Cybersecurity for Executives

Table of Contents

Teri Radichel
May 8, 2019 · 7 min read

I wrote the draft for my book on this blog, one post at a time. Now you can get the full book on Amazon which has more content, extra chapters, and lots of edits and improvements.

Why did I write this book? I want to help organizations prevent data breaches. I faced my own data breach while running a software consulting business. I had to figure out how to stop it myself and I didn’t know much about security at that time or where to get help. After that event I wanted to understand how this happened and how to stop it from happening again. I went on to get a masters in information security and one of the top cybersecurity certifications in the industry — the GSE. I’ve done years of security research and now run a cloud security training and consulting company. With this book, I hope to help others understand the basics of cybersecurity and what really matters from an executive point of view. Here are the articles I’ve written so far.

Why executives need to care more about cybersecurity Cost-Benefit Analysis | $350 Million Dollars | Time Factor | Personal impact | Board member liability | Cyberwar

Cybersecurity strategy for executives: The big picture Basics | Questions | Reports | Automation | Objectives | Culture

20 cybersecurity questions for executives to ask security teams Asking the right questions | 20 questions to add to your cybersecurity risk reporting

CVEs: Security bugs that bite What is a CVE | How are new CVEs discovered | Responsible disclosure | What motivates security researchers | Malicious motivations | Zero-day malware

How network traffic got me into cybersecurity Radical Software | Spam | A strange security incident | Australia | A WAF before WAFs existed | Being paid to go away by a large hosting company | Networking Gives You Clues

Exponential increases in cyber risk from Internet exposure Network Security in the Cloud Age | How A Breach Works | The New Perimeter | Scan, Attack, and Infected Traffic | Ports, Protocols and the Exponential Problem

High-risk ports: The chink in your network armor What is administrative access? | Remote Administrative Access | Backdoors | Common Administrative Services and Ports | Other high-risk ports | A risk-based approach to locking down your network | Locking down cloud administration

Data Exposure: Protect your gold Where is your data? | Why the S3 bucket problem? | The underlying cause of database exposure | End-user storage | System Integration | Third-party web connections | Trusted vendors

Trust is overrated: Don’t be fooled by threats on your internal network Pivoting | Target breach | WannaCry | The dark web | American Greed | People | Network design | Zero Trust

The aftermath of stolen credentials: Premeditated damage control Blast radius | Credential stuffing | Credential mega-breaches | Authentication and authorization | Non-repudiation | Hashes and cracking | Encryption algorithms | Rainbow tables | Salt | Session attacks | Privilege escalation | Process injection | File-less malware | Segregation of duties | IAM damage control

MFA is a pain: Can we get rid of passwords too? Memory tricks | Password managers | Safes | Phones | Biometrics | Rotating your fingerprint | Sextortion | Surveillance | MFA | Out-of-Band communication | Password spraying | Ineffective sessions | Trusted devices | Lookalike pin sites | SIM Jacking | Social engineering | Hardware tokens | TPMs | Authenticators | FIDO | KSPs | Threat modeling

The encryption fallacy: When encryption at rest won’t come to the rescue Encryption at rest | Encryption keys | Laptop encryption | Cloud encryption | Tokenization | Encryption with authentication and authorization | Threat modeling | HSMs | Encryption algorithms | Quantum computing | Best practices

Encryption on the wired and wireless | Who’s listening to your communications and how? Encryption in transit | MITM attacks | IOT protocols | Wi-Fi | VPNs | Private keys | TPMs | SAAS | MAC addresses | Cellular and SS7 | Algorithms | SSL and TLS | Termination

The right cybersecurity training | Teach your team to make decisions that help prevent and detect data breaches It only takes one mistake | Billions of records | Don’t blame the CISO | Training cyber defenders need | What executives need to know | What developers need to know | What the security team needs to know | Different types of security training | A class for your team

Testing your cybersecurity | Penetration tests, assessments, audits, red teams, and bug bounties Validating security controls are in place — and working | Cybersecurity audits | Cybersecurity risk assessments | Penetration tests | Red teams | Bug bounties | What tests you need

Effective security testing | Selecting a partner for penetration testing, assessments, or audits, and defining and initiating a test Types of pentesting | Social engineering | Physical pentesting | Network and wireless pentesting | Application pentesting | Cloud pentesting | Evaluating the evaluator | Certifications | Contracts | Scope | Permission | Process | Insurance | Credentials | Testing | Objectives

