The world of technology is complex. Each episode of TechSperience will uncover helpful technology, cybersecurity, cloud, and workplace transformation tips to help the everyday IT professional. Tune in for advice from leading IT experts covering retail, manufacturing, healthcare, K-12, higher education, and more.
Episode 13 – Security Health Check Round Table Discussion
with Penny Conway
This transcript was first posted on the Connection Community
Announcer:
Do you completely know where your organization is vulnerable to cyber security attacks or breaches? Many teams have some, but not full insight into the risk they face in today's business climate. The good news, the Connection Security Team can help shed some light on the issues and prepare you to shore up your defenses.
On this episode of Connection's TechSperience podcast, Penny Conway, our Senior Program Manager for Workplace Transformation, sits down with Steve Nardone, the Director of Cyber Security Practice at Connection, our Senior Security Engineer Bill Virtue, and Rob Di Girolamo, he is a Product Manager for the Security Consulting and Professional Services at Connection. She sits down with them to talk about our security assessment process, what it is, what it looks like, and the value it can bring to your organization.
Penny Conway:
What is a security assessment? That is a very big blanket term, and so why don't we kind of knock it down a notch and just get the down and dirty on what a security health check is.
Steve Nardone:
So, security assessment is actually, you're right, a very, very broad term, and you know, we always talk about in the industry, art versus science when it comes to terminology if you get 6 security professionals in a room and say, "What is a security assessment?", you'll get eleven and a half different answers.
Penny Conway:
(laughs).
Steve Nardone:
So, but in specific the security health check, which is one of our premiere services that we provide our customers, in reality it was designed to help customers that really need to have a good through understanding of risk inside their environment, outside their environment, and also the look of things like social engineering, right, are the users prepared and trained to not click on links or give out information over the phone, and do policy reviews and so on. So it's a very comprehensive process, we like to say it's an a la carte menu, where we can provide a lot of different solutions and services to our customers and, again, it's been very effective, especially for customers who really need help understanding what the risk is and how to address their risk.
Rob, I don't know if you want to go into a little bit more detail about the, the, the SHC?
Rob Di Girolamo:
Yeah. So it- it, as Steve indicated... Tremendously valuable. We see it really helping clients with their requirements in a few different areas, right. We see a lot of clients that are new to an organization, lets say, "I- I don't know a lot about my environment, I don't know where my risks are, can you help me?". We say, we have this wonderful assessment called the Security Health Check, and it's a great way to start, as Steve said, inside and outside, right. You do external pen testing, internal pen testing, a wireless evaluation and pen test router switches conf- router switches, security configuration reviews, firewall reviews testing the human element, right. We can harden systems all we want but humans are becoming more and more obvious as weakest link in anybody's infrastructure.
So, we test humans for social engineering and if clients want we can take a look at policies and procedures and see if they're in line with the best practices. Or offer them guidance or templates on how to improve it. So, it really is this great way for clients to either get an understanding of their environment. Maybe they've never done this type of testing before and really need to get a baseline. One of our favorite expressions on the team is, "uncover the rocks", right? See what's underneath, what's living in those, underneath the rocks, excuse me. So, it's a really good way to get this baseline and start managing risk in your environment. You get wonderful reporting from executive level reports, technical reports and remediation plans, get this soup-to-nuts reporting that says this is where your gaps are, these are where your risks are... now how do I manage against this to improve overall risk posture in my environment.
So, that's our goal for the health check is really become this trusted advisor by uncovering all these issues in the client's environment. Not to say you're doing, you know, you've fallen down and doing something wrong, but you need... This is how you can improve your risk by doing, by taking our recommendations and, and fixing the risks in your environment.
Penny Conway:
Where do you typically see the request for the health check come from? Are you seeing it from sort of the top levels, CESO, or are you seeing it from an IT manager? Where does that conversation start to, you know... Are you reaching out? This is one of the things I, we hear a lot is that there's a whole security practice within an organization, but then there's the whole, you know, IT management practice as well. So who are you talking to first, and kind of doing that health check, and then... where- who do you bring all of those results to?
