I recently had my second interview with freelancer Carolyn Heinze, and the questions were so interesting I decided to replicate the interview in a couple of posts this week.
From: Carolyn Heinze
Subject: Interview Request – tED Magazine
Dear Bob,
I interviewed you a while back for an article on ransomware that appeared in ChannelPro. I’m working on another article for which I thought you’d make a great source. Here’s the scoop:
I am writing an article on cyber security, and more specifically, security preparedness, for an upcoming issue of tED Magazine (www.tedmag.com; published by the National Association of Electrical Distributors, www.naed.org). The piece is slated for our tech section, which aims to inform our readers (electrical distribution/wholesale supply houses that sell products to electricians and electrical contractors) on the latest tech trends that will either affect their offerings, or potentially streamline, or challenge, their own business operations. Let me know if you are interested in participating in a telephone interview on the subject.
From: Bob Weiss
Subject: RE: Interview Request – tED Magazine
Thanks for the invitation, and my answer would be “yes!”
Quick question: is this your blog? http://cheinze.blogspot.com/
I read your article in ChannelPro Network and appreciate the couple of quotes of mine that you included. I happened to have a ransomware article in the queue for my own blog and the article is scheduled for Nov 30th. To return the favor, I mentioned your article in the opening paragraph, and included a link to the article and to your blog (if that is it above).
And the contents of the interview:
CH – While our readership includes several national, and even multi-national corporations, the bulk of our readers lead small to mid-sized businesses with limited IT resources. Still, what are some of the best practices that these organizations absolutely must follow to a) prevent a security breach; and b) prepare for one?
BW – Prevention is still important, but you should really have an incident response plan in place for when (not if, but when) it happens to you. You will probably need outside help for this; even if you have your own IT staff, they are just not going to have the requisite skills and knowledge.
CH – These days, what elements should organizations be taking into consideration when they’re conducting a cyber threat audit? And, which departments should participate in that audit?
BW – Start with your public facing infrastructure, the web, mail, and database servers that allow customer access. But since nearly everything starts from an internal network compromise (phishing, vishing, disgruntled employee, etc.) you need to plan to look at everything. We are even looking at “air-gapped” systems since there are some pretty impressive compromises to those sorts of systems and networks. Let’s not forget your wireless networks (both legitimate and rogue) and employee BYOD systems.
CH – The tech part: what systems should absolutely be protected, using tech tools? What should these protection tools feature?
BW – Perimeter and endpoint defenses are still important, so firewalls, IDS, IPS, and good old internet security software products such as Kaspersky or F-Secure. We are looking at solutions that monitor network traffic for anomalies and can identify, alert support staff, and quarantine suspected systems.
CH – The people part: what security training should non-tech employees receive so that they don’t unintentionally cause a breach?
BW – It’s hard to train suspicion and paranoia into normal people, but employees and management staff all the way to the top need to learn how to identify suspicious (and non-suspicious!) phishing and spearphishing emails. They need to be encouraged to confirm requests, especially transfers of large sums of money. They need to be on guard for “vishing” or telephone-based social engineering approaches. They need to stop holding the door open (literally) for strangers who may be “tailgating” their way into an otherwise secure building. They need to be trained that it’s ok to say “no,” “I don’t want to,” and “who are you?” They need to learn to challenge and confirm requests, especially for email addresses, passwords, personal information about themselves or coworkers, demands for payment, and requests for electronic fund transfers. Put a bounty on catching exploits. Everyone needs to be encouraged to share and report these incidents.
To be completed in our Wednesday post.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com