SANS MGT514
Vision: an intangible asset for a leader (4:52)
"D.R.I.V.E." Directional: does it help you decide what activities to pursue? Relevant: takes into account the organization's history, current state, culture, and values, thereby making it visible. Inspirational: inspired people commit to a shared goal; captures hearts/minds. Vivid: clear and concrete; describes a future that's easy to imagine. Extremely Bold: audacious; does it feel unattainable?
Most Critical Assets (1:184)
"crown jewels" - data, systems, and even processes that are critical to an organization's competitive and strategic advantage; these change based on industry, business model or strategy, and time horizon.
Strategy Maps (1:56)
Links high-level strategic objectives to specific projects and initiatives; shows how to turn strategy into tangible outcomes; highlights gaps in strategy implementation; helps communicate strategy to the entire organization.
Strategic objectives (1:56)
Based on understanding the business model, strategy, and competitive forces; very high level and often vague.
twelve ways to win people to your way of thinking (4:16-17)
1. Avoid arguments 2. Show respect for other people's opinions 3. If you're wrong - admit it 4. Begin in a friendly way 5. Start with questions to which the other person will answer yes 6. Let the other person do the talking 7. Let the other person feel the idea is theirs 8. Try to honestly see things from the other person's POV 9. Sympathize with the other person 10. Appeal to noble motives 11. Dramatize your ideas 12. Throw down a challenge
Five Forms of leadership Power (4:30)
1. Coercive Power - based on fear; employees not likely as committed 2. Reward Power - based on ability to distribute rewards; employees comply with requests to receive special benefits 3. Positional Power - based on position in the organization 4. Expert Power - based on having special skills or knowledge; respect is earned through experience/knowledge 5. Referent Power - based on desirable resources or personal traits; you like the person and enjoy doing things for them.
Four major factors of leadership (4:19)
1. Leader - know who you are, what you know, and what you can do. 2. Follower - Different people require different leadership styles 3. Communication - Lead through verbal and nonverbal communication 4. Situation - use your judgement to decide the best course of action and the leadership style needed for each situation.
IKC - Intrusion Kill Chain (1:200)
1. Recon 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Installation 7. Command & Control (C2)
Bolman and Deal's four frame model (4:22)
1. Structural - analysis, design, facts, implementation 2. Human resource - supporting, advocating, empowering 3. Political - coalition building, conflict avoidance 4. Symbolic - vision, inspiration, ability to cope with change/uncertainty
Mission statement - 4 Steps (2:22-26)
1. Tell a story 2. Highlight Keywords 3. Group the big ideas 4. Draft the mission
Understanding the business (1:29)
1. Understand where you've been 2. Understand business strategy 3. Understand macro factors that affect the business 4. Understand and develop relationships with key stakeholders
Business Model (1:41)
1. describes how you operate 2. generate revenue and make profit 3. deliver value at a reasonable cost
United States: SOX (Sarbanes-Oxley) (3:21)
11 major elements: Public Company Accounting Oversight Board (PCAOB); auditor independence; corporate/individual responsibility; enhanced financial disclosures; analyst conflicts of interest; commission resources and authority; studies and reports; corporate and criminal fraud accountability; white collar crime penalty enhancement; corporate tax returns; corporate fraud accountability.
International: PCI DSS (3:15)
12 specific requirements designed to protect cardholder data and to prevent fraud.
NotPetya - Impact on Maersk (1:164)
20% reduction in global shipping, equaling a $300 million loss; central booking down; software at shipping terminals down; IT infrastructure - 45K PCs, 4K servers, 150 domain controllers had to be rebuilt.
NIST Cybersecurity Framework (2:94)
3 Parts: Core, Implementation tiers, and profiles. Defines common language for managing security risk.
Why People become leaders (4:8)
3 explanations of how people become leaders: 1. Trait theory; 2. Great Events theory; 3. Transformational Leadership theory
Roadmap Development (2:126-129)
3-step process; Step 1 - Identify what is being done today, Step 2 - Map Current Capabilities to maturity levels, Step 3 - Prioritize new initiatives to increase maturity
Marketing - SNAP (2:214)
4 key components: Specify - marketing objectives; Niche - identify value proposition; Audience - identify target market; Promote - distribution strategy
Hierarchy of needs (4:37)
8. Self-transcendence - achieving a higher goal outside oneself such as enhanced consciousness, altruism, or spirituality 7. Self-actualization - knowing exactly who you are 6. Aesthetic - at peace, more curious about the inner workings of all 5. Cognitive - learning for learning alone, contributing knowledge 4. Esteem - feeling of moving up in the world, recognition, few doubts about self 3. Belongingness and love - belonging to a group, close friends to confide in 2. Safety - feeling free from immediate danger 1. Physiological - food, water, shelter, sex.
STIX - Vulnerability (1:208)
A mistake in software that can be directly used by a hacker to gain access to a system or network
Framework Categories - Protect (2:97)
Access Control (PR.AC), Awareness & training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT)
Values - belong in the Security department (2:46)
Accountability, Automation, Business Supporting, Collaboration, Customer focus, Efficiency, Entrepreneurial, Ethical behavior, Excellence, Expertise, Innovation, Integrity, Leadership, Partnership, Professionalism, quality, Respect, Transparency, Trustworthiness, Vulnerability
STIX - Course of action (1:208)
Action taken to either prevent or respond to an attack.
Decisive Leadership (4:29)
Adding value as a leader largely depends on your ability to make decisive decisions. "Decisive" doesn't mean quick decisions
Secure Development Standards (3:151)
After the policy statement that defines the high-level activities that need to be conducted, the next level down defines the standards
Handling Exception Requests (3:165)
All exception requests should include Business Justification, Assessment of risk, and Compensating controls
Innovation (2:83)
Anything new & useful; 3 types are business model, process, product or service.
Team Styles, diversify (4:65)
As a leader you want to have a wide variety of team members, contributors, collaborators, communicators, and challengers.
Vision Statement Keywords (2:13)
Aspires, Preeminent, Strives to achieve, Sustains growth, Best, Center of Excellence, Inspires, Top performing, Fulfilling, Innovative, Excellent
Security Culture Tip-offs (3:105)
Assess the security posture, the amount of progress an organization has made towards implementing a culture of security.
Framework Categories - Identify (2:96)
Asset Management, Business environment, Governance, Risk Assessment, Risk Management Strategy, Supply chain Risk management
Organizational Assumptions, Beliefs, and Values (ABVs) (3:101)
Assumption - premise that is taken for granted, difficult to change; Belief - state in which a proposition or premise is held to be true; Value - Ideal accepted by an individual/group
COA - Deceive (1:221)
Attackers can be deceived by DNS redirects or honeypots that appear to be part of the real system, but are isolated systems specifically monitored to analyze attacks.
Target Attack - Internal Access (1:174)
Attackers were able to access the billing system and, due to a lack of network segmentation, were able to infiltrate the POS system and install BlackPOS on sales terminals.
COA - Disrupt (1:220)
Attacks can be disrupted using a number of techniques such as in-line antivirus and NIPS. To disrupt the exploitation phase, software can also be built with Data Execution Prevention, a feature that marks certain areas of memory as "non-executable".
