Eugene Pakhomov, CISSP
Security Warriors – what we did and how we continue the work
Joan Ross, Chief Intelligence Officer
Curtis Blount, CISO
Vulnerability Prioritization: Are You Getting It Right?
Thank you to all who attended our October 8th event. Please enjoy this free playback.
Dima Gorbonos, Senior Sales Engineer at WhiteSource
Dima is a key technical advisor and solution advocate, responsible for planning and delivering solution demonstrations to large enterprises. It’s his role to respond to the functional and technical elements of RFIs/RFPs, so he is an outstanding choice to guide our questions about vulnerability prioritization and program requirements.
Dima will be assisted by John Timberlake, a self-appointed “techie” who enjoys the luxury of working with enterprise clients that are embracing DevOps and cloud technologies to transform the way they build software and run their business. John leads the Seattle-based North American DevOps Group.
John has graciously agreed to provide attendees with some spectacular resources.
Their conversation and demo are supported by the work of David Habusha, WhiteSource Product Executive.
Here’s a recent article sample:
Developers must find a way to zero in on the security vulns that present the most risk and quickly address them without slowing down the pace of development.
The past few years have seen an exponential rise in the volume of reported security vulnerabilities. Combined with the increase in headline-grabbing security breaches, it’s no surprise that organizations are upping their application-security game. This includes a heightened focus on the detection and remediation of security vulnerabilities as early as possible in their DevOps pipeline — leaving developers with the added task of handling an increasingly high number of security alerts.
But they can’t remediate everything. This is why they must find a way to zero in on the security vulnerabilities that present the most risk and quickly address them without slowing down the pace of development.
The prioritization of vulnerabilities has become a burning issue for software development outfits that want to stay ahead of security while not falling behind on AppSec release dates. Unfortunately, there is currently no set standard or practice for how to prioritize them. Different teams prioritize security alerts based on a variety of parameters and considerations — not necessarily the most effective ones, either. As a result, they are spending a lot of valuable time figuring out what to tackle first, to varying degrees of success.
To understand which prioritization methods are currently most common, we surveyed 300 of our customers and asked them how they prioritize vulnerability alerts. The top five considerations that arose were vulnerability severity, application type, the popularity of the vulnerable open source component, vulnerability disclosure date, and ease of remediation.
To learn more, we added a new perspective: the hacker community. We took the 100 most common open source vulnerabilities reported in 2019 based on the WhiteSource vulnerabilities database and compared characteristics, such as popularity, disclosure date, and severity score, to the level of discussion in the hacker community based on data from CYR3CON, which predicts cyberattacks based on artificial intelligence gathered from hacker communities.
In doing so, we gained insight into how effective the common prioritization methods are and how they measure up against the hacker community’s preferences.
Many organizations consider the Common Vulnerability Scoring System (CVSS) vulnerability score first when prioritizing remediation since it’s so easily accessible and seemingly straightforward. Unfortunately, this parameter does little to shorten the long list of security vulnerabilities that teams need to address since data shows over 55% of the top open-source security vulnerabilities were rated as high or critical.
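To make the CVSS point concrete, here is an added example, written for this page rather than taken from WhiteSource’s tooling or the survey’s method. It scores a constructed set of alerts on the five factors the survey surfaced: severity (CVSS), application type (modelled as internet-facing or not), component popularity (a constructed download rank), disclosure date, and ease of remediation (whether a fixed version exists). The identifiers, component names and weights are all assumptions. The point it shows is that a CVSS-only cut keeps most of the list, while a composite ranking reorders it so that a long-disclosed, internet-facing Medium with an easy fix can outrank a brand-new internal Critical.

```python
# Added example, not WhiteSource's tooling: rank constructed alerts on the
# five survey factors and contrast the result with a CVSS-only first cut.
from dataclasses import dataclass
from datetime import date

TODAY = date(2020, 10, 1)   # fixed "as of" date so the results are reproducible
MAX_RANK = 10               # popularity ranks run 1 (most used) .. MAX_RANK


@dataclass(frozen=True)
class Alert:
    vuln_id: str           # placeholder id, not a real CVE
    component: str         # placeholder component name
    cvss: float            # CVSS base score 0.0-10.0 (severity)
    popularity_rank: int   # 1 = most downloaded component in the fleet
    disclosed: date        # public disclosure date
    fix_available: bool    # a patched version exists (ease of remediation)
    internet_facing: bool  # application type: exposed vs. internal


# Constructed sample alerts (values are made up for illustration).
ALERTS = [
    Alert("VULN-0001", "libfoo",    9.8,  1, date(2019, 3, 1),   True,  True),
    Alert("VULN-0002", "libbar",    9.1,  8, date(2020, 9, 1),   False, False),
    Alert("VULN-0003", "libbaz",    7.5,  3, date(2018, 6, 1),   True,  True),
    Alert("VULN-0004", "libqux",    7.2, 10, date(2020, 8, 15),  False, False),
    Alert("VULN-0005", "libquux",   8.8,  5, date(2019, 11, 20), True,  False),
    Alert("VULN-0006", "libcorge",  5.3,  2, date(2019, 7, 4),   True,  True),
    Alert("VULN-0007", "libgrault", 4.3,  6, date(2020, 2, 2),   False, False),
    Alert("VULN-0008", "libgarply", 6.5,  4, date(2019, 1, 10),  True,  True),
]


def cvss_only(alerts, threshold=7.0):
    """The common first cut: keep everything rated High or Critical."""
    return [a for a in alerts if a.cvss >= threshold]


def high_or_critical_share(alerts):
    """Fraction of the list that survives the CVSS-only cut."""
    return len(cvss_only(alerts)) / len(alerts)


def priority_score(a, today=TODAY):
    """Composite 0-100 score. The weights are illustrative, not a standard."""
    score = 4.0 * a.cvss                                   # severity: up to 40
    if a.internet_facing:
        score += 20                                        # application type
    # Popularity: rank 1 earns the full 15, rank MAX_RANK earns 0.
    score += 15 * (1 - (a.popularity_rank - 1) / (MAX_RANK - 1))
    age_days = (today - a.disclosed).days
    score += 10 * min(age_days / 365, 1.0)                 # older = more likely weaponized
    if a.fix_available:
        score += 15                                        # quick win for remediation
    return round(score, 1)


def ranked(alerts, today=TODAY):
    """Alerts ordered by composite score, highest first."""
    return sorted(alerts, key=lambda a: priority_score(a, today), reverse=True)


if __name__ == "__main__":
    print(f"CVSS >= 7 keeps {len(cvss_only(ALERTS))} of {len(ALERTS)} alerts "
          f"({high_or_critical_share(ALERTS):.0%}), barely shortening the list")
    for a in ranked(ALERTS):
        print(f"{a.vuln_id} cvss={a.cvss:<4} score={priority_score(a):>5}")
```

Run it and compare the two outputs: the CVSS cut keeps five of eight alerts, whereas the composite ranking puts VULN-0006 (CVSS 5.3) above VULN-0002 (CVSS 9.1). The weights are a starting point for a team to argue over, not a standard, and the hacker-community signal the article describes would simply be one more additive term.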
Enjoy the full article here.
WhiteSource helps businesses all over the world to develop better software by harnessing the power of open source. Open source components, a significant and important part of commercial software today, are often substantially under-managed. WhiteSource fully automates the entire process of open source components selection, approval, tracking and management, including real-time alerts on vulnerable and problematic open source components, customized reports, enforcing policies automatically and more. An integral part of your software development environment, WhiteSource guarantees the continuity and integrity of open source management and reduces respective risks. WhiteSource provides a complete solution that supports all programming languages. The solution seamlessly plugs into all popular build tools. WhiteSource is a venture-backed company with offices in NY, Boston and Tel-Aviv.
Please register for Thursday, September 10, 7 PM – 9 PM 2 CPE “Get Hired” Cyber Security event – Free and open to nonmembers.
Head of Permanent Security Recruitment – and Co-Founder at Code Red Partners – Cybersecurity Careers Thriving During the Pandemic
Are you a senior security engineering manager looking for a career-defining role? Watch now to learn more about our latest #cybersecurityjob opportunity at a fast-growing Bay Area FinTech innovator: #infosecjob #cybersecurityjobs #cybersecuritystaffing #infosecurityjob pic.twitter.com/p0h6tsFJF0
— Code Red Partners (@CodeRedPartners) March 17, 2020
Want free cybersecurity training with certification? Check out SearchSecurity's free online security classes led by InfoSec experts today! https://t.co/Nhr4zay9UH #cybersecurity #freeclasses #certifications #onlinelearning pic.twitter.com/KNr00cKQ84
— Code Red Partners (@CodeRedPartners) August 26, 2020
Tom Alcock – Co-Founder at Code Red Partners | Cybersecurity Staffing and Consulting
Bruce Pendrey – Head of Security Recruitment – Permanent
Code Red Partners
Code Red specializes in cybersecurity staffing. We recruit exclusively in the security space, giving us an in-depth understanding of the needs of both the job seekers and employers that we partner with. We pride ourselves on our extensive network within the Financial Services industry, including FinTech, Banking, and Blockchain.
- JOBS HAPPENING RIGHT NOW, and how you get one.
Life Sciences & Health Care, Medical Device Manufacturing and Cybersecurity, A Strategy
LSHC Webinar Replay
As the pandemic moves into its sixth month, we see a shift not only in how we prioritize health issues but in how we practice medicine, and in the cybersecurity implications of a proliferating attack surface that ranges from medical devices to home computing.
- Life Science and Health Care (LSHC) – Market, Players, Opportunities
- Two key documents for learning – BSI Cybersecurity of Medical Devices; MDIC Medical Device Cybersecurity Report
- Cyber Related Standards
- Frameworks, Standards & Tools: How CISOs Address MDM Cybersecurity
- List of resources and Laws
- IoT and CCPA
- Mapping and Tagging – Unification within GRC and Cybersecurity Risk Management
- Integration Progress – Facilitated Compliance Management
- Investment in Licenses and Partners
Robin Basham is the owner of EnterpriseGRC Solutions, President of ISC2 East Bay, certified in Information Systems Security (CISSP), Audit (CISA), Governance (CGEIT) and Risk (CRISC), an ICT GRC expert and an early adopter in both certifying and offering certification programs for Cloud Security and Virtualization, with industry experience in the management of systems, controls and data for SaaS (IaaS and PaaS), Finance, Healthcare, Banking, Education, Defense, and High Tech. Positions held include Technology Officer at State Street Bank, leading Process Engineering for a major New England CLEC, Sr. Director Enterprise Technology for multiple advisory firms, founding, engineering the product for and running two governance software companies, and most recently Director Enterprise Compliance for a major player in the mortgage industry, Ellie Mae. Having served as Cisco, Unified Compliance, and ISMS Program Manager for a multi-year GRC project, Robin currently leads EnterpriseGRC Solutions’ LSHC initiative in support of three MDM clients. Robin may also be recognized for donating substantial time to supporting social platform security to further social democracy. Robin is also a past board member of the ISACA SV chapter.
| Standard, Law or Framework | Web Link to Source |
| --- | --- |
| California Consumer Privacy Act of 2018 | California Consumer Privacy Act (CCPA) |
| Eudralex Volume 4 Annex 11 – Computerized Systems | Eudralex Volume 4 Annex 11 – Computerized Systems |
| GAMP® 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems | GAMP® 5 |
| HIPAA – HITECH Title 45 C.F.R. § 164 | HIPAA – HITECH Title 45 C.F.R. § 164 |
| ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements | ISO/IEC 27001:2013 |
| ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002 | ISO 27799:2016 |
| ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls | ISO/IEC 27002:2013 |
| ISO/IEC 27017:2015 (27002 for cloud services) | ISO/IEC 27017:2015 (27002 for cloud services) |
| ISO 13485:2016 – Medical Devices – A Practical Guide | ISO 13485:2016 – Medical Devices – A Practical Guide |
| ISO/IEC 30111:2019 Information technology — Security techniques — Vulnerability handling processes | ISO/IEC 30111:2019 |
| ISO 14971:2019 Medical devices — Application of risk management to medical devices | ISO 14971:2019 Medical devices — Application of risk management to medical devices |
| HITRUST CSF v9.3 | HITRUST Alliance |
| Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (MITRE) | Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook |
| Premarket Management of Cybersecurity in Medical Devices | Premarket Management of Cybersecurity in Medical Devices |
| Postmarket Management of Cybersecurity in Medical Devices | Postmarket Management of Cybersecurity in Medical Devices |
| Title 21 CFR Part 11 | CFR – Code of Federal Regulations Title 21, Chapter I – Food and Drug Administration, Part 11 Electronic Records; Electronic Signatures |
| Title 21 CFR Part 820 QMS Requirements | 21 CFR Part 820 QMS Requirements |
| *An overview of the medical device industry – MedPAC | An overview of the medical device industry – MedPAC |
| *Cybersecurity of medical devices – Addressing patient safety and the security of patient health information | Cybersecurity of medical devices |
- CCPA SB-1121 California Consumer Privacy Act of 2018. (2017-2018) https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121
- SB-327 Information privacy: connected devices. TITLE 1.81.26. Security of Connected Devices https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
- SANS Top 20 Critical Security Controls V7.1 https://www.sans.org/critical-security-controls/
- NIST Framework for Improving Critical Infrastructure Cybersecurity, V1.1 http://www.nist.gov/cyberframework/ https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- NIST 800-53 V5, Security and Privacy Controls for Federal Information Systems and Organizations. Important new features include Keywords and Attributes used for tagging. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft
- DISA Security Technical Implementation Guides (STIGs). https://public.cyber.mil/stigs/
IoT and California Consumer Privacy Act, CCPA
TITLE 1.81.26. Security of Connected Devices, a new law, was designed to protect the security of IoT devices and the information those devices hold.
- The law can be enforced only by the attorney general, a city attorney, a county counsel, or a district attorney, and does not provide for any right of private action.
- The law does not apply to connected devices already subject to federal security standards.
The CCPA became effective on January 1, 2020.
- Officially called AB-375, CCPA is a bill that enhances privacy rights and consumer protection for residents of California. Signed into Law June 28, 2018, CCPA amends Part 4 of Division 3 of the California Civil Code.
The Road to Zero-Trust: Past, Present, and Future: What is Zero Trust (Araali deck for (ISC)2)
Organizations measure their application teams on deployment velocity, feature release velocity, and application performance. In today’s cloud-native world, app teams build and iterate at lightning speed, shipping multiple features and releases a day. Application teams often feel dragged down by their security counterparts, and application security gets left behind. The disconnect between app and sec drives companies to focus on Detect and Respond, which is more manual and expensive than automated Prevention. Even though teams spend more on security, breaches abound.
Over the last couple of decades, analysts and the security community focused Preventive Security on users and hardware devices (e.g., software-defined perimeter (SDP), Zero-Trust, and Privileged Access Management). These technologies deliver least-privilege access for users and their devices, but the apps running in data centers and hybrid clouds were never covered. One key reason is that users and devices are independent entities with identities that can be verified by a second factor (a fingerprint, an SMS code, etc.). Apps have no such 2FA.
Different companies took different paths to deliver zero-trust for apps through Big Data, ML, network processors, FPGAs, etc. However, the promised land of Application Zero-Trust remained elusive. Even though enterprises know that least privilege/zero trust is the right way to go, they struggle to adopt it. The conflict centers on three key pillars: operational complexity, business disruption, and operational cost.
In this talk, Abhishek will unpack these concepts in an easy-to-understand fashion. He will also share key ideas to keep in mind when thinking about protecting your custom apps running in your public and private clouds.
Abhishek Singh, CEO, Araali Networks
Abhishek was previously the Co-Founder/VP Engineering at Tetration Analytics where he led the initial team to build and scale a datacenter-scale platform to enable micro-segmentation and security in a Virtual Machine environment. Prior to Tetration, he held engineering leadership positions at Aruba, Cisco and Ericsson.
Abhishek has a Bachelor of Technology degree from the Indian Institute of Technology Kanpur and a Master’s degree from Johns Hopkins University (both in Computer Science).
Registration for the event:
Topic: Data-Centric Security in an entirely Remote World
Atakama protects files using advanced threshold cryptography and by inextricably linking files stored in one location to more than one physical device.
This session introduces the founders speaking on the problems they found and solved. Attendees can get a free trial license and experience the Atakama approach to file level security as required on any type of device and under any permutation of requirements for rights management.
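Threshold cryptography is the textbook way to tie a file stored in one place to more than one device: the file’s encryption key is split into shares so that any k of n shares reconstruct it while fewer reveal nothing about it. The following is an added example of Shamir secret sharing over a prime field, written for this page to illustrate the idea; it is not Atakama’s protocol or code, and the key, the device names and the 2-of-3 policy are constructed for the demo.

```python
# Added example (not Atakama's code): k-of-n Shamir secret sharing of a
# per-file encryption key, the standard threshold technique behind
# "file in one place, key material on several devices".
import secrets
from hashlib import sha256

# Shares live in the prime field GF(p); this Mersenne prime comfortably
# holds a 256-bit key as a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, shares: int):
    """Split `key` into `shares` points; any `threshold` of them recover it.

    Returns a list of (x, y) pairs; each pair is handed to one device.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares) -> int:
    """Lagrange-interpolate the polynomial at x=0 from the given points.

    With fewer than `threshold` shares this still returns *a* field element,
    but one unrelated to the real key: that is what makes a lost device harmless.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def recover_key(shares, key_len: int) -> bytes:
    """Reconstruct the key bytes from at least `threshold` shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


# Constructed demo: one 256-bit file key, a 2-of-3 policy across three
# hypothetical devices (placeholder names, not real identifiers).
FILE_KEY = sha256(b"constructed demo key, not a real secret").digest()
DEVICES = ("laptop", "phone", "tablet")


def demo_two_of_three():
    shares = dict(zip(DEVICES, split_key(FILE_KEY, threshold=2, shares=3)))
    key_int = int.from_bytes(FILE_KEY, "big")
    return {
        # Any two devices together reconstruct the file key...
        "laptop+phone": recover_key([shares["laptop"], shares["phone"]], 32) == FILE_KEY,
        "phone+tablet": recover_key([shares["phone"], shares["tablet"]], 32) == FILE_KEY,
        # ...while a single stolen device yields an unrelated field element.
        "phone alone": recover_secret([shares["phone"]]) == key_int,
    }


if __name__ == "__main__":
    print(demo_two_of_three())
```

The file itself would still be encrypted with a conventional symmetric cipher under `FILE_KEY`; what the sharing changes is that no single device (or the server holding the ciphertext) ever has enough to decrypt it on its own.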
Learn more at Atakama’s recent press release
Meet Daniel H. Gallancy and Dimitri Nemirovsky from Atakama
Daniel H. Gallancy
CEO, Atakama, LinkedIn
200 Park Ave, 17th Floor, New York, NY 10166 – +1-212-273-9580
Daniel H. Gallancy is the CEO and a founding member of Atakama, a NYC-based information security software company. Atakama Inc. provides unparalleled data protection for businesses. By employing a file-by-file encryption design, Atakama eliminates the ability for attackers to directly profit off of confidential data and substantially mitigates the damage of unpreventable attacks. Atakama’s encryption solution helps companies adhere to mandatory compliance regulations and in the process, provides best-in-class protection for sensitive and non-public information. Atakama’s distributed key management protocols can be customized based on company or department needs, seamlessly integrates with existing cybersecurity stacks, and can be deployed within hours.
Mr. Gallancy has provided bitcoin and blockchain-related advisory services for private corporations, investment management firms, post-trade processing companies, central counterparties, and US State and Federal regulators.
Prior to founding Atakama, Mr. Gallancy spent ten years in the asset management industry. Mr. Gallancy was an investment professional at Beaconlight Capital and, before that, at Alson Capital Management. Mr. Gallancy’s areas of focus included semiconductor capital equipment, IT hardware, software, and telecommunications. Mr. Gallancy was responsible for corporate diligence, financial analysis, and investment decision-making.
Daniel is one of the co-founders of SolidX Management LLC, a company that has filed a registration statement with the Securities and Exchange Commission relating to the proposed launch of the VanEck SolidX Bitcoin Trust, which will seek to provide shareholders with exposure to the daily change in the U.S. dollar price of bitcoin. Bitcoin to be held by the VanEck SolidX Bitcoin Trust will carry insurance against theft, loss, and other adverse operational events.
Daniel was raised in Queens where he attended public school. He taught himself to program in C at age 10. Daniel graduated from Stuyvesant High School before attending the University of Pennsylvania where he earned a BA in Physics and a BSE in Electrical Engineering. During college, Daniel built a wireless, laser-based network communication link (back in the days before WiFi). He earned an MBA from Columbia University and is a CFA Charterholder.
How it Works – The Graphic
About Dimitri: Dimitri is the Cofounder and COO of Atakama. Dimitri took his first coding classes in 8th grade. He holds BBA and MBA degrees from Baruch College and earned his JD from Brooklyn Law School. Prior to co-founding Atakama, Dimitri practiced regulatory and enforcement law at an international law firm where he focused on the various technology, digital archive, and e-discovery regulations that developed during the 2000’s.
Atakama Inc. is an information security software company that provides unparalleled data protection for businesses. By employing a file-by-file encryption design, Atakama eliminates the ability for attackers to directly profit off of confidential data and substantially mitigates the damage of unpreventable attacks. Atakama’s encryption solution helps companies adhere to mandatory compliance regulations and in the process, provides best-in-class protection for sensitive and non-public information. Atakama’s distributed key management protocols can be customized based on company or department needs, seamlessly integrates with existing cybersecurity stacks, and can be deployed within hours. Undeniably, a vast improvement over the status quo.
If you want to improve your security and better protect your data, we’re here to help you.
Atakama will offer a free user version of its software to attendees and will showcase a live demo of its revolutionary file encryption product, which is designed to protect companies from today’s emerging threats such as Maze ransomware attacks.
Topic: IT Assurance Across System Boundaries
IT administrators and security experts face a daunting challenge in assuring information security and privacy across numerous interconnected systems, many of which they have no authority over. These integrated entities, such as vendor applications and industrial control systems, are housed both on-premises and in the cloud. In this presentation, David will outline the challenge of providing security assurance across system boundaries, show some examples of breaches across system boundaries, and explore risk management techniques for dealing with this seemingly intractable problem.
Speaker: David Trepp, M.S., Partner, IT Assurance
A technology entrepreneur since 1989, David has led over 1,300 comprehensive information security penetration test engagements for satisfied customers across all major industries throughout the United States and abroad. He has given dozens of presentations to audiences nationwide, on a variety of information security topics. David, a US Army veteran, is founder and CEO of Info@Risk (now BPM), a leading comprehensive penetration test firm. David has worked in information security with banking, law enforcement, government, healthcare, utilities, and commercial organizations since 1998. When not at work testing security controls, David exercises his risk management skills as an avid rock climber and long-distance cyclist.
Thu, May 14, 2020, 7:00 PM – 9:00 PM PDT
1. Click the link to join the webinar at the specified time and date:
2. Choose one of the following audio options:
TO USE YOUR COMPUTER’S AUDIO:
When the webinar begins, you will be connected to audio using your computer’s microphone and speakers (VoIP). A headset is recommended.
TO USE YOUR TELEPHONE:
If you prefer to use your phone, you must select “Use Telephone” after joining the webinar and call in using the numbers below.
United States: +1 (914) 614-3221
Access Code: 660-163-974
Audio PIN: Shown after joining the webinar
About BPM: Our Member Meeting Sponsor!
The BPM Information Security Assessment team (formerly Info@Risk), has worked with all types of organizations throughout the United States. A large percentage of the Information Security Assessment team’s clients are repeat customers, with many of our relationships stretching back nearly to our beginning in 1998. We attribute these enduring relationships to three facts:
- our clients value the depth and comprehensive quality of our work
- our clients recognize that to truly manage risk, an unbiased assessment and remediation plan are a priority when choosing a vendor
- our clients seek a partnership with their impartial assessment vendor to guide them in making informed, risk-based decisions for their organization
BPM’s Information Security Assessment team provides thorough and comprehensive information security assessments so that clients can make informed, confident, risk-based decisions best suited to their organization. We are proud of the work we have done and are confident our references will support this pride.
Our assessment-focused services include:
- Comprehensive Penetration Test
- Targeted Application Penetration Test: Web/Mobile/Client-Server
- Targeted Wireless Penetration Test
- Stand-Alone Penetration Test, e.g. email Test, Social Engineering Test, Physical Security Test, etc.
- Password Audit
- Firewall Ruleset Review
- Configuration Review
- Vulnerability Assessment
- Infosec Program Review
- IT General Controls Audit
- Infosec Risk Assessment
- Infosec Training
- Social Engineering Awareness
Canceled – Postponed.
Due to the impact of the COVID-19 outbreak on our board and volunteers, we are unable to go forward with chapter activity.
Please be on the lookout for a series of online meetings.
We look forward to inviting Rafae Bhatti to another event.
Cybersecurity and CCPA, Looking at Legal Implications affecting Cyberthreat management and response
Meet Rafae Bhatti, Data protection leader and licensed CA attorney
Location Online – Link to be emailed to attendees.
Location: Oracle 5805 Owens Dr, Pleasanton, CA 94588, Time: 7:00 to 9:00 PM
7:00 PM Chapter Announcements, pizza
Agenda: Announcing the results of the annual election.
7:15 PM Presentation
Abstract: Among the different types of financial crime facilitated by the Internet, money laundering stands out because of the diverse methods criminals use to legitimize ill-gotten profits. The criminal practice of money laundering in cyberspace through online transactions has been termed cyber-laundering. One of the key concerns for launderers is avoiding detection by law enforcement, and the Internet has opened a large window of opportunity for them.
In this talk, we review a couple of malware attacks via email case studies, statistics on source of revenue for cybercriminals, and industry defenses against the most damaging
- How criminals are making their money (through which cybercrime type),
- How much they are making, and what are the consequences to organizations,
- How do we stop this by discussing
- Industry defenses against Business Email Compromise
- Defenses against Data Breaches
- Defenses against Ransomware
With roughly 44% of the $1.5 trillion in cybercrime funds coming from preventable activity (that is, activity a good security posture would have stopped), cybersecurity is not only necessary to protect businesses but also required to keep money out of the hands of criminals.
Let’s learn from current trends and prevent this money from being stolen.
More from Faranak Firozan https://www.linkedin.com/pulse/neglected-element-human-faranak-firozan/