Rob Di Girolamo:
I love that question. So, what I see a lot in talking to clients is... We're usually in contact with maybe an IT manager, an IT director, and they've gotten a requirement to, from, from their leadership to say, "Can you investigate security assessments?" Which trails back to your original question, how broad is this security assessment, what do you need to do? So we talk to them, and we say, "This is all the interesting things that we can offer you from an assessment, just from a baseline security testing." And they love what they hear, because they had direction to do a security assessment. But, they didn't really understand, what do I actually need to do as part of this? Or maybe they had an idea, but you know, they needed to get lead a little bit down to, these are all the things you should be thinking about.
So that's how the conversation starts, right. Someone says, "Go do a security assessment," or "I would like to do one." And then, we step in and say, "These are all the things you might want to start thinking about." And that usually trails on and starts the conversation.
Steve Nardone:
So, the beauty of the way the assessment is aligned and structured is, it can address the very well-trained, well-focused risk owner with addressing things that they would typically do, right. They know they need to do ethical hacking, they know they need to do policy review. They want to do some level of social engineering training. It also can address the risk owner. And we see this quite frequently, especially in the small to medium business space, where you have a director of IT that has two staff, and they're responsible for everything in the environment IT. Right. All business processing, the applications, configuration and deployment of the systems, maintaining the systems as well as cyber security, oh, by the way. Right?
So we're talking to them, and they say, "You know what? I don't have a deep staff, I don't have a trained set of cyber security professionals on my team. I don't really know what I don't know." And when we hear that, that's a great trigger for talking to them about the Security Health Check.
Penny Conway:
Right. And, kind of the other thing that comes to mind is, w- what stage is- or what mindset is the customer in when you're talking to them? Like, is this a customer that maybe has had a recent breach, and has had to report in? I know a lot of states now are really putting legislation in place to, you know, when you need to report on when... I think the last time we were together, we sort of chatted about that. Like, our company is embarrassed to report security breaches, but now states are saying, you know, if you have X amount of people, if you do this kind of business, then it's going to be mandatory to report in.
So, do you guys see more of those customers who have had an incident, either public or private, and they're trying to react to and make sure it doesn't happen again? Or you have customers that are really, and this is I think what you guys probably love the most, proactively kind of saying, you know, before something happens, we need to do this assessment. So where are you seeing customers sort of fall on that spectrum?
Steve Nardone:
Bill, you want to address that?
Bill Virtue:
Yeah, well, all states have a breach notification law right now. Alabama was the last state to implement one last year. And it does depend on the type of business that the customer is in, the number of records that were breached, the type of data that it was, whether or not it was encrypted, et cetera. You will see some- the breaches that you do see, the public notification breaches that you do see, are ones that have affected the customer at a larger scale. Some of the smaller breaches still don't go announced, they keep them more private.
But in- for the most part, we see customers coming to us, I don't know, it's probably 50/50 for me with customers that are saying, "You know what, I'm concerned about being breached, so what kind of assessment can you offer?" Versus the customer that says, "You know what, we had a security event, you know, at some time in the past, and we want to make sure that now that we've made some changes, that we're protected." So it's sort of a 50/50 split for me.
Penny Conway:
Mm-hmm (affirmative). Interesting.
Steve Nardone:
So, the other thing I- I would add to that, is that, you know again, we get engaged on all different levels with customers, and those that have been breached, I would agree, you know, with Bill's assessment. We do see customers that come to us and say, I have just recently been breached. I have hired somebody, or, you know, I have the ability to be able to remediate that and get that under control, right. So, contain and get their systems back up and running in a full operational state. And they say, "What should I do next?"