Measure and enforce Compliance (3:52)
Automate the process over time and retain the information in a governance, risk and compliance (GRC) database or an equivalent for your organization.
Policy Awareness & Training (3:160)
Awareness - description of risks, new employee onboarding, annual awareness training, regular quiz on key elements of policy, tip of the day; Training - provide skills so people can follow the policy, outline procedures that support the policy, instruct where to go for additional support.
Blake Mouton Managerial Model (4:24)
Based on two behavioral dimensions - concern for people and concern for results; identifies five different combinations of the two; identifies the leadership styles they produce.
How to make people like you (4:15)
Become genuinely interested in others; remember that a person's name is the sweetest and most important sound; be a good listener; talk in terms of the other person's interests
How to change people without causing resentment (4:18)
Begin with praise and honest appreciation; call attention to other people's mistakes indirectly; talk about your own mistakes first; ask questions instead of giving orders; let the other person save face; praise every improvement; give the other person a fine reputation to live up to; encourage him or her by making their faults seem easy to correct; make the person happy about doing what you suggest.
Mission statement Keywords (2:19)
Branding, Consistency, Core, Detail, Dominant player, Enterprising, Innovation, Inspire, Profit, Quality, Research, Service, Social Responsibility, Opportunity
Update Policy to address current risks (3:133)
Business email compromise is an issue that requires a change in business policy.
Business Case (Business Innovation approach) (2:151)
Business opportunities; business requirements; business risk
Compelling Vision (4:52)
Can inspire people to action, change behavior, and cause people to rise to a higher calling and intuitively follow a pathway that's been created as a result of a vision. After the vision is clear, the "how" almost takes care of itself. Provides motivation and inspiration that can keep us going no matter what lies ahead.
Security Culture (3:103)
Cannot be outside cultural norms of organization, or it will not be followed.
Business case (what is it) (2:137)
Captures the reason for an initiative and lays out a problem and the potential solutions. Includes underlying assumptions and rationale.
CIS Security Controls (2:109)
Center for Internet Security; security controls developed and maintained by the CIS, and a subset of the comprehensive catalog in NIST SP 800-53
Leading others (4:11)
Coaching & developing others, building and maintaining relationships; conflict resolution; innovation and problem solving
Risk Analysis (1:197)
Combination of the impact and likelihood of an event; or to analyze the vulnerability and threat components.
Leading the organization (4:11)
Communicating vision; strategic alignment, talent strategy, leading culture
Business Case (Industry comparison approach - Maturity Comparison) (2:146)
Comparing your security program to others, via Information Sharing & Analysis Centers (ISAC), Community projects, Research and consulting organizations.
Concepts (4:20)
Concepts - define what products or services the organization will offer and the methods and processes for conducting business.
STIX - Indicator (1:208)
Contains a pattern that can be used to detect suspicious or malicious cyber activity
Gap analysis (2:115)
Contains three steps: 1 - Identify the future state; 2 - Analyze the current situation; 3 - Define actions/proposals that bridge the gap between current and future state.
Business Case (Different approaches) (2:139)
Cost approach - how much does it cost to recover? Industry comparison approach - what are comparable firms doing? Business innovation approach - what can I gain from this?
Intangible assets (1:183)
Could include customer data - PII, credit cards, contact info; Employee data - PII, HR data and internal email communications; Intellectual Property - any "creation of the mind" such as music, literature, source code, and courseware, also including patents, trademarks, copyrights, & trade secrets; Business proprietary information - business processes, contracts, mergers & acquisitions & even general business know how.
Organizational Position (3:146)
Create a clear and simple position statement
Disruptive innovation (2:84)
Creates a new market, eventually displacing old or outdated technology or process. Examples: cars (mass produced), digital music, digital photography, PCs, smartphones, telephones, Wikipedia
Threat Analysis based on IOC's
Creates an intel feedback loop; forces attackers to adjust TTPs; results in increased resilience
Business Email Compromise (3:132)
Criminals spoof email communications from executives.
Document History (3:94)
Current version info; Version history; Cancellation / expiration date
Market/communicate to customers (2:237)
Customer recognition; Invite customers to key conferences; security awareness & training.
Email Risks (3:127)
Data loss; fraudulent activity; and improper use that can be caused by a variety of actions such as maliciously or negligently forwarding sensitive documents, phishing/spear phishing, and general inappropriate use.
Tips for using CyberSecurity Framework (2:99)
Defines a comprehensive set of activities that can be conducted by your security program. New programs can use the framework as a guiding light
Measuring Maturity (2:100)
Defines four implementation tiers that represent an "increasing degree of rigor and sophistication in cybersecurity risk management practices." Tier 1 - Partial; Tier 2 - Risk informed; Tier 3 - Repeatable; Tier 4 - Adaptive
Capability Maturity Model Integration (CMMI) (2:104)
Defines what should be done to improve performance. Defines 5 maturity levels and 3 areas of focus: CMMI for Development (CMMI-DEV) for product and service development, CMMI for Services (CMMI-SVC) for service establishment and management, and CMMI for Acquisition (CMMI-ACQ) for product and service acquisition.
Moore's Law (2:77)
Describes a long-term trend in the history of computing hardware: the number of transistors that can be placed inexpensively on an integrated circuit has doubled approximately every 2 years.
Security Policy Governance Life Cycle (3:35)
Develop - initial process to document drafts and revisions of security policies for ratification and adoption; Socialize - distribute policies electronically or through awareness training, employee onboarding; Measure - Ongoing effort to review compliance to policies and to provide enforcement mechanisms to change behavior; Assess - reviewing policies as internal processes evolve, technology changes emerge, or new threats expose the organization to additional risks
PFF -Porter's Five Forces (1:47)
Developed by Michael E. Porter in 1979, an authority on competitive strategy and economic development. Method used to develop business strategy by understanding where power lies in a business situation.
Security Roadmap (2:126)
Developing a plan of action for the security program
DRIVE the Vision (2:10)
Directional - where the organization is going; Relevant - looks at the history, current state, culture, and values, ensuring that it's not only visible but authentic and true to the organization; Inspirational - inspires commitment to a shared goal; Vivid - clear details to make it concrete; Extremely bold - seems almost impossible to achieve, audacious
Marketing objectives - Promote (2:234)
Distribution strategy - determine how your message will reach your audience.
cone of plausibility (2:74)
You don't have to be pinpoint accurate to gain the benefits of visioning sessions, but you have a good chance at being close enough to position your org for what happens and to take advantage of the perceived opportunity.
Clayton Alderfer ERG (4:45)
ERG also states that more than one need may be influential at the same time. If gratification of a higher-level need is frustrated, the desire to satisfy a lower-level need will increase.
European Union: Privacy (3:25)
EU-US Privacy Shield is a framework for transferring data from EU entities to the US.
Dale Carnegie(4:13)
Early pioneer in leadership competencies; became famous for showing others how to become successful. "Believe that you will succeed, and you will." and "Learn to love, respect and enjoy other people."
Political Framework (4:23)
Effective leadership - the leader is an advocate whose leadership style is coalition building. Ineffective leadership - the leader is a hustler whose leadership style is manipulation.
