Red Lion would like to announce the new hiring of Joshua Marpet to the position of Co-Founder / COO. A bit about Josh:
“Joshua Marpet is an accomplished speaker, long-time information and physical security practitioner, as well as a startup CEO and serial entrepreneur. He has presented on topics ranging from Facial Recognition to National Security, to audiences from government agencies and multinational private companies. His research encompasses Digital Forensics, business security maturity, and how not to start an information security business. His conference, Security BSides Delaware, is one of the oldest and largest BSides conferences (shameless plug!!), and he’s exceedingly proud of it. In the venture capital and entrepreneurship world, Josh is also a super-connector. Josh strives to push himself to new heights with every venture and helps all that he can along the way.”
If you want to know more or reach out to Josh, you can email him at firstname.lastname@example.org
Peter Hesse of 10Pearls wrote an article about the future and failure of information security. From Security Today, “Why is the Security Industry Failing?” is a wonderful recitation of the problems besetting the information security industry.
Peter describes the money-hungry vendor culture, where every problem is seen as a potential billion-dollar product or service. He talks about how companies aren’t paying attention to the Top 10, 12, 15, or even 20 security control failures, from whichever creator of those lists you wish to name.
Hesse’s solution is to build security into software. Specifically, he says we need to, “focus on building security into our software applications and technology platforms.” In other words, create secure software and platforms during the development process, do not bolt security on top or add it in hindsight.
You’re right. As it stands now, the typical software application is built to be sold, to send that code out the door as fast as possible so it can generate money for the company. Developers are instructed, “Deploy code quickly,” not “Deploy secure code quickly!” That one word, “secure,” makes all the difference in the world. Bolting on security ex post facto is always worse than building it in. Using sane frameworks, where input sanitization and code/data separation are part of the process? Genius! Using secure hardware with hardware security modules (HSMs), locked-down memory addressing, and very well-tested methodologies for encryption, messaging, and error handling just makes sense.
Now, Peter works for a software development company so his views fit his situation. I bet 10Pearls has fantastic code security policies and tests the heck out of its code. But are all development teams from myriad types of companies that way?
They are not, so… Peter, you’re also wrong, unless you think that all companies will use secure frameworks, will factor in code/data separation, will prioritize user security over immediate profit. To illustrate the point, how many camera companies issued firmware updates after the Mirai botnet was made public? One? Eight? None?!
With the venture capital backed system we have now, coupled with stockholder priorities, it’s a rare company that thinks beyond the end of the current fiscal quarter and the magic “numbers” the company “needs to hit.” It’s difficult for most companies to develop a long-term view of the organization’s growth strategy. Yet a longer term view is absolutely necessary to prioritize security in software, systems, applications, and consumer electronics.
How do we fix the problem? We bake security into the processes, into procedures. We build structures which we slot systems and applications into. We perform that most horrible of rituals, compliance. (But it works, so that’s cool.) We use devices with Mobile Device Management systems, and lock down users’ profiles. Smart admins never log in as an admin and then surf the internet.
In other words, we focus on the fundamentals. We lock things down. We patch. We scan and test. We automate to make systems reproducible, and we segment to localize problems. We follow established standards, perform compliance audits, and prepare for $DEITY knows what, because it will happen.
Peter, until all software is written to a standard, and a standard that you and I can agree on and work with, I know you and I will keep recommending to our clients that they focus on the fundamentals. You know what? Even then, I bet we’ll still keep doing the basics. They work, after all.
If a small business CEO thinks about compliance, he or she might think it’s relegated to big businesses. Who else has the funding, the personnel, and of course, the time to attend to compliance? And does it really matter anyway? Who’s going to come after a small business that doesn’t have a compliance department or deep pockets to sue?
Unfortunately, that’s not the problem. The issue is that a small company has suppliers, customers, and colleagues who are all part of a larger value chain, stretching from supplier to manufacturer to reseller to customer. Every link in the chain communicates with at least one other link. Some of those links are tiny, some are huge. Sometimes the communication is a phone call. Sometimes it’s a wire transfer.
