A CISO Guide to Cyber Resilience by Debra Baker - A Book Review
Posted on December 21, 2024 • 7 minutes • 1347 words
Book
Debra Baker, CISSP CCSP, is a cybersecurity professional with over 20 years of experience. She is the CEO and Founder of TrustedCISO. In the book, Debra provides checklists and guidance for professionals at companies of different maturity levels. Identity and access management, security policies, risk management, endpoint security, data protection, security awareness, patch management, asset inventory, configuration baselines, data classification, and resilience in Artificial Intelligence are the subjects she discusses. The book was published on April 30, 2024, and is available on Amazon for purchase.
These are the points that caught my attention:
Citations
As the United States Department of Homeland Security aptly defines it, cyber resiliency is the “ability to resist, absorb, recover from or successfully adapt to adversity or a change in conditions.” (p.9)
…it’s crucial to handle biometric data with utmost care because, unlike passwords, biometrics cannot be changed if they are compromised. (p.31)
Ideally, you should use an authentication application such as Google Authenticator, Authy, or Microsoft Authenticator. (p.34)
I don’t see passwords going away any time soon, but passwordless login is definitely a better alternative. (p.34)
NIST 800-63-3B does not want you to force a password change unless there is a known breach. If you force password changes frequently, research shows users will create a weak password. (p.36)
Some of the secure password hashing algorithms are Scrypt, Bcrypt, Argon2, PBKDF2, and Balloon. (p.38)
Argon is another password hashing algorithm designed to be resistant to attacks such as dictionary, brute-force, and precomputational attacks. (p.38)
Ensure that these shared passwords are changed once a team member either moves to another department or leaves the company. (p.39)
SANS also has some free information security policy templates that are more specific, such as recommended password policies and recommended encryption policies. (p.42)
NIST provides mappings to other control frameworks in The Cybersecurity Capability Maturity Model (C2M2) Tool. The C2M2 Tool provides an easy way to do a self-assessment of your organization’s IT network. (p.45)
There is also an amazing cross-reference mapping that the Secure Controls Framework has published that is free to use. (p.45)
…all compliance, whether it be laws or frameworks, overlap and map back to NIST 800-53b. (p.46)
…when you are alerted to a hack, whether by an internal team or government agency, you better take it seriously. (p.47)
Critical CVEs such as this should be patched within 30 days. (p.49)
To be fair, the CISO role is responsible for the security and risk management of a company; however, it’s on the executive management team to accept, mitigate, or transfer the risk. (p.50)
…the CISO of SolarWinds, which the Security and Exchange Commission (SEC) has brought charges against. The reason is that the “SEC’s complaint alleges that [Tim] Brown [the CISO of SolarWinds] was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.” (p.50)
…aligning your program with your company’s mission and goals is imperative to achieve alignment from the top down. (p.52)
…such as Drata, Secureframe, and Vanta. These products will automatically monitor your cloud environment controls and map them to a specific framework or standard, such as SOC2 or NIST CSF. (p.59)
NIST offers a free NIST CSF Maturity tool that you can use to perform an assessment and track your progress. (p.61)
Steve Gibson’s ShieldsUP web page provides a home firewall test that can be run. You could send this out to your employees to test their home firewalls. HackerTarget offers a way to test your external firewall also. (p.69)
IoT devices are particularly susceptible since many have default passwords that cannot be changed. (p.71)
The best way to prepare for having to recover from your backups is to test them regularly. You can do this daily, weekly, monthly, or quarterly, depending on your company’s time and resource availability. (p.79)
The RPO plays a crucial role in shaping an organization’s disaster recovery plan. Setting the RPO too high could leave the organization vulnerable to unacceptable levels of risk. (p.84)
Redundancy can be applied at various layers of an organization’s architecture, including data, hardware, and connectivity. (p.87)
In the SolarWinds SEC case against the CISO, Timothy G. Brown, it specifically explains that the CISO was not reporting the actual risks the company faced up to the executive management board. (p.96)
…materiality is determined based on whether the information about a cybersecurity incident would be considered important by a reasonable investor when making an investment decision. (p.96)
One of the big changes between CVSS v3.1 and v4.0 is taking into account threat intelligence (TI) and environmental metrics for more accurate scoring. In addition, CVSS v4.0 has incorporated more metrics to better cover the Internet of Things (IoT) and Operational Technology (OT). (p.102)
The Known Exploited Vulnerabilities (KEV) Catalog is maintained by CISA, part of the U.S. Department of Homeland Security. The KEV catalog was officially launched in November 2021 as part of Binding Operational Directive (BOD) 22-01, aimed at driving urgent and prioritized remediation of vulnerabilities posing significant threats. (p.103)
…if the Attack Vector is Network, then you need to prioritize this vulnerability to be patched within 30 days. (p.106)
Renovate is a Snyk tool that will automatically scan all of the open source software (OSS) used in your code and will update it accordingly. (p.112)
I recommend to all my clients to use OWASP ZAP, which is a free DAST tool that you can use to scan your web applications. (p.112)
Once you have CIS IG1 implemented, you can start moving toward implementing CIS IG2. (p.121)
Understanding your network and where assets reside is important, especially to your vulnerability prioritization plan. Many companies have network diagrams, but having a tool that will give you an actual view of your network is super valuable. (p.121)
For the cloud, each service offers its own tools for asset discovery and inventory, including visualization of your assets. (p.121)
Even in the cybersecurity space, encryption knowledge is limited. (p.123)
You can also see recommended algorithms and key sizes on the Crypto Done Right! website standards table. (p.124)
…using Snyk’s renovate package to ensure your open source code is up to date and patched. Also, use GitHub’s static application security testing (SAST) code scanning tool to ensure your code doesn’t have vulnerabilities. (p.132)
This includes using unapproved or company-assigned USB sticks for storage. (p.136)
An IBM engineer got mad and attacked the research lab where he worked. He deleted all the data and work that resided in his research lab. (p.136)
Assessing the quality of an MDR service can be difficult. It’s advisable to assign a dedicated individual to manage the MDR relationship. Ideally, this person should independently verify the MDR’s findings, providing a dual-layered security approach. (p.140)
CSPM provides compliance with secure configurations such as the Center for Internet Security (CIS) or Security Technical Implementation Guide (STIGS). (p.141)
Other features include exposure and vulnerability management. CNAPP takes all of the CSPM features and adds to them, such as infrastructure-as-code (IaC) scanning. (p.141)
How to obtain zero trust: Zero Trust Roadmap (p.148)
The only threat vector I’ve seen that beat email phishing is unsecured RDP ports open to the internet. Implementing MFA for RDP protects this from hackers. (p.149)
Close all inbound ports from the internet. Configure internet-facing devices: Free Qualys scan, Security Scorecard, Censys.io, Cloudflare. (p.149)
Automating these configurations by using a product such as Ansible for your network devices will make your company so much more secure. (p.152)
Cybersecurity Maturity Model Certification (CMMC) Model. DOD, Chief Information Officer U.S. Department of Defense
Segmentation is an incredible tool that stops ransomware from self-propagating onto these critical subnets where your critical assets and data reside. (p.176)
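The patching rules quoted above (critical CVEs within 30 days, network-reachable vulnerabilities within 30 days, anything in CISA's KEV catalog first) expressed as a small triage helper. This is an added example, not code from the book or from the reviewer; the sample KEV set, the placeholder CVE ids and the 90-day fallback window for everything else are assumptions of the example.

```python
"""Patch-deadline triage from three rules quoted from the book:
critical CVEs and vulnerabilities with Attack Vector = Network get a
30-day window, and KEV-listed CVEs are treated as most urgent."""

# Constructed sample KEV membership set with placeholder ids (not real KEV data).
SAMPLE_KEV = {"CVE-0000-0001"}


def parse_cvss_vector(vector):
    """Parse a CVSS v3.1 or v4.0 vector string into {metric: value}.
    Only 'AV' is used by the triage, but every metric is kept."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:"):
        raise ValueError(f"not a CVSS vector: {vector!r}")
    version = parts[0].split(":", 1)[1]
    if version not in ("3.1", "4.0"):
        raise ValueError(f"unsupported CVSS version: {version}")
    metrics = {"version": version}
    for item in parts[1:]:
        key, sep, value = item.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric: {item!r}")
        metrics[key] = value
    return metrics


def severity_from_score(score):
    """Qualitative rating bands shared by CVSS v3.1 and v4.0."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


def patch_deadline_days(cve_id, vector, base_score, kev=SAMPLE_KEV):
    """Return (days, reason). KEV first, then the book's two 30-day rules;
    the 90-day fallback is an assumption of this example, not from the book."""
    if cve_id in kev:
        return 0, "listed in CISA KEV: remediate immediately (use the catalog's due date)"
    metrics = parse_cvss_vector(vector)
    if severity_from_score(base_score) == "Critical":
        return 30, "critical CVSS score"
    if metrics.get("AV") == "N":
        return 30, "attack vector is Network"
    return 90, "default window (assumption of this example)"


def triage(findings, kev=SAMPLE_KEV):
    """findings: iterable of (cve_id, vector, score); returns most urgent first."""
    rows = [(cve, *patch_deadline_days(cve, vec, score, kev)) for cve, vec, score in findings]
    return sorted(rows, key=lambda r: r[1])
```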
Conclusion
Debra Baker’s Guide is a good reference for every professional, whether at a start-up or at an advanced multinational corporation. It provides fundamental points for the related subjects and for controls which can or should be implemented. Sharing insights from experience is always valuable, because not every control suits every company; hardware-based authentication for end users, for instance, may not be suitable everywhere. Thank you, Debra Baker, for sharing your knowledge and experiences.