Enforcement Responsibilities (3:162)
Empower users to enforce controls on themselves by utilizing services responsibly.
Leading the self (4:11)
Establishing credibility; delivering results; embracing flexibility; interpersonal savvy
NotPetya - Attack Tools (1:161)
EternalBlue - takes advantage of an unpatched Windows Server Message Block (SMB) vulnerability that allows remote code execution; Mimikatz - automates collection of secrets on Windows including passwords, certificates, LanMan hashes, NTLM hashes, and Kerberos tickets.
Roles, Define (3:157)
Executive Management; Security Personnel (security program managers and security officers); Business Unit Managers; System Administrators/IT Support; Lower-Level Operational Managers/System Users.
Business Case (Elements) (2:153)
Executive Summary - written for key decision makers; summarizes the problem at hand, your assessment of the situation, and your recommendation; Introduction - provides background info about business drivers and the threat landscape; Analysis - the meat of your business case; includes any assumptions you have made in your model, the cost/benefit analysis, and dependencies/synergies; Appendix - largely depends on what stakeholders want to see and are interested in.
Metrics Communications Guidelines (2:199)
Executive/Balanced Scorecards; Operations/Security Dashboards; Technical/Charts and graphs
VERIS Threat Actors (1:133)
External - threats from sources outside the organization; Internal - threats from within organization; Partner - third party business relationships
SWOT: Threats (2:53)
External factors that might be potential sources of failure, place the group's mission or operation at risk, and should be managed or eliminated as soon as possible through contingency planning
F.O.R.M (4:15)
F - Family: where are you from? O - Occupation: what do you do for a living? R - Recreation: what do you do for fun? M - Motivation: what interests do you have, why are they in town?
RTGL - Challenge the Process (4:59)
Find a process that you believe needs to be improved the most
COA - Deny (1:220)
Firewalls, ACLs, NIPS, proxy filtering, and antivirus can provide a means to block attacks, as can patching vulnerabilities and running in a "chroot" jail, which prevents software from accessing files outside its own root directory.
Policy Hierarchy (3:124)
First step in policy assessment is to ensure you understand where the policy fits in the hierarchy.
Hedgehog Concept (2:80)
Focus on doing one thing extremely well, and understand 3 things; what are you passionate about; what can you be the best in the world at; what drives your economic engine.
VERIS Community Database(1:132)
Free repository of publicly reported security incidents
Power versus Leadership (4:31)
Goal Compatibility - power focuses on intimidation; leadership requires congruence. Influence - power maximizes the importance of lateral and upward influence; leadership focuses on downward influence. Compliance - power focuses on tactics for gaining compliance; leadership focuses on answers/solutions.
PEST - P - Political (1:65,69,71)
Government regulations and legal factors that affect the business environment and trade market, which will likely have a trickle-down impact on your company
STIX - Campaign (1:208)
Grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets
European Union:GDPR(3:23-24)
Harmonizing 27 national data protection regulations into one; improving user control of personal data; making it easier for businesses to work with a single supervisory authority as a "one stop shop" for privacy complaints.
Value statement - purpose (2:39)
Help understand the culture of your org, Critical to current state analysis, Guiding principles to help you achieve your vision, Foundation of organizational culture.
NIST - Framework Core (cont'd) (2:94)
Helps organizations describe the current cybersecurity posture, describe their target state for cybersecurity, Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; assess progress towards the target state; Communicate among internal and external stakeholders about cybersecurity risk.
PEST Analysis - Why (1:66)
Helps you understand macro trends of external environment in which your company operates, and it provides an understanding of risks associated with market growth or decline and your company's position and potential direction
PEST - T - Technological (1:65,81)
How technology can either positively or negatively impact a business and the products and/or services it provides, e.g. technology advancements, life cycle of technologies, technology innovation
BHAG (Big Hairy Audacious Goal) (2:81)
Huge and daunting goal; Defines visionary goals and common envisioned future. Understanding what you can be the best at.
Herzberg's Hygiene & Motivational factors (4:39)
Hygiene (working conditions - dissatisfiers) - people are dissatisfied by a bad environment, but are seldom made satisfied by a good one. Hygiene factors operate independently of motivation factors.
Define approval process (3:158)
ID stakeholders required for approval; run policy by legal before sending it out for approval; complete the entire policy and submit for review/revisions.
Fazio Mechanical Services (1:173)
Identified as a Target vendor and exploited via a phishing email to a Fazio employee
NIST - Framework Core (2:94)
Identify - planning activities to understand business needs and threats so they can be prioritized; Protect - activities that prevent or contain the impact of security incidents; Detect - activities that identify security incidents; Respond - incident response activities; Recover - activities that restore normal operations and reduce the impact of security incidents.
Coercive Management Style (3:107)
Identify management style of your organization
Gather data (3:113)
Identify requirements by gathering organizational data, e.g. interviews, industry trends, gap analysis, audit findings, review of the security program and activities.
Create policies for your business (3:48)
Identify the applicable legal, contractual, or regulatory controls for your industry.
Marketing objectives - Audience (2:219)
Identify your target market/audience. People/organizations that are key to your continued success, such as executives, business units, employees, and customers.
SMS - Phase 1(1:98,99)
Identifying stakeholders - hold a meeting with your team of managers and staff to brainstorm who key stakeholders might be
Albert Einstein (2:225)
If you can't explain it simply, you don't understand it well enough.
PFF - Power of Customers (1:47)
Impact customers have on your business. This force is driven by the number of customers you have, their importance to your business, and the cost of switching them from you to another company.
Gemba board (2:187)
Includes 5 distinct areas of the security department: Security - data capturing the risk assessments, attacks, incidents, and other threat and business metrics; Quality - performance metrics, such as SLAs; Delivery - metrics about roadmaps, milestones, and the complete schedule for security initiatives; Cost - info about budget, costs, and life cycle projects; People - training schedule, on-call contact info, other relevant information.
STIX - identity (1:208)
Individuals, organizations, or groups, as well as classes of individuals, organizations, or groups
STIX - Threat Actor(1:208)
Individuals, groups, or organizations believed to be operating with malicious intent
Embrace Style & Diversity (4:67)
Interpersonal Skills come from recognizing diversity among people; diversity makes an organization effective. Organization needs controllers, thinkers, dreamers, doers, analyzers, organizers, and team builders to reach goals that make it the best.
Inverted Policy Pyramid (3:40)
Inverted audience (people) specific pyramid reflects the concept that, in an organization, instructions are intended for all employees but narrow in a descending manner, because the requirements become more specific to the employees responsible for the function/task to be completed.
Risk Analysis (3:118)
A key administrative control at our disposal is creating policy that helps manage the risk. This can be less costly than purchasing and implementing a new technology control.
Consider all use cases (3:119)
Key to writing good policy is to think through all the possible cases.
Enterprise Strategy Group (ESG) Security model (2:103)
Lays out a progression for basic, progressing, and advanced organizations in 4 categories - Philosophy, People, Process, Technology
STIX - Tool (1:208)
Legitimate software that can be used by threat actors to perform attacks
Capability Maturity Model Integration (CMMI) Maturity Levels (2:105)
Level 1 - initial, Level 2 - Repeatable, Level 3 - Defined, Level 4 - Managed, Level 5 - Optimizing.
