Best moments from “Hacking Security Validation” – Super Cyber Friday

Here is a five-minute highlight reel from Super Cyber Friday “Hacking Security Validation: An hour of critical thinking about verifying the processes you have in place actually work.”

Watch the full video here.

Our guests for this discussion were:

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor Pentera

Align validation to the MITRE ATT&CK framework and the OWASP Top 10. By aligning to industry standards, security teams ensure that their testing covers current adversary techniques. Most attacks succeed by leveraging the most common TTPs, so testing the attack surface against these frameworks provides broad coverage of the adversary techniques seen in the wild. In addition, it allows security executives to report clearly to management on security control efficacy and enterprise readiness against potential threats. Find out more at pentera.io.

Best Bad Idea

Congrats to Mike Wilkes, CISO, SecurityScorecard, for winning this week’s Best Bad Idea.

Other honorable mentions go to:

“Just say ‘We’re the Best!’ often and no additional validation is needed.” – Patrick Benoit, VP, global GRC, BISO, CBRE

“Security and usability are often at odds, so if your user community is angry and frustrated at the security team your controls must be valid.” – Duane Gran, director, information systems and security, Blue Ridge ESOP Associates

“Only validate security controls after you have been hit by ransomware.” – Jay Howard, information technology manager, SPAL Automotive USA

“Only believe controls that a consultant has recommended.” – Ian Poynter, vCISO, Kalahari Security

10 percent better

“Start with your critical and essential systems/applications and then work in concentric circles for the rest of the enterprise based on risk.” – Craig Hurter, director security operations, Colorado Governor’s Office of Information Technology

Quotes from the chat room

“Controls are just paperwork if you cannot confirm that they are effective. So continuous validation or continuous verification is important.” – Mike Wilkes, CISO, SecurityScorecard

“Validate your external-facing attack surface… why leave the doors and windows open?” – Renee Guttmann, former CISO, VC advisor

“IT has a big role to play in this to build the credibility that IT systems are not always fragile and it is OK to plan and have downtime.” – TJ Mann, CISO, Children’s Mercy Kansas City

“Turning off monitoring during a maintenance window is one of my favorite mistakes by an engineering department. Saw that years ago… Great time to attack, of course!” – Mike Wilkes, CISO, SecurityScorecard

“Continuous validation/verification should improve code quality overall… not just security findings/bugs/issues.” – Mike Wilkes, CISO, SecurityScorecard