
A CISO's Perspective on Vendor Management

Randall Frietzsche

Bio

• CISO/Privacy Officer - Denver Health
• Catholic Health Initiatives (CHI)
• Teaching
  • Ethical Hacking / Digital Forensics
  • Harvard Cybersecurity Risk Mgmt
• Master's Degree – Information Security and Assurance
• Bachelor's Degree – Information Technology
• IT/Security Experience – IT - 20 years | IT Security – 15 years
• 10 years Healthcare
• Distinguished Fellow – Information Systems Security Association (ISSA)
• Chapter President – ISSA Kentuckiana – 8 years | Board – ISSA Denver Chapter
• Technical Certifications – CISSP, C|EH, C|HFI, VMware, Citrix, web dev, servers, networking, etc.
• Industry Speaker, Guest Author, WSJ Day in the Life
• Graduate, FBI Citizen's Academy - 2017
• Deputy Sheriff, Indiana – '90s

Introduction

• Vendor management - what is it?
• From the CISO's perspective - and from yours
• How do you better serve your customers?
• What are the risks if you don't?
• Competitive advantage

Landscape

• Everything is connected
• Almost everything is Internet-connected
• Businesses still don't understand the risks or how to identify/manage them
• Internet of Things (IoT) and many physical security components are not "usually" built to be secure by default
• If you install something – whose risk is it?

Current State

• IoT devices
  • Internet-connected
  • Remotely managed
  • Self-administered
• Risks
  • Botnets – unauthorized access – denial of service – stolen data – services unavailable – data modified/deleted – etc., etc., etc.

Example – shodan.io

Video

Internet - https://www.youtube.com/watch?v=Y9YapCUHjiU&t=2s
Disk - Shodan Search Engine Video

Moving Forward…

• Understand the services/devices you're selling/installing/managing
• Understand the components that can be compromised
• Assess/document/rate risks
• Require corrective actions or mitigations to risks
• Check to make sure
• Be able to show customers your due diligence so that…
  • Customers aren't opening themselves up to attacks
• Engage the customer's IT / CISO

Risk Assessments

• Risk Stratification – key to maturity
• Aspects of Risk Assessment
  • Identify
  • Control Objectives (SOC 1/2/3, NIST, HITRUST, COBIT, etc.)
  • Gaps vs. Risks
  • Risk Rating – qualitative vs. quantitative
  • CAPs (corrective action plans)
• Effective – Efficient – Mature – use resources appropriately

Corrective Actions/Mitigations

• Default passwords
• Firmware/OS updates
• Limit remote access
• Understand connectivity – understand attack vectors
• Network isolation
• Support for security (encryption, wireless, etc.)
• Change default ports
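The Risk Assessments and Corrective Actions slides describe the flow of identify, rate and plan without showing one. The Python below is an added illustration, not from the talk: it checks a constructed inventory of vendor-installed devices against the corrective actions listed above, rates each device both qualitatively (likelihood x impact tier) and quantitatively (annualized loss expectancy), and orders a CAP. The control weights, device records and dollar figures are all constructed assumptions.

```python
"""Vendor-installed device risk assessment: identify gaps, rate them, plan CAPs.
Added illustration, not from the talk. Weights, device records and dollar
figures are constructed; real programs take them from their own control set
(SOC 1/2/3, NIST, HITRUST, COBIT) and loss history."""
from dataclasses import dataclass

# Control objectives mirror the deck's corrective actions. Each carries a
# likelihood weight (qualitative rating) and a loss factor (quantitative).
CONTROLS = {
    "default_password_changed": ("Change default credentials", 3, 0.50),
    "remote_access_restricted": ("Limit remote access (VPN/allow-list)", 2, 0.40),
    "firmware_current":         ("Apply firmware/OS updates", 2, 0.30),
    "network_isolated":         ("Move to an isolated network segment", 1, 0.25),
    "encryption_supported":     ("Enable encryption (wired and wireless)", 1, 0.20),
}

@dataclass
class Device:
    name: str
    internet_facing: bool
    asset_value: float   # dollar loss if fully compromised (basis for SLE)
    controls: dict       # control name -> True only when verified in place

    @property
    def gaps(self):
        """A gap is an unmet control objective; it becomes a risk only once rated."""
        return [c for c in CONTROLS if not self.controls.get(c, False)]

def qualitative_rating(dev):
    """Likelihood 1-5 from gap weights plus Internet exposure, impact 1-5 from value."""
    likelihood = min(5, 1 + sum(CONTROLS[g][1] for g in dev.gaps)
                     + (1 if dev.internet_facing else 0))
    impact = min(5, 1 + int(dev.asset_value // 25_000))
    score = likelihood * impact
    tier = ("critical" if score >= 15 else "high" if score >= 10
            else "medium" if score >= 5 else "low")
    return likelihood, impact, score, tier

def quantitative_ale(dev, base_aro=0.1):
    """ALE = SLE x ARO: SLE from the worst gap's loss factor, ARO from gap count and exposure."""
    loss_factor = max((CONTROLS[g][2] for g in dev.gaps), default=0.05)
    sle = dev.asset_value * loss_factor
    aro = base_aro * (1 + len(dev.gaps)) * (3 if dev.internet_facing else 1)
    return round(sle * aro, 2)

def corrective_action_plan(dev):
    """CAP items ordered by likelihood weight: fix what moves the rating most."""
    return [CONTROLS[g][0] for g in sorted(dev.gaps, key=lambda g: -CONTROLS[g][1])]

def stratify(devices):
    """Rank devices by ALE so limited remediation effort goes where it matters."""
    return sorted(devices, key=lambda d: -quantitative_ale(d))

# Constructed sample inventory: two vendor-installed physical-security devices.
CAMERA = Device("lobby IP camera", True, 40_000, {"firmware_current": True})
READER = Device("badge reader controller", False, 100_000,
                {c: True for c in CONTROLS if c != "network_isolated"})

for d in stratify([CAMERA, READER]):   # both rate "high"; ALE tells them apart
    print(d.name, qualitative_rating(d), quantitative_ale(d), corrective_action_plan(d))
```

Both sample devices land in the same qualitative tier, which is the stratification problem the slide points at; the quantitative figure is what separates the Internet-facing camera with four gaps from the isolated-but-valuable badge controller.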

Conclusion

• Risk Landscape
• Companies need these solutions
• Companies don't understand the risks, how to identify them or how to mitigate them
• Competitive advantage to be able to understand your products
  • Security configurations
  • Risks
• Work with vendors and customers to bring the best and most secure solutions

Questions

Randall "Fritz" Frietzsche fritzdhhagmailcom

www.linkedin.com/in/randallfrietzsche

rfrietzsche