PFF - Competitive Rivalry (1:48)
Look at the competition and their capabilities. If no one can do what you do, e.g. products/services, you will have tremendous strength
PEST - S - Social (1:65,78)
Looks at cultural aspects of the market and how they affect demand for a company's products and/or services; examines customer needs and determines what incents them to make purchases
SMS - Phase 3 (1:120)
Managing relationships is critical to the success of every project in every organization, so developing a relationship plan can help you manage your relationships
PEST Analysis (1:65)
Management tool to identify external forces that impact a particular market, industry, or country.
McGregor Theory Y (4:43)
Managers believe that most people will want to do well at work. They believe that the satisfaction of doing a good job is strong motivation.
Business Case (How to deliver) (2:158)
Map current capabilities to maturity levels; Prioritize new initiatives to increase maturity.
SMS - Phase 2 - Step 2 (1:114)
Mapping Power and Interest - three levels of power veto, vote, voice; Three levels of interest - High, medium, low
Mapping Controls to the Security Framework (2:110)
Maps the CSC to other commonly used security frameworks, compliance standards, and control guidance.
Market & Communicate to employees (2:235)
Market to current employees to retain talent; market to future employees to attract top talent
Inappropriate Use (sexting) (3:139)
May lead to sexual harassment lawsuits, public exposure, brand damage, and relationship damage. All these activities fall under the AUP and are driven by HR.
Technical Metrics (what's wrong) (2:167)
Message is often diluted and not business consumable; such metrics do not measure progress or demonstrate value
Measures, Metrics, and Key Performance Indicators (KPIs) (2:169)
Metrics are measurements that use a baseline to establish normal operating levels & uses this baseline to compare when something is off; Measurements provide a snapshot in time view of specific discrete factors. KPIs are performance metrics that illustrate progress towards a stated outcome.
Mobile Device Risks (3:135)
Mobile devices cause a number of issues; use of personal devices without standard, centralized security controls, misconfigured devices that result in a control deficiency, use of insecure mobile applications.
Leadership Models (4:21)
Models help to understand what makes leaders act the way they do in certain situations. The point is not to lock yourself into a type of behavior discussed in the model, but to realize that every situation calls for a different approach or behavior.
Douglas McGregor on Teams (4:64)
Most teams aren't teams at all but merely collections of individual relationships with the boss. Each individual vying with others for power, prestige, and position
Embrace Style & Diversity (4:69)
Most work place problems
Herzberg's Hygiene & Motivational factors (4:40)
Motivators (Satisfiers/recognition) - Provide job enrichment. Long term motivation provided by growth, responsibility, job challenges
Mission Statements, Departmental (2:21)
Must be aligned with the mission of the larger organization
Metric Pitfalls to avoid (2:200)
Not getting leadership support - gain support before you develop your metrics program; too much info too soon - be selective what you display; wrong info - ensure you are displaying the appropriate information to the appropriate audience; inaccurate/misleading and/or incomplete info - always validate information prior to dissemination.
Business Case (Cost approach) (2:140-141)
Numbers include direct and indirect costs, e.g. engaging forensics experts, credit monitoring, in-house investigations and communication, and the extrapolated value of customer loss. Issues that may arise: numbers aren't always accurate (over/under estimates).
Socialize the Approved Policy (3:159)
Once approved, ensure it's distributed to all parties affected.
External Threat Intel Sources (1:209)
Open: SANS, OSINT, MITRE, CERTs; Private: FS-ISAC, NH-ISAC, REN-ISAC; Commercial: AlienVault, Anomali, CrowdStrike, Dell SecureWorks, FireEye/Mandiant, McAfee, OpenDNS/Cisco, Palo Alto, Recorded Future, iDefense/Accenture
CTI - Operational (1:206)
Operational staff look for trends in an adversary's operation or campaign
McGregor Theory X (4:42)
People have an inherent dislike for work and will avoid it when possible; people must be coerced, controlled, directed, or threatened with punishment to get them to achieve the organizational objectives; people prefer to be directed, do not want responsibility, and have little to no ambition; people seek security above all else.
SMS - Stakeholder(1:95)
People or groups with a vested interest in the success of your strategy and who will affect or be affected by your team's work.
Rewards (4:21)
People tend to do what they are rewarded for - and friendship is a powerful reward
Organizational Culture (3:104)
Personality of the organization, comprised of the assumptions, values, norms, and tangible signs of organization members and their behaviors.
Policy Enforcement (3:154)
Policies have a statement that failure to follow this policy can result in discipline up to and including termination.
Policy Life Cycle Management (3:168)
Policies must be updated based on evolving business requirements and technology/risks change.
Expiration Date (3:166)
Policies need to be reviewed regularly to determine if the risk is still valid and whether the controls work. Should be reviewed or rewritten when changes occur, annually or biannually.
Responsible Parties (3:98)
Policies should define who is responsible for executing and enforcing the items defined in the policy statements. Responsibility for assessing, monitoring, and auditing various controls should be assigned to certain groups like Info Security or Internal Audit.
Compliance by design (3:33)
Policies should force compliance by design, where the desired behavior of incorporating security best practices is woven into the culture of the organization. Comprehensive security policies include understanding the business value, legal & compliance implications, and security program design.
Policies & Risk assessments (3:56-58)
Policies should require risk assessments; assessment results should drive policy; conduct risk assessments.
Creating Effective Security Policies (3:42)
Policies that reduce risk to organization, not increase liability
Culture & Exception Requests (3:110)
Policy exception requests; sudden spike in requests
SMART - Measurable (3:175)
Policy focuses on high goals; procedure focuses on step-by-step instructions; focus on measurable outcomes.
Policy & Power (3:80)
Policy is a trade-off; every time "should" is used instead of "may" you dilute the power of the policy
Enforcement Consequences (3:163)
Policy must include consequences or sanctions in the event of noncompliance
Purpose of Policy (3:209)
Policy protects people so that, to the extent possible, people should be able to work without fear; establishes bounds of behavior. Policy protects the organization - establishes what you must do to protect information stored on computers.
Purpose of Policy (3:4)
Policy protects the organization. Security policy establishes what you must do to protect information stored on computers; will protect company from legal & financial actions.
Secure Development Policy Statement (3:150)
Policy should define various activities that need to be injected throughout the software development life cycle (SDLC)
Policy Assessment (3:203)
Policy statement, or body of the policy, identifies the actual principles of what is to be done. The statement is designed to influence and determine decisions and actions within the scope of coverage.
RTGL - Power & leadership (4:59)
Power refers to a capacity a person has for influencing the behavior of another person so that they act in accordance with certain wishes. Leadership Power is much more than the use of force. It's influencing others to truly want to achieve a goal.
United States: HIPAA (3:16)
Primarily focused on securing PHI. A covered entity must adopt reasonable and appropriate policies and procedures to comply with provisions of the Security Rule.