Small Company X may not be the target, but their Huge Customer Q is excellent prey! Remember, this is exactly how Target was hacked a few years back. For companies that think, “We’re too small to make a difference,” this example should serve as official notice.
The value chain problem is old news at this point; we all know how hacks can “travel” from supplier to customer, and so forth.
What is new is the ability of a small company to meet compliance and security needs without having to hire employees, build a department, and trudge through the tiny details themselves. With new GRC tools built as SaaS platforms and priced affordably, it’s possible and relatively straightforward to implement. Add in Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), make them affordable, and now you’re cooking with fire!
So let’s get down to brass tacks: What does it cost to have my security, compliance, and IT handled for me? OK, remember, these are estimated numbers, but here we go. MSPs charge about $100 per person per month. That’s the rule of thumb, so it might be more costly for a complex environment or highly regulated systems.
MSSP charges are a lot more variable. If you want them to only monitor your firewall, that’s a few hundred bucks per month or less. If you want the provider to execute vulnerability scanning and policy review, help you plan your incident response, do forensics, etc., it can range from $2000 per month to $15k per month, or more, depending. But remember, a lot of those costs don’t increase incrementally as you grow; they might only tier when you hit 50 people, 100 people, 250 people, etc.
As for GRC platforms, some of them are built as shrink wrap, but the SaaS options are offered for as low as $20 per person per month.
Let’s forecast the costs for a 25 person company that’s using an MSP for outsourced IT, an MSSP for compliance policy review, vulnerability scanning and management, and a GRC platform that helps everybody get their compliance tasks and evidence handled.
MSP – $100 per person per month × 25 people – $2,500 per month
MSSP – Vulnerability scanning and management, incident response hours, compliance – $4,000 per month, flat rate
GRC – $20 per person per month × 25 people – $500 per month
For approximately $7k a month, you can have your IT, IT security, compliance, and incident response handled. Add in another $10-15k for an annual penetration test and you end up at a yearly total of around $99,000, essentially the cost of a single employee. Because most full time employees also require HR administration and benefits, you could be saving an additional 30% or so on taxes, healthcare, and insurance on top of the person’s salary. Effectively, one headcount cost will handle the majority of your compliance, security, and IT needs, and these programs will be managed by dedicated specialists.
If you’re running a small business you might be thinking, “That’s a chunk of change!” Remember, though, when Target was breached through their small HVAC vendor, it cost Target a lot more than $100,000. And I bet they stopped using that HVAC vendor, which equals a ton of lost revenue for the small company. That one breach might also have cost the HVAC vendor future business relationships. If they were thinking straight, though, once they were notified of their part in the breach they rushed to implement better security controls, bought cyber insurance, and contracted with outside partners to keep systems and compliance up to date. None of that is cheap, and it’s even more costly to add after the organization has already been affected (think: buying health insurance after a preexisting condition versus before).
When you realize that value chains are effectively one entity, all connected, all together, then making sure you’re protected helps not only the value chain you’re in now, but reduces the sales friction for all the value chains you could be in, for those new customers you’d like to conduct business with in the future. Working with suppliers in new verticals also becomes easier because your company can pass compliance and security questionnaires, plus your IT team (the MSP) keeps your technology up to date and within the scope of new regulations. More and more regulations are put in place every month; don’t fall behind.
If all of this sounds like a lot to digest and a huge financial burden, keep in mind that all of the solutions mentioned here are modular. This isn’t an “all or nothing” approach. If your business already employs an IT team, great, you might not need an MSP! Have a compliance officer? You might not need the GRC tool! Etc.
Of course, small businesses could always operate without any security or compliance management. Does anybody know what happened to the HVAC company that facilitated the Target breach? I think they’re actually still in business, but that’s surprising. The statistics tell us that over 70% of small businesses which suffer a cyber incident don’t remain in business.
The interconnectedness of the internet, payment systems, fulfillment houses, and suppliers means that all companies—not just big ones—need to meet basic standards, including minimum viable security and compliance. Value chains will want secure and compliant companies, and shun companies which aren’t.
Simple as that.
