Start with the basics, stick with the fundamentals, adapt to new technologies

As the threat landscape changes, so too do all the influences that make our job interesting.

Threat actors have found they can run their operations more like a business and often outsource different functions to more capable “businesses”.

The CISO for your organization just saw an amazing new Gartner branded solution that you have to implement immediately.

The CEO of your company is at a trade-show and that sales guy from the VC funded Cyber Firm USA, which is actually a foreign owned company, has told the CEO that his tool will reduce overhead and increase productivity.

The “always on VPN” is rebranded as SASE: a cloud-based VPN to make somebody else more money.

The reality is Cyber begins with the basics:

  • Change vendor provided passwords
  • Segment your network
  • Implement MFA
  • Require strong passwords
  • Review the security settings on your applications
  • Provide your users and team training on what they use
  • Create policies and procedures that protect your business
  • Have a prevention mindset with a DR plan
  • Use Principle of Least Privilege in everything you do

These are just a few things that can be done – BEFORE any vendor calls or solution is implemented.

But my <application name> doesn’t support MFA! Well… is there another application that does? Can your application use OAuth2 or SAML for authentication? Heck, most “free” applications do if you take the time to read the manual.

But my CEO won’t let me configure strong passwords! I used to tell my girlfriend that I was allergic to condoms. It is less about what they want and more about what is appropriate. If they won’t listen or refuse to change – do you really want to stick around? Whose head is going to roll when the encryption takes hold of the network?

We don’t have a budget for training! Really? YouTube is free. Find something that applies to what you want to do and share it! Write your own training for your team. If you can’t teach somebody how to do what you do, do you even know how to do it yourself?

Policies and Procedures suck. Do you have any templates? Yes they do. No I don’t.

Prevention? I have dogs. My yard has a fence. It prevents them from getting out. You have data. It should have controls around it. That will help keep others out.

Principle of Least Privilege…

This is meant to be a fun site – and apologies for bringing in so much not-fun stuff. If you ever hear this, think of it as “do they need this to do their job?” If the answer is no, they don’t have access to it. Does the janitor need a network login? Does the CFO need admin rights to O365? Do your employees need access to HR documents?
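To show what “do they need this to do their job?” looks like when it is written down, here is an added example (not code from the original post): a default-deny permission check plus an audit that lists every grant a user holds beyond what their role needs. The roles, permission names, users and grants are constructed sample data, not a real environment.

```python
"""Default-deny access check and excess-privilege audit.

Added example, not from the original post. The roles, permission names,
users and grants are constructed sample data, not a real environment.
"""
from __future__ import annotations

# Allow-list of what each role needs to do its job (constructed).
# Anything not listed here is refused; a role with an empty set gets nothing.
ROLE_NEEDS: dict[str, set[str]] = {
    "janitor": set(),                                        # no network login at all
    "cfo": {"finance:read", "finance:write", "email:use"},   # finance, but no tenant admin
    "hr": {"hr-docs:read", "hr-docs:write", "email:use"},
    "engineer": {"email:use", "repo:read", "repo:write"},
    "m365-admin": {"email:use", "m365:admin"},
}


def is_allowed(role: str, permission: str) -> bool:
    """Default deny: only permissions explicitly listed for the role are
    granted. Unknown roles and unknown permissions are refused."""
    return permission in ROLE_NEEDS.get(role, set())


def audit_excess(grants: dict[str, set[str]],
                 roles: dict[str, str]) -> dict[str, set[str]]:
    """Return, per user, the permissions they hold that their role does not need.

    Users whose role is unknown are treated as needing nothing, so every
    grant they hold is reported as excess."""
    excess: dict[str, set[str]] = {}
    for user, held in grants.items():
        needed = ROLE_NEEDS.get(roles.get(user, ""), set())
        extra = held - needed
        if extra:
            excess[user] = extra
    return excess


# Constructed sample of who currently holds what, mirroring the questions
# in the post: a CFO with admin rights, a janitor with a login, an
# engineer who can read HR documents.
CURRENT_GRANTS: dict[str, set[str]] = {
    "alice": {"finance:read", "finance:write", "email:use", "m365:admin"},
    "bob": {"email:use"},
    "carol": {"email:use", "repo:read", "repo:write", "hr-docs:read"},
    "dave": {"hr-docs:read", "hr-docs:write", "email:use"},
}
USER_ROLES: dict[str, str] = {
    "alice": "cfo",
    "bob": "janitor",
    "carol": "engineer",
    "dave": "hr",
}


if __name__ == "__main__":
    # Dave holds exactly what HR needs, so he does not appear in the report.
    for user, extra in sorted(audit_excess(CURRENT_GRANTS, USER_ROLES).items()):
        print(f"{user}: remove {sorted(extra)}")
```

The point of the structure is that the allow-list is the only source of truth: a new application or a new role starts with nothing, and the audit is just set subtraction between what is held and what is needed, which is exactly the review you should be able to run before any vendor tool is bought.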

If it is still too difficult to comprehend, or you think it doesn’t apply to your 2 person operation – you are wrong without even knowing it. Do you let your toddlers have keys to the house? If you do, leave.