Policy Pyramid (3:37-39)
Principle, Policy, Standard, Guideline, Procedure, Baseline
SMS - Phase 2 - Step 3 (1:114)
Prioritize Stakeholders - High power/interested people, high power/less interested people, Low power/interested people, Low power/less interested people
Visioning (2:72)
Process of thinking about what the world will be like in the future. Forces you to think about the unknown world
Exception Requests (3:164)
Process that allows the organization to review exception requests enables the organization to make changes over time.
Health care assets (1:190)
Protected Health Information (PHI) - offers financial, credit, and medical fraud opportunities; Personally Identifiable Information (PII) - contains a wealth of customer/patient information; Payment Card Information (PCI) - many rely on credit/debit card sales for prescriptions, co-pays, cafeteria sales, and gift shop sales; Research data - may have unique research data that attackers may want to exploit; Key Systems - attackers may steal data or cause business disruption due to disagreement
Related Documents (3:99)
Provide references to other documents; include - standard references, compliance requirements, other policies/procedures; online policy library
Business Case (Industry comparison approach - Spending Comparison) (2:144)
Provides a rough understanding of organizational maturity and can indicate whether spending has been focused solely on meeting mandatory requirements or has expanded beyond the necessary requirements.
Components of a Policy Document(3:90)
Purpose or Overview; Related Documents; Cancellation; Background; scope; policy statement; responsible parties; action
Policy Components (3:155)
Purpose/Overview; Related Documents; Cancellation; Background; Scope; Responsibility.
Types of Risk assessments (3:59 - 62)
Quantitative Risk Assessments; Qualitative Risk Assessments; Hybrid Risk Assessments / Nontraditional; components of an assessment may include
COA - Degrade (1:220)
Queuing requests or decreasing the quality of service by using tarpits or purposely delaying connections
Levels of policy (3:123)
Regulation/Law; Enterprise-wide/corporate/governing policy; division-wide; local policy; issue-specific; system-specific; procedures
Mission Statement - Purpose (2:14)
Reminds us of our purpose and helps keep the organization on track with what we are and what we do. Keeps from spreading yourself too thin
Elements of Organizational Behavior (4:34)
Rests on management's philosophy, values, vision and goals. Drives organizational culture, which is composed of the formal organization, informal organization, and the social environment.
Mobile Legal Liability (3:138)
Risk of mobile device use while driving
SIPOC - Stakeholder ID Tool
SIPOC (Suppliers, Inputs, Processes, Outputs, & Customers)
Application Security Issues (3:149)
Security Vulnerabilities - Injection, XSS, Broken Access controls; Unpatched dependencies. Identify the issues that can occur if application security is left unaddressed
NIST SP 800-53 (2:108)
Security and Privacy Controls for Federal Information Systems and Organizations; a comprehensive control catalog containing a large number of security controls that you can potentially use in your program.
Metric selection (2:175)
Security metrics, financial metrics, Customer/stakeholder satisfaction & business process - value, invisible value. Ultimately needs to be customized for what's important for each respective group.
CTI - Strategic (1:206)
Senior leadership seeks to understand the larger threat landscape to identify risks to make investment and strategic decisions
Stress (4:41)
Serious cause of issues such as employee burnout and an inability to attract and retain talented professionals. May lead to fatigue, depression, and an increased susceptibility to illness. Reducing stress levels will have a positive impact on productivity
RTGL - Inspire a shared vision (4:59)
Share your vision for improvement in words your followers can understand
Climate (4:21)
Short-term phenomenon created by the current leadership and represents employee beliefs about the "feel" of the organization. It is directly related to the leadership and management style of the leader, which is, in turn, based on the values, attributes, skills, actions, and priorities of the leader
Verizon Data Breach Investigations Report (1:14)
Shows the percentages of breaches per threat action, i.e. Hacking, malware, social engineering
Making Ideas stick (2:224)
Simple - find the core of your idea; Unexpected - Grab attention with surprise; Concrete - Make sure they can be grasped & remembered; Credible - make an idea believable; Emotional - Help people see the importance; Stories - use narrative.
Leonardo da Vinci (2:233)
Simplicity is the ultimate form of sophistication
Organizational Adoption (3:51)
Socialize policies with everyone in the organization. To ensure they are followed, you must ensure they are easily read, found, and understood.
SMART Approach (3:170)
Specific - targets specific area; Measurable - can be quantified to show progress; Achievable - is attainable and action oriented; Realistic - Can be achieved using available resources; Time Based - Defines what can be achieved in a given time period
Tips for identifying crown jewels (1:187)
Start with business problem, not IT problem, take an enterprise wide review, engage stakeholders from different business units, product development, and risk along with security & IT
security controls (2:107)
Strong security controls are the foundation of any program. Examples include NIST SP 800-53, Critical Security Controls (CSC), Australian Signals Directorate (ASD) Mitigation strategies
Target Attack - Missed alerts (1:174)
Target employees ignored security alerts that were meant to inform the Security Operation Center.
Organized Crime (1:169-179)
Target suffered largest retail attack in US history. After conducting recon, intruders attacked a trusted vendor using a
Authoritarian Leader (4:24)
Task-oriented and hard on their workers (autocratic). Make little or no allowance for cooperation or collaboration. Heavily task-oriented people are very devoted to schedules
Team Styles: Contributors (4:65)
Task-oriented members who enjoy providing the team with good technical information and data. They push the team to high standards. Don't always see the big picture. Responsible, authoritative, reliable, proficient, & organized
Groups v teams (4:63)
Team: group of people linked in a common purpose; especially appropriate for conducting tasks that are high in complexity and have interdependent sub-tasks. People coming together to collaborate in order to reach a shared goal or complete a task for which they hold themselves accountable. Group: number of individuals having some unifying relationship. A group of people is not a team.
SMS - stakeholder management strategy(1:91)
Technology deployment could impact not only security, but also the enterprise. All stakeholders and impact need to be identified and managed
PFF - Substitute Products (1:48)
The ability for your customer to find substitute products or an easier way to do what you do
PEST - E - Economic (1:65,74)
The overall health of the economy and how these factors influence companies, organizations, and their decisions.
Maturity Models - Types (2:101/2)
These provide a way to measure organizational capabilities and identify areas for improvement. Examples include Capability Maturity Model Integration (CMMI), ESG Maturity Model, Gartner ITScore, CyberSecurity Capability Maturity Model (C2M2), Building Security in Maturity Model (BSIMM), Open Software Assurance Maturity Model (OpenSAMM), Capability Immaturity Model (CIMM) - 4 Levels - Level 0 to 3
Executives Unique - three things (2:220)
They impact or provide oversight and are accountable for nearly every aspect of the work that you do. Executives are busy, required to make rapid decisions with limited information, have a complex enterprise to run.
Creating a vision begins w/ a thought (4:45)
Thinking skills can be considered directional skills because they set the direction for your organization. Find vision by reaching for any available reason to change, grow, and improve
SIPOC - Suppliers (1:102,112)
Those people/groups who provide inputs
Winning Organizational Trust & Confidence (4:58)
Three critical areas were the key to winning organizational trust/confidence - Helping employees understand the company's overall business strategy - Helping employees understand how they contribute to achieving key business objectives - Sharing information with employees on both how the company is doing and how an employee's own division is doing, relative to strategic business objectives
Leadership traits, Attributes, and Competencies (4:10)
Traits - ingrained behaviors, difficult to change; leadership traits: strong, confident, secure. Attributes - not ingrained but learned over time, in part from external experiences; leadership attributes: motivation, enthusiasm, visionary. Competencies - combination of skills and behaviors, easily identified and measured; leadership competencies: managing change, influence, setting vision and strategy.