Initially released February 6, 2017 for MISTI – Business for Technologists
Technologists are the bedrock of IT and IT security. They innovate, create, build, implement, maintain, and decommission the most amazing software and hardware systems ever compiled. Even something as simple as a file server, which is only supposed to store and back up files, has to deal with firewall rules, authentication, authorization, travel across VPNs, backup/restore, and monstrous amounts of other factors.
Why do technologists struggle to become entrepreneurs? And when they’re embedded in a corporation, why do they have issues getting budget allocated to handle the problems that they, the techie, can clearly see will cause massive issues in the future? Why does senior leadership not understand the problem from the techie’s perspective?
Because business is not tech. Corporations these days look at technology as a cost center unless the business is either a bank or an information security company. Sure they may spend money on the new shiny “next-gen” equipment, but does it really enhance operations? The answer is emphatically “No.”
The structural elements of technology are the pieces that support revenue generation, but they don’t actually generate any revenue on their own. It is the people and other intellectual resources within an organization that make the business run (and generate revenue), with direction from senior leadership.
Yet we see the technologists as the “Entrepreneur-Revolutionaries.” Elon Musk, Mark Zuckerberg, Bill Gates. All techies, all disruptive innovators, all amazing! There’s a catch.
Notice the three entrepreneurs mentioned above? Why do you think there are so few of those types of names that are also household names? Because there aren’t many of them. Like God, Cher, and Superman, there aren’t many immediately recognizable super-beings, super-music, or super-heroes.
“But I have a great idea!!! It solves a big problem I have! I should make a billion dollars!” say more entrepreneurs than we can count. “Who else has that problem? Are there enough of them with enough spend that we can make a billion dollars?” asked every angel investor and VC firm ever.
Technologists spend time thinking about problems and solutions. It’s massively important! But business people, unlike technologists, think about their product or service in terms of who will buy it, who will support it, who will maintain it, and how much it will cost to acquire a customer. There are other considerations too: How to market it, how to brand it, how to protect the intellectual property, and how to raise enough money to get the cash flow working in the corporate favor rather than burning right through all the funds.
Most technologists don’t realize that there are sales leads that need to be generated, contacts that need to be cultivated, and supporting business purchases that need to be made (insurance, legal services, copiers, accounting software, anyone?). All of this sits under the mountain of paperwork that needs to be completed to ensure that one party does not take unfair advantage of the other during the process. If that’s not enough to think about, all of this must meet the goals of the business and be tied to the direction of senior leadership.
Business people can work with technologists to learn how to think about solving technology problems, and how to understand the terminology and thought processes of a technology buyer. To sell the solution properly, discuss it intelligibly, and sustain growth, business people must learn these skills.
Technologists generally have massive issues seeing the bigger picture, just as business people have massive issues understanding the complexities of the technology solutions built. These different ways of thinking are not failures on anyone’s part; in fact, they are learning experiences waiting to happen. Technologists can work with business people to learn how to implement, sell, market and brand a given solution, and then learn how to grow a business based on that solution. Next, they can architect solutions to make it easier for business.
Ultimately, communication is the answer.
About the Authors: Joshua Marpet and Scott Lyons can be found presenting at InfoSec World, and other MISTI conferences, as well as Security BSides Delaware, Derbycon, Defcon, Shmoocon, etc. Ask them business, entrepreneurial, and technology questions. But be ready to get a long answer. Have a drink with you. You’ll need it.
Everyone today wants to start their own business. I mean Dave Kennedy did it, how hard could it be? (Love you, Dave!) So you gather your team. You can do the pen-testing and Jimmy over there can handle Incident Response, right? So what’s the big deal? Why aren’t customers knocking down my door? Don’t they know how awesome we are? Business Development.
No, it’s not a dirty word. BUSINESS DEVELOPMENT is how you make money. It’s how you put food on the table and a roof over your head. You can do the work. Cool! Where’s the work coming from? You know, those things called customers?
Let’s address the mysteries of business development. We will take you from the initial meeting in the boardroom, through identification of stakeholders, getting the Statement of Work hammered out and signed, finding the ideal employee, and getting the job done all while effortlessly making the money.
We will also cover what happens when you screw up each and every single step of the process, as well. (Trust us, you will! We did!) 🙂
We’ll discuss the differences between a product based business and a service based business, explain the process, the funnel, the problems, the success stories. And it’s all real.