So, to your point right, the Security Health Check is a fantastic way for us to go in there, you know, as Rob indicated right, turn over every rock, look underneath it and see what's ugly, determine what needs to be done about it, part- do a complete and total comprehensive review of all the risk in the environment, organize it, prioritize it, and give the customer a remediation plan.
So that is, you know, in itself, just a really effective way for us to be able to help customers. Again, we talked about customers that may- you know, they don't know what they don't know. We also see in some cases a customer will come to us, and they'll ask for, let's say, a penetration test, because they want to be able to do ethical hacking outside their environment. And we'll ask them about, okay, when's the last time you tested inside your environment? And they'll say, "Well... never, really."
Penny Conway:
(laughs)
Steve Nardone:
And we say, "Well, that's a really good thing to do as well, let us tell you what we do from a Security Health Check perspective." And they'll say, "Hmm. That sounds really great, right. Put together a quote, and we'll talk through it." And again, the other beauty of the Security Health Check is when we do present it, again, a la carte. Typically there are seven or eight milestones that are part of it. When we review it with the customer, the customer always has the right to be able to say, "Hey, you know what, now that I've seen all this and I see the methodology and what you guys are going to do, let's hold off on the wireless assessment for now. Because, you know, I'm not really overly concerned about that at this point in time, but all these other things are critical." And we just pull that milestone out, and sell them the Security Health Check without the wireless assessment. It's just a very effective way for us to really, really target and provide a solution for the customer that meets their exact specific needs at that time.
Penny Conway:
Yeah, so they have that a la carte sort of experience. And focusing, you know, what their initiatives are and where they're looking, they can really focus on that. And then, you know, if something like you said, wireless, becomes a security concern for them, they can re-engage your team and sort of get those results through a different assessment.
Steve Nardone:
Yeah, exactly. Right. And they may say something like, "You know what, we're in the middle of upgrading our wireless infrastructure right now," right.
Penny Conway:
Mm-hmm (affirmative).
Steve Nardone:
So obviously, you don't want to test at that particular point in time. And that's very valid. The other thing that helps lead into the Security Health Check, we talked about this a few times in a previous podcast, is the Security Landscape Optimization.
Penny Conway:
Mm-hmm (affirmative).
Steve Nardone:
And we find when we do that review, the full ecosystem review, a lot of times what ends up as one of the primary recommendations, because again, they haven't done the testing, is you know, penetration testing, or a full Security Health Check.
Penny Conway:
So, wh- the security health assessment, and the checks and things like that, are kind of helping showing that snapshot, where you guys can help a customer improve those areas, reinforce those areas, make sure a breach doesn't happen in those areas. But is part of the assessment that you guys do, working with a customer that, if a breach happens, if they are hacked, if they have something, sort of what the game plan is when something goes wrong? We can only be so secure, things are getting more and more sophisticated. I didn't know if that was sort of part of your assessment, is that readiness plan if something were to go wrong.
Steve Nardone:
Absolutely. So, incident response planning is definitely something we help with. And it's not only just helping prepare documentation to say, "These are my critical assets. These are the things I really need to be proactive about either protecting, or when something happens, here's how I'm going to respond and then recover." So that's your documentation side. We also do round table exercises, right. We simulate, you know, your XYZ database went down, what are we going to do about it? And we round table, and we do the scenario where we can really help clients live in the moment. And that helps drive that creation of that plan. So that's really effective, and it's a great question.
Penny Conway:
I love- Because I think what I'm seeing now, when I'm reading, I think, everything's that happened down in Baltimore. With the breaches that they've had over the past year, you know, the big thing that comes to light is, you know, we were aware the- the C- I'm going to- CTO- Chief Information Officer of the entire city of Baltimore came in knowing that there was a lot of gaps in the infrastructure, and end users, and devices, and had this plan to, you know, really revamp the entire environment. But he didn't put any sort of plan in place that, if there was an incident, here's what would happen. And we all know now that there's like an $18M, you know, cost of a security breach that the city of Baltimore is dealing with.