Translating Security Vision and Strategy (1:194)
Translate your strategic objectives into your Security Vision & Strategy in order to ensure the output of your Scorecard is meaningful.
Fundamentals for handling People (4:14)
Try to understand the other person - Don't criticize, condemn, or complain; Figure out why the person does what he or she does; give honest and sincere appreciation; Arouse in the other person an eager want.
Security Controls (3:131)
Two Types - Technical/Administrative; Data Loss prevention, Spam filtering, Anti-malware, Encryption/Email signing, Restricting access, multifactor authentication, secure email portal; Awareness/Education & Phishing campaigns.
Policy Enforcement (3:95)
Typical penalty or sanction defined in policy; is this a reasonable penalty; penalties should be even-handed.
SMS - Phase 2 - Step 1 (1:114)
Understand stakeholders - meeting with them will help you better understand what motivates them, what they want/need from you, what interests they have in your work.
How to develop an understanding of threats (1:129)
Understand threat actors - think like your adversaries and understand their motivations; Business assets - identify critical business assets; Analyzing threats - understanding adversary TTPs will help build defense
SMS - Phase 2 (1:114)
Understanding Stakeholder motivation
Threat Analysis (1:198)
By understanding the TTPs of threat actors, various indicators of compromise (IOCs) can be identified to create "intel-driven computer network defense"
Define Current state (2:4)
Understanding what the company is trying to achieve - know the vision and mission; Understand how you operate - knowing the organizational values & culture; Understand where you are strong & weak - complete SWOT analysis.
SWOT: Weakness (2:53/61)
Unfavorable conditions of business that put you at a disadvantage or detract from your ability to achieve your desired goal. Should be mitigated as soon as possible
Values (4:20)
Values - reflect the concern the organization has for its employees, customers, investors, vendors, and the surrounding community
Maslow's Hierarchy of Needs (4:36)
Values, beliefs, and customs differ from country to country and group to group, but all people have similar needs. You must understand these needs because they are powerful motivators
NotPetya (1:156)
Variant of Petya ransomware; encrypted Master Boot Record (MBR); not intended to collect ransom; most expensive cyber attack in history causing $10 billion in damages
COA - Course of Action Matrix (1:220)
Various techniques that can be used against attackers during various phases of the kill chain
Verizon DBIR (1:132)
Verizon Data Breach Investigations Report - standard way to analyze incidents; mapped and recoded incidents from other frameworks
VERIS (1:132)
Vocabulary for Event Recording and Incident Sharing - defines a schema and set of metrics to describe security incidents in a structured and repeatable manner.
COA - Detect (1:220)
Web & Audit logs, along with NIDS/HIDS systems, provide a wealth of information about potential attacker activity.
Goal for Board meeting (2:222)
What do you want from executives; they feel confident in your abilities; provide a high-level overview.
Business Case (Industry comparison approach) (2:144)
What is reasonable for security based on Industry, size, market position, region; and can be analyzed by Spending and Maturity comparisons
Organizational Structure (2:43)
What part does IT Security play in the organization's strategic plan?; Where should IT security report to within the organization?; How well does IT interface with HR?
Vision Statement - Purpose (2:8)
What the company hopes to be when it "grows up"
Mission Statement (2:7)
What the organization does today - its current purpose, what it does and for whom
Vision Statement (2:7)
What the organization wants to be in the longer term - its goals and aspirations; the "why" the company exists and its noble, seemingly unreachable goal
Protect Data: Technology Disposal Example (3:10)
When tech assets reach their end of life they should be properly disposed of.
RTGL - Model the way (4:59)
When the process gets tough, get your hands dirty. Bosses tell people what to do, leaders show how it's done
risk capacity (3:69)
absolute maximum risk the organization can incur
Team Styles: Challengers (4:65)
adventurers who question the goals, methods, and ethics of the team. Willing to disagree with the leader and higher authorities and encourage the team to take well-conceived risks. May not know when to shut up/stop and try to push leadership too far. Honest, outspoken, principled, and ethical
IKC - Installation (1:200)
after gaining access via exploited vulnerability, attackers can now install malware on system to maintain persistence
IKC - Exploitation (1:200)
after payload delivery, attachment is executed to exploit a vulnerability on target system
Marketing (2:209)
all the activities you can do internally and/or externally to build or enhance your brand and promote the value of your security organization. Limited only by the activities you decide to take on in your marketing efforts and the # of people/groups you determine should hear your message.
Delegative (free rein) (4:27)
allows employees to make the decision, but the leader is still responsible for decisions that are made.
SMART - Specific (3:171)
amount of specificity that you put into policy depends on your organization. Level of specificity also depends on the type of policy.
roles (4:20)
are the positions that are defined by a set of expectations about the behavior of any employee on the job. Each has a set of tasks and responsibilities that may or may not be spelled out. Roles have a powerful effect on behavior because money is paid for their performance
Metrics Hierarchy (2:180)
arrangement/classification diagram designed to help you identify the functional relationships among technical, operational, and executive design elements related to your metrics program.
RTGL - Road to great leadership (4:59)
there is an art to leadership, and leadership is a demanding yet rewarding challenge; it requires not thinking only of yourself but also of the entire team.
Organizational Transformation (1:8)
as a leader you must strive to lead, motivate, and inspire your team members and colleagues to accomplish their goals of the overall strategic planning process
IKC - Recon (1:200)
attackers conduct research and identify targets. Can be done by searching websites, social media, and mailing lists to harvest information about relationships and technologies used by target
IKC - Delivery (1:200)
attackers deliver payload to the target typically via email or web. May also be delivered via USB
IKC - Command & Control (1:201)
backdoor allows for command and control abilities that enable remote manipulation by the attackers
Instrumentality (belief) (4:46)
belief that the reward will be received after the task is completed (will they notice I put in effort)
CTI - Cyber Threat Intel (1:206)
collection, classification, and exploitation of knowledge about adversaries that helps defenders reduce their likelihood of success with each subsequent intrusion attempt.
Vertical Business Model (1:45)
combines multiple steps in a value chain into one organization e.g. development -> distro
STIX - Observed Data (1:208)
conveys info observed on a system or network (e.g., IP address)
IKC - Weaponization (1:200)
create a payload that can be delivered to the target
Risk Appetite Statement (RAS) (3:67)
critical policy that defines the amount and types of risks that the organization is willing to take to meet business objectives. Highest-level statement, approved by the board/senior leadership, that establishes metrics, exposure limits, and a process to ensure that risk is held within acceptable levels.
Jobs to be done Theory (2:86)
customers don't just buy products, they hire solutions to get jobs done. Provides insight into what customers actually want and value
Strategic planning (1:8)
deep analysis and understanding of the state of business and the threats faced by the organization
SIPOC - Processes (1:102,106)
defined series of activities;
Intrusion Kill Chain (1:199-200)
defines a seven step process that attackers follow to achieve their goal.