Bottom line: Starting a business is easy! Keeping the doors open? Not so much. If it was easy, everyone would do it!? – Albert Einstein, or maybe Abraham Lincoln
Watch a pre-Red Lion Scott Lyons (CEO) and Josh Marpet (COO) present another one of their Business for Technologists talks at Derbycon 6.0 in Louisville, KY below.
Read the full magazine below. Our article starts on page 11:
Posted from: AIDE Website
The legal, IT, business, military, and intelligence communities struggle to keep pace with this flood of technology and to adequately understand the nuances of digital evidence. To serve the public good, practitioners in a variety of disciplines must cooperate and keep current when it comes to technology and the law.
The Appalachian Institute of Digital Evidence is a regional not-for-profit organization dedicated to serving the legal, technical, public sector, and business professionals for whom digital evidence is part and parcel of their work. The AIDE exists to help network administrators, digital forensics practitioners, law enforcement, and legal professionals survive – and even thrive – in the ever-changing landscape where technology and the law meet. Fostering collaboration among practitioners, students, and academics, AIDE aims to improve access to information, develop solutions to practical problems, and narrow the gap between the accessing and use of digital evidence and traditional physical evidence in the law.
Lawyers, judges, digital forensic examiners, network security professionals, and law enforcement personnel are all stakeholders when it comes to digital evidence. AIDE, comprised of three sub-groups (Digital Forensics, Information Security, and Electronic Discovery) is here to serve them.
If digital evidence is a critical part of your profession or field of study, we invite you to join us. AIDE is in its infancy. Help us build a progressive, active, professional organization.
Josh Brunty, from Marshall University, talks about network forensics at AIDE
What does Network Security mean? Network security is an overarching term for the policies and procedures a network administrator implements to prevent and track unauthorized access, exploitation, modification, or denial of the network and its resources. A well-implemented network security program blocks viruses, malware, hackers, and the like from accessing or altering protected information.
Health Check: The first layer of network security is enforced through a username/password mechanism, which grants access only to authenticated users with customized privileges. Once a user is authenticated and granted specific system access, the configured firewall enforces network policy, that is, which services the user may reach. Firewalls do not always detect and stop viruses or harmful malware, however, which may lead to data loss, so anti-virus software or an intrusion prevention system (IPS) is deployed to keep viruses and malware from entering the network. Network security is sometimes confused with information security, which has a different scope and covers the integrity of data in all forms, print or electronic.
Companies must adapt to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies, and individuals. Networks can be private, such as within a company, or open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does what its name says: it secures the network and protects and oversees the operations carried out on it. The most common and simplest way of protecting a network resource is to assign it a unique name and a corresponding password.
When the organization’s policy structure sets clear accountabilities for risk and the compensation system reinforces those accountabilities, there is a positive impact on the organization’s risk awareness and culture. Effectively articulated risk accountabilities lay the groundwork for balancing the entrepreneurial, revenue-generation side of the business and the control, risk oversight side of the business, so that neither one is too disproportionately strong relative to the other. This balance is elusive, which is why a strong foundation of clear accountabilities is vital to any organization.
As healthcare providers rely more and more on evolving technologies to store and transmit their data, compliance has become an increasingly complex landscape to navigate. Managing the security requirements from federal and state agencies and other third parties can be a daunting task, one that consumes considerable energy, expense, and effort. When you consider that healthcare organizations and their IT vendors must not only achieve compliance but prove that they are a trustworthy resource, it’s obvious that the industry needs a system that is clear, efficient and secure. The basic compliance rule book, of course, comes straight from HIPAA. By now experienced providers are familiar with HIPAA’s baseline of requirements; they must ensure the confidentiality, integrity, and availability of any data they create, receive, maintain, or transmit, while providing reasonable protection against threats. This all sounds reasonable enough until providers dig a little deeper for an actionable roadmap and instead find vague language with a lot of loopholes.
