Cybersecurity for Executives
I wrote the draft for my book on this blog, one post at a time. Now you can get the full book on Amazon which has more content, extra chapters, and lots of edits and improvements.
Why did I write this book? I want to help organizations prevent data breaches. I faced my own data breach while running a software consulting business. I had to figure out how to stop it myself and I didn’t know much about security at that time or where to get help. After that event I wanted to understand how this happened and how to stop it from happening again. I went on to get a masters in information security and one of the top cybersecurity certifications in the industry — the GSE. I’ve done years of security research and now run a cloud security training and consulting company. With this book, I hope to help others understand the basics of cybersecurity and what really matters from an executive point of view. Here are the articles I’ve written so far.
Why executives need to care more about cybersecurity Cost-Benefit Analysis | $350 Million Dollars | Time Factor| Personal impact | Board member liability| Cyberwar
Cybersecurity strategy for executives: The big picture Basics | Questions | Reports | Automation | Objectives | Culture
20 cybersecurity questions for executives to ask security teams Asking the right questions | 20 questions to add to your cybersecurity risk reporting
CVEs: Security bugs that bite What is a CVE | How are new CVEs discovered | Responsible disclosure | What motivates security researchers | Malicious motivations | Zero-day malware
How network traffic got me into cybersecurity Radical Software | Spam | A strange security incident | Australia | A WAF before WAFs existed | Being paid to go away by a large hosting company | Networking Gives You Clues
Exponential increases in cyber risk from Internet exposure Network Security in the Cloud Age | How A Breach Works | The New Perimeter | Scan, Attack, and Infected Traffic | Ports, Protocols and the Exponential Problem
High-risk ports: The chink in your network armor What is administrative access? | Remote Administrative Access | Backdoors | Common Administrative Services and Ports | Other high-risk ports | A risk-based approach to locking down your network | Locking down cloud administration
Data Exposure: Protect your gold Where is your data? | Why the S3 bucket problem?| The underlying cause of database exposure| End-user storage | System Integration | Third-party web connections | Trusted vendors
Trust is overrated: Don’t be fooled by threats on your internal network Pivoting | Target breach | WannaCry | The dark web | American Greed | People | Network design | Zero Trust
The aftermath of stolen credentials: Premeditated damage control Blast radius | Credential stuffing | Credential mega-breaches | Authentication and authorization | Non-repudiation | Hashes and cracking | Encryption algorithms | Rainbow tables | Salt | Session attacks | Privilege escalation | Process injection | File-less malware | Segregation of duties | IAM damage control
MFA is a pain: Can we get rid of passwords too? Memory tricks | Password managers | Safes | Phones | Biometrics | Rotating your fingerprint | Sextortion | Surveillance | MFA | Out-of-Band communication | Password spraying | Ineffective sessions | Trusted devices | lookalike pin sites | SIM Jacking | Social engineering | Hardware tokens | TPMs | Authenticators | FIDO | KSPs | Threat modeling
The encryption fallacy: When encryption at rest won’t come to the rescue Encryption at rest | Encryption keys | Laptop encryption | Cloud encryption | Tokenization | Encryption with authentication and authorization | Threat modeling | HSMs | Encryption algorithms | Quantum computing | Best practices
Encryption on the wired and wireless | Who’s listening to your communications and how? Encryption in transit | MITM attacks | IOT protocols | Wi-Fi | VPNs | Private keys | TPMs | SAAS | MAC addresses | Cellular and SS7 | Algorithms | SSL and TLS | Termination
The right cybersecurity training | Teach your team to make decisions that help prevent and detect data breaches It only takes one mistake | Billions of records | Don’t blame the CISO | Training cyber defenders need | What executives need to know | What developers need to know | What the security team needs to know | Different types so security training | A class for your team
Testing your cybersecurity | Penetration tests, assessments, audits, red teams, and bug bounties Validating security controls are in place — and working | Cybersecurity audits | Cybersecurity risk assessments | Penetration tests | Red teams | Bug bounties | What tests you need
Effective security testing | Selecting a partner for penetration testing, assessments, or audits, defining, and initiating a test Types of pentesting | Social engineering | Physical pentesting | Network and wireless pentesting | Application pentesting | Cloud pentesting | Evaluating the evaluator | Certifications | Contracts | Scope | Permission | Process | Insurance | Credentials | Testing | Objectives
Getting value from security testing | What did you do with that penetration test, audit, assessment, or bug bounty report? The assessment, audit, bug bounty, or pentest report | How long should the report be| Findings | Evaluate risk and assign work | Address the root cause | Measure the results
Preparing for cybersecurity disasters | Strategies to make sure you are ready Backups are not simple | Disaster recovery strategies | Recovery Time Objective (RTO) | Recovery Point Objective (RPO) | Business Continuity Planning (BCP) | Questions executives should ask about DR and BCP
Cybersecurity policies that reduce risk | Why your current cybersecurity policies are probably ineffective What are your policies? | Keeping policies up to date | Communicating the policies | Who writes and enforces these policies? | Tracking policy enforcement | Distributed responsibility
Security exceptions are the norm | Do you know who is causing the most exceptions — and why? Why do we have exceptions? | Evaluating the risk posed by an exception | Cumulative Risk | Tracking exceptions | Who is creating the most exceptions? | Expiration | System changes | Exception Metrics
Deployment systems — danger or defense? How the systems that deploy software can dramatically increase or decrease cybersecurity risk | Deployment systems not DevOps or DevSecOps | Modern software deployment terms and buzzwords | What does your deployment system have to do with security? | Massive cyberattacks involving compromised deployment systems | How your deployment system can help your cybersecurity efforts | Limitations of scanning | Application security resources | Getting started with your secure deployment pipeline | Security teams — make friends with developers
How well do you know your vendors? Vendor due diligence and monitoring Due diligence on vendor products and services | Vendor products — Including and especially network and security products | Why network products are so critical | How to evaluate vendors | Vendor monitoring | Vendor relationships
Efficacy of Security Products and Services | Are you getting a return on your security investment? Researching product effectiveness | Testing products | Software scanning tools | Networking products | Products that identify malware | True and false positives and the need for tuning | Determining return on investment
The attackers are in your network — now what? How will you know and what will you do about it? Security monitoring | Incident handling | Dedicated teams | Events and incidents | The Security Operations Center (SOC) | Logs — All of them | Collecting logs | Monitoring logs | Incident Response | Preparation
This book will have a few more chapters in the final published version available on Amazon soon!
© 2nd Sight Lab 2020
Want to learn more about Cloud Security?
Check out: Cybersecurity for Executives in the Age of Cloud.
Cloud Penetration Testing and Security Assessments
Cloud Security Training
Virtual training available for a minimum of 10 students at a single organization. Curriculum: 2nd Sight Lab cloud Security Training
Have a Cybersecurity or Cloud Security Question?
2020 Cybersecurity and Cloud Security Podcasts
2020 Cybersecurity and Cloud Security Conference Presentations
Prior Podcasts and Presentations
Azure for Auditors ~ Presented to Seattle ISACA and IIA
OWASP AppSec Day 2019 — Melbourne, Australia
Bienvenue au congrès ISACA Québec 2019 — Keynote — Quebec, Canada (October 7–9)
White Papers and Research Reports