won’t come to the rescue (Encryption at rest | Encryption keys | Laptop encryption | Cloud encryption | Tokenization | Encryption with authentication and authorization | Threat modeling | HSMs | Encryption algorithms | Quantum computing | Best practices)

Encryption on the wired and wireless | Who’s listening to your communications and how? (Encryption in transit | MITM attacks | IoT protocols | Wi-Fi | VPNs | Private keys | TPMs | SaaS | MAC addresses | Cellular and SS7 | Algorithms | SSL and TLS | Termination)

The right cybersecurity training | Teach your team to make decisions that help prevent and detect data breaches (It only takes one mistake | Billions of records | Don’t blame the CISO | Training cyber defenders need | What executives need to know | What developers need to know | What the security team needs to know | Different types of security training | A class for your team)

Testing your cybersecurity | Penetration tests, assessments, audits, red teams, and bug bounties (Validating security controls are in place — and working | Cybersecurity audits | Cybersecurity risk assessments | Penetration tests | Red teams | Bug bounties | What tests you need)

Effective security testing | Selecting a partner for penetration testing, assessments, or audits, and defining and initiating a test (Types of pentesting | Social engineering | Physical pentesting | Network and wireless pentesting | Application pentesting | Cloud pentesting | Evaluating the evaluator | Certifications | Contracts | Scope | Permission | Process | Insurance | Credentials | Testing | Objectives)

Getting value from security testing | What did you do with that penetration test, audit, assessment, or bug bounty report? (The assessment, audit, bug bounty, or pentest report | How long should the report be? | Findings | Evaluate risk and assign work | Address the root cause | Measure the results)

Preparing for cybersecurity disasters | Strategies to make sure you are ready (Backups are not simple | Disaster recovery strategies | Recovery Time Objective (RTO) | Recovery Point Objective (RPO) | Business Continuity Planning (BCP) | Questions executives should ask about DR and BCP)

Cybersecurity policies that reduce risk | Why your current cybersecurity policies are probably ineffective (What are your policies? | Keeping policies up to date | Communicating the policies | Who writes and enforces these policies? | Tracking policy enforcement | Distributed responsibility)

Security exceptions are the norm | Do you know who is causing the most exceptions — and why? (Why do we have exceptions? | Evaluating the risk posed by an exception | Cumulative Risk | Tracking exceptions | Who is creating the most exceptions? | Expiration | System changes | Exception Metrics)

Deployment systems — danger or defense? How the systems that deploy software can dramatically increase or decrease cybersecurity risk (Deployment systems not DevOps or DevSecOps | Modern software deployment terms and buzzwords | What does your deployment system have to do with security? | Massive cyberattacks involving compromised deployment systems | How your deployment system can help your cybersecurity efforts | Limitations of scanning | Application security resources | Getting started with your secure deployment pipeline | Security teams — make friends with developers)

How well do you know your vendors? Vendor due diligence and monitoring (Due diligence on vendor products and services | Vendor products — Including and especially network and security products | Why network products are so critical | How to evaluate vendors | Vendor monitoring | Vendor relationships)

Efficacy of Security Products and Services | Are you getting a return on your security investment? (Researching product effectiveness | Testing products | Software scanning tools | Networking products | Products that identify malware | True and false positives and the need for tuning | Determining return on investment)

The attackers are in your network — now what? How will you know and what will you do about it? (Security monitoring | Incident handling | Dedicated teams | Events and incidents | The Security Operations Center (SOC) | Logs — All of them | Collecting logs | Monitoring logs | Incident Response | Preparation)

This book will have a few more chapters in the final published version available on Amazon soon!

Teri Radichel — Follow me: @teriradichel

© 2nd Sight Lab 2020


Want to learn more about Cloud Security?

Check out: Cybersecurity for Executives in the Age of Cloud.

Cloud Penetration Testing and Security Assessments

Are your cloud accounts and applications secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Cloud Security Training

Virtual training available for a minimum of 10 students at a single organization. Curriculum: 2nd Sight Lab Cloud Security Training

Have a Cybersecurity or Cloud Security Question?

Ask Teri Radichel by scheduling a call with IANS Research.


2020 Cybersecurity and Cloud Security Podcasts

Cybersecurity for Executives in the Age of Cloud with Teri Radichel

Teri Radichel on Bring Your Own Security Podcast

Understanding What Cloud Security Means with Teri Radichel on The Secure Developer Podcast

2020 Cybersecurity and Cloud Security Conference Presentations

RSA 2020 ~ Serverless Attack Vectors

AWS Women in Tech Day 2020

Serverless Days Hamburg

Prior Podcasts and Presentations

RSA 2018 ~ Red Team vs. Blue Team on AWS with Kolby Allen

AWS re:Invent 2018 ~ RedTeam vs. Blue Team on AWS with Kolby Allen

Microsoft Build 2019 ~ DIY Security Assessment with SheHacksPurple

AWS re:Invent and AWS re:Inforce 2019 ~ Are you ready for a Cloud Pentest?

Masters of Data ~ Sumo Logic Podcast

Azure for Auditors ~ Presented to Seattle ISACA and IIA

OWASP AppSec Day 2019 — Melbourne, Australia

Welcome to the ISACA Québec 2019 Congress ~ Keynote, Quebec, Canada (October 7–9)

Cloud Security and Cybersecurity Presentations

White Papers and Research Reports

Securing Serverless: What’s Different? What’s Not?

Create a Simple Fuzzer for Rest APIs

Improve Detection and Prevention of DOM XSS

Balancing Security and Innovation with Event-Driven Automation

Critical Controls that Could have Prevented the Target Breach

Packet Capture on AWS


Teri Radichel

Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN | AWS Hero | Infragard | IANS Faculty |