Consider, for instance, HIPAA’s guidelines that allow for considerations such as the size, complexity, and capabilities of the organization, including technical infrastructure, hardware, and software capabilities, costs of security measures, and the probability of potential risks when selecting controls to implement. These guidelines are too elastic to provide specific and reliable direction for providers – nor does following them offer a solid guarantee of data protection. As a result, providers that follow HIPAA requirements are often unsure of what constitutes “reasonable and appropriate” protections. Often they implement controls without reasonable justification – or worse, implement controls that aren’t sufficient. They conduct inadequate risk assessments or skip them entirely. When you consider how many significant fines the OCR issued in 2012, the need for standardized and actionable guidance becomes clear. This is where the Health Information Trust Alliance (HITRUST) comes in.
Developed by healthcare and IT professionals, the HITRUST Common Security Framework (CSF) helps organizations by providing an efficient and prescriptive framework for managing the security requirements inherent in HIPAA. By integrating the diverse set of existing requirements applicable to agencies and businesses, HITRUST seeks to eliminate the inconsistencies and wasted resources so typical in reporting healthcare compliance. This is not to say that HIPAA is a waste or should be ignored. HITRUST should be seen, rather, as an important, industry-managed approach to meeting HIPAA security rule requirements. HITRUST can offer providers a trusted benchmark from which they can measure and manage their own compliance – while offering proven protection to their customers.
The Value of the HITRUST CSF
When you consider that virtually every healthcare provider has more than just one compliance obligation, the advantages of the HITRUST CSF become clear. By translating HIPAA and HITECH requirements into an actionable roadmap that is cross-referenced to many other security and data privacy regulations, the CSF provides organizations with a prescriptive set of controls that can be used to manage compliance across a broad range of regulatory requirements. This comprehensive approach reduces complexity, risk, and cost while protecting sensitive patient and other data.
With one simplified compliance process, the CSF:
● Incorporates existing, globally recognized standards such as HIPAA, NIST, ISO, PCI, FTC Red Flag, and COBIT
● Reduces risk of non-compliance with HIPAA
● Scales according to your organization’s size, type, and complexity
● Provides clear, actionable guidelines
● Evolves according to your needs, as well as changes in both the healthcare industry and the regulatory environment
The Benefits of HITRUST Certification
Right now it is virtually impossible to claim that your organization is “certified HIPAA compliant,” as no formal process or status exists. Yet HITRUST offers a third-party assessment that verifies your organization has met all of the industry-defined certification requirements of the CSF. What benefits can certification offer you? To start, it can save you considerable time and money when it comes to audits; because the consolidated controls view from the CSF provides visibility into the controls overlap among multiple regulatory requirements, you’ll be able to demonstrate exactly how your controls program is meeting the combined requirements. With one assessment, you can generate multiple reports addressing multiple legislative, regulatory, or best-practice frameworks such as HIPAA, PCI, or NIST. Yet perhaps the most far-reaching and competitive advantage relates to your brand. Consumers today are aware of and concerned by cybercrime and privacy breaches, and most are too cynical to truly believe an organization’s marketing claims of data protection. Yet a third-party attestation – one benchmarked against a recognized controls framework specifically designed to fully address the letter and spirit of HIPAA – can lend your security program both credibility and prestige.
Once HITRUST CSF Certified, your organization will be able to advertise its compliance and security, with the proof to back it up.
A Foundation for Better Healthcare
When it comes to compliance, the world of healthcare technology can be a complicated place. HITRUST certification simplifies compliance by offering providers a tailored set of controls, founded on the expertise and best practices of leading healthcare and IT experts, for an assumed set of risks and compliance requirements. By helping organizations of all sizes and backgrounds become certified, the CSF ultimately allows providers to spend less time worrying about compliance – and spend more time focused on patient care.
Today marks the first day that Red Lion is officially open for business. We welcome all companies that need solutions to their security issues. Red Lion is a top-shelf Information Security consulting firm with unprecedented access to the highest caliber hackers the industry has to offer. Our Capabilities are listed below.
● Enterprise Architecture Design and Implementation
● Gap Analysis
● Security Systems Development
● Vendor Comparisons
● Hacker resources used
From basic vulnerability scans to compliance validation to full-scope enterprise architecture and security design, we have the right solution to complete your project ON-TIME and ON-BUDGET.