
Cloud security controls that help mitigate risk

As I mentioned in my previous post on cloud security, depending on the kind of cloud solution you have, you might be the one responsible for implementing any and all security controls.


All major cloud providers have risks and also have ways of implementing controls to mitigate those risks. There are whole categories of security providers for the various parts of a cloud security program. As you begin to plan your move to a cloud solution, you will see acronyms like CASB, CSPM, CWPP, and SASE.

It can get a little confusing with all the acronyms, but each product has a reason for existing.

Let’s start with CASB or cloud access security broker

A cloud access security broker ensures that the user trying to access a cloud service (think Salesforce or Office 365 or SAP) should be able to access the service, and that they are doing only the things they are supposed to do.

Obviously, there are some fundamental controls that you want to have in place for your cloud applications. You want to be able to see what your users are doing in the cloud (visibility), you want to detect threats to your systems and data, and you want to make sure you maintain compliance with the regulations that apply to your organization.

At the most basic level you want to make sure only the people you allow can access the cloud services you use. In other words, should John be able to access customer data stored in Salesforce?

In addition—and more importantly—you want to make sure they can only do things they are supposed to do. As a security professional, you want to make sure John does not delete or modify data he shouldn’t. CASB provides controls and visibility over what John does when he signs into Salesforce.

The basics just won’t cut it against today’s security challenges

You might think, I already have Active Directory (AD) or some other identity management (IM) tool (Okta, OneLogin, Centrify, etc.), why do I need a CASB solution? Well, your IM solution might only work for local access, or it might not be tied into or connected to your cloud solution. CASB is designed, as the name implies, to broker the access between the IM solution and the cloud service.

For example, think about the steps that go into giving a new hire access to all the services they need to do their job. You want to give the new hire an e-mail account, access to the payroll system to enter their time, and then—if they are in sales—access to Salesforce or a similar tool to track and follow up on leads. If they are writing or reading reports, they need access to the collaboration tool/Office product (O365 or Google Workspace, etc.).

What is often overlooked is one of the big gaps for a lot of companies: de-provisioning services when someone leaves an organization. Provisioning a new hire with access to the applications they need to do their job is often automated with a well-designed workflow with few manual steps. De-provisioning access is often not as well automated; frequently employees retain access days or weeks after they have left the company, even when the separation (i.e., firing) was not on good terms.

A CASB solution that controls who has access to what cloud services can help simplify both ends of the provisioning workflow. As a result, you can end up with an automated workflow that can very quickly grant and remove access with the click of a button.
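As an added illustration of the de-provisioning gap described above (example code written for this post, not part of the original and not taken from any CASB product), the Python script below reconciles an HR roster against the user lists each cloud app reports. It flags leavers and unknown accounts that still hold access, active staff holding an app their role does not grant, and active staff missing an app they should have. The roster, role entitlements, app names, the `svc-legacy` account and the as-of date are all constructed sample data.

```python
from datetime import date

# Constructed sample data for this example; no real employees, accounts or apps.
# The HR roster is the source of truth: who is active, what role they hold, and
# when leavers left.
HR_ROSTER = {
    "jdoe":   {"role": "sales",       "status": "active",     "end_date": None},
    "asmith": {"role": "finance",     "status": "active",     "end_date": None},
    "clee":   {"role": "engineering", "status": "active",     "end_date": None},
    "bwong":  {"role": "sales",       "status": "terminated", "end_date": date(2022, 1, 3)},
}

# The access policy the broker is meant to enforce: which roles get which apps.
ROLE_ENTITLEMENTS = {
    "sales":       {"email", "payroll", "salesforce", "office"},
    "finance":     {"email", "payroll", "office"},
    "engineering": {"email", "payroll", "office"},
}

# What each cloud app currently reports as its user list. In a real deployment
# the CASB pulls these from each app's admin API; here they are embedded.
# "svc-legacy" is a constructed account that exists in no HR record at all.
APP_USERS = {
    "email":      {"jdoe", "asmith", "clee", "bwong"},
    "payroll":    {"jdoe", "asmith"},
    "salesforce": {"jdoe", "asmith", "bwong", "svc-legacy"},
    "office":     {"jdoe", "asmith", "clee", "bwong"},
}

# Constructed "today" so the day counts in the sample report are stable.
AS_OF = date(2022, 1, 31)


def expected_access(roster, entitlements):
    """Map each *active* user to the set of apps their role entitles them to."""
    return {
        user: set(entitlements.get(rec["role"], ()))
        for user, rec in roster.items()
        if rec["status"] == "active"
    }


def reconcile(roster, entitlements, app_users, today):
    """Compare live app user lists with HR-derived entitlements.

    Returns a dict with three finding lists:
      orphaned - accounts whose owner is not an active employee (leavers and
                 unknown accounts); days_since_exit shows how long the
                 de-provisioning gap has been open (None for unknown accounts)
      excess   - active employees holding an app their role does not grant
      missing  - active employees lacking an app their role does grant
    """
    expected = expected_access(roster, entitlements)
    orphaned, excess, missing = [], [], []

    for app, users in app_users.items():
        for user in sorted(users):
            rec = roster.get(user)
            if rec is None or rec["status"] != "active":
                end = rec["end_date"] if rec else None
                orphaned.append({
                    "user": user,
                    "app": app,
                    "days_since_exit": (today - end).days if end else None,
                })
            elif app not in expected[user]:
                excess.append({"user": user, "app": app, "role": rec["role"]})

    for user, apps in expected.items():
        for app in sorted(apps):
            if user not in app_users.get(app, set()):
                missing.append({"user": user, "app": app})

    return {"orphaned": orphaned, "excess": excess, "missing": missing}


def revocation_plan(report):
    """Turn orphaned and excess findings into sorted (app, user) pairs to revoke:
    the list an automated de-provisioning workflow would act on."""
    return sorted({(f["app"], f["user"]) for f in report["orphaned"] + report["excess"]})


def sample_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, APP_USERS, AS_OF)


if __name__ == "__main__":
    report = sample_report()
    for kind, findings in report.items():
        print(f"{kind}: {len(findings)}")
        for finding in findings:
            print("  ", finding)
    print("revoke:", revocation_plan(report))
```

Run it as a script to print the report; the revocation plan is the list an automated workflow would feed back to the apps. In practice the app user lists come from each service's admin API and the roster from the HR system, and the check should run on a schedule so that the `days_since_exit` figure for a leaver never has a chance to grow into weeks.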

Now we will look at cloud security posture management or CSPM

CSPM is a tool or set of tools that ensures that the controls you want to have in place for your cloud environment are correct. Your organization might have to follow a particular security standard like NIST 800-53 or ISO 27000 due to government regulations. A CSPM tool can ensure all your cloud infrastructure stays in compliance with those security standards.

Numerous security breaches have happened due to misconfigured permissions with cloud storage. Mismanaged Amazon S3 buckets have caused major data disclosures. Companies that thought they had good practices in place—like Booz Allen Hamilton and Deep Root Analytics in 2017—leaked data because of misconfigurations.

A CSPM will constantly monitor your cloud environment for configuration changes and settings to make sure that the rules and controls you want to have in place for your environment are in place. Additionally, some solutions will automatically fix incorrect settings to ensure compliance with privacy laws and government regulations regarding data privacy.
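The S3 misconfiguration case above is the kind of rule a CSPM evaluates on every configuration change. The following Python check, added here as an example and not taken from the post or from any vendor's product, rates a small constructed inventory of buckets on one rule: no unconditional anonymous read access in the bucket policy, with the bucket's Block Public Access settings taken into account. The bucket names, the policies and the account ID 123456789012 are placeholders; the policy and Block Public Access field names are the real AWS ones.

```python
import fnmatch

# Constructed sample inventory for this example (not real buckets or accounts;
# 123456789012 is a placeholder account ID). A CSPM tool pulls the bucket policy
# and the Block Public Access settings from the cloud API; here they are embedded
# as already-parsed dicts so the check runs offline.
ALL_BLOCKS_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
ALL_BLOCKS_OFF = {k: False for k in ALL_BLOCKS_ON}

INVENTORY = {
    "cust-exports": {  # anonymous read and no guardrail: the classic leak
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::cust-exports/*"}]},
        "public_access_block": ALL_BLOCKS_OFF,
    },
    "static-site": {  # anonymous read in the policy, but RestrictPublicBuckets neutralises it
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "SiteRead", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::static-site", "arn:aws:s3:::static-site/*"]}]},
        "public_access_block": ALL_BLOCKS_ON,
    },
    "internal-logs": {  # scoped to one role, but the guardrail is switched off
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "LogReaderOnly", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/LogReader"},
             "Action": "s3:*", "Resource": "arn:aws:s3:::internal-logs/*"}]},
        "public_access_block": ALL_BLOCKS_OFF,
    },
}


def is_anonymous_principal(principal):
    """True when the statement grants to everyone: "*" or {"AWS": "*"} (or a list holding "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def grants_action(actions, wanted):
    """True when any Action pattern (e.g. "s3:*", "s3:Get*", "*") covers the wanted action."""
    patterns = [actions] if isinstance(actions, str) else list(actions)
    return any(fnmatch.fnmatchcase(wanted, p) for p in patterns)


def public_read_statements(policy):
    """Sids of Allow statements that give anonymous, unconditional object read.
    Statements carrying a Condition are left for manual review rather than flagged."""
    found = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        if grants_action(stmt.get("Action", []), "s3:GetObject"):
            found.append(stmt.get("Sid", f"statement[{idx}]"))
    return found


def evaluate_bucket(name, record):
    """Rate one bucket and say what to change to bring it back into line."""
    stmts = public_read_statements(record.get("policy") or {})
    pab = record.get("public_access_block", {})
    blocks_on = all(pab.get(k) for k in ALL_BLOCKS_ON)
    if stmts and not pab.get("RestrictPublicBuckets"):
        severity = "HIGH"      # policy is public and nothing stops it: data is exposed now
    elif stmts:
        severity = "MEDIUM"    # exposure held back only by the Block Public Access guardrail
    elif not blocks_on:
        severity = "LOW"       # not exposed today, but the guardrail has drifted off
    else:
        severity = "PASS"
    remediation = None if severity == "PASS" else {
        "remove_statements": stmts,
        "public_access_block": None if blocks_on else dict(ALL_BLOCKS_ON),
    }
    return {"bucket": name, "severity": severity, "statements": stmts, "remediation": remediation}


def scan(inventory):
    """Run the check over every bucket; this is the loop a CSPM re-runs on each config change."""
    return {name: evaluate_bucket(name, rec) for name, rec in inventory.items()}


if __name__ == "__main__":
    for finding in scan(INVENTORY).values():
        print(finding)
```

The severity tiers mirror how a CSPM reports: HIGH when the data is reachable now, MEDIUM when only the Block Public Access guardrail stands between the policy and the internet, LOW when nothing is exposed but the guardrail has drifted off, and PASS otherwise. The remediation dict is what an auto-fix mode would apply (remove the offending statements and re-enable all four blocks). Statements that carry a Condition are deliberately left for manual review, because they may be scoped to a VPC endpoint or an IP range rather than truly public, and a blanket auto-fix on those would break legitimate access.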

Go straightforward with a cloud workload protection platform (CWPP)

A cloud workload protection platform is designed—as the name sounds—to protect what you are doing in the Cloud from attacks by malware or viruses. Just as you run endpoint protection software on servers in your datacenter, you want the same thing happening in your cloud environment if you are hosting your own servers or virtual machines. Most CWPP solutions offer an agent version, just like you use now, or an agentless version that pulls information from your cloud-hosting environment. Each has trade-offs: the agent version typically gives you better intelligence at the cost of some performance in your cloud environment, while the agentless version usually has no impact on your cloud workload but will not give you all the details that an agent does.

Relative newcomer secure access service edge (SASE) can give smaller businesses more security attitude

Secure access service edge, known as SASE (pronounced “sassy”), is a cloud-based information technology model where both the network and the security for the network are offered on demand without having ownership of the hardware or security tools. This kind of solution is growing in popularity for small startup companies and companies that are very flexible because you purchase your networking and security as you need it.

SASE typically has four main components:

  1. A CASB solution to provide security for your cloud applications,
  2. A secure web gateway (SWG) for access to your cloud applications where you can implement
  3. Your zero trust network (ZTN), and finally,
  4. Firewall-as-a-Service.

This is a lot of acronyms and buzzwords, but they can and do really work together, with the result that you can implement very good security controls if you design your cloud environment with SASE in mind.

SASE works best and easiest when you have a fully cloud-based environment. You can see why that would make it appealing to startup companies that do not have legacy hardware and storage and other technology that must have security “bolted” on later to make it cloud-friendly.

I can hear some of you saying, “What is the key takeaway?”

For CIOs and IT Directors, the key takeaway is that there are advantages to moving on-premises storage and computer systems to a cloud service. However, you need to carefully plan what you are moving, why you are moving it, and what controls you will have in place to make sure the systems and data you move to a cloud service (SaaS, IaaS, PaaS) are as secure as you need them to be.

For security practitioners, you need to recognize that the security controls you use for on-premises assets are not always the same controls you use for cloud assets. Consequently, your thinking needs to shift and you need to make sure the controls you use are appropriate for cloud hosted assets.

If your company is relatively new and does not have a significant investment in on-premises computer resources, your move to the cloud could be smooth and painless. On the other hand, if your company is a mature company with lots of assets on premises and in-house, as well as custom applications, your journey will likely be longer and require significantly more planning and preparation.

I hope this has been helpful, reach out and let me know if you have any questions.

Read more from John Bruggeman:

Weighing the risks and benefits of moving to the Cloud

2022 Cybersecurity Predictions

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

SASE: What is it, why now, and is it right for you?

For many organizations, the pandemic has been a driver for digital transformation. With applications and operations rapidly migrating to the Cloud, security must follow the user and not be tied to the traditional brick-and-mortar location. Digital transformation is a complex process since organizations now require expertise in both networking and security, and the move to the Cloud can be costly as well.


This is where Secure Access Service Edge (SASE, pronounced “sassy”) comes in. The term is a new concept, originating from Gartner in 2019. In the not-too-distant past, SASE stood for Self-Addressed Stamped Envelope, and the evolution of the acronym exemplifies just how quickly our world is going digital.

With its Network Security as a Service offering, CBTS combines SD-WAN technology with SASE principles to provide efficient, secure, and cost-effective networks for organizations trending towards remote and branch operations. To help you embark on your own digital transformation journey, CBTS has prepared a guide on key SASE benefits, what challenges you should look out for, and why the trend is here to stay.

What is SASE, and how does it work?

In precise terms, SASE is a network architecture that combines software-defined wide area networking (SD-WAN) and security into a singular cloud framework. That means organizations benefit from improved efficiency, heightened security, and simplified WAN deployment.

The SASE framework and philosophy are a novel approach to a cloud-enabled enterprise network with many operational, business, and security benefits. For example, converging an organization’s cloud-based networking and security services reduces complexity, boosts network performance, and minimizes the number of vendors and devices IT oversees.

Additionally, there is a considerable reduction in hardware requirements, lessening IT staff’s workload related to deployment and maintenance while expanding actionable security alerting and monitoring.

By implementing SASE, you’ll engage with five core technologies:
  1. Integrated SD-WAN: Optimize network administration and performance by leveraging software and cloud-based technology for enterprise network connectivity.
  2. Cloud access security: Ensure safe use of cloud technology for your enterprise. Improving cloud security prevents malware infections, data leaks, and regulatory noncompliance.
  3. Firewall as a service: Deploy cloud-based firewalls to take advantage of advanced threat protection, URL filtering, DNS security, and intrusion prevention systems.
  4. Secure web gateway: Protect your internal network and users from potentially malicious unsecured Internet traffic.
  5. Zero trust network access: Reduce the risk of attacks and data leaks by verifying the identity of users or devices attempting to access your network.


Learn more about how SASE and Zero Trust Network Access work together to deliver safe, secure, and reliable remote access to your network by downloading this e-book: SASE and ZTNA for Dummies

Complete your SD-WAN migration with improved security

Migrating to SD-WAN has become a critical endeavor for enterprises across the globe, and SASE provides the ideal path to a successful implementation.

Due to the swift spread of the coronavirus crisis, many enterprises quickly shifted to a distributed workforce. They soon realized that their existing VPN-based solutions were often unreliable, with limited performance and security measures. We’ve previously covered how SD-WAN security enhances critical business applications, but in short, enterprises benefit from a networking solution offering more affordable, reliable, and faster connectivity.

In the SASE framework, these benefits are realized alongside improved security for a remote workforce. With remote work here to stay, organizations must be able to support increasingly dispersed teams safely, and security is paramount to doing so.

SASE employs a flexible, cloud-based firewall that protects users and computing resources located at the network’s edge. It offers secure web gateways to protect companies from the threat of harmful outside resources. It also implements zero-trust network access, which bases security on identity rather than aspects like an IP address.

Altogether, by leveraging SASE, organizations ensure branch offices can take advantage of ongoing digital innovation efforts and improved security features as they scale.

Also read: Employ cloud-enabled security to safeguard your SD-WAN network

Keep pace in a shifting digital landscape

Our increasing dependence on the Internet of Things (IoT) and edge computing necessitates a trustworthy, homogenized approach to cloud-based services and security. In this environment, SASE is already an essential aspect of a company’s digital makeup.

Remote workforces must be able to rely on sophisticated, tailored cloud services that allow them to perform their duties with confidence. IT staff cannot be held back by legacy hardware or features that are merely stitched together instead of well-integrated.

The digital landscape is constantly evolving, and so are its threats. Our 2022 Cybersecurity Predictions asserted that ransomware attacks will increase. Additionally, nation-state attacks will see an uptick, while the number of states starting to give privacy rights to consumers is on the rise.

Enterprises can best address these concerns by deploying an integrated, complete response to the cloud-based security needs of modern organizations.

Reduce the burden of network and security maintenance

Beyond increased efficiency and reduced complexity, taking the plunge with a combined networking and security offering simplifies operations for an enterprise’s IT staff.

Regardless of where users are located, SASE ensures security policies are standardized. It also simplifies the authentication process by applying the right policies based on what the user requests at sign-in. In fact, IT executives can set these policies centrally using cloud-based management platforms. These procedures massively reduce risk, as the entire system is less complex and offers a universal approach.

Where an enterprise’s IT staff is often overloaded with menial, time-consuming tasks, a combined SD-WAN and security offering frees your team to improve business efficiency, address IT concerns that affect the bottom line, and support the organization.

Why CBTS for SASE?

If legacy infrastructure, increasing complexity, and skyrocketing costs are standing in the way of your team completing your digital transformation journey, CBTS is the right partner for you.

It’s critical that the partner you select has experience in both network and security solutions. CBTS offers a wide range of expertise compared to other managed service providers. As a Check Point Software Technologies 5-Star Partner, it has a long track record of delivering extensive networking and security overhauls. In 2020, CBTS was named a Gartner Magic Quadrant leader for its VMware SD-WAN™ edge expertise. By combining VMware SD-WAN with SASE network security principles, CBTS delivers comprehensive cloud-native network security.

Our experts work alongside you from the assessment phase to the implementation of your SD-WAN and security capabilities to provide ongoing, full-spectrum support for your organization.

Contact the experts at CBTS to enhance and simplify security for your modernized networking environment.

2022 Cybersecurity Predictions

Hello everyone, I hope 2022 will be a better year for all of us, and like so many others I have some predictions about what is on the horizon for cybersecurity in the coming year.

My predictions are similar to others in the cybersecurity community but I know that folks other than information security professionals read this blog so I want to get this information out to that constituency as well as the info-sec community.

Here are the top seven things I think we can expect in 2022

1. Ransomware attacks will continue to increase, not decrease in 2022.


The business of ransomware, i.e., Ransomware-as-a-Service, is just too profitable for it to slow down or stop. The process is too developed, too streamlined, and too easy for criminals and the threat actor community to give it up. For those of us on the Blue team (the defense side in the whole red team/blue team dichotomy), we will continue to defend and protect our data and assets from threat actors on premises (traditional IT) and in the cloud (AWS, Azure, etc.).

Ransomware-as-a-Service is now so mature that there are access brokers, malware developers, hosting platforms, extortion specific websites, and even customer service teams to help victims pay via Bitcoin, plus you can be certain that criminals are making cybersecurity predictions of their own. Stay alert everyone: We are being targeted.

Read more: https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/  

2. Supply chain risk will continue to grow.

This is an outgrowth of the first item—ransomware increasing—and the number of vectors where criminals can attack is limited only by the number of companies in your supply chain. So think about who is supporting your business. Are they a secure company? Can they prove it?

If you don’t know your vendor partners well or if you don’t know how secure they are, you need to find out. You are as insecure as they are. You need to make sure you are as well protected as feasible from risky suppliers. Third-party risk management will be a critical component of your risk management strategy in 2022 and beyond.

Read more: https://www.securityweek.com/critical-sap-vulnerability-allows-supply-chain-attacks

3. Monitoring endpoints with MDR or XDR will grow to defend against the increase of ransomware.

To defend against ransomware attacks, the need for “eyes on glass” 24×7 will increase in 2022 and beyond. Demand for managed detection and response (MDR) and eXtended detection and response (XDR) will increase due to management wanting to defend against attacks. Insurance companies as well are requiring companies and organizations to have MDR/XDR in order to qualify for cybersecurity insurance.

Read more: https://www.forbes.com/sites/forbesbusinesscouncil/2021/12/22/with-rising-cyber-insurance-costs-and-requirements-consider-new-alternatives-to-fight-ransomware/?sh=288404226e14

4. Multi-factor authentication (MFA) for e-mail and other business application access will grow, as will Zero Trust Networks (ZTN).

These security controls will grow to help defend against ransomware attacks. Just like MDR/XDR, MFA will be a requirement to qualify for cyber insurance. Companies like DUO and others will see increased sales as companies move to MFA to meet those cybersecurity insurance requirements.

Read more: https://solutionsreview.com/security-information-event-management/understanding-and-complying-with-the-new-mfa-requirements-for-cyber-insurance/

Zero Trust Networks will be more than a buzzword in 2022 as more companies look to reduce their risk and attack surface. Some areas will be easier to move from classic trust frameworks, where the device is trusted because the company owns the device, to Zero Trust where the user, the device, and the applications are not implicitly trusted. Boards and senior executives will be asking and expecting CIOs to make the move to less trust, more verification from the edge on down the chain.

Read more: https://www.forbes.com/sites/forbestechcouncil/2021/12/09/why-zero-trust-and-identity-will-be-boardroom-priorities-in-2022/?sh=5f2670a1d315

5. Cybersecurity insurance premiums will rise by 20%, 30%, and more.

The cost of insurance against cybersecurity attacks, data loss, and other security risks will continue to rise and drive the adoption of other threat detection and prevention tools as mentioned above. Companies looking to renew existing policies will face 30%, 40%, and higher percentage premium increases due to the explosion of attacks in 2020 and 2021. In addition to higher rates, the security controls that have to be in place to purchase insurance will increase (see items 3 and 4 above).

Read more: https://www.forbes.com/sites/theyec/2021/11/02/cyber-attacks-are-on-the-rise—what-executives-and-insurance-providers-can-do/

6. Nation-state attacks will increase.

With Russia testing out cyberattack tools against Ukraine, and North Korea testing out attack techniques against South Korea and others, nation-states will continue to attack soft targets around the globe. Collateral damage will occur as nation-states test and launch attacks against targets, with some attacks impacting suppliers to other companies. Third-party and supply chain risks will be identified as the vector for these attacks, which is how many other companies will be impacted.

A manufacturing company in Indiana won’t be a target but AWS or Azure will be, and the company’s AWS instance will be impacted as well. When nation-states are involved even the biggest vendors can go down.

Read more: https://www.securitymagazine.com/articles/96781-top-15-cybersecurity-predictions-for-2022

7. California Privacy laws will start to impact U.S. businesses the same way that the GDPR impacted the EU.

The California Consumer Privacy Act (CCPA) and the new California Privacy Rights Act (CPRA) are just the tip of the iceberg in terms of new privacy legislation in the US. More than 30 states in the U.S. have data privacy laws and the number of states starting to give privacy rights to consumers is on the rise. This trend will continue and impact virtually every company that does business in the United States in 2022.

To get a head start on this, find out where your customer data resides, make sure you know everywhere it resides, and then start your data labeling process. You can be the CIO hero if you know where the data resides and how to delete it or correct it so that your customers can be forgotten or updated if they want, and you can prove that you did it.

Read more: https://news.bloomberglaw.com/privacy-and-data-security/top-privacy-law-issues-in-2022-as-congress-debates-a-federal-law

That is what I see on the horizon for 2022. What are you seeing and what predictions for cybersecurity have you made? E-mail me at john.bruggeman@cbts.com and let me know your thoughts on the upcoming challenges and opportunities in 2022.

Read more from John Bruggeman:

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Getting ransomware-proof, continued: CIS controls for medium-size organizations

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

Over my past three blog posts, I’ve talked about cyber insurance. The first one covered the topics of what it is and do you need it. The second post discussed what you need to have or know before you make the call to your agent to get a quote. My third post examined in detail what type of questions you’ll be asked and who else besides the information technology group has to be involved in order to answer the questions from the insurance carrier.

Insurance companies may choose to not insure you for various reasons. Discover those reasons, how to resolve issues, and alternatives to buying cybersecurity insurance.

Now let’s talk about what to do if you can’t buy insurance, either because the premium is too high or no insurance carrier will cover you. Unfortunately, these days insurance carriers are denying coverage more often due to the very high probability that your company will be attacked and compromised. You want to prepare yourself for that possibility.

In this blog, I’ll cover your options if you are denied. Part one will address the reasons why the insurance company won’t cover you and what you can do to fix those issues. The second part will cover what you can do instead.

Why insurance companies won’t cover you

Insurance companies typically deny cyber insurance because they think you are too risky. Just like a 16-year-old who just got their driver’s license is very risky for a car insurance company, your company or organization can be viewed as too risky if you don’t have good cybersecurity practices in place.

How to resolve issues

First, you should try to find out why you were denied. It’s likely that the insurance carrier won’t tell you why, you’ll just be denied. To find out, take a look at the questions in Cyber insurance, part 2: The insurance company questionnaire and also in Cyber Insurance, part 3: Filling out the questionnaire. When you answer the questions in those two blogs, the areas you need to improve will likely stand out.

But what to do?

More often than not, the problem that is preventing you from qualifying for insurance can be resolved by adopting an information security framework like the NIST Cyber Security Framework or CIS Controls. A framework helps you standardize what you are doing to protect your data, assets, and systems from threats. You can adopt either of these frameworks at no cost to you, other than your time and effort.

Something else you can do that doesn’t cost anything other than time but will help improve your security posture is answering these five questions from Justin Hall. After you answer those questions you can take these five steps to make your environment safer.

Alternatives to buying cybersecurity insurance

Second, what can you do instead of buying insurance?

Self-Insurance

Something to consider if you can’t buy insurance is establishing “self-insurance” against a ransomware attack or other cyber incident. Your comptroller or CFO might like this idea. If you take the money equivalent to an annual insurance premium and invest that in your information security program, you can make your environment more secure.

Imagine this scenario:

The insurance premium for a small company (100 employees or less) can range anywhere from $15,000 to $25,000 a year for a $1,000,000 policy. Take that money and implement some of the basic security controls in NIST or CIS and you’ve improved your information security program right away. Strategically do that each year for five years and you will then have a much more secure environment that is resistant to cyber attacks.

Incident Response Services

Another option is to purchase incident response services in case you have a cyber incident. In this case you are purchasing re-active services when something bad happens. It’s not as good as preventing the incident, but you get help recovering from the crisis.

Limited Insurance

A third and final option would be to purchase a scaled down or limited form of insurance that will help you with recovery from an incident but not provide the payout of the ransom. The following services are not insurance but are services you should consider purchasing:

  • Awareness and training services for your staff. This can potentially improve your defense against phishing e-mails or business e-mail compromise attacks.
  • Coaching for your executive team on how to handle a data breach or ransomware attack. Not everyone is prepared to respond calmly when a crisis occurs, so coaching can help.
  • Run a ransomware or data breach tabletop exercise (TTX). This allows your team to walk through the steps of a data breach or ransomware event and experience some of the steps that you will experience in that kind of event.
  • Hire a ransomware negotiator to act on your behalf in case you are attacked. There are professional ransomware negotiators that assist with the price and payment if you choose to pay the threat actor.

These are just a few of the steps you can take in case you can’t purchase cyber insurance at a price you can afford. One other action to consider is partnering with an expert vendor that specializes in information security and helping companies establish and strengthen their cybersecurity programs. Contact our security team today to get your security program on the road to insurability.

In my next blog, I’ll talk about what we can expect on the cybersecurity front in 2022.


Read the cyber insurance series from John Bruggeman:

Cyber Insurance, part 1: What is cyber insurance, and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire!

Cyber Insurance, part 3: Filling out the questionnaire

Catch up with these tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman:

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Zero Trust Networks (ZTN): what are they and how do I implement one?

Cyber Insurance, part 3: Filling out the questionnaire

We are on to Part 3 of our Cyber Insurance series. You have read parts one and two, you know you need it, and you have an idea what questions are going to be asked. Now you need to answer them.

Answers for a cyber insurance questionnaire could be found from teams across the organization. Everyone has a part to play for the organization to be cyber secure.

Hmm… do you (CIO, CISO, IT director, director of information systems) have all the answers?

Not likely. You probably have some of the answers, but not all.

Information security is not just a job for IT, it’s a job for the entire company. Everyone has a part to play for the organization to be cyber secure.

Read more: Top 5 cybersecurity actions to take right now

Some of the questions the insurance carrier will ask are related to data owned by other departments. Your HR department is responsible for safely storing employee information (salary information, tax information [including SSN], and healthcare information). The finance department is responsible for making sure your vendor information, company bank information, investments, and other financial data are stored securely. If you have a software development team or you store customer data, your application development team is responsible for that data.

GRC is an acronym you want to remember if you don’t know it already. Governance, Risk, and Compliance is the team that is typically responsible for making sure you have a plan or framework in place to keep your information safe, secure, and available.

For a small company, the GRC team might be all the vice presidents or managers, for a larger company it could be a dedicated team, and for a Fortune 100 company, it’s a team that reports to the board.

As the CIO you will likely have to answer these questions, so in a perfect world you call your chief information security officer (CISO) to fill out the questionnaire. On that call, they let you know that because of the proactive steps they have taken below, you can expect to get the best possible quote:

  • Micro-segmentation of the network.
  • NGFW at the perimeter.
  • XDR on all the end points with 24×7 monitoring.
  • SIEM tool implementation.
  • Monthly vulnerability assessments and remediation.
  • MFA implementation for e-mail, VPN, and network access.
  • A third-party security program assessment of your information security program, which is based on the NIST Cyber Security Framework.
  • Adaptive information security and awareness training.
  • Data governance and risk assessment protocols, policies, and procedures.

Congratulations, you are #WINNING!

“But, wait,” you say, “I don’t have a CISO or a person in the CISO role. What do I do?”

Don’t panic; that’s understandable and not unusual.

Not everyone has an adaptive information security program with all the features listed above. I have talked with clients who are at the adaptive level (level 4 on a 1-4 scale), and I’ve talked with those that are risk informed (level 2) and organizations in between.

The list of security practices above can be hard for an organization to implement unless top level management has regulatory requirements (e.g., Sarbanes Oxley, GLBA, PCI-DSS, or other federal regulations) or the organization has experienced a data breach, ransomware attack, or an expensive cyber incident of some kind.

Read more: The basics of Incident Response Planning: how do you do it?

The goal of a good information security program and cyber insurance is to avoid these kinds of cybersecurity incidents:

  • Accidental disclosure or data breach of sensitive or PII type information.
  • Ransomware attack that cripples your organization.
  • Business e-mail compromise (BEC) that causes financial loss.
  • E-mail fraud (fake invoices or similar).
  • Malicious insider threat or other cyber incident.

What can you do if you do not have an adaptive information security program but you know you have risks and you want to mitigate those risks as much as possible?

You need to know the basics of your environment, in other words, the who, what, when, where, and how of your information environment:

Who are you collecting data about? Your customers? Your employees? Random people who visit your website? Potential customers? Do you buy mailing lists?

What data do you collect? Personal data? Private data (social security numbers, credit cards, etc.)? Tracking information about your staff or customers?

When do you collect the data? When you make first contact? Every time you engage with them?

Where do you store that data and how?

Why are you storing that data and for how long?

How are you storing that data?

Consider this another way to think about what is important to a cyber insurance provider. Moreover, I suggest you get some help with this process internally, and probably externally with a vendor partner. The vendor partner could be your auditors, or a company like CBTS that specializes in information security and helping companies set up a good InfoSec program. Contact our security team today to get your security program on the road to insurability.

Read more about Cyber Insurance from John Bruggeman:

Part 1: What is Cyber Insurance and Do I need it?

Part 2: Cyber Insurance, part 2: Getting ready for the insurance company questionnaire!

Part 4: What do you do if your cybersecurity insurance policy is denied?

More tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman:

Getting ransomware-proof, continued: CIS controls for medium-size organizations

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Zero Trust Networks (ZTN): what are they and how do I implement one?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire!

Ok, so you have read my first post about cyber insurance, and you have determined that you need it.

General guidelines for what you should review before calling your cyber insurance agent

What do you need to know before you call your insurance agent?

Over the past ten years or so, the insurance questionnaire has gotten longer and longer, with more and more detailed questions about the data you keep and the controls you have in place to protect that data.

If you have a good security program in place, then answering the questions won’t be hard. If you have a program in place but you have gaps, you need to know what those are before making that phone call.

If you have no program in place, you might not qualify for insurance at all.

What do you need to know first?

Here are some general guidelines for what you should review before you call your agent.

Start with your information security risk. These questions are similar to what your car insurance agent asks to gauge how risky you are to insure, questions like: How old are you? Are you married? Have you had any accidents recently? What kind of car do you drive?

For cyber insurance the questions are more like these:

Q. Do you or your company collect, store, process, or transmit protected or sensitive data, like credit cards, Protected Health Information (PHI), or social security numbers?

  • If you answer yes to this question, you will have regulatory requirements to maintain, process, collect, store or transmit this data. Those requirements help provide guidance on the controls you need to have in place.
  • Then you will have to check boxes to qualify the kinds of data in your control.
  • Next, you’ll be asked how many records with protected or sensitive data you have or process or transmit: 100? 1000? 10,000? 100,000? More?
  • You will also have to share how many unique individuals you collect protected or sensitive data for. Notice this is similar to the preceding question but is not the same.

Q. Is your company subject to any specific regulation, like GDPR, HIPAA, FERPA, SOX, GLBA, CCPA, PDPA, PCI-DSS?

  • If you answer yes to this question, you will have guides or requirements you need to follow to be compliant with these regulations. You might not know that you have requirements, but you do, so get the appropriate guide(s) that will help you follow those regulations.
  • In this vein, are there any industry security frameworks that you have to follow, like NIST or COBIT?

Read more: Can you be ransomware-proof? Is that even possible?

Q. Do you allow your employees to use portable devices to work on your data, like laptops or their own devices?

  • Portable devices are really nice, but they involve additional risk. Most of the risk is related to loss of data, either by physically losing the device (i.e., data loss) or having data on the device compromised or stolen (other people use the laptop and accidentally infect the machine or copy or delete sensitive data).

Q. Do your vendors or third-party contractors have access to your computer systems?

  • If you grant third parties access to your computer systems and data, do you know what kind of security controls they have in place?
  • Could they be infected with malware that then infects your computers? Would you know if that happened?
  • Do you audit your third-party vendors or suppliers?

Q. Do you have a formal information security program?

  • Do you have any information security policies?
  • Do you have a person or role that is responsible for information security at your company or organization?
  • What is the budget for your information security program?

Read more: Essential security practices to protect your business

In addition to those questions about your information security program, be prepared for detailed questions about your network and system configuration, such as:

  • Do you have a firewall? Who is the vendor, and do you keep it updated?
  • Do you have antivirus software on your servers and workstations? Do you keep it updated?
  • Do you have a network Intrusion Prevention System (IPS) or Intrusion Detection System (IDS)? Do you keep it updated?
  • Do you have an anti-spam device to block phishing e-mails?
  • Do you require Multi-Factor Authentication for network and e-mail access?
  • Do you require complex passwords?
  • Do you require passwords to expire?
  • Do you have policies and procedures for network access, account creation, and acceptable use policies?

What else do the insurance companies want to know?

Because you likely do not operate in a technological silo, you will have to answer questions about any cloud service providers you use for your business.

  • Does your cloud service provider have a security program?
  • Do they audit their security program with a third party?
  • Can they provide a SOC 2 Type 2 report?
  • Can they meet your security requirements (like GDPR, SOX, HIPAA, FERPA, etc.)?

Sometimes the insurance questionnaire will ask about the contracts you have with your customers, looking for information like:

  • Do you use contracts with your customers?
  • Do your customer contracts have “hold harmless” clauses?
  • Do your customer contracts get reviewed by your legal team?

There can be additional questions depending on your industry, but these are the kinds of questions you should prepare to answer when you start looking for cyber insurance. In my next blog post I’ll show you how to get prepared if you have gaps or do not have a security program in place.


John Bruggeman’s Cyber Insurance series:

Part 1: What is Cyber Insurance and do I need it?

Part 3: Cyber Insurance, part 3: Filling out the questionnaire


More tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman:

Getting ransomware-proof, continued: CIS controls for medium-size organizations

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Zero Trust Networks (ZTN): what are they and how do I implement one?

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Many companies these days either have cyber insurance or are thinking about purchasing it. It’s a smart choice given recent ransomware attacks and the risk to a company locked out of its critical business systems or important business files for hours or days or weeks. If the risk of ransomware isn’t already on the CEO’s and CIO’s minds, a business e-mail compromise (BEC) or funds transfer fraud attack may have popped up on the risk registry in the quarterly Board meeting. 

But what is cyber insurance and does your company need it? I will tackle these questions and others in a series of blog posts to help you make an informed decision.

What is cyber insurance?

What you get with cyber insurance—or more technically, Cyber-Liability Insurance—is a policy that helps mitigate the fallout or impact of a cyber attack, ransomware incident, or other technology event covered in the policy. Cyber insurance can help transfer the risk of a ransomware attack, BEC, or fund transfer fraud from your bottom line to the insurance company.

Read more: Getting ransomware-proof, continued: CIS controls for medium-size organizations

Do you need cyber insurance?  

The answer to that question is: It depends.

The minimum questions you want to ask yourself are:

  • Do you have PII (Personally Identifiable Information) that has to be protected?
  • Do you have a website that takes orders and stores credit card information (credit card data)? 
  • Do you have PHI (Protected Health Information) that you need to protect? 
  • Do you have intellectual property that needs to be protected?
  • Do you have other protected or sensitive data that needs to be protected (FERPA, CUI, ITAR, EAR, etc.)?
  • Does your company use automation to produce or ship your products?

If you answered yes to any of those questions then you probably need it.

Read more: How do you ensure the security of your supply chain?

What do you get with cyber insurance?

It depends on the policy of course but generally policies provide the following coverage:

  • Cost to recover data or systems—and sometimes losses incurred by your business—from a cybersecurity event, like ransomware or a DDoS attack.
  • Cost to perform forensics if required or needed by you or your legal team.
  • Payment of the ransom for encrypted data or lost funds in transfer fraud.
  • Costs of legal defense if needed after the event.
  • Cost to make customers whole if needed.

Some policies can also assist in these ways:

  • Help create your incident response plan.
  • Provide online training material for your employees to improve cybersecurity awareness and defense.
  • Provide a team that will help if you are hit with a ransomware attack.

What does cyber insurance cost?

The cost varies by insurance provider and by the coverage you choose, and a number of variables will affect the price you are quoted.

If you are a small company with a limited number of customers and limited exposure, cyber insurance could be very affordable. If you are a medium-size company with hundreds or thousands of customers and more exposure, you could be looking at several thousand or tens of thousands of dollars per year.

In my next blog post I’ll talk about what you need to have on hand to prepare for answering the questions that the insurance companies will ask.

Need more help with your cyber defense? Contact the CBTS cybersecurity team today.


Cyber Insurance series from John Bruggeman:

Part 2: Cyber Insurance, part 2: Getting ready for the insurance company questionnaire!

Part 3: Cyber Insurance, part 3: Filling out the questionnaire

Part 4: What do you do if your cybersecurity insurance policy is denied?

Stocking your cybersecurity toolbox?  Read more from CBTS Consulting CISO John Bruggeman:

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Zero Trust Networks (ZTN): what are they and how do I implement one?

The basics of Incident Response Planning: how do you do it?

Since we are in the middle of Cybersecurity Awareness Month, I want to know about your incident response plan or IRP. When you created your cybersecurity program, how did you go about developing an incident response plan for your information security team? What steps did you take? Who did you involve?

Some of you might be thinking, “I don’t have time to create an Incident Response Plan, John!”

Well, ok, I understand that, but think of this analogy: You are the coach of a high school basketball team, and you’re getting ready to play your first league game. Have you practiced at all? Have you run a few drills? Do you know who on your team is good at shooting the ball? Who’s good at passing the ball? Who’s good at defending? Who do you want as the captain of the team? Who do you not want on the team? Who might be best holding a clipboard or keeping score?

Would you put your team on the court without any plan or any practice? I don’t think you would. You would want to be as prepared as possible before you put your team on the court.

So today I want to talk about the basics of creating your IRP, about planning and being prepared for something more dangerous to you and your company than a basketball game.

An IRP can be customized for your specific company or organization of course, but you will want to cover this basic format for three general types of incidents: High, Medium, and Low. Sometimes these are called Priority 1, 2, or 3 incidents and sometimes they are given colors, like red, yellow, and blue. Regardless of the scale you use, the information below is a general guide for WHAT you want to do when you respond to an incident.

High Level Incidents or Priority 1

Suggested steps for response and remediation for High Level Incidents or Priority 1 (Examples: Active ransomware, data exfiltration, or other obvious malicious activity)

Time frame to respond: 2 hours or less

  1. Assess the size and scope of the incident. Investigate alerts from end point security tools or intrusion detection systems and log any new detections.
  2. Isolate affected endpoint(s) from the network to prevent malware from moving laterally throughout the environment using network management tools.
  3. Kill running process(es) associated with malware if possible.
  4. Delete malicious binaries if possible.
  5. Block command-and-control IP addresses at network perimeter firewall.
  6. Ban malicious MD5 or SHA2 hashes with whitelisting tool or other relevant product.
  7. Remove persistence mechanisms (scheduled tasks, autorun keys in the registry, etc.).
  8. Minimize risk of a future attack by identifying vulnerability used in the attack and implement technical or administrative controls.
  9. Review account usage involved in the incident and reset passwords, limit administrative access where possible, and disable unnecessary file-sharing access.
  10. Re-image infected systems and patch identified vulnerabilities.
  11. Mark relevant detections and alerts as repaired in Incident tracking tool.

Escalation Procedure

  1. Helpdesk or MSP will contact appropriate incident responder(s) based on pre-determined asset value/department/data owners, who will initiate pre-defined response plan specific to the severity and type of incident.
  2. Complete scoping assessment to determine which systems and data were affected by the incident.
  3. Notify appropriate personnel if scoping assessment determines that the sensitive data was affected by the incident and escalate as needed.
  4. Notify relevant managers when the incident has been successfully resolved/remediated.
  5. Prepare post-incident report documenting response process and distribute to appropriate personnel.

Medium Level Incidents or Priority 2

Suggested steps for response and remediation for Medium Level Incidents or Priority 2 (odd behavior from web browser like redirecting to support website, or desktop application requesting login credentials)

Time frame to respond: 2-4 hours

  1. Assess the size/scope of the incident.
  2. Investigate alerts from network and endpoint security tools and acknowledge any new detections.
  3. Isolate affected endpoint(s) from the network to prevent malware from moving laterally throughout the environment.
  4. Kill running process(es) associated with malware if possible.
  5. For suspicious activity, investigate details within endpoint data and determine if behavior is legitimate or malicious.
  6. Delete any malicious binaries present on the end point(s).
  7. If possible, block malicious files via MD5 or SHA2 hashes with AV or End Point protection tool.
  8. Mark relevant detections and alerts as resolved/remediated.

Escalation Procedure

  1. Helpdesk or MSP will initiate remediation within 2 to 4 hours.
  2. Document response actions and notify management as needed upon repair/remediation.

Low Level Incidents or Priority 3

Suggested steps for response and remediation for Low Level Incidents or Priority 3 (adware, add-on search toolbars, peer-to-peer software)

Time frame to respond: 24–48 hours

  1. Acknowledge detection(s), open a helpdesk ticket.
  2. Kill running process(es).
  3. Contact affected end user.
  4. Uninstall unwanted programs.
  5. Mark as remediated.

Escalation Procedure

  1. Helpdesk or MSP will fix/remove the malware within 24 to 48 hours, depending on SLA.
  2. Document response actions and notify management as needed upon repair/remediation.

If creating an incident response plan still looks like more work than you have time for, remember that cyber attackers spend all of their time looking for your network’s weak spots. Like any good game plan, your IRP will create a stronger, more nimble team with the skills to respond to those attacks and beat your opponents.

After you make your plan with your Information Security Team (even if it’s your regular IT guys who have a dual role doing InfoSec), you need to practice it. Not every day, but once a quarter. Then again, depending on your environment, you might end up practicing it every day because you have a lot of incidents. I hope that’s not the case, and I hope this helps you and your organization on the road to a safer and more secure work environment.

Need more help with your cyber defense? Contact the CBTS cybersecurity team today.

More tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman:

What is Cyber Insurance and do I need it?

Can you be ransomware-proof? Is that even possible?

Getting ransomware-proof, continued: CIS controls for medium-size organizations

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Zero Trust Networks (ZTN): what are they and how do I implement one?

Essential security practices to protect your business

Merry Cybersecurity Awareness Month! It’s going well, isn’t it? I think we are collectively more aware than we’ve ever been about the risk we face, as consumers and also as professionals.

Why do so many individuals and businesses live in fear of cyber attacks? Many customers I talk to still feel they are vulnerable in a dozen different ways. They might believe parts of their security stack are sufficient but also that attackers nowadays are insidious, capable, and determined. Cyber criminals are motivated by money and power; hacktivists have a cause to champion; state-sponsored attackers’ goals range from espionage to intellectual property theft to political and military impact.

Read more from Justin: Cybersecurity Guidance from the Top

We at CBTS believe that a strong security program that protects your data and assets will involve a basic set of practices that are essential—no matter how large or small, what industry you’re in, or what data you are responsible for. Those practices won’t save you from every attack, but you’ll certainly be better defended against opportunistic, less-skilled adversaries.

The challenge for most organizations is that those practices are tough to start. They require the right tools, people to run them, and rigorous procedures that will ensure their effectiveness. We see businesses start moving in the direction of these practices but over time, devotion to them wanes as other priorities crop up, or other projects demand the attention of the staff.

Outsourcing some of the effort of security operations in response to this challenge has been a helpful approach. It reminds me of an episode of Star Trek: The Next Generation (of course).

In it, the crew of the USS Enterprise is subjected to a virus causing them to slowly devolve into other lifeforms—their behavior begins to resemble that of a primate, a spider, a reptile. One of the crew, Lt. Worf, begins to exhibit violent tendencies. After Worf injures another crewmember, he goes into hiding. In command of the Enterprise, Commander Riker wants to find him, but the effects of the virus are affecting Riker’s brain, and he’s not thinking clearly. When Lt. Cmdr. Geordi LaForge comes and asks to help find Worf, the exchange is pretty funny:

Commander Riker asks Lt. Cmdr. LaForge to take care of that security thing.

LAFORGE: Commander, I’ve got seven security teams out hunting for Worf, but for some reason sensors are having a difficult time locking into him. I’ve called for a level two security alert. Do you think we should go to a Level One?

RIKER: (Pauses, clearly stumped)… I don’t know. What do you think?

LAFORGE: I think we should.

RIKER: Okay. Sounds good. …Then you’ll take care of that…security thing?

LAFORGE: Yes, sir. I will.

Often this is what we face as a security services company: Customers having trouble knowing what security practices to implement and how to implement them. This is why we’ve built our Managed Security team—to provide a set of essential security practices to our customers, consumed on an as-a-service basis.

These essential practices—security monitoring, vulnerability management, endpoint protection, multifactor authentication, and backups—should be a part of every company’s core security function. Can you imagine a front door without a lock, or a bank without security cameras? Going into 2022, any business with information that resides on computers connected to a network must invest in these practices or face serious risk of theft, ransomware, and other threats. Interested, but don’t know where to start? We hosted a webcast to talk more about these practices, as well as some tools that work well to map out a strategy to start doing them.

Read more: A suite of essential security services is the foundation every business should have.

Watch the Security Practices & Tools Webcast


Need more help with your cyber defense? Contact the CBTS cybersecurity team today.

Read more blogs from Justin:

Top 5 cybersecurity actions to take right now

5 questions you’ll need to answer for an improved security posture in 2021

You Virtualized My CISO! Security leadership with a virtual CISO

Zero Trust Networks (ZTN): what are they and how do I implement one?

One of the many buzz words in Information Security media today is Zero Trust Networks or ZTN. I like a good acronym as much as the next person (it is easier to type for sure), but it can be hard to understand how you as a CIO can implement a ZTN.

In a sense, a ZTN is what most of us do every day when we walk or drive to an unfamiliar place. Imagine you live in a city or suburb and you’re heading to a new restaurant but you don’t know the neighborhood for this hot new place.

What do you do?

Do you treat this new neighborhood like your own, where you know everyone and know who and what you can trust? No, of course not.

You take some time to get context (in other words, understanding) about this new place to see if you can safely and easily park your car or lock up your bike or walk to it for dinner. You scope out the area to figure out how safe things are in this new environment.

The new bistro has to scope you out, too. Are you safe? Are you someone who can be trusted to pay the bill at the end of the meal? Do you present a threat to them?

You don’t trust the new neighborhood randomly and they don’t trust you right away either.

How does this play out in the information security space?

The average company today has multiple vendors that either provide a service or are customers that need access to your network/services. As the CIO you have created a very secure, private network, that typically has a VPN for remote access, and you have vendors providing services or consuming services that are outside of your trusted network. See this basic diagram below:

An example network diagram

You can make this diagram more complicated with a DMZ, load balancers, web application firewalls, cloud services, and other things, but this covers the basic environment.

Where are the risks to you and your vendors?

There are three basic threat vectors for modern networks.

  1. A user may have compromised credentials that can be used in an attack to gain access to your network or your vendor’s network.
  2. A device may be compromised on your internal network, your vendor’s network, or the remote network. That compromised device can then attack you and/or your vendor(s).
  3. A software system—like an API—can be compromised and that can impact or infect data on your network, the vendor’s network, or the remote workers.

If you think about the number of devices you have, the number of users, and the number of vendors, you can see how the risk to you and your vendor partners has increased exponentially.

Where does Zero Trust come into this story?

Remember how I started this post by saying you want to go to a cool, new bistro in a neighborhood that is new to you? You (and your vendor partners) need to figure out who you can trust and what is accessing your network. In this case the new bistro is virtually everyone and everything connecting to your network. You have to treat your users, your computer systems, and your vendors as if you do not know them.

How do you do that?

Often this is accomplished with tokens (or a security certificate) that are assigned to a user, or a device, or even a program, after identity and authorization have been determined.

How do you create trust and where does this happen?

Imagine a network configuration that says, “I don’t trust any computer, user, or process until that computer, user, or process has provided credentials (for example, username and password or X.509 certificate) that have been validated (usually with some kind of second factor, an SMS text, authenticator push, or Certificate Authority) as authentic.” Only then does the network confirm that the computer, user, or process is authorized to do what they want to do. Yes, this includes traditionally “trusted” assets, like your own workstations!

The requirement to provide credentials and have them validated and then check for authorization is the basis for Zero Trust. The phrase that is often used is, “Trust nothing, verify everything.”

Because we can’t rely on the IP address of a machine to give us some measure of “identity” (in other words, “I trust this PC because it has our internal IP address”), the machines have to be validated. Typically this validation is with a certificate that is pushed out to the device from a centralized Certificate Authority. There are solutions that automate this process and can provide context before issuing a certificate to a device. Context in this case means, “Have I seen this PC before? Do I recognize the MAC address, serial number, or does it have an IP address I recognize?” The more context you have about a device, the more confidence you have that the device can be trusted. Keep in mind, the trust extended to that device is for that session only, or for a predetermined length of time.

Because we can’t rely on the user to provide just a username and password to prove that they are who they say they are, users have to be validated twice. Usually they identify with a username and password, then we confirm their identity a second time with some other method (an SMS or an authorization application like Duo, Microsoft Authenticator, or others). This multi-factor authentication (MFA) helps provide a level of trust that the person is who they say they are. Just like with the device, the authentication of the users is for that session only and the user will have to re-authenticate once they disconnect or end the session.

As your security program matures you can also verify the software or applications that are running on your systems. Here you would most likely have lists of the applications that you trust and you have a hash value of the executables to make sure that the application has not been modified. This can be a bit complicated, but it is possible.
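The three verifications described above, as an added example that is not part of this post or any CBTS product: a Python policy check that validates a device certificate against a central Certificate Authority (an HMAC-signed token stands in for X.509 here so the block runs offline, which is an assumption), requires a completed second factor, compares the executable’s SHA-256 against a trusted list, and extends trust only for a bounded session. The old perimeter rule (“I trust this PC because it has our internal IP address”) is included beside it for contrast; the CA key, inventory, hashes and requests are all constructed sample values.

```python
"""Zero Trust access decision: verify device, user and application on every
request, and extend trust only for one bounded session.  Added example with
constructed data; the HMAC-signed device token is a stand-in for an X.509
certificate issued by the organisation's CA (assumption, so it runs offline).
"""
import hashlib
import hmac
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional

SESSION_TTL_SECONDS = 8 * 3600   # trust lapses after this; the checks rerun


# --- Device identity: issued and validated by a central CA -------------------
def issue_device_cert(ca_key: bytes, device_id: str, serial: str, mac: str) -> str:
    """The CA signs the device attributes; returned as 'id|serial|mac|sig'."""
    body = f"{device_id}|{serial}|{mac}"
    sig = hmac.new(ca_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"


def verify_device_cert(ca_key: bytes, cert: str) -> Optional[dict]:
    """Return the signed attributes if the signature is our CA's, else None."""
    parts = cert.split("|")
    if len(parts) != 4:
        return None
    body, sig = "|".join(parts[:3]), parts[3]
    expected = hmac.new(ca_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return {"device_id": parts[0], "serial": parts[1], "mac": parts[2]}


def device_context_ok(attrs: dict, inventory: dict) -> bool:
    """'Have I seen this PC before?': serial and MAC must match the inventory."""
    return inventory.get(attrs["device_id"]) == (attrs["serial"], attrs["mac"])


# --- Application integrity: hash of the executable vs. the trusted list -------
def app_ok(name: str, executable: bytes, allowlist: dict) -> bool:
    return allowlist.get(name) == hashlib.sha256(executable).hexdigest()


@dataclass
class Request:
    user: str
    mfa_verified: bool      # second factor completed for this session
    source_ip: str
    device_cert: str
    app_name: str
    app_bytes: bytes        # the executable that wants to talk to the service


@dataclass
class Decision:
    allowed: bool
    reasons: list
    session_expires_at: Optional[float] = None


def legacy_perimeter_allows(req: Request) -> bool:
    """The model Zero Trust replaces: an internal IP address is taken as identity."""
    return ipaddress.ip_address(req.source_ip) in ipaddress.ip_network("10.0.0.0/8")


def zero_trust_authorize(req: Request, ca_key: bytes, inventory: dict,
                         allowlist: dict, now: Optional[float] = None) -> Decision:
    """Trust nothing, verify everything; the source IP is deliberately ignored."""
    now = time.time() if now is None else now
    reasons = []
    attrs = verify_device_cert(ca_key, req.device_cert)
    if attrs is None:
        reasons.append("device certificate was not issued by our CA")
    elif not device_context_ok(attrs, inventory):
        reasons.append("device attributes do not match inventory")
    if not req.mfa_verified:
        reasons.append("user has not completed a second factor")
    if not app_ok(req.app_name, req.app_bytes, allowlist):
        reasons.append(f"executable for {req.app_name} is not the trusted build")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, [], session_expires_at=now + SESSION_TTL_SECONDS)


def session_still_trusted(decision: Decision, now: float) -> bool:
    """Trust is for the session only; after expiry every check must run again."""
    return (decision.allowed and decision.session_expires_at is not None
            and now < decision.session_expires_at)


# --- Constructed sample data --------------------------------------------------
CA_KEY = b"demo-ca-signing-key"
INVENTORY = {"ws-042": ("SN-7F3A", "aa:bb:cc:dd:ee:01")}
APP_BYTES = b"trusted-build-of-finance-client"
ALLOWLIST = {"finance-client": hashlib.sha256(APP_BYTES).hexdigest()}
GOOD_CERT = issue_device_cert(CA_KEY, "ws-042", "SN-7F3A", "aa:bb:cc:dd:ee:01")
# Same internal IP and device name, but signed by a CA we do not trust, no MFA.
ROGUE_CERT = issue_device_cert(b"not-our-ca", "ws-042", "SN-7F3A", "aa:bb:cc:dd:ee:01")

if __name__ == "__main__":
    good = Request("jdoe", True, "10.1.2.3", GOOD_CERT, "finance-client", APP_BYTES)
    bad = Request("jdoe", False, "10.1.2.3", ROGUE_CERT, "finance-client", APP_BYTES)
    for r in (good, bad):
        d = zero_trust_authorize(r, CA_KEY, INVENTORY, ALLOWLIST)
        print(f"perimeter={legacy_perimeter_allows(r)} zero_trust={d.allowed} {d.reasons}")
```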

The main takeaway from this blog is that Zero Trust means—as the name implies—that you don’t trust anyone without some method (or methods) of authentication. For those of you thinking strategically, you might want to hold off on upgrading your VPN this budget year or next, and think instead of a Zero Trust solution for your remote work force.

Need more help with your cyber defense? Contact the CBTS cybersecurity team today.


More from CBTS Consulting CISO John Bruggeman:

What is Cyber Insurance and do I need it?

What do new TSA requirements mean for the security of your critical infrastructure?

How do you ensure the security of your supply chain?

Can you be ransomware-proof? Is that even possible?

Getting ransomware-proof, continued: CIS controls for medium-size organizations

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!