Here are some highlights from Super Cyber Friday “Hacking Extreme Vulnerabilities: An hour of critical thinking about the confluence of concerns across threat actors’ intentions, industry targets, ransomware, and a company’s unique weaknesses.”
Our guests for this discussion were:
- Doug DeMio, CISO, American Family Insurance
- Ed Bellis (@ebellis), CTO and co-founder, Kenna Security (now part of Cisco)
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor Kenna Security (now part of Cisco)

Best Bad Ideas

Congrats to Craig Hurter, director security operations, Colorado Governor’s Office of Information Technology for winning this week’s Best Bad Idea.
Other honorable mentions go to:
“Sprinkle Doritos Xtreme Nacho dust on all vulnerabilities. If they’re ALL extreme, it’s not a problem!” – Valarie Apperson, digital web copywriter, NowSecure
“Jump up and down yelling ‘patch everything’ until you pass out and don’t care anymore.” – John Prokap, leader, IT security & compliance, Success Academy Charter Schools
“Post all vulnerabilities to the dark web and let the hackers help you patch.” – Dustin Sachs, senior manager, information security risk management, World Fuel Services
“Rent a Whack-A-Mole game from Dave & Busters. Assign risks to each mole. Give hammer to CEO. Whatever they hit; you get budget for.” – Dutch Schwartz, principal security specialist, AWS
“Make a list of possible vulnerabilities, seal it in a time capsule… Open it after the company has collapsed to see if any vulnerability made the list.” – Kevin Litzau, IT professional
“Only fix vulnerabilities that your CEO emails you about because they saw it on the news.” – Jonathan Waldrop, senior director, cyber security, Insight Global
10 percent better
“Spend the time to categorize your vulnerabilities by risk/severity, then look at your ability to address them. Address them based on the outcome of your prioritization.” – Craig Hurter, director security operations, Colorado Governor’s Office of Information Technology
“Let the C-Suite know the ‘impact’ to the enterprise so they can task their teams with remediation.” – Craig Hurter, director security operations, Colorado Governor’s Office of Information Technology
“To enrich the business review of the most critical data, assets, and workflows, have your teams use Adam Shostack’s four questions: 1/ What are we working on? 2/ What can go wrong? 3/ What do we do about it? 4/ Did we do it well?” – Dutch Schwartz, principal security specialist, AWS
“Identify critical systems first and then use that to prioritize remediation on exploitable vulnerabilities.” – Jonathan Waldrop, senior director, cyber security, Insight Global
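The tips above (categorize by risk, then rank on critical systems and exploitability rather than raw severity) are easy to state and easy to get wrong in a spreadsheet. The following is an added example, not code from the Super Cyber Friday session, from Kenna Security, or from any of the speakers: a small, self-contained scoring routine whose weights, tier scheme and sample findings are all constructed assumptions, shown only to make the ordering concrete.

```python
"""Added example (not from the Super Cyber Friday page or any sponsor):
rank vulnerability findings by risk, combining asset criticality,
exploitability and exposure with the CVSS base score, instead of sorting
on CVSS alone. Weights, tiers and sample findings are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str                   # constructed label, not a real vulnerability ID
    host: str                 # constructed hostname
    cvss: float               # CVSS base score, 0.0-10.0
    exploit_available: bool   # public exploit code or in-the-wild use is known
    asset_tier: int           # 1 = business-critical, 2 = important, 3 = low impact
    internet_facing: bool


# Assumed weights: how much a finding on each asset tier counts.
TIER_WEIGHT = {1: 1.0, 2: 0.6, 3: 0.3}


def risk_score(f: Finding) -> float:
    """0-100 risk score; exploitability and asset criticality scale the
    CVSS severity so that a weaponised medium on a crown-jewel system
    outranks a theoretical critical on a throwaway box."""
    severity = max(0.0, min(f.cvss, 10.0)) / 10.0        # normalise to 0..1
    exploit = 1.0 if f.exploit_available else 0.3          # unweaponised issues wait
    exposure = 1.0 if f.internet_facing else 0.7           # reachable from outside?
    return round(100 * severity * exploit * TIER_WEIGHT[f.asset_tier] * exposure, 1)


def prioritize(findings):
    """Return findings as a remediation queue, highest risk first;
    ties break on asset tier, then on the constructed id for stability."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset_tier, f.id))


# Constructed sample findings (hosts and ids are invented for illustration).
SAMPLE = [
    Finding("F-1", "test-vm-07", 10.0, False, 3, False),        # top CVSS, test box
    Finding("F-2", "erp-db-01", 7.5, True, 1, False),           # exploited, core system
    Finding("F-3", "customer-portal-01", 9.8, True, 1, True),   # worst case on all axes
    Finding("F-4", "intranet-wiki-01", 5.3, True, 2, True),     # medium, but weaponised
    Finding("F-5", "hr-app-02", 9.0, False, 1, False),          # critical CVSS, no exploit
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.id:4}  {f.host:20}  CVSS {f.cvss}")
```

Note that the CVSS 10.0 finding on the test VM lands last, and the CVSS 7.5 on the ERP database comes second: that inversion is the whole point of prioritizing on business impact and exploitability rather than on the scanner's severity column.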
Quotes from the chat room
“It’s easy to find out if CVSS correlates to real severity: Build a correlation of the severity of your tickets plotted against the CVSS score. In the past when I’ve done that, there is definitely a correlation, but it’s around .6 rather than 1.0.” – Jeff Costlow, deputy CISO, ExtraHop Networks
“If we were producing physical products with the amount of vulnerabilities that we tolerate, we would have disasters everywhere.” – Shawn M. Bowen, VP, information security (CISO), World Fuel Services
“Having a SBOM and plan for validating open source can reduce vulns by a large amount.” – Ryan Cloutier, president, SecurityStudio
“SBOMs are not useful to businesses that are not developing software. CMDBs and ITAM are hard enough. Tracking components would be too much. Buyers of software have to be able to trust the software vendors. Knowing who and what to trust is the problem.” – Peter Schawacker, principal, Blinktag Solutions LLC
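Jeff Costlow's check above (plot ticket severity against CVSS and see how strong the correlation really is) takes only a few lines to run against a ticket export. The following is an added example, not code from the session, from ExtraHop or from any speaker; the ticket data is constructed for illustration, and the 1-4 severity scale and CVSS bands are assumptions.

```python
"""Added example (not from the Super Cyber Friday page or from ExtraHop):
measure how well CVSS base scores track the severity your responders
actually assigned to remediation tickets. Ticket data is constructed."""
from collections import defaultdict
from math import sqrt

# Constructed sample: (CVSS base score, severity assigned after triage,
# 1 = low ... 4 = critical). Two deliberate disagreements are included.
TICKETS = [
    (9.8, 4), (9.1, 4), (8.8, 3), (7.5, 3), (7.2, 2), (6.5, 3),
    (5.3, 2), (5.0, 1), (4.3, 2), (3.1, 1),
    (9.3, 1),   # high CVSS, but the vulnerable code path was unreachable
    (4.0, 3),   # modest CVSS, but it exposed a crown-jewel system
]


def pearson(pairs):
    """Pearson correlation coefficient r for a list of (x, y) pairs.
    r = 1.0 means CVSS predicts ticket severity perfectly; ~0 means it
    tells you nothing about what your team actually treated as severe."""
    n = len(pairs)
    if n < 2:
        raise ValueError("need at least two tickets")
    mx = sum(x for x, _ in pairs) / n
    my = sum(y for _, y in pairs) / n
    sxy = sum((x - mx) * (y - my) for x, y in pairs)
    sxx = sum((x - mx) ** 2 for x, _ in pairs)
    syy = sum((y - my) ** 2 for _, y in pairs)
    if sxx == 0 or syy == 0:
        raise ValueError("one variable is constant; r is undefined")
    return sxy / sqrt(sxx * syy)


def cvss_band(score):
    """CVSS v3 qualitative rating bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def severity_by_band(pairs):
    """Mean assigned ticket severity per CVSS band; a quick way to see
    where the scanner's label and your triage outcome diverge."""
    buckets = defaultdict(list)
    for score, sev in pairs:
        buckets[cvss_band(score)].append(sev)
    return {band: round(sum(v) / len(v), 2) for band, v in buckets.items()}


if __name__ == "__main__":
    print(f"r = {pearson(TICKETS):.2f}")
    for band, mean_sev in severity_by_band(TICKETS).items():
        print(f"{band:9} mean ticket severity {mean_sev}")
```

On this constructed set r comes out near 0.5: the two disagreements alone pull it well below 1.0, which is the shape of result the quote describes. Feed the function a real export of (CVSS, triaged severity) pairs and the number you get is the argument for or against treating the scanner's score as the priority.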