STIX (1:206)
defines a language that enables you to specify and communicate standardized cyber threat information. Sponsored by DHS as an open community effort
Relationships (4:20)
determined by the tasks involved in playing a role. most are carried out in relationship with others.
Value to the organization (1:8)
develop your objectives based on the organization's vision and mission, stake holder risk appetite and opportunities
Sustaining innovation (2:84)
does not create a new market but simply evolves or improves upon an existing technology or process
Policies Should reduce risk (3:44)
draft security policies that align with the applicable legal, contractual, or regulatory controls for your industry
Symbolic Framework (4:23)
effective leadership - leader is a prophet whose leadership style is inspiration/vision. ineffective leadership - leader is a fanatic or fool whose leadership style is characterized by smoke and mirrors.
Security Metrics (Importance) (2:162)
essential to understanding all aspects of the "business of security" and its processes, and progress toward pre-defined goals addressing security risks and posture
What type of Policy (3:143)
establishing the boundaries of acceptable behavior. Goal of this policy would be to protect the company.
Driving engagement (1:8)
execute on the plan by navigating the internal values and culture, developing a business case to get support and funding, and promoting your activities
SWOT: Opportunities (2:53/63)
external factors that the organization might leverage or propel to your advantage
SWOT: Strengths (2:53/59)
favorable characteristics of the business that are working well; these will work to your advantage
Mary Ellen Brantley (4:66)
five types of critical team players 1. Icebreakers 2. Sherlocks 3. Gurus 4. Straw bosses* 5. Sherpas
Security dashboards (2:183-184)
focus on analysis and trends that impact the overall health of your security organization; designed with the security leader in mind; Financial metrics, customer & stakeholder satisfaction; business processes; security metrics.
Horizontal Business model (1:45)
focus on one area of the value chain e.g. Product development
China Cybersecurity law (3:27)
focus on personal information protection and critical infrastructure protection, which includes "public communication and information services, power, traffic, water, finance, public service, electronic governance and other critical information infrastructure."
Documentation Baseline (3:114)
foundation of evaluating policy, and is made up of several components. Mission statement defines what customers, suppliers, and employees should be able to expect from the organization. Assessment of the organization's security posture
Planning (2:172)
fundamental and will aid in the assurance of your metrics plan success. Also aligns expectations between your team and organization leadership; State your program goals; Define metrics that will help you reach your goals; determine your method - identify metric owners, define metric classification, business purpose, data source, publication frequency, operational definitions, Establish review process, metrics hierarchy classification.
Report the results (3:54)
gather compliance metrics, prioritize displaying the information in a way that executives, middle management, and individual contributors can see and understand at the level appropriate to them individually.
Team Styles: Collaborators (4:65)
goal-directed members who see the vision, mission, and goal for the team. Flexible and open to new ideas, willing to work outside their defined role, and willing to share the limelight with others
STIX - Intrusion Set (1:208)
grouped set of adversarial behaviors and resources with common properties believed to be orchestrated by a single threat actor
Marketing objectives - Niche (2:218)
having a strong value proposition is of critical importance because it sets you apart from other companies and competition.
Business Case (The why?) (2:136)
helps to estimate costs and benefits of various initiatives; Helps management determine resource allocation.
SWOT: Why (2:55)
highlights areas in which major strengths and weaknesses are evident. Highlights opportunities that you may be well positioned to exploit and threats that you would want to manage and eliminate over time. Allows you to refine and focus your strategy.
PFF - Threats of new entrants (1:48)
how easy is it for people to join the market and can they become a threat and compete with your company
PFF - Power Of Suppliers (1:48)
how easy is it for suppliers to influence and drive up your prices. Uniqueness of their products, their strength/control of you
Marketing (the why) (2:210)
imperative to the successful adoption of your strategy/security initiatives and retaining top talent. MAKE SECURITY RELEVANT TO THE BUSINESS AND THE BUSINESS RELEVANT TO SECURITY.
Secure Development Standards: Protecting Data (3:152)
important mechanism for protecting data is to ensure that production data is never used for development and testing
Participative (democratic) (4:27)
includes one or more employees in the decision making process (determining what to do and how to do it) but maintains final decision making authority. essentially allows the employees to become part of the team and in so doing gains the information needed to make a better decision
United States: SOX (Sarbanes-Oxley) (3:20)
intended to provide policies enforcing ethical and honest accounting practices. primary concerns for SOX are the accuracy and honesty of financial reports from publicly traded companies.
Authoritarian (autocratic) (4:27)
is in action when leaders tell their employees what they want done, how they want it done, without getting the advice of the team
Tangible Assets (1:182)
items such as buildings, data centers, hospitals, transportation infrastructure, water treatment facilities, or even residential centers.
SIPOC - Inputs (1:102,111)
key requirements needed for the process to work. Should represent information/materials the suppliers provide to you.
Russia: Data Protection Law (3:29)
laws apply to data operators who process personal data and, similar to other data protection laws, define various restrictions on data processing. Consent is required to process data, and data subjects must be informed about the purpose of the collection, the volume of data used, and the duration that it will be used.
Team Leader (4:24)
lead by positive example; foster team environment in which all team members can reach their highest potential as team members/people
Human Resource Framework (4:22)
leader is a catalyst and servant whose leadership style is characterized by supporting, advocating, and empowering employees. An ineffective leadership situation is when the leader is a pushover whose leadership style is abdication and fraud
Impoverished leader (4:25)
leaders use a "delegate and disappear" management style. This style is not committed to either accomplishing tasks or maintaining order, they essentially allow the team to do whatever they want.
Structural Framework (4:22)
leadership style is analysis and design. Most effective when goals and information are clear; when cause-effect relations are well understood; technologies are strong and there is little conflict, low ambiguity, low uncertainty, stable legitimate authority
risk appetite (3:69)
level of risk that the organization will accept to meet business objectives
Culture (4:21)
long-term, complex phenomenon. Represents the shared expectations and self-image of the organization, the mature values that create tradition or "the way we do things here." Collective vision and common folklore that define the institution are a reflection of the culture
Security Metrics (Critical Concern) (2:161)
management needs statistics that are important so they know to pay attention. Solution: provide essential metrics that transform and communicate complicated data into business language
Leadership style (4:26)
manner and approach of providing direction, implementing plans, and motivating people.
Internal threat intel sources (1:210)
many internal logs that can be analyzed for intel; Database, directory, DLP, DNS, Email, Firewall, HR info, IDS/IPS, Malware, Physical Access, VPN, Web/WAF
Mapping strategic objectives (2:193)
mapping your strategic objectives to a Balanced Scorecard quadrants will help you tell your story of how value is created within the security organization.
Marketing objectives - Specify (2:216)
marketing plans need objectives, and a way of measuring success to ensure your marketing efforts are not wasted.
Target Attack -BlackPOS(1:174)
memory scraping malware specifically developed that records all credit and debit cards swiped through the system.