Getting value from security testing | What did you do with that penetration test, audit, assessment, or bug bounty report? The assessment, audit, bug bounty, or pentest report | How long should the report be | Findings | Evaluate risk and assign work | Address the root cause | Measure the results

Preparing for cybersecurity disasters | Strategies to make sure you are ready Backups are not simple | Disaster recovery strategies | Recovery Time Objective (RTO) | Recovery Point Objective (RPO) | Business Continuity Planning (BCP) | Questions executives should ask about DR and BCP

Cybersecurity policies that reduce risk | Why your current cybersecurity policies are probably ineffective What are your policies? | Keeping policies up to date | Communicating the policies | Who writes and enforces these policies? | Tracking policy enforcement | Distributed responsibility

Security exceptions are the norm | Do you know who is causing the most exceptions — and why? Why do we have exceptions? | Evaluating the risk posed by an exception | Cumulative Risk | Tracking exceptions | Who is creating the most exceptions? | Expiration | System changes | Exception Metrics

Deployment systems — danger or defense? How the systems that deploy software can dramatically increase or decrease cybersecurity risk | Deployment systems not DevOps or DevSecOps | Modern software deployment terms and buzzwords | What does your deployment system have to do with security? | Massive cyberattacks involving compromised deployment systems | How your deployment system can help your cybersecurity efforts | Limitations of scanning | Application security resources | Getting started with your secure deployment pipeline | Security teams — make friends with developers

How well do you know your vendors? Vendor due diligence and monitoring Due diligence on vendor products and services | Vendor products — Including and especially network and security products | Why network products are so critical | How to evaluate vendors | Vendor monitoring | Vendor relationships

Efficacy of Security Products and Services | Are you getting a return on your security investment? Researching product effectiveness | Testing products | Software scanning tools | Networking products | Products that identify malware | True and false positives and the need for tuning | Determining return on investment

The attackers are in your network — now what? How will you know and what will you do about it? Security monitoring | Incident handling | Dedicated teams | Events and incidents | The Security Operations Center (SOC) | Logs — All of them | Collecting logs | Monitoring logs | Incident Response | Preparation

This book will have a few more chapters in the final published version available on Amazon soon!

Teri Radichel — Follow me: @teriradichel

© 2nd Sight Lab 2020

__________________

Seeking Cloud Security Training or Classes?

Join students from large multi-national organizations, startups, technology, retail, and financial companies, and government organizations that have attended classes taught by Teri Radichel. 2nd Sight Lab offers on-site cybersecurity and cloud security training. Author Teri Radichel, GSE #240, formerly taught for SANS Institute, helped with the SANS cloud security curriculum, and has helped multiple companies move to the cloud.

SANS Institute awarded her the 2017 Difference Makers award for cybersecurity innovation for her work in cloud security. She is an AWS Hero, IANS faculty member, and speaks around the world about cybersecurity and cloud security. She doesn’t just talk about cloud security — she helped two companies move to the cloud as a member of the Capital One cloud team and as a director and cloud architect responsible for moving a security company’s product to AWS. She now researches and implements technology for pentesting and security management that she includes in her 5-day cybersecurity class.

Her 25+ years of experience and master’s degrees in both software and security result in class content that can help teams both learn new material and work together more effectively. All 2nd Sight Lab instructors are certified in cloud and security.

Curriculum: 2nd Sight Lab Cloud Security Training


__________________

Some of the events where Teri Radichel has spoken or will speak on cybersecurity and cloud security:

Please visit the 2nd Sight Lab website for cloud security training and events:

https://2ndsightlab.com

Past Cloud Security Presentations (Videos and Podcasts)

RSA 2020 ~ Serverless Attack Vectors

RSA 2018 ~ Red Team vs. Blue Team on AWS with Kolby Allen

AWS re:Invent 2018 ~ RedTeam vs. Blue Team on AWS with Kolby Allen

Microsoft Build 2019 ~ DIY Security Assessment with SheHacksPurple

Masters of Data ~ Sumo Logic Podcast

Other past events:

AWS re:Invent and AWS re:Inforce 2019 ~ Are you ready for a Cloud Pentest?

Azure for Auditors ~ Presented to Seattle ISACA and IIA

OWASP AppSec Day 2019 — Melbourne, Australia

Bienvenue au congrès ISACA Québec 2019 Keynote, Québec, Canada (October 7–9)
