Daniel Kennedy

In a recent conversation a cyber assessor asked me how they could get leadership buy-in to using risk quantification. Here are 3 ways I'd suggest doing this. Let me know what you think in the comments. 1. Use Industry Profiles for Context : Show how your organization compares to others in your industry in terms of risk exposure by using industry data. This helps highlight where your organization stands and can spark interest in exploring risk quantification further. 2. Highlight a Recent Attack : Use a recent cyber attack that affected your industry as an example. Show the potential financial impact and likelihood of such an attack on your organization. This makes the concept of risk quantification more real and urgent, helping leaders understand its importance. 3. Clarify Risk Levels : When discussing risk, push for clear definitions of what “high,” “moderate,” or “low” risk means by advocating for a quantified approach. This can help uncover inconsistencies in how risk is evaluated and emphasize the need for a standardized risk assessment method. Have you had success getting leadership buy-in to using risk quantification?

1

2 Comments

I’ve written a number of posts on testing and rolling out security controls safely on my blog including this one from 2020 ~ Better Testing for Better Outcomes. I have a bunch of others in a thread on X (sorry it’s the easiest right now) and on my blog. Taking the time to properly test and building tests into the software itself can prevent a lot of pain later. I explain how to do that in my posts and show examples of things not properly tested as well. https://lnkd.in/gcJ-PeG

10

4 Comments

CMMC Level 2 Assessment Objective: Flaw Remediation for Controlled Unclassified Information (CUI) Data PRACTICE: Organizations must identify, report, and correct system flaws in a timely manner. ASSESSMENT: All software and firmware have potential flaws. Organizations must identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and antivirus signatures. Be prepared! Your assessor could ask to 🔍 EXAMINE system and information integrity policy. 🗣 INTERVIEW system or network administrators. 📝 TEST organizational processes for identifying, reporting, and correcting system flaws. (CMMC Assessment Guide: Level 2 Version 2.11, page 241) #CMMC #DoD #cybersecurity #NIST #InformationSecurity

57

This is funny to me; many have said this for years and now NIST is aligning with it. What companies need to be focusing on is password-less methods, not trying to make a legacy password method "less-bad". Windows Hello for Business, passkey, or other phishing resistant methods are the only real way to increase your security posture. Even with a 24-character password, end users will still write that on a sticky note. 😄

9

Read this important advisory from CISA regarding Operational Technology and Industrial Control Systems vulnerabilities. #ICSsecurity #OTsecurity

13

1 Comment

Thanks to @Scott Small and Wade Baker, Ph.D. and the teams at Tidal and Cyentia. To my fellow cyber risk quant folk you know how strongly we drive our partners and customers to define risk scenarios using specific threat actors and/or specific TTP’s to enhance the accuracy of likelihood determination! The work both organizations are doing to help articulate the TTP’s being used for ransomware attacks can help provide a greater level of defensibility of your results. By executing adversarial simulation using these TTP’s increasingly accurate likelihood can be attained.

4

Useful tips for CUI scope management for CMMC.

4

If you took all vulnerability exploitation attempts targeting your organization and grouped them into three buckets of new, active, and dormant - it might look like this. The blue is the proportion of "active" exploits that your sensors have registered in the recent past. Exploits represented by the teal area have been attacked in the past but have gone dormant for a time (it's been a while since you've seen them). The red undercurrent corresponds to new exploits never seen before. My takeaway? Newly exploited vulns get the most *attention*, but the older ones get the most *action*. #infosec #cyber #cybersecurity #vulnerabilitymanagement #vulnerabilities This comes from a brand new Cyentia Institute study exploring years of exploitation activity. It's available here with no registration required: https://lnkd.in/gBbsgwQM

89

13 Comments

Managing #thirdparty #cyberrisk is hard. But it gets even harder when trying to manage 4th...5th...Nth tier #supplychain relationships because visibility, familiarity, and control tend to decline with each degree of removal. This chart, from a joint Cyentia Institute and RiskRecon, A Mastercard Company report, captures this challenge. Your organization (the square in the center) may be able to track breaches of your direct third parties. But what about all those others? Are you even aware that you're indirectly connected to - and thereby potentially exposed to - breaches of those Nth parties? We explore this topic in "Risk to the Nth-Party Degree." Link to download in comments.