Metrics prioritized (2:178)
metrics must be properly designed - visually appealing and easy to understand; economical to collect - automate and create a repeatable process to eliminate variation; high leverage - focus on collecting the most valuable metrics for each department; and encompass a feedback mechanism.
Porter and Lawler (4:46)
model states that the product of valence, expectancy, and instrumentality is motivation
Measuring Policy (3:161)
monitor adherence to policy by auditing and reporting violations.
Protecting PII (3:11)
must protect SSN and PII from unauthorized disclosure and access.
Board of Directors Concerns (2:221)
must understand their role in the organization, provide oversight & governance, not make day-to-day tactical decisions.
Visioning Techniques (4:56)
need to spend focused time away from all the distractions that can occur in a day, such as individuals stopping by your office without a meeting scheduled, your cell phone, email, or any number of distractions that typically occur on a daily basis. Choose the perfect time of day. Begin by writing down your current reality in as much detail as you can. Lastly, commit to yourself that you will revisit your vision
IKC - Actions on Objectives (1:201)
now with access, attackers can accomplish their ultimate goals; which may include data exfil, service disruption, or even lateral movement within the network.
Rites (4:21)
organizations have their own culture; combinations of founders, past leadership, and current leadership, crises, events, history, and size
Risk Profiles (3:69)
overall risk at any point in time.
Citadel malware (1:173)
password-stealing bot program that is a derivative of Zeus. Attackers were able to harvest credentials Fazio used to access Target's billing system
Country Club leader (4:25)
uses the power of rewards to maintain discipline and encourage the team to accomplish its goals
Technical Measures: CIS Controls (2:163-165)
pre-defined measures for each CIS control
Team Styles: Communicators (4:65)
process-oriented members who are effective listeners and facilitators of involvement, conflict resolution, consensus building, feedback, and the building of informal, relaxed climate. "people person" that are supportive, considerate, relaxed, enthusiastic, and tactful
Security Framework - Need for (2:92)
provide a blueprint for building security programs, managing risk, and communicating about security using a common vocabulary. Examples are ISO 27000, COBIT, ENISA Evaluation Framework, FFIEC Cybersecurity Assessment Tool, NIST Cybersecurity Framework.
Act & advice (4:27)
provides a bit more managerial control, with employees making a recommendation and taking actions unless the manager countermands their decision within a certain period of time.
One Sentence Position Statement (3:128)
purpose of a policy can be best represented by the one-sentence position statement. Email can be utilized as an informal communication mechanism, but the recipient of an email can construe it as an official corporate communication.
SIPOC - Customers (1:102,110)
recipients/users of the outputs produced at every step in the process.
Update policies regularly (3:55)
regularly meet with stakeholders for each of the policies in the organization.
BSIMM Maturity Comparison Model Radar Chart (2:149)
represents organizational maturity level compared to your overall industry for various security capabilities in the protect area of NIST Cybersecurity Framework.
Identify Problem/Risk (2:115)
requirements would be identified via regular processes that we have instituted as part of the security program, such as vulnerability assessments, pen testing, and tabletop exercises.
Security planning - Need (1:11)
requires an understanding of not only security threats and capabilities but also a deep understanding of the business environment & organizational goals.
United States: Gramm-Leach-Bliley (GLBA)
requires financial service organizations to "insure security and confidentiality of customer records and information."
European Union: NIS Directive (3:26)
requires member states to develop a national strategy on the security of network and information systems (including a governance framework), designate a computer security incident response team (CSIRT), and cooperate at a national level.
Protect the organization - comply with laws/regulations (3:14)
review common legal, regulatory, and compliance frameworks.
Balanced scorecard (2:191)
select high-value data that will tell your story in the most compelling manner. Financial Stewardship/Performance, Customer/Stakeholder Satisfaction, Internal Business Process/Efficiency, Learning and Growth / Knowledge & Innovation.
RTGL - Encourage the heart (4:59)
share the glory with your followers' hearts; keep the pains in your own heart
Vendors and Third parties (3:30-32)
shared assessments, BITS framework; SSAE 16 (SOC 1, SOC2 Type I and Type II); ISO/IEC 27000 Series; Privacy Shield; Standard Contractual Clauses and Binding corporate rules; Pen testing; Vuln scans; IT general controls; strong contracts; other considerations.
CTI - Tactical (1:206)
shows foundational consumption and sharing of IOCs and attacker TTPs
TAXII (1:207)
standardizes the automated exchange of cyber threat information; Hub & Spoke - one organization serves as the central hub of information while others can consume or provide info; Source/Subscriber - one organization provides info to subscribers; Peer-to-Peer - two or more organizations share information directly.
One Sentence Position Statement (3:144)
state the core of the organization's position in a single sentence.
Vroom's Expectancy Theory (4:46)
states that an individual will act in a certain way based on the expectation that the act will be followed by a given outcome and on the attractiveness of that outcome to the individual. Motivation consists of (Valence x Expectancy x Instrumentality)
Expectancy (performance) (4:46)
strength of the belief that work-related effort will result in the completion of the task (how hard will I have to work to accomplish my goal?)
SWOT Analysis (2:53)
strengths, weaknesses, opportunities, threats
Organizational behavior (4:34)
study and application of knowledge about how people, individuals, and groups act in organizations, taking a systems approach
Reasonable Person Rule (3:6)
takes into account the foreseeable risk of harm that actions create versus the utility of those actions; the extent of the risk so created; the likelihood such risk will actually cause harm to others; and any alternatives of lesser risk and the cost of those alternatives.
SIPOC - Outputs (1:102,108)
tangible results of the process steps.
Security Metrics (2:160)
the ability to communicate value and risks to your leadership in a manner that is easy to consume, and relevant enough to make well-informed decisions
Valence (reward) (4:46)
the amount of desire for a goal, the emotional outcome (what is the reward the employee values: Money, promotion, time-off, benefits)
Air Force leadership (4:14)
the art of influencing and directing people in a way that will win their obedience, confidence, respect, and loyal cooperation in achieving a common objective
Clayton Alderfer ERG (4:44)
three groups of needs: 1. Existence: concerned with providing the basic requirements for material existence, such as physiological and safety needs 2. Relatedness: centers on or is built on the desire to establish and maintain interpersonal relationships 3. Growth: met by personal development; a person's job, career, or profession provides for significant satisfaction
risk tolerance (3:69)
thresholds that allocate risk appetite to certain types of risk.
Decision Matrix analysis (2:130)
tool utilized to rank initiatives and inform decisions. Categories include Cost, Ability to Execute, Stakeholder Support, and Threat Defense.
Policy protects information (3:12)
two types of information: that which is approved for public release, and everything else.
STIX - Attack Pattern (1:208)
type of TTP that describes ways threat actors attempt to compromise targets
STIX - Malware (1:208)
type of TTP, AKA malicious code or software used to compromise the CIA triangle of a victim's data or system
Cyber threat intel key elements (1:211)
what you should look for from a threat intel source: can be consumed and parsed automatically, uses a standard framework, provides IOCs that can be shared, has the capability to normalize indicators
Metrics Visualization Considerations (2:198)
your reports must be relevant and persuasive. Data must be portrayed in a manner that is visually appealing and logical and that tells your story.