Cloud Audit Controls
This blog is about understanding, auditing, and addressing risk in cloud environments. Systems and architectures are rapidly converging, hiding complexity with additional layers of abstraction. Simplicity is great for operations - as long as risks are understood and appropriately addressed.

Integrated Threat Modeling: VAST, STRIDE, DREAD, LINDDUN, and PASTA (2024-03-15)
<p>Recently, during an interview, I was asked about threat modeling. I've been in and around threat modeling for a few decades, identifying and prioritizing risks based on quantitative and qualitative data. It's germane to the principles of Information Security, Assurance, and Trust. The shifting focus areas over time may require updated approaches, but the objective remains: find and prioritize threats for risk mitigation, based on our risk threshold, prior to an exposure.</p><p>Towards that end, I thought it'd be interesting to engage Claude's Opus model in a conversation about a few different approaches. There were several outputs I liked with a little tweaking. Below is just one example that includes VAST, STRIDE, DREAD, LINDDUN, and PASTA.</p><p>Now - carefully - the output below has some duplication and can be refined further - a lot - for efficient workflow execution. It demonstrates the overlap and use of each of these models.</p><h3 style="margin-bottom: 0in; text-align: left;">Example Integrated Threat Modeling Process:</h3>
<h4 style="margin-bottom: 0in; text-align: left;">Define Objectives and Scope:</h4>
<ul style="text-align: left;"><li>Establish the goals and objectives of the threat modeling exercise.</li><li>Determine the scope of the assessment, including the systems, applications, and business units involved.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Identify Assets:</h4>
<ul style="text-align: left;"><li>Identify the critical assets within the defined scope that require protection.</li><li>Prioritize the assets based on their value and importance to the organization.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Create Architecture Overview. This incorporates the core principle of the VAST model (Visual, Agile, Simple Threat modeling):</h4>
<ul style="text-align: left;"><li>Develop a high-level architecture diagram of the system, focusing on key components, data flows, and trust boundaries.</li><li>Ensure the diagram is simple, visual, and easy to understand for all stakeholders.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Identify Threat Actors:</h4>
<ul style="text-align: left;"><li>Identify potential threat actors who may have a vested interest in attacking the system.</li><li>Consider both internal and external threat actors, such as malicious insiders, cybercriminals, nation-state actors, and competitors.</li><li>Assess the motivations, capabilities, and resources of each threat actor.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Decompose Application and Identify Threats:</h4>
<ul style="text-align: left;"><li>Break down the application into smaller, manageable components and identify trust boundaries and interactions between the components.</li><li>Identify potential threats for each component and interaction using the <b>STRIDE</b> model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), considering each category in turn:<ul><li><b>Spoofing</b>: Identify threats related to authentication and impersonation.</li><li><b>Tampering</b>: Identify threats related to unauthorized modification of data or systems.</li><li><b>Repudiation</b>: Identify threats related to the ability to deny actions or transactions.</li><li><b>Information Disclosure</b>: Identify threats related to the unauthorized exposure of sensitive data.</li><li><b>Denial of Service</b>: Identify threats related to the disruption or degradation of system availability.</li><li><b>Elevation of Privilege</b>: Identify threats related to gaining unauthorized access or permissions.</li></ul></li><li>Utilize attack trees, threat intelligence, and vulnerability data to assist in threat identification.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Analyze Threats and Vulnerabilities:</h4>
<ul style="text-align: left;"><li>Assess the likelihood and potential impact of each identified threat using the <b>DREAD</b> model (Damage, Reproducibility, Exploitability, Affected Users, Discoverability):<ul><li><b>Damage</b>: Assess the potential damage caused by the threat if it were to occur.</li><li><b>Reproducibility</b>: Determine how easily the threat can be reproduced or exploited.</li><li><b>Exploitability</b>: Evaluate the level of skill and resources required to exploit the threat.</li><li><b>Affected Users</b>: Assess the number of users or systems that could be impacted by the threat.</li><li><b>Discoverability</b>: Determine how easily the vulnerability or weakness can be discovered by potential attackers.</li></ul></li><li>Identify potential privacy threats using the <b>LINDDUN</b> model (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of Information, Unawareness, Non-compliance):<ul><li><b>Linkability</b>: Determine if data from different sources can be combined to identify an individual or link their activities.</li><li><b>Identifiability</b>: Assess if an individual can be singled out or identified within a dataset.</li><li><b>Non-repudiation</b>: Evaluate if an individual can deny having performed an action or transaction.</li><li><b>Detectability</b>: Determine if it is possible to detect that an item of interest exists within a system.</li><li><b>Disclosure of Information</b>: Assess the risk of unauthorized access to or disclosure of sensitive information.</li><li><b>Unawareness</b>: Evaluate if individuals are unaware of the data collection, processing, or sharing practices.</li><li><b>Non-compliance</b>: Determine if the system or practices are not compliant with privacy laws, regulations, or policies.</li></ul></li><li>Conduct vulnerability and weakness analysis using scanning tools, penetration testing, and code review techniques.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Perform Attack Modeling:</h4>
<ul style="text-align: left;"><li>Create and review attack models using the <b>PASTA</b> (Process for Attack Simulation and Threat Analysis) methodology, working through its stages:<ul><li><b>Define Objectives</b>: Establish the objectives and scope of the attack modeling exercise.</li><li><b>Define Technical Scope</b>: Identify the key components, data flows, and trust boundaries of the system.</li><li><b>Application Decomposition</b>: Break down the application into smaller, manageable components.</li><li><b>Threat Analysis</b>: Identify and analyze potential threats using attack trees, threat intelligence, and vulnerability data.</li><li><b>Vulnerability & Weaknesses Analysis</b>: Assess the system for vulnerabilities and weaknesses that could be exploited.</li><li><b>Attack Modeling</b>: Simulate potential attack scenarios to determine the likelihood and impact of each threat.</li><li><b>Risk & Impact Analysis</b>: Evaluate the risk and potential impact of each identified threat.</li><li><b>Countermeasure Analysis</b>: Develop and recommend countermeasures to mitigate the identified risks.</li></ul></li><li>Analyze the feasibility of each attack scenario.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Evaluate Risk and Impact:</h4>
<ul style="text-align: left;"><li>Assess the overall risk posture of the system based on the identified threats, vulnerabilities, and attack models.</li><li>Determine the potential impact of each risk on the organization's business objectives and operations.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Decide on Countermeasures:</h4>
<ul style="text-align: left;"><li>Develop and recommend countermeasures to mitigate the identified risks.</li><li>Consider the effectiveness, feasibility, and cost of each countermeasure.</li><li>Prioritize the implementation of countermeasures based on the risk level and available resources.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Validate and Iterate:</h4>
<ul style="text-align: left;"><li>Review the threat model with stakeholders and subject matter experts.</li><li>Validate the assumptions made during the modeling process and update the model as necessary.</li><li>Iterate the threat modeling process regularly to account for changes in the system, new threats, and emerging vulnerabilities.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Communicate and Educate:</h4>
<ul style="text-align: left;"><li>Communicate the results of the threat modeling exercise to relevant stakeholders, including management, development teams, and security personnel.</li><li>Provide training and awareness sessions to ensure that all stakeholders understand their roles and responsibilities in mitigating the identified risks.</li></ul>
<h4 style="margin-bottom: 0in; text-align: left;">Implement and Monitor:</h4>
<ul style="text-align: left;"><li>Implement the selected countermeasures and integrate them into the system development lifecycle.</li><li>Establish monitoring and logging mechanisms to detect and respond to potential security incidents.</li><li>Regularly review and update the threat model and countermeasures based on changes in the system and the evolving threat landscape.</li></ul>
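<p>To make the DREAD scoring step and the later "prioritize countermeasures based on risk level and available resources" step concrete, here is an added Python example; it is not part of the original post or of the generated process above. It assumes a 1-10 rating per DREAD factor averaged into a single score, High/Medium/Low cut-offs at 7 and 4, and a greedy risk-reduction-per-cost selection under a budget; the threat register and countermeasures are constructed sample data.</p>

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Threat categories from the two enumerations used in the process above.
STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege"}
LINDDUN = {"Linkability", "Identifiability", "Non-repudiation", "Detectability",
           "Disclosure of Information", "Unawareness", "Non-compliance"}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class Threat:
    tid: str
    category: str          # one STRIDE or LINDDUN category
    description: str
    damage: int            # each DREAD factor rated 1 (low) .. 10 (high); assumed scale
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        if self.category not in STRIDE | LINDDUN:
            raise ValueError(f"{self.tid}: unknown category {self.category!r}")
        for name in DREAD_FACTORS:
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{self.tid}: {name} must be 1..10, got {value}")

    def dread_score(self) -> float:
        """Classic DREAD: arithmetic mean of the five factor ratings."""
        return sum(getattr(self, name) for name in DREAD_FACTORS) / len(DREAD_FACTORS)


def risk_band(score: float) -> str:
    """Bucket a DREAD score; the 7/4 cut-offs are an assumed risk threshold."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Countermeasure:
    cid: str
    description: str
    mitigates: List[str]   # threat ids this control addresses
    cost: int              # relative effort units (assumed)
    reduction: float       # fraction of each mitigated threat's score removed, 0..1


def rank_threats(threats: List[Threat]) -> List[Tuple[str, float, str]]:
    """Return (id, score, band) rows sorted from highest to lowest DREAD score."""
    rows = [(t.tid, t.dread_score(), risk_band(t.dread_score())) for t in threats]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def prioritize(threats: List[Threat], measures: List[Countermeasure],
               budget: int) -> Tuple[List[str], Dict[str, float]]:
    """Greedy selection: rank countermeasures once by initial risk reduction per unit
    cost, take them in that order while the budget allows, return ids and residuals."""
    residual = {t.tid: t.dread_score() for t in threats}

    def benefit(m: Countermeasure) -> float:
        return sum(residual[tid] * m.reduction for tid in m.mitigates if tid in residual)

    chosen: List[str] = []
    remaining = budget
    for m in sorted(measures, key=lambda m: benefit(m) / m.cost, reverse=True):
        if m.cost <= remaining and benefit(m) > 0:
            chosen.append(m.cid)
            remaining -= m.cost
            for tid in m.mitigates:
                if tid in residual:
                    residual[tid] *= 1 - m.reduction
    return chosen, residual


# Constructed sample register: illustrative values only, not from any real assessment.
SAMPLE_THREATS = [
    Threat("T1", "Spoofing", "Session token not bound to the client it was issued to", 8, 7, 6, 9, 7),
    Threat("T2", "Tampering", "Deployment bucket writable by the CI role", 9, 5, 4, 8, 3),
    Threat("T3", "Information Disclosure", "Stack traces returned in API error bodies", 4, 9, 8, 6, 9),
    Threat("T4", "Linkability", "Stable device identifier shared across services", 5, 6, 5, 7, 4),
]
SAMPLE_MEASURES = [
    Countermeasure("C1", "Bind session tokens to the client and shorten their lifetime", ["T1"], 5, 0.8),
    Countermeasure("C2", "Least-privilege policy on the deployment bucket", ["T2"], 2, 0.9),
    Countermeasure("C3", "Generic error responses, with detail logged server-side", ["T3"], 1, 0.9),
    Countermeasure("C4", "Per-service pseudonymous identifiers", ["T4"], 8, 0.7),
]

if __name__ == "__main__":
    for tid, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{tid}: DREAD {score:.1f} ({band})")
    chosen, residual = prioritize(SAMPLE_THREATS, SAMPLE_MEASURES, budget=8)
    print("selected within budget:", chosen, {k: round(v, 2) for k, v in residual.items()})
```

With the sample data the cheap, high-yield controls (C3, C2) are taken before the costlier C1, and C4 falls outside the budget even though T4 stays Medium; that residual list is what feeds the "Validate and Iterate" step.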
AI Revolution: Smarter Development, Stronger Security (2024-03-15)
<p>The cloud computing landscape is experiencing a seismic shift driven by the exponential integration of Artificial Intelligence (AI). Recent advancements like Cognition AI's Devin and Microsoft's Copilot for Security showcase AI's potential to revolutionize software development and cybersecurity.</p><p>Pay attention to the oncoming freight train of changes quickly coming to the computing world.</p><h4 style="text-align: left;">Examples include:</h4><ul><li><b>AI Agents working in teams</b>: Effectively. Perfect? No. Getting better? Quickly. E.g. Cognition AI's Devin.</li><li><b>Topically Focused LLMs, LAMs, etc.</b>: E.g. Microsoft's Copilot for Security. Or any topic you can think of. I developed one to teach social skills to a teenage girl in less than an hour.</li><li><b>UI Navigation</b>: Think about how the future of natural language query looks when I don't have to be an expert on the system UI anymore.</li><li><b>Happening for the last year</b>: The knowledge barrier to entry for many tasks continues to drop. It used to be "There's an app for that..." Now... "There's an AI for that."</li></ul><h3 style="text-align: left;">AI Agents: The Realistic Future of Development</h3><p>Cognition AI's Devin is a groundbreaking AI agent that plans and executes software projects with minimal human input. Operating autonomously in a sandbox environment, Devin learns from experience, rectifies mistakes, and utilizes tools like code editors and web browsers. Devin isn't meant to replace engineers, but rather to augment them, freeing human talent for more complex tasks and ambitious goals.</p><p>Imagine AI agents like Devin seamlessly integrated into cloud environments. This could significantly enhance development efficiency and scalability. AI can automate routine tasks, assist in code development, optimize resource allocation, and improve system performance, all while reducing costs and development times. Furthermore, these AI collaborators can provide real-time insights, identify potential issues, and suggest improvements, fostering a truly collaborative approach to cloud-based software development.</p><h3 style="text-align: left;">AI-Powered Security: Every. Single. Tool.</h3><p>Microsoft's Copilot for Security highlights the growing role of AI in tackling cloud security challenges. This AI-powered chatbot, leveraging OpenAI's GPT-4 and Microsoft's security expertise, assists security professionals in identifying and defending against threats. Copilot for Security will utilize the 78 trillion signals collected by Microsoft's threat intelligence. Copilot provides real-time security updates, facilitates collaboration among teams, and even answers questions in natural language.</p><p>Integrating AI chatbots like Copilot into the cloud security landscape can significantly enhance threat detection and response. By analyzing code and files, providing real-time updates on security incidents, and enabling natural language queries, AI helps organizations stay ahead of threats and respond more effectively to cyberattacks. Additionally, AI chatbots lower the barrier to knowledge sharing and break down silos, fostering a more coordinated approach to cloud cybersecurity.</p><h3 style="text-align: left;">Scalability, Flexibility, and the Cloud's Future</h3><p>The growing demand for adaptable AI solutions is reflected in Microsoft's pay-as-you-go pricing model for Copilot for Security. As AI becomes more embedded in cloud computing, expect to see more consumption-based pricing models, making AI-powered services accessible to businesses of all sizes.</p><p>The convergence of AI and cloud computing promises to drive innovation across industries. AI-driven automation and collaboration will be cornerstones of future cloud computing, enhancing efficiency, security, and scalability. As AI agents and chatbots like Devin and Copilot evolve, we can expect a future where AI seamlessly collaborates with human professionals, unlocking new opportunities for success in the cloud era.</p><h3 style="text-align: left;">Embracing the Future: Be prepared. Be proactive.</h3><p>The introduction of Devin and Copilot for Security exemplifies AI's transformative impact on cloud-based development and security. By embracing AI-driven automation and collaboration, cloud providers and organizations can position themselves at the forefront of this revolution, driving innovation, efficiency, and security. As AI continues to shape the future of cloud computing, businesses that adapt and harness these technologies will be best equipped. Be prepared. Be proactive.</p>

Staying Current - Relevant - Continuous Learning (2024-03-12)
<p>Protect your organization. Cybersecurity is a dynamic field where new threats, vulnerabilities, and technologies change, evolve, and emerge. Commit to continuous learning and skill development. Stay informed about the latest security trends, best practices, and tools.</p><h3 style="text-align: left;">Resources for Staying Current:</h3><div>Quick note! There's a lot here. I'd love to read all of this every day. It doesn't happen, and I have my favorites depending on my current role. The resources necessary for your success vary widely. For example, the ones here focus on security resources. They only scratch the surface of what's available, and they completely gloss over privacy, regulatory compliance, information governance, legal issues, etc.
</div><h4 style="text-align: left;">Vendor-Specific Security Advisories:</h4><p><i>Stay informed about security updates and patches from major technology companies.</i></p><ul style="text-align: left;"><li>Microsoft Security Advisories: <a href="https://msrc.microsoft.com/update-guide">https://msrc.microsoft.com/update-guide</a></li><li>Cisco Security Advisories: <a href="https://tools.cisco.com/security/center/publicationListing.x">https://tools.cisco.com/security/center/publicationListing.x</a></li><li>Oracle Critical Patch Updates and Security Alerts: <a href="https://www.oracle.com/security-alerts/">https://www.oracle.com/security-alerts/</a></li><li>Apple Security Updates: <a href="https://support.apple.com/en-us/HT201222">https://support.apple.com/en-us/HT201222</a></li><li>Intel Security Center: <a href="https://www.intel.com/content/www/us/en/security-center/default.html">https://www.intel.com/content/www/us/en/security-center/default.html</a></li><li>Amazon Web Services (AWS) Security Bulletins: <a href="https://aws.amazon.com/security/security-bulletins/">https://aws.amazon.com/security/security-bulletins/</a></li><li>Alibaba Cloud Security Bulletins: <a href="https://www.alibabacloud.com/solutions/security">https://www.alibabacloud.com/solutions/security</a></li><li>Google Cloud Platform Security Bulletins: <a href="https://cloud.google.com/support/bulletins">https://cloud.google.com/support/bulletins</a></li><li>Microsoft Azure Security Advisories: <a href="https://learn.microsoft.com/en-us/azure/service-health/stay-informed-security">https://learn.microsoft.com/en-us/azure/service-health/stay-informed-security</a></li><li>Oracle Cloud Security Advisories: <a href="https://www.oracle.com/security-alerts/">https://www.oracle.com/security-alerts/</a></li></ul><h4 style="text-align: left;">Government and Non-Profit Security Organizations:</h4><p><i>Follow updates from these organizations for authoritative guidance and best practices.</i></p><ul style="text-align: left;"><li>CISA: <a href="https://www.cisa.gov/about/contact-us/subscribe-updates-cisa">https://www.cisa.gov/about/contact-us/subscribe-updates-cisa</a></li><li>NIST: <a href="https://www.nist.gov/cybersecurity">https://www.nist.gov/cybersecurity</a></li><li>US-CERT: <a href="https://www.us-cert.gov/">https://www.us-cert.gov/</a> | <a href="https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?qsp=CODE_RED">https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?qsp=CODE_RED</a></li><li>CVE & MITRE: <a href="https://www.cve.org">https://www.cve.org</a>, <a href="https://cve.mitre.org">https://cve.mitre.org</a></li></ul><h4 style="text-align: left;">Cybersecurity News and Blogs:</h4><p><i>Stay informed about the latest security incidents, trends, and analysis through popular blogs and news sites.</i></p><ul style="text-align: left;"><li>Krebs on Security: <a href="https://krebsonsecurity.com/">https://krebsonsecurity.com/</a></li><li>DarkReading: <a href="https://www.darkreading.com/">https://www.darkreading.com/</a></li><li>SecurityWeek: <a href="https://www.securityweek.com/">https://www.securityweek.com/</a></li><li>The Register: <a href="https://www.theregister.com/security/">https://www.theregister.com/security/</a></li><li>The Hacker News: <a href="https://thehackernews.com/">https://thehackernews.com/</a></li><li>CSO Online: <a href="https://www.csoonline.com/">https://www.csoonline.com/</a></li><li>Threat Post: <a href="https://threatpost.com/">https://threatpost.com/</a></li><li>Graham Cluley: <a href="https://www.grahamcluley.com/">https://www.grahamcluley.com/</a></li></ul><h4 style="text-align: left;">Security Mailing Lists & Vulnerability Databases:</h4><p><i>Subscribe to mailing lists to receive timely information about new vulnerabilities and exploits, and regularly check vulnerability databases to stay informed about newly discovered vulnerabilities and their potential impact.</i></p><ul style="text-align: left;"><li>Full Disclosure: <a href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></li><li>National Vulnerability Database (NVD): <a href="https://nvd.nist.gov/general/email-list">https://nvd.nist.gov/general/email-list</a></li><li>Exploit-DB: <a href="https://www.exploit-db.com/">https://www.exploit-db.com/</a></li><li>Openwall: <a href="https://www.openwall.com/lists/">https://www.openwall.com/lists/</a></li></ul><h4 style="text-align: left;">Security Conferences:</h4><p><i>Attend conferences to learn from industry experts, network with peers, and stay updated on the latest research and trends. Also check out the YouTube channels for each of these to see what talks have been recently published.</i></p><ul style="text-align: left;"><li>BlackHat: <a href="https://www.blackhat.com/">https://www.blackhat.com/</a></li><li>DEF CON: <a href="https://defcon.org/">https://defcon.org/</a></li><li>RSA Conference: <a href="https://www.rsaconference.com/">https://www.rsaconference.com/</a></li><li>SANS Institute Cyber Security Conferences: <a href="https://www.sans.org/cyber-security-training-events/">https://www.sans.org/cyber-security-training-events/</a></li><li>Infosecurity Europe: <a href="https://www.infosecurityeurope.com/">https://www.infosecurityeurope.com/</a></li><li>BSides (Various locations): <a href="http://www.securitybsides.com/">http://www.securitybsides.com/</a></li></ul><h4 style="text-align: left;">Online Security Communities:</h4><p><i>Engage with online communities to learn from others, ask questions, and contribute to discussions.</i></p><ul style="text-align: left;"><li>Reddit r/netsec: <a href="https://www.reddit.com/r/netsec/">https://www.reddit.com/r/netsec/</a></li><li>Reddit r/cybersecurity: <a href="https://www.reddit.com/r/cybersecurity/">https://www.reddit.com/r/cybersecurity/</a></li><li>Information Security Stack Exchange: <a href="https://security.stackexchange.com/">https://security.stackexchange.com/</a></li><li>SANS Internet Storm Center: <a href="https://isc.sans.edu/">https://isc.sans.edu/</a></li><li>OWASP (Open Web Application Security Project): <a href="https://owasp.org/">https://owasp.org/</a></li></ul><p><b>Again, this isn't a complete, all-inclusive list of resources.</b> Not even close. <i>The objective is to provide exposure to options and importance.</i> Other media I find helpful include YouTube, Claude and other AI chat, and audiobooks.</p><p><b>Continuous learning is essential.</b> Make the choice to stay current, relevant, and effective. Yes, it's hard sometimes. It takes intentionality - and a little goes a long way. You can do it...! There are many, many more than just these sources. The purpose is to develop a comprehensive approach to continuous learning that combines staying informed about the latest security news, following best practices, and engaging with the cybersecurity community.
</p>

Ransomware Maturity and Kill Chains (2024-02-15)
<p><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgBHbpdGhMi_Qq2L48NvTzFpCG5eGeyK01gPkYaAUVYfmQ3FehSgKN7gpo6jrX6i2V21cGJq5EULuJHrfNv-XCW6oV0sSnmcVWRnEoTjkhK18sVsrF7Tb-j0PI8hh5kcH3058Wy6-LqSdSdk3HHZzPW2kLmaR3hyfXniBTGZpw9UKf_DIHpc8DJ_IvfyCs" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img alt="" data-original-height="483" data-original-width="877" height="176" src="https://blogger.googleusercontent.com/img/a/AVvXsEgBHbpdGhMi_Qq2L48NvTzFpCG5eGeyK01gPkYaAUVYfmQ3FehSgKN7gpo6jrX6i2V21cGJq5EULuJHrfNv-XCW6oV0sSnmcVWRnEoTjkhK18sVsrF7Tb-j0PI8hh5kcH3058Wy6-LqSdSdk3HHZzPW2kLmaR3hyfXniBTGZpw9UKf_DIHpc8DJ_IvfyCs" width="320" /></a></p><p>Creating a maturity model to measure the effectiveness of remediations in preparing for and addressing common ransomware attacks involves developing a framework that assesses an organization's cybersecurity capabilities and readiness across multiple dimensions. This model typically ranges from initial (least mature) to optimized (most mature) stages, providing a path for continuous improvement. Here's how to create such a maturity model:</p><h3>1. Define the Maturity Levels to be Used for Measurements (e.g.):</h3><ul><li>
--tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; display: block; margin: 0px; min-height: 28px; padding-left: 0.375em;"><span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: var(--tw-prose-bold); font-weight: 600; margin-bottom: 1.25em; margin-top: 1.25em;">Initial (Level 1):</span> Basic processes are ad-hoc, and ransomware preparedness is minimal or non-existent.</li><li style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; display: block; margin: 0px; min-height: 28px; padding-left: 0.375em;"><span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; 
--tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: var(--tw-prose-bold); font-weight: 600; margin-bottom: 1.25em; margin-top: 1.25em;">Developing (Level 2):</span> Awareness of ransomware threats exists, with some informal processes and basic defensive measures in place.</li><li style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; display: block; margin: 0px; min-height: 28px; padding-left: 0.375em;"><span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: var(--tw-prose-bold); font-weight: 600; margin-bottom: 1.25em; margin-top: 1.25em;">Defined (Level 3):</span> Formal processes and policies are established, with proactive measures to prevent ransomware attacks.</li><li style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; 
--tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; display: block; margin: 0px; min-height: 28px; padding-left: 0.375em;"><span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: var(--tw-prose-bold); font-weight: 600; margin-bottom: 1.25em; margin-top: 1.25em;">Managed (Level 4):</span> Advanced defensive measures and continuous monitoring are in place, with a focus on managing and mitigating ransomware threats.</li><li style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; display: block; margin: 0px; min-height: 28px; padding-left: 0.375em;"><span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; 
--tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: var(--tw-prose-bold); font-weight: 600; margin-bottom: 1.25em; margin-top: 1.25em;">Optimized (Level 5):</span> The organization continuously improves its ransomware defense mechanisms, leveraging advanced analytics, machine learning, and threat intelligence for predictive defense.</li></ul><h3 style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 1.25em; line-height: 1.6; margin: 1rem 0px 0.5rem; white-space-collapse: preserve;">2. 
<span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: inherit;">Identify Key Domains for Assessment</span></h3><p style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; margin: 0px 0px 1.25em; white-space-collapse: preserve;">Break down the organization's cybersecurity posture into key domains. 
Take a quick look at the table above and you'll see common expectations such as:</p><ul style="text-align: left;"><li><span style="background-color: white; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; white-space-collapse: preserve;">Threat Intelligence</span></li><li><span style="background-color: white; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; white-space-collapse: preserve;">Identity and Access Management</span></li><li><span style="background-color: white; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; white-space-collapse: preserve;">Endpoint Protection</span></li><li><span style="background-color: white; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; white-space-collapse: preserve;">Network Security</span></li><li><span style="background-color: white; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; white-space-collapse: preserve;">Incident Response and Recovery</span></li><li><span 
style="background-color: white; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; white-space-collapse: preserve;">User Training and Awareness</span></li></ul><h3 style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 1.25em; line-height: 1.6; margin: 1rem 0px 0.5rem; white-space-collapse: preserve;">3. 
<span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: inherit;">Develop Assessment Criteria for Each Domain</span></h3><p style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; margin: 0px 0px 1.25em; white-space-collapse: preserve;">For each domain, define specific criteria that measure the organization's maturity. These criteria should cover the processes, technologies, and practices relevant to preventing and responding to ransomware attacks. 
Criteria can include the effectiveness of backup and recovery strategies, the extent of employee training programs, the implementation of EDR solutions, etc.</p><h3 style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 1.25em; line-height: 1.6; margin: 1rem 0px 0.5rem; white-space-collapse: preserve;">4. 
<span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: inherit;">Establish Metrics and Indicators</span></h3><p style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; margin: 0px 0px 1.25em; white-space-collapse: preserve;">Define quantitative and qualitative metrics for evaluating maturity in each domain. 
Metrics could include the frequency of security audits, the speed of patch deployment, the number of successful phishing simulations, or the recovery time after an incident.</p><h3 style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 1.25em; line-height: 1.6; margin: 1rem 0px 0.5rem; white-space-collapse: preserve;">5. 
<span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: inherit;">Conduct Assessments</span></h3><p style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; margin: 0px 0px 1.25em; white-space-collapse: preserve;">Perform regular assessments against the maturity model to determine the current level of preparedness and effectiveness of ransomware remediation efforts. 
This involves gathering data through audits, interviews, and technical testing.</p><h3 style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 1.25em; line-height: 1.6; margin: 1rem 0px 0.5rem; white-space-collapse: preserve;">6. <span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: inherit;">Analyze Results and Identify Gaps</span></h3><p style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; 
--tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; margin: 0px 0px 1.25em; white-space-collapse: preserve;">Analyze the assessment results to identify gaps in the organization's ransomware preparedness. Compare current practices against the defined maturity levels to determine areas for improvement.</p><h3 style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 1.25em; line-height: 1.6; margin: 1rem 0px 0.5rem; white-space-collapse: preserve;">7. 
<span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: inherit;">Develop Improvement Plans</span></h3><p style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; margin: 0px 0px 1.25em; white-space-collapse: preserve;">Based on the gaps identified, develop targeted improvement plans for each domain. 
Plans should include short-term and long-term initiatives to enhance the organization's resilience against ransomware.</p><h3 style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 1.25em; line-height: 1.6; margin: 1rem 0px 0.5rem; white-space-collapse: preserve;">8. 
<span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: inherit;">Implement, Monitor, and Review</span></h3><p style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; margin: 0px 0px 1.25em; white-space-collapse: preserve;">Implement the improvement plans, continuously monitor their effectiveness, and review the organization's progress towards higher maturity levels. 
Adjust strategies as necessary based on evolving threats and business objectives.</p><h3 style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 1.25em; line-height: 1.6; margin: 1rem 0px 0.5rem; white-space-collapse: preserve;">9. <span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: inherit;">Stakeholder Communication</span></h3><p style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; 
--tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; margin: 0px 0px 1.25em; white-space-collapse: preserve;">Regularly communicate progress, risks, and achievements to stakeholders, including executive management, to ensure continued support and alignment with the organization's overall risk management strategy.</p><h3 style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 1.25em; line-height: 1.6; margin: 1rem 0px 0.5rem; white-space-collapse: preserve;">10. 
<span style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: inherit;">Continuous Improvement</span></h3><p style="--tw-border-spacing-x: 0; --tw-border-spacing-y: 0; --tw-ring-color: rgba(69,89,164,.5); --tw-ring-offset-color: #fff; --tw-ring-offset-shadow: 0 0 transparent; --tw-ring-offset-width: 0px; --tw-ring-shadow: 0 0 transparent; --tw-rotate: 0; --tw-scale-x: 1; --tw-scale-y: 1; --tw-scroll-snap-strictness: proximity; --tw-shadow-colored: 0 0 transparent; --tw-shadow: 0 0 transparent; --tw-skew-x: 0; --tw-skew-y: 0; --tw-translate-x: 0; --tw-translate-y: 0; background-color: white; border: 0px solid rgb(227, 227, 227); box-sizing: border-box; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; margin: 0px 0px 1.25em; white-space-collapse: preserve;">Incorporate lessons learned from assessments, incidents, and industry developments into the maturity model. 
Continuously refine the model to address new ransomware tactics and techniques.</p><p><span style="background-color: white; color: #0d0d0d; font-family: Söhne, ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif, "Helvetica Neue", Arial, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: 16px; white-space-collapse: preserve;">Creating a maturity model for ransomware preparedness is an iterative process that helps organizations systematically improve their cybersecurity posture, reduce their vulnerability to attacks, and enhance their ability to respond to and recover from incidents.</span> <br /><br /></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-7534391689320629572023-11-05T14:30:00.002-06:002023-11-06T11:33:14.863-06:00IT Audit Process - Review<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgr6aKpUW3e-juyLhjVfzRn0E8rC6rKTi9ShpLGw-5IB9v92z64VC4Wb8WQU1DNlyYvCaGri3_cYIPzOXTSR46hTb17UddFbgeCy_8filOxbozNscYUW-G5tGmTzpCX9tbdBV9Zc0NB6Nthnc7qc5tO6B2fkg51VfqzDQuKaYiupLMogE6bNIAtgmQcW6g" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="758" data-original-width="1439" height="169" src="https://blogger.googleusercontent.com/img/a/AVvXsEgr6aKpUW3e-juyLhjVfzRn0E8rC6rKTi9ShpLGw-5IB9v92z64VC4Wb8WQU1DNlyYvCaGri3_cYIPzOXTSR46hTb17UddFbgeCy_8filOxbozNscYUW-G5tGmTzpCX9tbdBV9Zc0NB6Nthnc7qc5tO6B2fkg51VfqzDQuKaYiupLMogE6bNIAtgmQcW6g" width="320" /></a></div>Be careful! This flowchart isn't meant to be perfect. Audit isn't a one-size-fits-all answer. It's meant to illustrate an example process we followed when I was in the role of auditor. Several things might be very, very different from what I experienced. 
<div><br /></div><div>One notable exception to the norm is that the audit team purposefully and proactively created excellent working relationships with operations teams. The extra meetings and check-ins were built into our culture from the top-down. The result? Collaboration and transparency. Business units and data centers came to us with problems. We became an avenue for them to get funding. They benefited from working with us and we made sure it was as positive an experience as possible. A dream? Yes. However, this practice also resulted in attracting top talent from the operations teams asking to rotate through audit for the exposure to the business. The cross-functional experience benefited everyone and created a respected organization with truly excellent outcomes.</div><div><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiOE61rZ7UGAPlakhTwHUn2zXhOZ1etJA54ZotrDLEGOx78vyYouOkbkkUqTQzX2zoNAkc5gt_pD3MhJhuG9uKPj4wyJlI8FYDhd7fCuVQ2xywrhQ3Y7lCv__PBHHL0lTS62mI9KiRdF13kiLWgUaUw0WbqEOATIReuue8xyzbbCvb5pD5zcGyhZSEF" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a></div><p></p></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-49279255570522557722023-10-19T13:23:00.011-05:002023-11-11T06:05:02.029-06:00Navigating the Waters of Change<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhnWAfkOql1e04jeNDAVeqJOu0ZTkq9mjTDCYNmS4o7105BhsEcf3Tiy3XjEcis49QHxPhZLqqAmAwpxVn0hGV__oBQpLKy-pFxQJ3oL4hWouEm1UcE6k6m6Tr1-sjN4OS7Nh0X4HDdhntHqg99ZBBKL6BWo3REBIcI8hTEWCmEL26kD4eQbzkbcjZdY10" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="389" data-original-width="616" height="202" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEhnWAfkOql1e04jeNDAVeqJOu0ZTkq9mjTDCYNmS4o7105BhsEcf3Tiy3XjEcis49QHxPhZLqqAmAwpxVn0hGV__oBQpLKy-pFxQJ3oL4hWouEm1UcE6k6m6Tr1-sjN4OS7Nh0X4HDdhntHqg99ZBBKL6BWo3REBIcI8hTEWCmEL26kD4eQbzkbcjZdY10" width="320" /></a></div>I've lived through a lot of change. I know everything will work out despite the challenge of the uncertainty. Learn to struggle and fight well. Stay positive.<p></p><p>This information was gathered to help people at VMware as many prepare for the pending Broadcom acquisition by <a href="https://www.linkedin.com/in/lorelei-g-voorsanger/">Lorelei Ghanizadeh Voorsanger | LinkedIn</a>. Thank you, Lorelei, for sharing with so many others that need this information. You are a blessing. And thank you to the hundreds of people that have reached out to me and my peers with resources and help. You are appreciated. VMware peers, <b>you are seen</b>. Reach out to me. I have a lot of resources that may be helpful.</p><h3 style="text-align: left;"><o:p><b>Update Your LinkedIn Profile</b></o:p></h3><div>Invest in your branding. Review and optimize your <a href="https://www.linkedin.com/feed/">LinkedIn</a> profile. </div><p class="MsoNormal"><o:p></o:p></p><p class="MsoNormal"></p><ul style="text-align: left;"><li>Consider <a href="https://www.linkedin.com/help/linkedin/answer/a1359065" target="_blank">verifying your LinkedIn profile</a>.</li><li>Get a nice professional-looking headshot: Take <a href="https://headshots-inc.com/blog/how-to-take-professional-headshots-at-home/">professional headshots at home</a>.</li><li>Update your tagline using, e.g. "position | keywords | mission (optional)"</li><li>Update your background picture. Consider <a href="http://www.canva.com">www.canva.com</a>. 
Several free designs.</li><li>Ask for letters of recommendation: <a href="https://www.linkedin.com/learning/linkedin-quick-tips-2022/request-a-recommendation-on-linkedin?u=0">Request a recommendation on LinkedIn</a></li><li>Notify recruiters (and optionally your network) that you are open to opportunities</li><li>Add your resume to your profile: Add profile section | Recommended | Add featured | + | Add media</li></ul><h3 style="text-align: left;">Improve Your Resume </h3><div><b>Pro Tip</b>: <u>Make sure your resume is ATS compliant</u>. Most companies use Applicant Tracking Systems (ATS) to process your resume. These systems cause qualified candidates to slip through the cracks. </div><p class="MsoNormal"></p><ul style="text-align: left;"><li>Rezi: <a href="https://www.rezi.ai/">Rezi - The Leading AI Resume Builder</a></li><li>TealHQ: <a href="https://www.tealhq.com/tools/resume-builder">Free AI Resume Builder (tealhq.com)</a></li><li>Jobscan: <a href="https://www.jobscan.co/resume-templates">Free Resume Templates for 2023 (jobscan.co)</a></li><li>MS Word: File | New | Search for Online Templates | Resume</li><li>Etsy: <a href="https://www.etsy.com/search?q=ATS%20compliant%20resume">ATS Compliant Resume - Etsy</a></li><li>Adobe: <a href="https://www.adobe.com/express/create/resume">Free resume builder</a></li><li>Grammar Check: <a href="https://www.grammarly.com/">Grammarly: Free Writing AI Assistance</a></li><li>NovoResume: <a href="https://novoresume.com/resume-templates">Free Resume Templates for 2023 (novoresume.com)</a></li></ul><p></p><p class="MsoNormal"><b>Cover Letter Writing Resources</b></p><p class="MsoNormal"></p><ul style="text-align: left;"><li>OpenAI: <a href="https://chat.openai.com/">ChatGPT</a></li><li>Coverdoc.ai: <a href="https://coverdoc.ai/">AI-powered cover letter writing & research assistant</a></li><li>Indeed: 
<a href="https://www.indeed.com/career-advice/resumes-cover-letters/free-cover-letter">Free Cover Letter Templates | Indeed.com</a> (great primer/discussion as well)</li></ul><h4 style="text-align: left;">The AWS Cloud Resume Challenge</h4><div><ul style="text-align: left;"><li><a href="https://cloudresumechallenge.dev/docs/the-challenge/aws/">The Cloud Resume Challenge - AWS | The Cloud Resume Challenge</a></li></ul></div><h3 style="text-align: left;"><b>Manage the Job Search </b></h3><p class="MsoNormal"><b>A</b><b>pplication Tracker</b></p><p class="MsoNormal"><o:p></o:p></p><p class="MsoNormal"></p><ul style="text-align: left;"><li><a href="https://www.themuse.com/advice/job-search-spreadsheet-track-application">Job Search
Spreadsheet</a> by The Muse on Google Sheets</li><li><a href="https://chrome.google.com/webstore/detail/huntr-job-search-tracker/mihdfbecejheednfigjpdacgeilhlmnf">Huntr Job
Search Tracker and Autofill</a> from Google Chrome</li></ul><p></p><p class="MsoNormal"><b>Job Search Sites & Placement services – US-centric</b><o:p></o:p></p><p class="MsoNormal"></p><ul style="text-align: left;"><li><a href="https://www.linkedin.com/jobs/?src=go-pa&trk=sem-ga_campid.15162283135_asid.132290511034_crid.559438513571_kw.linkedin%20jobs_d.c_tid.kwd-1528692947_n.g_mt.e_geo.9032107&mcid=6862098078669914124&cid=&gclid=CjwKCAjwu4WoBhBkEiwAojNdXqNEZMJMRjMSPjPe5jysYZnvMZRupiL9flBhiJvPUZ87W6bJv_8YVhoCM3AQAvD_BwE&gclsrc=aw.ds">LinkedIn</a></li><li><a href="https://www.indeed.com/">Indeed</a></li><li><a href="https://www.glassdoor.com/Job/index.htm?utm_source=google&utm_medium=cpc&utm_campaign=US_B2C_Consumer_Brand_2022&gclid=CjwKCAjwu4WoBhBkEiwAojNdXqUYRoARslh34MBjl3RnEJMvkPKjF_WLDgxLU-TeMZISWqZkDDIX7xoCtncQAvD_BwE">Glassdoor
Jobs</a></li><li><a href="https://hiring.cafe/">HiringCafe</a></li><li><a href="https://www.monster.com/?WT.srch=1&WT.mc_n=olm_sk_srch_ggl_SitelinkApplyNewJobsToday&utm_medium=paid_search&utm_source=google-ads&utm_campaign=monster-candidate_us_ggl_sem_branded_general_exact-phrase_n_prosp~71700000085463932&utm_term=monster+jobs&device=c&utm_content=olm_sk_srch&gclid=CjwKCAjwu4WoBhBkEiwAojNdXgDXI7KAFEAUTwo8NAEigAAxq4dpKM_c9Qngcw76iY2TRIbToTJXZRoCJp4QAvD_BwE&gclsrc=aw.ds">Monster</a></li><li><a href="https://www.ziprecruiter.com/">ZipRecruiter</a></li><li><a href="https://www.simplyhired.com/">SimplyHired</a></li><li><a href="https://www.careerbuilder.com/">CareerBuilder</a></li><li><a href="https://infosec-jobs.com/">Jobs and talents in
InfoSec / Cybersecurity | infosec-jobs.com</a></li></ul><div><h3><b>Practice Interviews</b></h3><p class="MsoNormal"></p><ul><li><a href="https://www.linkedin.com/interview-prep/assessments/urn:li:fsd_assessment:(1,a)/question/urn:li:fsd_assessmentQuestion:(10011,aq11)/">Common Interview Questions | LinkedIn</a> (pay attention to the categories)</li><li><a href="https://interviewprep-ai.com/">InterviewPrep AI</a></li><li><a href="https://app.yoodli.ai/usecases/interview-preparation">Yoodli.AI</a></li></ul><o:p></o:p><p></p><p class="MsoNormal"><o:p></o:p></p><h3>Manage the Offer</h3><p class="MsoNormal"><o:p></o:p></p><p class="MsoNormal"></p><ul><li>Harvard Business Review’s <a href="https://hbr.org/2014/04/15-rules-for-negotiating-a-job-offer">15 Rules for Negotiating a Job Offer</a></li><li>TheMuse’s <a href="https://www.themuse.com/advice/how-to-negotiate-salary-37-tips-you-need-to-know">How to Negotiate Salary: 37 Tips You Need to Know</a></li><li>MoneyGeek’s <a href="https://www.moneygeek.com/careers/resources/salary-negotiation/">The Ultimate Guide to Negotiating Your Salary</a></li></ul></div><o:p></o:p><p></p><p class="MsoNormal"><o:p></o:p></p><p class="MsoNormal"><o:p></o:p></p><p class="MsoNormal"><o:p></o:p></p><p class="MsoNormal"><o:p></o:p></p><p class="MsoNormal"><o:p></o:p></p><p>
</p><p class="MsoNormal"><o:p></o:p></p><p class="MsoListParagraphCxSpLast" style="line-height: normal; margin-bottom: 0in; margin-left: 1.0in; margin-right: 0in; margin-top: 0in; margin: 0in 0in 0in 1in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -0.25in;"><o:p></o:p></p><div><p></p></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-38090855850763333622023-09-20T07:55:00.012-05:002023-11-06T11:37:56.174-06:00PCI DSS Vulnerability Scanning and Penetration Testing Hygiene<p></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjmfLXhv09aN5HmM4nz9Fe1BKoo4qHKUga3xjbV_inKYnyu2hKEcU-CPNPTP_9tT7X6PqArrSckPn-J_vwcr4tebOaGdDa8W55DLRH8ZKjXPFC9o7FKQWUpXq_etLRueJPmiZYpjcHwMz6Ao7flpq5RjiH9U0Rca77LjwkmP7VBU7c7BZc2mqqNlxLaDO8" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img alt="" data-original-height="805" data-original-width="628" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEjmfLXhv09aN5HmM4nz9Fe1BKoo4qHKUga3xjbV_inKYnyu2hKEcU-CPNPTP_9tT7X6PqArrSckPn-J_vwcr4tebOaGdDa8W55DLRH8ZKjXPFC9o7FKQWUpXq_etLRueJPmiZYpjcHwMz6Ao7flpq5RjiH9U0Rca77LjwkmP7VBU7c7BZc2mqqNlxLaDO8" width="187" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Image: Dalle3</td></tr></tbody></table>The Payment Card Industry Data Security Standard (PCI DSS) is an essential benchmark for businesses that store, process, or transmit cardholder data. The introduction of PCI DSS v4.0 brings several clarifications and new layers of complexity. Today, we’ll take a look at internal and external vulnerability scans and penetration testing. <p></p><h3 style="text-align: left;">Vulnerability Scans (11.3.1.3 and 11.3.2.1)</h3><p>One of the critical security controls that PCI DSS v4.0 emphasizes is the need for internal vulnerability scans. 
Companies must perform these scans after any 'significant change,' as defined by the standard. Significant changes include things like adding new hardware, software, or making considerable upgrades to existing infrastructure.</p><p>The scans aim to detect and resolve high-risk and critical vulnerabilities based on the entity’s vulnerability risk rankings. Following the scan, any detected vulnerabilities must be resolved, and rescans should be conducted as needed.</p><p>External vulnerability scans are equally important and follow the same triggering mechanism—significant changes in the environment. Here, the focus is on resolving vulnerabilities scored 4.0 or higher by the Common Vulnerability Scoring System (CVSS). As with internal scans, rescans are required as necessary to confirm that vulnerabilities have been adequately addressed.</p><h3 style="text-align: left;">Penetration Testing (11.4.2, 11.4.3)</h3><p>Internal penetration testing is a more aggressive form of evaluation and should be conducted at least once every 12 months or after any significant change to the infrastructure or application. The testing can be carried out either by a qualified internal resource or a qualified external third-party, provided that there is organizational independence between the tester and the entity being tested. Notably, the tester doesn't need to be a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV).</p><p>Much like its internal counterpart, external penetration testing is required annually or after any significant alterations to the system. 
The testing must also be conducted by qualified resources and should follow the entity’s defined methodology for testing.</p><h3 style="text-align: left;">What Constitutes a 'Significant Change'?</h3><p>PCI DSS v4.0 is pretty broad in what it considers to be 'significant changes,' effectively encompassing any new hardware, software, or networking equipment added to the Cardholder Data Environment (CDE), as well as any replacement or major upgrades to existing hardware and software in the CDE. The list is exhaustive and is aimed at ensuring that any changes, no matter how seemingly minor, are given adequate attention from a security perspective.</p><h3 style="text-align: left;">Summary of Requirements</h3><p>The PCI DSS v4.0 requirements for vulnerability scans and penetration testing provide a structured approach for entities to keep their data environments secure. While these requirements might seem stringent, they offer a well-defined framework for securing cardholder data against the backdrop of ever-advancing cyber threats. Adhering to these requirements is not just about ticking compliance boxes; it’s about taking the necessary steps to protect your organization and its stakeholders.</p><p></p><ul style="margin-top: 0in;" type="disc">
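<p>The four requirements above reduce to a small set of checks that can be run over scan and penetration-test evidence. The following is an added example, not code from this post or from the PCI SSC: the record layout, the risk-rank labels (which the standard leaves to each entity under Requirement 6.3.1) and the sample findings and dates are constructed assumptions.</p>

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

CVSS_EXTERNAL_THRESHOLD = 4.0                   # 11.3.2.1: external findings scored >= 4.0 must be resolved
INTERNAL_BLOCKING_RANKS = {"critical", "high"}  # 11.3.1.3: entity's 6.3.1 risk rankings (label values assumed)
PENTEST_MAX_INTERVAL = timedelta(days=365)      # 11.4.2 / 11.4.3: at least once every 12 months


@dataclass
class Finding:
    finding_id: str
    cvss: float
    risk_rank: str   # the entity's own ranking under Requirement 6.3.1 (labels are an assumption)
    resolved: bool


@dataclass
class Scan:
    kind: str        # "internal" or "external"
    performed: date
    findings: list[Finding] = field(default_factory=list)


@dataclass
class Pentest:
    kind: str        # "internal" or "external"
    performed: date


def blocking_findings(scan: Scan) -> list[Finding]:
    """Unresolved findings that keep this scan from satisfying its requirement."""
    if scan.kind == "external":   # external scans are judged on CVSS >= 4.0
        return [f for f in scan.findings if not f.resolved and f.cvss >= CVSS_EXTERNAL_THRESHOLD]
    # internal scans are judged on the entity's risk ranking, not raw CVSS
    return [f for f in scan.findings if not f.resolved and f.risk_rank in INTERNAL_BLOCKING_RANKS]


def latest_scan_after(scans: list[Scan], kind: str, change_date: date) -> Scan | None:
    """Most recent scan of the given kind run on or after the significant change."""
    candidates = [s for s in scans if s.kind == kind and s.performed >= change_date]
    return max(candidates, key=lambda s: s.performed) if candidates else None


def pentest_is_current(pentests: list[Pentest], kind: str, change_date: date, today: date) -> bool:
    """True when the latest pentest of this kind post-dates the change and is at most 12 months old."""
    dates = [p.performed for p in pentests if p.kind == kind]
    if not dates:
        return False
    latest = max(dates)
    return latest >= change_date and (today - latest) <= PENTEST_MAX_INTERVAL


def assess(change_date: date, scans: list[Scan], pentests: list[Pentest], today: date) -> dict[str, list[str]]:
    """Map each requirement number to its open gaps; an empty list means the requirement is met."""
    report: dict[str, list[str]] = {}
    for req, kind in (("11.3.1.3", "internal"), ("11.3.2.1", "external")):
        scan = latest_scan_after(scans, kind, change_date)
        if scan is None:
            report[req] = [f"no {kind} scan performed after the significant change on {change_date}"]
        else:
            report[req] = [f"{f.finding_id} unresolved (CVSS {f.cvss}, rank {f.risk_rank}); fix and rescan"
                           for f in blocking_findings(scan)]
    for req, kind in (("11.4.2", "internal"), ("11.4.3", "external")):
        met = pentest_is_current(pentests, kind, change_date, today)
        report[req] = [] if met else [f"{kind} penetration test missing, older than 12 months, or predates the change"]
    return report


# Constructed sample evidence (not real scan output): a new server joined the CDE on 2023-08-01.
CHANGE_DATE = date(2023, 8, 1)
SAMPLE_SCANS = [
    Scan("internal", date(2023, 8, 3), [
        Finding("INT-1", 9.1, "critical", resolved=True),   # fixed: passes
        Finding("INT-2", 7.4, "high", resolved=False),      # open high: blocks 11.3.1.3
        Finding("INT-3", 5.0, "medium", resolved=False),    # medium is not an internal blocker
    ]),
    Scan("external", date(2023, 8, 4), [
        Finding("EXT-1", 3.9, "medium", resolved=False),    # below the 4.0 line: passes
        Finding("EXT-2", 5.5, "medium", resolved=False),    # 5.5 >= 4.0 and open: blocks 11.3.2.1
        Finding("EXT-3", 9.8, "critical", resolved=True),   # fixed: passes
    ]),
]
SAMPLE_PENTESTS = [
    Pentest("internal", date(2023, 8, 10)),   # after the change and recent: satisfies 11.4.2
    Pentest("external", date(2022, 6, 1)),    # before the change and over a year old: fails 11.4.3
]


def example_report(today: date = date(2023, 9, 20)) -> dict[str, list[str]]:
    """Run the checker over the constructed sample evidence."""
    return assess(CHANGE_DATE, SAMPLE_SCANS, SAMPLE_PENTESTS, today)


if __name__ == "__main__":
    for req, gaps in example_report().items():
        print(req, "OK" if not gaps else gaps)
```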
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level1 lfo1;"><b>Internal vulnerability scans</b>:</li>
<ul style="margin-top: 0in;" type="circle">
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level2 lfo1;">11.3.1.3 <u>Internal vulnerability scans</u> are performed after any significant change as follows:</li>
<ul style="margin-top: 0in;" type="square">
<li class="MsoListParagraph" style="color: red; margin-left: 0in; mso-list: l0 level3 lfo1;">High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.</li>
<li class="MsoListParagraph" style="color: red; margin-left: 0in; mso-list: l0 level3 lfo1;">Rescans are conducted as needed (see significant changes below).</li>
</ul>
</ul>
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level1 lfo1;"><b>External vulnerability scans</b>:</li>
<ul style="margin-top: 0in;" type="circle">
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level2 lfo1;">11.3.2.1 <u>External vulnerability scans</u> are performed after any significant change as follows:</li>
<ul style="margin-top: 0in;" type="square">
<li class="MsoListParagraph" style="color: red; margin-left: 0in; mso-list: l0 level3 lfo1;">Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.</li>
<li class="MsoListParagraph" style="color: red; margin-left: 0in; mso-list: l0 level3 lfo1;">Rescans are conducted as needed (see significant changes below).</li>
</ul>
</ul>
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level1 lfo1;"><b>Internal penetration testing</b>:</li>
<ul style="margin-top: 0in;" type="circle">
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level2 lfo1;">11.4.2 <u>Internal penetration testing</u> is performed:</li>
<ul style="margin-top: 0in;" type="square">
<li class="MsoListParagraph" style="color: red; margin-left: 0in; mso-list: l0 level3 lfo1;">Per the entity’s defined methodology, at least once every 12 months</li>
<li class="MsoListParagraph" style="color: red; margin-left: 0in; mso-list: l0 level3 lfo1;">After any significant infrastructure or application upgrade or change</li>
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level3 lfo1;">By a qualified internal resource or qualified external third party</li>
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level3 lfo1;">Organizational independence of the tester exists (not required to be a QSA or ASV).</li>
</ul>
</ul>
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level1 lfo1;"><b>External penetration testing</b>:</li>
<ul style="margin-top: 0in;" type="circle">
<li class="MsoListParagraph" style="margin-left: 0in; mso-list: l0 level2 lfo1;">11.4.3 <u>External penetration testing</u> is performed:</li>
<ul style="margin-top: 0in;" type="square">
<li class="MsoListParagraph" style="color: red; margin-left: 0in; mso-list: l0 level3 lfo1;">Per the entity’s defined methodology, at least once every 12 months</li>
<li class="MsoListParagraph" style="color: red; margin-left: 0in; mso-list: l0 level3 lfo1;">After any significant infrastructure or application upgrade or change</li>
<li class="MsoListParagraph" style="margin-left: 0in; mso-list: l0 level3 lfo1;">By a qualified internal resource or qualified external third party</li>
<li class="MsoListParagraph" style="margin-left: 0in; mso-list: l0 level3 lfo1;">Organizational independence of the tester exists (not required to be a QSA or ASV).</li>
</ul>
</ul>
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level1 lfo1;"><b>Significant changes are defined in PCI DSS to include (PCI-DSS-v4_0.pdf page 26)</b>:</li>
<ul style="margin-top: 0in;" type="circle">
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level2 lfo1;">New hardware, software, or networking equipment added to the CDE.</li>
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level2 lfo1;">Any replacement or major upgrades of hardware and software in the CDE.</li>
<li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level2 lfo1;">Any changes in the flow or storage of account data.</li><li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level2 lfo1;">Any changes to the boundary of the CDE and/or to the scope of the PCI DSS assessment.</li><li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level2 lfo1;">Any changes to the underlying supporting infrastructure of the CDE (including, but not limited to, changes to directory services, time servers, logging, and monitoring).</li><li class="MsoListParagraph" style="color: black; margin-left: 0in; mso-list: l0 level2 lfo1;">Any changes to third party vendors/service providers (or services provided) that support the CDE or meet PCI DSS requirements on behalf of the entity.</li></ul></ul><p></p><p><br /></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-53545200831405502842023-09-14T11:19:00.005-05:002023-11-06T11:48:13.971-06:00Using Maturity Levels and Qualitative Measurement for Visualizing Technology Implementations<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiP8dCvOaftWXACxPOFDqn_Ix5AMD4PTgkusk06vj2c6RebH-rBzgTh_kcrJwaMxTBFxZnVRNNDdemfNwGI_cAOfFbm65d_De_XIHBKdevWd0RveJ0CumYqdELgh0jYATHryBBtfLXZzdsN8TD4ksu2wcLqz6F6kNRk1k98P5Gu-12Yn_atNG7psikrpRM" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img alt="Example Maturity Model" data-original-height="600" data-original-width="1579" height="135" src="https://blogger.googleusercontent.com/img/a/AVvXsEiP8dCvOaftWXACxPOFDqn_Ix5AMD4PTgkusk06vj2c6RebH-rBzgTh_kcrJwaMxTBFxZnVRNNDdemfNwGI_cAOfFbm65d_De_XIHBKdevWd0RveJ0CumYqdELgh0jYATHryBBtfLXZzdsN8TD4ksu2wcLqz6F6kNRk1k98P5Gu-12Yn_atNG7psikrpRM=w320-h135" title="Example Maturity Model" width="320" /></a></div><p>Check out this maturity model. 
What does it mean to measure the maturity of a technology implementation qualitatively? And how can maturity levels help visualize the current and future states to meet control requirements? </p><p>Let's unpack these concepts and show how qualitative measures can enrich the maturity model process, particularly with the use of visualization techniques like bar or radar graphs.</p><p>Maturity models serve as diagnostic tools, usually consisting of a sequence of maturity levels that provide a path for improvements. These models are vital for benchmarking and identifying the best practices that need to be implemented for organizational success. In technology implementation, they can gauge how effectively an organization is meeting its control requirements—be it in data security, governance, or software development lifecycle.</p><h3 style="text-align: left;">The Qualitative Dimension</h3><p>While numbers and metrics provide a certain level of clarity, they often lack context. Qualitative measurements step in here to provide nuanced insights into otherwise cold data. Through expert interviews, case studies, and scenario analyses, qualitative assessments can address 'how' and 'why' questions that numbers cannot.</p><p>One of the powerful ways to present the qualitative aspect of maturity models is through visualization. A bar or radar graph can be used to overlay the current and future states of an organization's maturity levels.</p><h3 style="text-align: left;">Current State</h3><p>Imagine a bar graph where the X-axis represents different control requirements like "Data Encryption," "User Access Management," and "Compliance Monitoring," and the Y-axis represents maturity levels from 0 (Non-existent) to 5 (Optimized). The current state can be represented by blue bars reaching up to the current maturity level for each control requirement.</p><p>This visualization allows stakeholders to immediately grasp which areas are well-managed and which need improvement. 
It's not just about the height of the bar but the story behind each bar—which can be enriched by qualitative inputs like expert opinions, employee feedback, and process reviews.</p><h3 style="text-align: left;">Future State</h3><p>In the same graph, future state scenarios can be represented by a different color—say, green bars—overlaying or adjacent to the current state bars. These future state bars are not arbitrary but are informed by qualitative measures like scenario planning, risk assessments, and strategic discussions.</p><p>The juxtaposition of current and future states in one graph offers a compelling narrative. It shows where the organization aims to be, providing a clear vision for everyone involved.</p><h3 style="text-align: left;">Utility of Qualitative Maturity Models</h3><p>Maturity levels, when fleshed out with qualitative measurements, offer more than a snapshot of the present; they provide a roadmap for the future. Visual representations like bar or radar graphs give life to these qualitative insights, making them easy to understand and act upon.</p><p>So, the next time you consider assessing your organization’s technology maturity, think beyond numbers. Look at the stories those numbers can tell, and use qualitative measures to fill in the gaps. And don't just keep these insights in spreadsheets and reports—visualize them. </p><p>Combine qualitative measures with visualization techniques and build a more meaningful, actionable, and comprehensive roadmap. Aim for a balanced, nuanced, and visually engaging approach to understand the current state and opportunity for improvement.</p><h3 style="text-align: left;">Example Output </h3><p>Here's a quick assessment of an organization's adherence to the NIST Privacy Framework. The beauty of this method - by the way - is that it's fast and easy to create this chart using qualitative measures. 
Search for the Privacy Framework spreadsheet under the downloads section if you want a copy of this.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjG4W7yS-el_J-uwTWdFBNet1u05Ao9JXuZD4BkTwB3aROntI8BoTy6Un97PqE4BEs7wsRDEWVrdPDuxvKpC9MUf7CoekSP8Cp33--oEH_U3ZN3OGUpSVTCMHJe7CbKyrwbBlDJaFg_exw6wZ5DBfgOGrZgstycprjaZoIiL4viBd1lsKCJ4igD6S4yTEY" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1136" data-original-width="2050" height="265" src="https://blogger.googleusercontent.com/img/a/AVvXsEjG4W7yS-el_J-uwTWdFBNet1u05Ao9JXuZD4BkTwB3aROntI8BoTy6Un97PqE4BEs7wsRDEWVrdPDuxvKpC9MUf7CoekSP8Cp33--oEH_U3ZN3OGUpSVTCMHJe7CbKyrwbBlDJaFg_exw6wZ5DBfgOGrZgstycprjaZoIiL4viBd1lsKCJ4igD6S4yTEY=w480-h265" width="480" /></a></div><p></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-64020341667636800212023-09-05T10:44:00.006-05:002023-09-06T14:51:39.171-05:00NIST.SP.800-66r2.ipd Worksheet - HIPAA Indexed on NIST<p><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgktVNSthGMmKwwQ8VioWNnVTnopMyRR4gSWLXTu4wod8kgvBNBpVALnKPvsrQR-v_1-08gDuW7cFRWJwY5FZZWGKv95yG0MlTv_mFwxmD8QxzDLHE28W3N5O5iZDrCv0xtEjGu8gKGPdV8DC9TtlatwGrjFkY8_m5d5gP4-9APLwYxfk-omnwAVd1NxsU" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="1200" data-original-width="2615" height="147" src="https://blogger.googleusercontent.com/img/a/AVvXsEgktVNSthGMmKwwQ8VioWNnVTnopMyRR4gSWLXTu4wod8kgvBNBpVALnKPvsrQR-v_1-08gDuW7cFRWJwY5FZZWGKv95yG0MlTv_mFwxmD8QxzDLHE28W3N5O5iZDrCv0xtEjGu8gKGPdV8DC9TtlatwGrjFkY8_m5d5gP4-9APLwYxfk-omnwAVd1NxsU" width="320" /></a>HIPAA to NIST and NIST to HIPAA indexed worksheets in a single spreadsheet based on the Initial Public Draft (ipd) are posted on the downloads website. 
Look for the workbook 2022 HIPAA Crosswalk SP 800-66 ipd Table 12 on:</p><p><a href="http://www.ComplianceQuickstart.com" target="_blank"><b>www.compliancequickstart.com</b></a>.</p><p></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-76027166283408905232023-09-01T07:56:00.009-05:002023-11-06T11:53:58.503-06:00Numbers and Narratives: The Power of Qualitative and Quantitative Feedback<p class="MsoNormal"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhz31pS1Yk0rSyE2OBrlrXpmJgajxbmfOD3IsbcL6_kV45GVxOlJxlMIPTkk3EH33j4avDjFqFemfJhDGmcRib5SelRgHiNwmHZ_2v0GmfVUWhuX1JlEGgeUbfDN9kw-jPAGey6VVi_9gp5f9EYcOwtFuKb0KteorKndficnlcx6gaM18DaQ4v2wBbKlM8" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="433" data-original-width="760" height="182" src="https://blogger.googleusercontent.com/img/a/AVvXsEhz31pS1Yk0rSyE2OBrlrXpmJgajxbmfOD3IsbcL6_kV45GVxOlJxlMIPTkk3EH33j4avDjFqFemfJhDGmcRib5SelRgHiNwmHZ_2v0GmfVUWhuX1JlEGgeUbfDN9kw-jPAGey6VVi_9gp5f9EYcOwtFuKb0KteorKndficnlcx6gaM18DaQ4v2wBbKlM8=w320-h182" width="320" /></a></div>While technological prowess is crucial for cybersecurity, human factors are often the linchpin that determines an organization's susceptibility to cyber threats. As we navigate this ever-evolving landscape, the role of learning programs in enhancing cybersecurity awareness cannot be overstated. But how do we measure the effectiveness of these initiatives? The answer lies in a meticulous blend of quantitative and qualitative feedback.<o:p></o:p><p></p>
<h3 style="text-align: left;">The Quantitative Dimension</h3><p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">In the realm of cybersecurity learning programs,
quantitative data acts as the backbone that offers empirical evidence of
program effectiveness. This data, collected through various channels—from
real-world cybersecurity incidents and metrics on employee reporting to
targeted simulations and longitudinal studies—provides a measurable barometer
of your organization's cybersecurity posture. It can also help tailor training
materials to specific departments, evaluate ROI, and keep content up to date.
This section will detail the key types of quantitative data that you should
focus on, offering a robust framework for continuously enhancing your cybersecurity
initiatives through actionable metrics.<o:p></o:p></p>
<p class="MsoNormal"></p><ol style="text-align: left;"><li><b>Cybersecurity Incident Data</b> - Utilize real-world data on past incidents to simulate
realistic scenarios in your training programs. For example, if there has been a
rise in phishing attacks, including similar scenarios in your learning modules
can help prepare the workforce better.</li><li><b>Metrics on Incident Reporting</b> - Review how many employees report potential cybersecurity
events pre- and post-training. An increase in reports post-training could
indicate higher awareness.</li><li><b>Simulated Attack Responses</b> - Phishing simulations can provide invaluable data. If 90% of
your employees ignore a phishing email post-training compared to 50%
pre-training, you know you’re on the right track.</li><li><b>Longitudinal Data</b> - Track the program's impact over time to identify trends. Maybe
the initial spike in awareness drops after six months, indicating a need for
refresher courses.</li><li><b>Employee Testing Data</b> - Compare employee cybersecurity test scores before,
immediately after, and three months post-training to assess knowledge
retention.</li><li><b>Performance by Department</b> - Do tech departments outperform sales in cybersecurity
awareness? This could guide department-specific training.</li><li><b>Training Attendance and Completion Rates </b>- Low attendance or completion could indicate that the
training is too cumbersome or not engaging enough.</li><li><b>Quantitative Surveys and Costs</b> - Use closed-ended surveys for quick, quantifiable feedback.
Also, calculate the per-participant cost of developing and delivering the
program for ROI assessment.</li><li><b>Privacy and Technical Metrics</b> - Track the frequency and type of privacy or cybersecurity
events to identify the need for role-based training. Changes following
technical training—like a reduction in accounts with privileged access—can also
be invaluable metrics.</li></ol><p></p><p class="MsoNormal"><o:p></o:p></p>
<h3 style="text-align: left;">The Qualitative Dimension</h3><p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">While quantitative metrics provide the hard facts, it's the
qualitative data that enriches our understanding by adding context, nuance, and
depth to these numbers. Qualitative feedback captures the human elements that
are often overlooked in cybersecurity initiatives. From capturing employees'
responses about the program's delivery and content to conducting focus groups
for in-depth insights, qualitative data allows us to gauge the intangibles that
make or break a learning program. In this section, we will delve into various
types of qualitative feedback, including presenter evaluations, open-ended
surveys, and even observations from the training sessions, to provide a more
holistic assessment of your cybersecurity education efforts.<o:p></o:p></p>
<p class="MsoNormal"></p><ol style="text-align: left;"><li><b>Presenter and Program Feedback</b> - Encourage employees to share feedback on trainers and
program content to make real-time improvements.</li><li><b>Open-Ended Surveys and Reports</b> - Use these to gather nuanced opinions. Maybe the training
material is excellent, but the pace is too fast?</li><li><b>Focus Groups and Observations</b> - Conduct these with a cross-section of employees to get
richer insights into the learning experience, identifying areas for
improvement.</li><li><b>Suggestion Box</b> - A suggestion box allows employees to
provide candid feedback and innovative ideas for program improvement.</li></ol><p></p><p class="MsoNormal"><o:p></o:p></p>
<h3 style="text-align: left;">A Marriage of Metrics and Mindsets </h3><p class="MsoNormal">Combining quantitative data with qualitative insights will not only
paint a comprehensive picture of your program's effectiveness but will also
guide data-informed decisions for future improvements. For instance, if your
quantitative data indicates high knowledge retention but qualitative feedback
points to low engagement, you may need to inject more interactive elements into
your program. Because when it comes to cybersecurity, an empowered workforce is your best
line of defense. </p><p class="MsoNormal">And if you haven't already, check out NIST Special Publication <a href="https://csrc.nist.gov/pubs/sp/800/50/final" target="_blank">800-50</a> and look for the upcoming Rev. 1. This is a comprehensive guideline that serves as an invaluable resource for information security education, training, and awareness. Thank you to NIST and the industry authors and contributors for your tireless work in advancing the field and providing a foundational resource for cybersecurity professionals everywhere.</p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-65927268243323254772023-07-24T12:52:00.003-05:002023-09-01T10:45:37.490-05:002023 PCI DSSv4 to NIST 800-53r5<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi4c3bks9JVZlf5X1eL5R9snX3L7YsE_gL3VE9DU31CoNyankn3Tpz05Qqj1fRmRT1aTd4CSs2wcfE_iu7pDRkA3JkfrZLLbBJr1E8_pSSfIGlxIebzqBjwwj6T0NmsJd67wW1oqO0OE7ASS0G4ehgdPLP-DmBpmRqMHiX-xdviBqw2u1O1VVbxpZIrsgk" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="899" data-original-width="2213" height="163" src="https://blogger.googleusercontent.com/img/a/AVvXsEi4c3bks9JVZlf5X1eL5R9snX3L7YsE_gL3VE9DU31CoNyankn3Tpz05Qqj1fRmRT1aTd4CSs2wcfE_iu7pDRkA3JkfrZLLbBJr1E8_pSSfIGlxIebzqBjwwj6T0NmsJd67wW1oqO0OE7ASS0G4ehgdPLP-DmBpmRqMHiX-xdviBqw2u1O1VVbxpZIrsgk=w400-h163" width="400" /></a></div><p></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">I ran across
this again today working on an internal project for VMware. We are a team of
likeminded professionals who enjoy quality work and sharing with the community
to raise the bar for everyone. <o:p></o:p></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">What struck me
when I reopened this workbook is remembering the many very, *very* long days.
Mapping is an incomplete science, filled with subjective relationships.
However, starting from scratch, using homegrown tools and my own reading
through the controls, I remapped as accurately as I could the relationship
between the PCI DSS and the body of controls established by NIST SP 800-53r5. <o:p></o:p></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">We have our own
internal agendas and projects related to this work. However, the data here can
help someone else struggling with the volume of frameworks and managing the
complex relationships between all of them. <o:p></o:p></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">I stand by the
mapping as 90% correct. I've learned through the years there are usually ways
to improve the accuracy of subjective data. Please let me know if you find an
error! Use as you see fit. Look for 2023 PCI DSSv4 to NIST 800-53r5 on <a href="https://github.com/davischr2/Cloud-Documents" target="_blank">davischr2/Cloud-Documents
(github.com)</a> or <a href="https://www.compliancequickstart.com/" target="_blank">Blog Downloads (compliancequickstart.com)</a>. <o:p></o:p></p>
<p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;"><b>#pci</b> <b>#pcicompliance</b>
<b>#nist</b> <b>#sp80053r5</b><o:p></o:p></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0in;">Cross Posted on LinkedIn: <a href="https://www.linkedin.com/pulse/reposting-because-its-hard-pci-dss-sp-800-53r5-chris-davis/">PCI DSS to SP 800-53r5 | LinkedIn</a></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-67709585012498390172023-07-21T10:44:00.001-05:002023-07-21T10:53:37.865-05:00NIST Privacy Framework Maturity Model<p><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjW0ksakZ-OW6b-kWHwy0fTZcRdsU-rY3aDUQ_kk4ArZgq3uSNypEVGysX_5Tn72Wi5fG9TmbCLeyVULyq5skgeDVL7Llfo0CkSiw78jZILEXvwMTVUJTo1y1lT2eKc1-ehBJGDEqltKP-0ECTSULmEW9sT516deHftbhF89-ysVeSwgP7b4rGyQ8bSEkk" style="clear: left; display: inline; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img alt="" data-original-height="869" data-original-width="1827" height="152" src="https://blogger.googleusercontent.com/img/a/AVvXsEjW0ksakZ-OW6b-kWHwy0fTZcRdsU-rY3aDUQ_kk4ArZgq3uSNypEVGysX_5Tn72Wi5fG9TmbCLeyVULyq5skgeDVL7Llfo0CkSiw78jZILEXvwMTVUJTo1y1lT2eKc1-ehBJGDEqltKP-0ECTSULmEW9sT516deHftbhF89-ysVeSwgP7b4rGyQ8bSEkk=w320-h152" width="320" /></a>The NIST Privacy Framework (PF) is an interesting model for building and assessing a formalized privacy program. Sure - I agree - it's not as detailed as what can be found on ARMA, but its familiarity with the NIST Cybersecurity Framework (CSF) makes it approachable and easier to share with stakeholders. </p><p>This important distinction can help drive interest and stakeholder involvement.</p><p>The implementation of any model or checklist is only useful as a point-in-time assessment, and finding a way to extrapolate quantifiable growth is the key to successful implementation and gaining value from the effort. 
</p><p>And so - along those lines - please enjoy access to a free tool for measuring your privacy framework as it stands currently versus your desired state during the next periodic timetable you choose to set. </p><p>It's unlocked. Use as you see fit: <a href="https://www.compliancequickstart.com/">Blog Downloads (compliancequickstart.com)</a> or <a href="https://github.com/davischr2/Cloud-Documents">davischr2/Cloud-Documents (github.com)</a></p><p>Cross posted on LinkedIn: <a href="https://www.linkedin.com/pulse/nist-privacy-framework-maturity-model-chris-davis/">NIST Privacy Framework Maturity Model | LinkedIn</a></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-53124806065357726022023-07-07T15:30:00.000-05:002023-07-07T15:30:30.206-05:00Interconnected Disciplines: Security | Compliance | Privacy | Audit | Information Governance<div>As the lifeblood of the modern enterprise, information is ceaselessly processed, transmitted, and stored by people, processes, and tools. Have you ever thought about the closely interrelated relationships between each organization that has a vested interest in that data?</div><div><br /></div><div>A considerable part of the enterprise is dedicated to using - consuming - information. Meanwhile, there are others, behind the scenes, laboring to ensure the organization can utilize the information without any repercussions. The data must not only be protected but also be compliant, managed properly, and audited periodically.</div><div><br /></div><div>Introducing: Security, Compliance, Privacy, Audit, and Information Governance organizations.</div><div><br /></div><div>Each of these play a distinctive role, yet they often operate in close concert. </div><div><ul style="text-align: left;"><li><b>Security</b> is about fortifying the enterprise against threats and ensuring the confidentiality, integrity, and availability of its data. 
</li><li><b>Compliance</b> takes charge of ensuring the organization's adherence to relevant laws and regulations. </li><li><b>Privacy </b>manages personal data responsibly, safeguarding the rights and expectations of the individual. </li><li><b>Audit</b> plays a vital role in conducting systematic reviews of the company's records and operations to ensure transparency and adherence to established protocols.</li><li><b>Information Governance</b> manages information at a strategic level, providing a framework that aligns data handling processes with the overarching goals of the enterprise.</li></ul><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgffHQplBRjOUwUWP6NrQl6O3AlDaQv8gqk995kc6-E6RhPoFgOblI_6tcjMMnpmAe6sKeZ0BwoDtAU0ZGfIYg-V7AJeIJiTthR59paduR-tQ5FIPE09qm61ojh1Iq8iVEWNLMPBNKaSJIknC1bGXVTif4jJBZPJSJ4dI9nHp77jB3UZ4SQfgFv8khCHjI" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="293" data-original-width="767" height="153" src="https://blogger.googleusercontent.com/img/a/AVvXsEgffHQplBRjOUwUWP6NrQl6O3AlDaQv8gqk995kc6-E6RhPoFgOblI_6tcjMMnpmAe6sKeZ0BwoDtAU0ZGfIYg-V7AJeIJiTthR59paduR-tQ5FIPE09qm61ojh1Iq8iVEWNLMPBNKaSJIknC1bGXVTif4jJBZPJSJ4dI9nHp77jB3UZ4SQfgFv8khCHjI=w400-h153" width="400" /></a></div><br /></div></div><h3 style="text-align: left;">Let's dive a little bit deeper into each one of these.</h3><div><div><div><div><b>1. Security Organization:</b></div><div>The Security Organization is the pillar that safeguards the entire process of customer's credit card transactions. The organization employs advanced security protocols and measures, providing a secure environment for data transmission and storage. Without the Security Organization, all the other organizations would be susceptible to significant risks, as their functions entirely rely on the secure foundation built and maintained by the Security Organization.</div><div><br /></div><div><b>2. 
Compliance Organization:</b></div><div>The Compliance Organization is the critical player in aligning operations with external regulations and internal policies. Without the Compliance Organization's thorough knowledge of laws and regulations such as PCI-DSS, and its tireless efforts to maintain compliance, the company could face substantial legal and financial penalties, reputational damage, and loss of customer trust. This fundamental role places the Compliance Organization at the core of the business's sustainability and success.</div><div><br /></div><div><b>3. Privacy Organization:</b></div><div>In today's digital age, customer trust hinges heavily on how businesses handle their personal data. The Privacy Organization's role in ensuring the use of customer's credit card information adheres to privacy laws is paramount. Without the Privacy Organization's diligent monitoring and management of personal data, the company risks severe legal ramifications and damage to its reputation. Their critical role in maintaining customer trust puts them at the heart of the organization's operations.</div><div><br /></div><div><b>4. Audit Organization:</b></div><div>The Audit Organization, with its responsibility of conducting independent and rigorous reviews, ensures that transactions are being processed accurately and securely. They play an irreplaceable role in detecting irregularities, enhancing process efficiency, and ensuring that the company's financial statements are accurate. The insights they provide enable the company to maintain financial integrity and operational efficiency, making them indispensable to the organization.</div><div><br /></div><div><b>5. Information Governance Organization:</b></div><div>The Information Governance Organization, as the policy maker for information management, is the driving force behind how credit card information should be handled, stored, and deleted. They shape the company's strategy on data usage, storage, and security. 
Without their directives, other organizations wouldn't have the guidelines they need to perform their roles effectively. They serve as the architect of the company's information management strategy. This team establishes the framework for how information is created, stored, used, archived, and deleted across the organization. They align all information-related processes and policies with the organization's overall strategy and goals, ensuring that data supports and advances business objectives.</div></div></div><div><br /></div><h3 style="text-align: left;">Criticality of Working Together</h3></div><div><div>Diverse information types necessitate the involvement of multiple organizational bodies. A large spectrum of information forms the backbone of our operations.</div><div><br /></div><div>This reality underscores the need for an integrated, collaborative approach in dealing with the varied, yet interconnected, dimensions of information. It's crucial that we create a culture that emphasizes collaborative goals, where each team sees their unique responsibilities as components of the collective success. To that end, fostering cross-functional collaboration and implementing diverse team reviews can engender a richer understanding of each team's contributions and insights.</div><div><br /></div><div>Open communication, underlined by active listening and mutual respect, forms the bedrock of this collaborative culture. The exchange of ideas, challenges, and insights can catalyze solutions that incorporate diverse perspectives and approaches. Establishing feedback mechanisms that value different perspectives further enhances your decision-making process and strengthens inter-team relations.</div></div><div><br /></div><div>The information and the organizations that manage it are intricately intertwined, calling for a deliberate and proactive approach to collaboration and open dialogue. 
This approach is the key to leveraging our collective strength, ensuring the integrity of our operations, and driving our collective success.</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-37906719909251938022023-06-14T15:41:00.009-05:002023-07-07T16:08:50.506-05:00SOC Trust Services Criteria (TSC) AICPA Excel Spreadsheet Workbook<p></p><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjxwKk45YFPpMUDtLVZ3NtXmHlutAg7_3VKBW2raEhF5jSgU4gkyprtQ3Gcu-IQTdqVPv0ZN_ftV_PiYQ_3ofrZxS2FQkf_23TPPJNPGlgpGjJmnqTIo0vAqQNRs5PAsD42g-rXPrHKPTGvXGFoaCZSfVXhug4GsXrz7TAwoF-w29lFBa868sjeXyF5" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="1063" data-original-width="3346" height="64" src="https://blogger.googleusercontent.com/img/a/AVvXsEjxwKk45YFPpMUDtLVZ3NtXmHlutAg7_3VKBW2raEhF5jSgU4gkyprtQ3Gcu-IQTdqVPv0ZN_ftV_PiYQ_3ofrZxS2FQkf_23TPPJNPGlgpGjJmnqTIo0vAqQNRs5PAsD42g-rXPrHKPTGvXGFoaCZSfVXhug4GsXrz7TAwoF-w29lFBa868sjeXyF5=w200-h64" width="200" /></a></div></div>I've combined information from multiple sources, created a numbering scheme, and broken down information into a format that is easier to review and digest than what I have seen. Enjoy.<p></p><p>You can find the result under <a href="https://www.compliancequickstart.com/">Blog Downloads (compliancequickstart.com)</a>. 
</p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-74129108052920529992023-05-31T17:53:00.011-05:002023-06-05T09:33:03.125-05:00Updated Format to New FedRAMP® NIST SP 800-53r5 Controls Workbook <p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjKRC-g91qBXClIy5pETUhZHzESsH2L_DVcs7wO9U2SNy1TjIFwl1Vlq_YDwaZa6Zp1b1poWJlIH04_gXZAtg4G3thEOinwc4R4FFFpKNiO2fq4l4tQL2rdLlqqHoMC8F1lhArDdmO-2nbq_j6LN3Y5Jn0ciZAmtH6YAzeUqOLmUIDgTXjj08OcCPjN" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="143" data-original-width="146" height="51" src="https://blogger.googleusercontent.com/img/a/AVvXsEjKRC-g91qBXClIy5pETUhZHzESsH2L_DVcs7wO9U2SNy1TjIFwl1Vlq_YDwaZa6Zp1b1poWJlIH04_gXZAtg4G3thEOinwc4R4FFFpKNiO2fq4l4tQL2rdLlqqHoMC8F1lhArDdmO-2nbq_j6LN3Y5Jn0ciZAmtH6YAzeUqOLmUIDgTXjj08OcCPjN=w52-h51" width="52" /></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjgqZSJFoDEKhf0hJnJoIXwFtS4KgvuwyVji5sv0G0G6iS_VKMnTc11XY3Az6OT6G3orIlsmlV0-VjG4xoJHl59vz3oZtUuvzYgVd2lwgUyU0n54RfqmLAm8tbN3Ic1bKWx03WdPdXE1JUCMnHEZPLQgkF4SQJKKRe3_IH7e_-r68m-xSe8HwM5GTnJ" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a></div>I've updated and cleaned up the posted NIST SP 800-53r5 FedRAMP® controls workbook located under the <a href="https://www.fedramp.gov/documents-templates/">FedRAMP Resources</a>. For example, I've included a worksheet that allows simple filtering and sorting for comparative analysis across control sets.<div><br /><div>You can download it from <a href="http://www.compliancequickstart.com">www.compliancequickstart.com</a>. Look for 2023 FedRAMP Control Baselines. If I was going to use the information, this is the format in which I would start. 
Have fun.</div></div><div><br /></div><div>Direct Link <a href="https://docs.google.com/spreadsheets/d/18s0jqt5y4zNMbgV9vkKOJ27sdeGOSSFB/edit?usp=drive_link&ouid=106791680849954012935&rtpof=true&sd=true" target="_blank">here</a>.</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-12938666473682789992023-05-15T13:40:00.004-05:002023-05-22T12:09:37.979-05:00Interest Profilers<p>I've found a profession that fits my personality and passions, and I'm equally passionate about helping others find their own personal fit. I'm watching those close to me grow up and think about the work force in the looming years with some anticipation - and some anxiety. </p><p>Interest profilers are simply a tool that can be used to help identify professions that could be a good fit based on your authentic self. </p><p>This is a list I'll update over time for my own friends and family investigating career choices. </p><div dir="ltr" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><a data-saferedirecturl="https://www.google.com/url?q=https://www.mynextmove.org/&source=gmail&ust=1684262189610000&usg=AOvVaw0Vrqde9veldnJSr0ti9QYl" href="https://www.mynextmove.org/" style="color: #1155cc;" target="_blank">My Next Move</a></div><div dir="ltr" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></div><div dir="ltr" style="background-color: white; color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small;"><a data-saferedirecturl="https://www.google.com/url?q=https://www.mynextmove.org/&source=gmail&ust=1684262189610000&usg=AOvVaw0Vrqde9veldnJSr0ti9QYl" href="https://www.mynextmove.org/" style="color: #1155cc;" target="_blank"></a><a data-saferedirecturl="https://www.google.com/url?q=https://www.mynextmove.org/explore/ip&source=gmail&ust=1684262189610000&usg=AOvVaw3F7hqerGGBD14AXoqgq7kg" 
href="https://www.mynextmove.org/explore/ip" style="color: #1155cc;" target="_blank">O*NET Interest Profiler</a></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-4603046844306667302023-02-07T09:25:00.001-06:002023-02-07T09:25:17.585-06:00Impact Radar for 2023<p><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhDsTiObX3hKELuePaEZbsuD33BJdXoNmb_nrFom9GBRwp-k8CjkkR9Om03RvBlXSdET7f951kZnoGJdPfDcZ80AlpXDk4swecJCAh9K4fKX2WkXgdPlH60YySl75X3txEm6LRS0c4b76z8eHWhjNKtW7op3xUYL2HU-p__AL2mvh6npk_LnFuLPjTl" style="clear: left; display: inline !important; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img alt="" data-original-height="1175" data-original-width="1372" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEhDsTiObX3hKELuePaEZbsuD33BJdXoNmb_nrFom9GBRwp-k8CjkkR9Om03RvBlXSdET7f951kZnoGJdPfDcZ80AlpXDk4swecJCAh9K4fKX2WkXgdPlH60YySl75X3txEm6LRS0c4b76z8eHWhjNKtW7op3xUYL2HU-p__AL2mvh6npk_LnFuLPjTl" width="280" /></a>This brief is an interesting read created by Gartner to discuss emerging technologies over the next decade. I've shared this with a few people inside my organization and the response has been quite interesting. When we get so focused on our own domain, reading forward-looking articles such as this one can seem like science fiction. </p><p></p><p>This particular paper is targeted towards particle leaders to help them understand how emerging technologies and trends are changing. Staying on top of emerging technologies is necessary to decide which technologies or trends are most beneficial for their business, and when it is the right time to invest in them in order to improve their products and services.</p><p>Never lose sight of that fine line between embedded truth and the need for change. 
Never lose focus of the opportunities that can make you successful.</p><p>In this case, the authors created a simple chart depicting which technologies require focus now, and which ones they believe are imminent. Paying attention to these shifts helps to ensure relevance and longevity. </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgIwmOtjukBlbB1TxZNAP5Gow7WKvtg6KUh7OaqQEFbA4p59Ghp_Kjp-SGiTgNNE-stjsWmY0gWLGMcAGjdky7IxzyZxuza2_TwLQsPsDbEtRy0hXXqvG7Ev09fi_XXt8H1Y5xd9PbxN8o2VquOuxdTFOYUEBLqvmWyvTPk6uedPJqSXqI8Ff0SswxL" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="623" data-original-width="1353" height="147" src="https://blogger.googleusercontent.com/img/a/AVvXsEgIwmOtjukBlbB1TxZNAP5Gow7WKvtg6KUh7OaqQEFbA4p59Ghp_Kjp-SGiTgNNE-stjsWmY0gWLGMcAGjdky7IxzyZxuza2_TwLQsPsDbEtRy0hXXqvG7Ev09fi_XXt8H1Y5xd9PbxN8o2VquOuxdTFOYUEBLqvmWyvTPk6uedPJqSXqI8Ff0SswxL" width="320" /></a></div><div class="separator" style="clear: both; text-align: left;">This brief is a short read. You can access it here. <a href="https://www.gartner.com/en/doc/emerging-technologies-and-trends-impact-radar-excerpt">Emerging Tech Impact Radar: 2023 (gartner.com)</a></div><br /><br /><p></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-87722134426464642662023-01-19T13:24:00.004-06:002023-01-19T13:34:17.537-06:00Is It Worth the Time?<p>Brilliant. Requires no commentary. 
Just read and digest it.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj_NuP3J5REXY3jvIwEp7N6hYO_cZLSXGh0Fo51pZdSqrBMzv6kw9N-7bF-toAh6gU5wHR9Wdj2hl4PD87LSr7VzC6Q3wZz1c4kHFsw9WOE_p0DBq1M2vTUrUjXj-RzDkNpQQ7MK_cavEK_NvpicQaNvkRXKMIgtd0XdT4S5f8FFjBPEoiMiE5ILEeZ" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="927" data-original-width="1141" height="325" src="https://blogger.googleusercontent.com/img/a/AVvXsEj_NuP3J5REXY3jvIwEp7N6hYO_cZLSXGh0Fo51pZdSqrBMzv6kw9N-7bF-toAh6gU5wHR9Wdj2hl4PD87LSr7VzC6Q3wZz1c4kHFsw9WOE_p0DBq1M2vTUrUjXj-RzDkNpQQ7MK_cavEK_NvpicQaNvkRXKMIgtd0XdT4S5f8FFjBPEoiMiE5ILEeZ=w400-h325" width="400" /></a></div><br />Source here: <a href="https://xkcd.com/1205/">xkcd: Is It Worth the Time?</a><p></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-15692080256602074322023-01-05T10:57:00.005-06:002023-01-05T10:58:48.762-06:00Cloud Tech Sales: Emotional Intelligence and Emotional Influence<p><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgPvEBXE10CCn6sZSX3oiALbPKViwraT0xnCuOeeFXjFZCPSVQuMmeSd42larNz10lEmFh5lrTyRxYPYuqCYySs9FG5eDET6cs6CkLKDSEm92LpeQAVm3JqLoIA8ZaXl14In4myZWZFgjPaA1lNVn3j50OcFKMWGzoik9NymRZPL3fUOLtSgNtxL0Us" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img alt="" data-original-height="642" data-original-width="1157" height="178" src="https://blogger.googleusercontent.com/img/a/AVvXsEgPvEBXE10CCn6sZSX3oiALbPKViwraT0xnCuOeeFXjFZCPSVQuMmeSd42larNz10lEmFh5lrTyRxYPYuqCYySs9FG5eDET6cs6CkLKDSEm92LpeQAVm3JqLoIA8ZaXl14In4myZWZFgjPaA1lNVn3j50OcFKMWGzoik9NymRZPL3fUOLtSgNtxL0Us" width="320" /></a></p><p>Think of emotional intelligence as empathy and understanding the emotional state of others and how to navigate the emotions. Awareness. Think of emotional influence as deftly using this information to your advantage. 
Emotional influence then becomes a powerful marketing technique that aims to
persuade potential customers by appealing to their emotions rather than
logical arguments. When it comes to selling cloud computing technologies, some
common emotions that can be appealed to include:</p><p class="MsoNormal"><o:p></o:p></p><p>
</p><ol start="1" style="margin-top: 0in;" type="1">
<li class="MsoNormal">Security:
Many people are concerned about the security of their data and the risk of
cyber attacks. By highlighting the robust security measures in place for
cloud computing technologies, you can appeal to people's desire for peace
of mind and protection.<o:p></o:p></li>
<li class="MsoNormal">Convenience:
Cloud computing technologies offer convenience by allowing users to access
their data and applications from anywhere, at any time. By emphasizing
this convenience, you can appeal to people's desire for flexibility and
ease of use.<o:p></o:p></li>
<li class="MsoNormal">Cost-effectiveness:
For businesses, moving to the cloud can be a cost-effective way to reduce
IT costs and improve efficiency. By highlighting these cost savings, you
can appeal to people's desire to save money and be financially
responsible.<o:p></o:p></li>
<li class="MsoNormal">Innovation:
Cloud computing technologies can enable businesses to be more agile and
innovative by providing access to the latest technologies and enabling
them to scale quickly. By emphasizing the potential for innovation, you
can appeal to people's desire to be at the cutting edge and stay ahead of
the competition.<o:p></o:p></li>
</ol><p>My wife and I became enthralled with the artful selling on a recent trip. She quickly googled to find an excellent article written by <a href="https://fitsmallbusiness.com/author/jillianilao/" style="box-sizing: border-box; color: #1c7db1; transition: all 0.3s ease 0s;"><span style="font-family: inherit;">Jillian Ilao</span></a> found on <a href="https://fitsmallbusiness.com/emotional-selling/" target="_blank">fitsmallbusiness.com</a> titled "<a href="https://fitsmallbusiness.com/emotional-selling/">6 Emotional Selling Techniques to Drive Buying Decisions</a>". </p><p>Jillian powerfully concludes with this: </p><h2 style="background-color: white; box-sizing: border-box; color: #313636; line-height: 1.2; margin-bottom: 16px; margin-top: 0px;"><span style="font-family: inherit; font-size: small;">How Effective is Emotional Selling &amp; What are its Benefits?</span></h2><p style="background-color: white; box-sizing: border-box; color: #313636; margin-bottom: 26px; margin-top: 0px;"><span style="font-family: inherit;">Emotional selling is very effective in terms of revenue generation. 
Therefore, as part of your <a href="https://fitsmallbusiness.com/sales-management/" style="background-color: transparent; box-sizing: border-box; color: #155e85; font-weight: 700; text-decoration-line: none; transition: all 0.3s ease 0s;">sales management</a> process, you must train new sales reps on the emotion-based sales tactics most effective and appropriate for your products or services.</span></p><p style="background-color: white; box-sizing: border-box; color: #313636; margin-bottom: 26px; margin-top: 0px;"><span style="font-family: inherit;">Some</span><span style="font-family: inherit;"> </span><a href="https://blogginglift.com/emotional-marketing-statistics/" rel="noopener" style="background-color: transparent; box-sizing: border-box; color: #155e85; font-family: inherit; font-weight: 700; text-decoration-line: none; transition: all 0.3s ease 0s;" target="_blank">70% of customers</a><span style="font-family: inherit;"> </span><span style="font-family: inherit;">are likely to buy a product when an advertisement appeals to their emotions. They are also more likely to recommend brands they feel connected to, with 71% of customers recommending a brand based on emotional connection. 
Furthermore, brand loyalty also increases as</span><span style="font-family: inherit;"> </span><a href="https://www.soocial.com/emotional-marketing-statistics/" rel="noopener" style="background-color: transparent; box-sizing: border-box; color: #155e85; font-family: inherit; font-weight: 700; text-decoration-line: none; transition: all 0.3s ease 0s;" target="_blank">81% of emotionally engaged consumers</a><span style="font-family: inherit;"> </span><span style="font-family: inherit;">say they enjoy giving back to a brand they are loyal to.</span></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-18436699805601649042023-01-04T13:36:00.001-06:002023-01-04T13:37:32.607-06:00The importance of firmware security in cloud computing<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi5WofkOT0ekdEUQfHL1j78_pnpJVWEaNDoXUoR_nFw1k21zDzmi1u2djQP7nBx7wzIN3PRVQElDVW5z2GAl6hH3rsSEbRFosqkk98jgDUBSie0fPXuaETljvGyclGZahTuydCl7IqCthNb5e1sp4goBfTEqgW-pfVU7tOKbO1x9SBL0lXK8PfqiWdA" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="385" data-original-width="415" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEi5WofkOT0ekdEUQfHL1j78_pnpJVWEaNDoXUoR_nFw1k21zDzmi1u2djQP7nBx7wzIN3PRVQElDVW5z2GAl6hH3rsSEbRFosqkk98jgDUBSie0fPXuaETljvGyclGZahTuydCl7IqCthNb5e1sp4goBfTEqgW-pfVU7tOKbO1x9SBL0lXK8PfqiWdA" width="259" /></a></div>Firmware is the low-level software that controls a device's hardware, and it is an important part of cloud computing systems. Firmware security is essential because it helps to protect against attacks that can compromise the integrity and availability of cloud computing systems.<br /><br />One of the main risks of insecure firmware is the potential for attackers to gain unauthorized access to a system. 
For example, an attacker could exploit a vulnerability in the firmware to gain access to a device's network, allowing them to intercept data or launch further attacks. Insecure firmware can also make it easier for attackers to plant malware or backdoors, which can be used to maintain ongoing access to a system. <br /><br />Firmware security is also important because firmware updates can themselves introduce new vulnerabilities. If an organization fails to properly test and validate firmware updates, it may introduce new vulnerabilities into its systems. This is particularly problematic in cloud computing environments, where multiple tenants may share the same hardware. <br /><br />To address these risks, organizations should implement robust firmware security measures: performing regular security assessments to identify vulnerabilities, enforcing change management processes for firmware updates, and putting safeguards in place to prevent unauthorized access to firmware. <br /><br />In addition to these measures, organizations should also consider using secure boot and trusted platform module (TPM) technologies to help ensure the integrity of their firmware. Secure boot helps to prevent unauthorized software from being run on a device, while a TPM allows for the secure storage of cryptographic keys and other sensitive information. <div><br /></div><div>Firmware security is an important consideration for organizations that use cloud computing. 
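The two checks the post recommends, update validation and TPM-backed measured boot, as an added example that is not part of the original post: it assumes a SHA-256 PCR bank, uses an HMAC as a stand-in for the vendor's asymmetric signature, and every image, key and golden value in it is constructed test data.

```python
"""Added example, not from the original post: two firmware-integrity checks.
1. Update validation: apply an update image only if its SHA-256 digest matches
   a vendor manifest that itself verifies (HMAC stands in for the vendor's
   asymmetric signature; a real pipeline verifies it with the vendor's public key).
2. Measured boot: replay the boot event log through the TPM 2.0 PCR extend rule
   PCR_new = SHA256(PCR_old || SHA256(component)) and compare with a golden PCR
   recorded from a trusted baseline. All images, keys and values are constructed.
"""
import hashlib
import hmac

PCR_INITIAL = b"\x00" * 32   # SHA-256 bank PCRs 0-15 start zeroed at reset

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR value is the hash of old value || measurement."""
    return sha256(pcr + measurement)

def replay_event_log(components) -> bytes:
    """Replay measured components in boot order; order and content both matter."""
    pcr = PCR_INITIAL
    for blob in components:
        pcr = pcr_extend(pcr, sha256(blob))
    return pcr

def attest(components, golden_pcr: bytes) -> bool:
    """Attestation-style check: replayed PCR must equal the provisioning-time value."""
    return hmac.compare_digest(replay_event_log(components), golden_pcr)

def validate_update(image: bytes, manifest: dict, vendor_key: bytes) -> bool:
    """Reject the update if the manifest tag fails or the image digest differs."""
    expected_tag = hmac.new(vendor_key, manifest["digest"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False   # manifest not from the vendor, or altered in transit
    return hmac.compare_digest(sha256(image), manifest["digest"])

# Constructed baseline: a trusted boot chain of three measured components.
BASELINE = [b"bootloader-v1", b"bmc-firmware-v1", b"nic-option-rom-v1"]
GOLDEN_PCR = replay_event_log(BASELINE)   # recorded when the host was provisioned
VENDOR_KEY = b"constructed-vendor-key"
GOOD_IMAGE = b"bmc-firmware-v2"
MANIFEST = {"digest": sha256(GOOD_IMAGE)}
MANIFEST["tag"] = hmac.new(VENDOR_KEY, MANIFEST["digest"], hashlib.sha256).digest()

if __name__ == "__main__":
    tampered = [b"bootloader-v1", b"bmc-firmware-v1-backdoored", b"nic-option-rom-v1"]
    print("baseline attests:", attest(BASELINE, GOLDEN_PCR))   # True
    print("tampered attests:", attest(tampered, GOLDEN_PCR))   # False
    print("update valid:", validate_update(GOOD_IMAGE, MANIFEST, VENDOR_KEY))   # True
```

A swapped, reordered or missing component changes the replayed PCR, which is why a golden value recorded at provisioning time is enough to flag any later change to the boot chain.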
By implementing robust firmware security measures, organizations can help to protect against attacks that can compromise the integrity and availability of their systems.</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-29831603249857683512023-01-04T13:25:00.000-06:002023-01-04T13:25:38.513-06:00The evolution of the Lockheed Martin kill chain<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi0GJ_vkJ1dYJTYXncDb6npF81DNGOXXGciF_tok-rmI6LaEoL_pJ4X7tPYBjTDxGptndMVzV7vJy3CKACbQ6WpX53vUrhNlz_Flvi2aJJSW6Ep70jDqikiHCyk0D61kQny5cox3eONqVY-uxtsQ-WTo9o-PQuRUlgX9scqhF3w0V9XtqZDEg-YhA8D" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="620" data-original-width="530" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEi0GJ_vkJ1dYJTYXncDb6npF81DNGOXXGciF_tok-rmI6LaEoL_pJ4X7tPYBjTDxGptndMVzV7vJy3CKACbQ6WpX53vUrhNlz_Flvi2aJJSW6Ep70jDqikiHCyk0D61kQny5cox3eONqVY-uxtsQ-WTo9o-PQuRUlgX9scqhF3w0V9XtqZDEg-YhA8D" width="205" /></a></div>The <a href="https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html" target="_blank">Lockheed Martin Kill Chain</a> is a framework used to describe the stages of a cyber attack, from initial compromise to exfiltration of data. The concept of a kill chain has been around for decades, but the specific model developed by Lockheed Martin has become widely adopted in the cybersecurity industry.<p></p><p>The Lockheed Martin Kill Chain has evolved over time as the tactics and technologies used by attackers have changed. 
Initially, the focus was on traditional network attacks, but the rise of mobile devices and the Internet of Things has led to the inclusion of additional stages to cover these types of attacks.</p><p>The original Lockheed Martin Kill Chain consists of seven stages:</p><p></p><ol style="text-align: left;"><li>Reconnaissance: This is the first stage of the attack, where the attacker gathers information about the target. This may include researching the target's employees, network infrastructure, and potential vulnerabilities.</li><li>Weaponization: In this stage, the attacker creates a means of delivering the payload (e.g., malware or exploit) to the target.</li><li>Delivery: The payload is delivered to the target, usually via email or a malicious website.</li><li>Exploitation: The payload is executed, allowing the attacker to gain access to the target's system.</li><li>Installation: In this stage, the attacker installs any necessary tools or malware on the target's system to maintain control and access.</li><li>Command and control: The attacker establishes a means of communicating with the compromised system and issuing commands.</li><li>Actions on objectives: The attacker carries out their intended objectives, such as stealing data or disrupting services.</li></ol><p></p><p>In addition to the seven core stages, the Lockheed Martin Kill Chain model also includes three additional stages that can occur before or after the core stages:</p><p></p><ol style="text-align: left;"><li>Pre-attack: This stage includes activities such as supply chain attacks or the insertion of hardware backdoors.</li><li>Post-attack: This stage includes activities such as data exfiltration and the destruction of evidence.</li><li>Reroute: This stage includes activities such as redirecting the attack to a different target or disrupting the kill chain.</li></ol><p></p><p>The Lockheed Martin Kill Chain model is a valuable tool for understanding the different stages of a cyber attack and for 
identifying potential points of intervention. By understanding the different stages of the attack, organizations can implement targeted defenses and responses to mitigate the risk of a successful attack.</p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-31236660655584776602023-01-03T10:49:00.000-06:002023-01-03T10:49:03.061-06:0021 skills that will pay you forever<p>This was shared with me. Posting so that I remember this and share with others.</p><p><b>21 skills that will pay you forever </b></p>1. Ability to sell and negotiate.<br />2. Ability to convey what you think and feel. <br />3. Ability to break a process down into smaller steps. <br />4. Ability to shut up, listen and learn from others. <br />5. Ability to adapt, improvise and overcome obstacles. <br />6. Ability to read, understand and memorize. <br />7. Ability to walk away. <br />8. Ability to manage time effectively. <br />9. Ability to stay positive and optimistic. <br />10. Ability to make decisions based on facts, not on emotions. <br />11. Ability to speak in front of a large audience. <br />12. Ability to keep trying even after failure. <br />13. Ability to invest money in yourself. <br />14. Ability to take action regardless of your situation. <br />15. Ability to self-analyze. <br />16. Ability to learn how to learn. <br />17. Ability to understand what others feel. <br />18. Ability to remain consistent. <br />19. Ability to master your thoughts. <br />20. Ability to write words to persuade and influence others. <br />21. Ability to ask for help. <br /><br />Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-49254719766688547202022-11-03T15:01:00.003-05:002022-11-03T15:01:35.601-05:00Most Requested Compliance Documents<p>Indicator of what’s important around the world.</p>
<p class="MsoNormal">Current: <a href="https://www.unifiedcompliance.com/MonthlySelectedAuthorityDocuments-September2022/">Monthly
Selected Authority Documents - September, 2022 - Unified Compliance</a><o:p></o:p></p>
<p class="MsoNormal">Monthly Updates & History: <a href="https://www.unifiedcompliance.com/category/monthly-updates/">Monthly
Updates Archives - Unified Compliance</a></p><p class="MsoNormal"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgW7TRFYfwRUm8C0Rtp1c32aIYTUJN0xpE1yqvp-Ftv-Z5avWoWhCEPTrmyWeUDDR9grYsLYxgS-IzF_5bH8qYthSr5T1woJvRHN6H1alYtW1wVETYhKh0gC82NncjrZtx8RW9yYSJln-byQYCh6Ltz_Luw-vyeHV7KNyBtr2ezOSc__GF9CNrzw7wE" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="743" data-original-width="1442" height="206" src="https://blogger.googleusercontent.com/img/a/AVvXsEgW7TRFYfwRUm8C0Rtp1c32aIYTUJN0xpE1yqvp-Ftv-Z5avWoWhCEPTrmyWeUDDR9grYsLYxgS-IzF_5bH8qYthSr5T1woJvRHN6H1alYtW1wVETYhKh0gC82NncjrZtx8RW9yYSJln-byQYCh6Ltz_Luw-vyeHV7KNyBtr2ezOSc__GF9CNrzw7wE=w400-h206" width="400" /></a></div><br /><b>Top 10:</b><p></p><p class="MsoNormal"></p><ol style="text-align: left;"><li>NIST CSF 1.1</li><li>CIS Controls, V8</li><li>ISO 27001-2013</li><li>EU General Data Protection Regulation (GDPR)</li><li>NIST SP 800-53 R5</li><li>Sarbanes-Oxley Act of 2002</li><li>PCI DSS v3.2.1</li><li>ISO/IEC 27701:2019</li><li>Cloud Controls Matrix, v4.0</li><li>ISO 27002 </li></ol><p></p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-15396827655703689962022-10-25T13:38:00.008-05:002022-10-25T15:16:35.157-05:00Summary of All Data Breaches 2004-2022<p>The pictures speak for themselves. It's interesting..... Looking at the average data sensitivity for all records lost each year, ranked according to the simple scale below, you get this chart. </p><p><b>Data source</b>: <a href="https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity">World’s Biggest Data Breaches & Hacks — Information is Beautiful</a></p><b>Data sensitivity</b><br /><br />1. 
Just email address/Online information<br />2. SSN/Personal details<br />3. Credit card information<br />4. Health & other personal records<br />5. Full details<div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjx650UBxZ6HuwoNjroGEInj6M1JviBbXMXYAhIrFiSlXuPKGgUMvvQVK0ZTGp2BexP-nF1txHBKZsPWSBYxPD4MxGzilCdEtCpH52pCKax45v7HjDU2rvpao6i0tlNunVUNb9hSHvwMduSN5dinnSwfPlvGhy6hk3YsiD0kO_UnNVMM8bYvyXssMh-" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="370" data-original-width="615" height="193" src="https://blogger.googleusercontent.com/img/a/AVvXsEjx650UBxZ6HuwoNjroGEInj6M1JviBbXMXYAhIrFiSlXuPKGgUMvvQVK0ZTGp2BexP-nF1txHBKZsPWSBYxPD4MxGzilCdEtCpH52pCKax45v7HjDU2rvpao6i0tlNunVUNb9hSHvwMduSN5dinnSwfPlvGhy6hk3YsiD0kO_UnNVMM8bYvyXssMh-" width="320" /></a></div></div></div><br /><b>By number of records lost</b></div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhrk0WsI5Uu9XLzyHJquPjRktFjCxtOmMwzoJnYgWlACD3guAb28_xn0vAYPQd8N-HfeuXprOIntAjLFjkHMypX0pwRtorFfBWCbgUEUZqfDwuPM9oT2QrcrdSI26hMEzDXlsYS_fwWYVD2YP_NDfX8TcpC34GsVQBQF4mr99Ve1gU_vuQ5PsNku1Np" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="370" data-original-width="615" height="193" src="https://blogger.googleusercontent.com/img/a/AVvXsEhrk0WsI5Uu9XLzyHJquPjRktFjCxtOmMwzoJnYgWlACD3guAb28_xn0vAYPQd8N-HfeuXprOIntAjLFjkHMypX0pwRtorFfBWCbgUEUZqfDwuPM9oT2QrcrdSI26hMEzDXlsYS_fwWYVD2YP_NDfX8TcpC34GsVQBQF4mr99Ve1gU_vuQ5PsNku1Np" width="320" /></a></div></div></div><br /></div><div><b>Putting it together</b></div><div><b><br 
/></b></div><div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjN3OnzGEKPZa0JP1jSQFKzygHz96d2U11yQrlOxMJQhEPFT3xkGVICfJysFevLdBaAQ6oSpbT7JODdeeQp_Yj8eSOPpcfZEbL1WbYi0VEWmkrC-vLwv0FbEz2-C3LAY4DZmxYw4Bjayz8Cx_n0JlBqeHL-S1d7Eu8tcQxuCj1GaIPGSEkOBMJtlbPq" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1017" data-original-width="1956" height="166" src="https://blogger.googleusercontent.com/img/a/AVvXsEjN3OnzGEKPZa0JP1jSQFKzygHz96d2U11yQrlOxMJQhEPFT3xkGVICfJysFevLdBaAQ6oSpbT7JODdeeQp_Yj8eSOPpcfZEbL1WbYi0VEWmkrC-vLwv0FbEz2-C3LAY4DZmxYw4Bjayz8Cx_n0JlBqeHL-S1d7Eu8tcQxuCj1GaIPGSEkOBMJtlbPq" width="320" /></a></div></div></div><br /><br /></div></div><br /></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-779249926252698952.post-69154336639166130422022-10-11T09:52:00.008-05:002022-10-11T10:20:09.834-05:00IT Audit Process: Identify blind spots & streamline operations<p>I created this to use as a backdrop for discussions around the IT audit process with a focus on identifying blind spots and streamlining operations.</p><p></p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLQepwEMfMlD-_bTdOgV2re7U3Lg9YAcMzxcX4GBCNu4YvL5392ArDT_VyIRqq80YTdQR5xV7e7zA36qWi7ygfTzQAF-3TR6MxGJlPFrIq-zeWF_y1uem-kN2cHyKtbQC23FYflQTeq_SuvhLFwHgQDKlMeuZwM6U7htLaTw_BmJRPkCJqgN-I7fvd/s1600/IT%20Audit%20Process%20-%20Identify%20blind%20spots%20and%20streamline%20operations.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="820" data-original-width="1600" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLQepwEMfMlD-_bTdOgV2re7U3Lg9YAcMzxcX4GBCNu4YvL5392ArDT_VyIRqq80YTdQR5xV7e7zA36qWi7ygfTzQAF-3TR6MxGJlPFrIq-zeWF_y1uem-kN2cHyKtbQC23FYflQTeq_SuvhLFwHgQDKlMeuZwM6U7htLaTw_BmJRPkCJqgN-I7fvd/w400-h205/IT%20Audit%20Process%20-%20Identify%20blind%20spots%20and%20streamline%20operations.png" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div></div></div></div></div><p></p>Unknownnoreply@blogger.com