239

35 Comments

Hmmm how do I leverage the NIST CSF 2.0 www.ncsecourse.com for Compliance and Reporting "How can an organization enhance its cybersecurity governance framework according to the NIST CSF 2.0's Govern function? Include recommendations for establishing roles, responsibilities, policies, and procedures to manage cybersecurity risk effectively." #NISTCSF ICTTF - Cyber Security Community, Academy and Events

2

3 Comments

A cybersecurity services business unit has more revenue than any pure-play cybersecurity company in the public markets today. Yep, you read that correctly. Accenture reported its FY'24 annual earnings yesterday. Security is a strategic business unit they break out revenue for. Guess how much cybersecurity revenue they had? ... Nine billion dollars. With 23% year-over-year growth. Just incredible. Palo Alto Networks is the only pure-play public company who is even close — currently at $8.03 billion of revenue (TTM). Of course, there is also Microsoft's reported $20 billion of cybersecurity products and services revenue, plus some very large business units in other companies that don't regularly report revenue. But any way you compare it, Accenture has a massive cybersecurity business. Product-focused companies get a lot of the hype, but services companies make it all go. This is exactly why Accenture and other large services firms are critical channel partners for almost every large cybersecurity product company. It's also a good reminder that services are an equally impressive and important part of our industry.

1,517

111 Comments

💡 Do I need to report PKI maturity level? Reporting your PKI maturity level isn’t just a checkbox! 🛠️ While not mandated by the PKI Consortium, documenting your PKI maturity level can: 📈 Highlight your current PKI status to stakeholders 🚀 Pinpoint key areas for improvement 📊 Track progress over time effectively Depending on your organization's needs, regulatory requirements, or improvement goals, reporting might be essential. Learn more about PKI Maturity Model: https://pkic.org/pkimm/ #pki #pkimm #pkic #maturity #improvement #assessment #benchmark #guidance PKI Consortium Paul van Brouwershaven Leigh Bailey

9

1 Comment

Welcome back/to NIST 800-53 where we're going through every control for simplification and automation ❤️ Let's continue with: AC-02(05) Account Management | INACTIVITY LOGOUT Simply stated, this control requires: - Require that users log out from inactivity in a timeframe that makes sense for the organization How to simplify control implementation: - Map control to any VPN/ZTNA connectivity timeout periods - Leverage potential inheritance from an Identity Provider (IdP) and Identity Management teams (IdP mapping/inheritance will be pretty repetitive for the AC family as a whole) How to automate control implementation & assessment: - Leverage IdP/VPN/ZTNA timeout periods and token invalidation - Run checks/tests to ensure inactivity logouts are in place ⬇️ Tell me what I missed! ⬇️ #GRCEngineering #NIST #NIST80053 #Cybersecurity #ZeroTrust #GRC #AccessControl #Automation #AI #AccountManagement #OSCAL

28

6 Comments

Built to quickly and effectively close vulnerability exposures in a unified solution, Tenable Patch Management has entered the chat: http://ow.ly/nj0Z105QR2F

5

🔒 Cybersecurity Alert: The Cybersecurity and Infrastructure Security Agency (CISA) recently shared insightful updates on Automated Indicator Sharing and alternative connection methods. Understanding the importance of these protocols is crucial in protecting sensitive data and networks. Stay informed by reading the full article here: [Automated Indicator Sharing: Other Ways to Connect](https://lnkd.in/eMz8m-BW) #Cybersecurity #CISA #DataProtection #InfoSec 🔐🔍 #CISA #IOCs #IndicatorsofCompromise #Cybersecurity

3

Today, Nucleus Security announced our sponsorship of the inaugural EPSS (Exploit Prediction Scoring System) report from Cyentia Institute. This report evaluates EPSS performance over the last few years and drills into questions related to understanding vulnerability exploitation in the wild. I'm adding links to the report and related resources in the comments. #cybersecurity #EPSS #NucleusSecurity #vulnerabilitymanagement

22

3 Comments

EC2 Compromise Leads to S3 Bucket Exfiltration

53

We did something new (for us) in the latest edition of the Information Risk Insights Study (IRIS) that focuses on #ransomware - we projected financial losses. Normally, we restrict ourselves to known publicly-reported losses. But in this case, we felt that wouldn't do proper justice to the true impact of ransomware on the economy. But don’t worry—we didn't abandon our core principles and ride the trolley into the Neighborhood of Make-Believe. We took the data we had on ransomware losses over the last five years, fit a distribution, and then applied properly sampled values to incidents that had no loss info on public record. Using this method, we calculate the total financial losses from publicly known ransomware incidents over the last five years to be about $274 billion dollars. How does that fit with your intuition or analysis? Too high? Too low #cyberrisk #cyberattacks Read the full report, sponsored by CISA, here: https://lnkd.in/eWEnwj8n

91

7 Comments