So, it's, I think, something that sometimes customers miss is, while I'm working to get more secure, I'm not necessarily thinking about what happens in the meantime. Because we can only do this stuff so fast.
Steve Nardone:
Yeah, that's absolutely right. And it is actually very systemic in the industry. "Oh, this isn't going to happen to me." We talk about, our standard mantra, right, it's not a matter of if, it's not even a matter of when. You probably already have been breached, and you just don't know it.
Penny Conway:
Mm-hmm (affirmative).
Steve Nardone:
And that's because of the sophistication of the malicious actors that are out there, right. The- what they put in the environment can sit in there, I think the standard numbers are 197 days mean time to identify something in the environment, a malicious piece of software, and about 70 days to contain it. So we know there's a lot of that that's happening in the environment. And so, what customers have to prepare for, and this one of our mantras as well, prepare for the when. Right. It is going to happen, make sure you're prepared for the when.
And that means people, process, and technology, not just, "I have the latest and greatest firewalls," or "I just put this new gateway in," or whatever. Right. It has to be people, process, and technology. There has to be a plan, all the individuals need to be aware, trained, and capable of responding. It's respond and recover, right, that's really the mantra for, for something that may be a disaster, right, a DR strategy.
And, quite frankly, we see in most cases, in fact, Bill probably would agree, right? In the SLO, we see a lot of gaps in that business continuity, disaster recovery area.
Bill Virtue:
That's right. In the, in the GRC space, as part of the SLO, we cover disaster recovery, business continuity, and instant response, and usually that comes back, you know, more than 50% of the time, comes back as a gap. They don't- they just don't have it in place.
Penny Conway:
Right, right.
Bill Virtue:
So.
Penny Conway:
And the newest thing coming on the horizon is the Internet of Things. Everything has the Internet, everything is going to be able to collect data, you know, push back that data. And is Internet of Things currently included in the Security Health Check, or is that something to come?
Steve Nardone:
That is a fantastic question, thank you for taking us there. So it is, it is an assessment process that we have. We do both IoT and IoMT, Medical Things, as part of our assessment process. But we are upgrading the Security Health Check into a cyber security assessment, an IoT, IoMT assessment, and a more thorough, actual detailed data security assessment, will be two of the things that we're adding to that. And we can do those today, and we can actually include them as part of an a la carte process in a Security Health Check, but it's not part of the standard pitch. So if you look at our collateral, right, you won't see that in there.
But you're right, IoT is huge, and we're seeing a lot of issues. We did- we recently just did some testing in an environment, and we found malicious traffic on the network where a CT scanner was trying to reach out to a URL in China.
Penny Conway:
Wow.
Steve Nardone:
And so, fortunately, the environment was contained, and it wasn't getting out of the environment. But that's the type... You know, we have devices, especially in a hospital, medical devices, that are still running Windows 95 or Windows 98, because they're scanning systems or imaging systems that are old, but they cost $20M, right. And so you just can't go out and replace them. You see a lot of vulnerabilities, those systems are corrupted, and a lot of really ugly, malicious things can happen in an environment when you have systems that have those very, very common weaknesses and flaws in the overall operating system itself.
Penny Conway:
Yeah, that's something I, you know, as medical technology adv- advances really quick, like, things are just coming out and being put into hospitals, and could potentially really be a blind spot- you know, you're not thinking a CT scanner- someone's going to hack my CT scanner. Or, someone's heart... What do they, the pacemakers now are all, like, run by the Internet. And you don't think of, or at least I don't think of... Hopefully someone in a hospital's IT department is thinking of those things.
But sometimes happens really fast, and not always, and I think this is kind of universal, is, people are bringing technology into organizations. And that's not necessarily an IT decision-maker's choice, like, who's going to buy the CT scanner. That's not running through IT. That's running through a whole different department. So, kind of a great tip for hospitals, that if you've got all of this equipment coming in that's connected to the Internet that's feeding information back definitely an opportunity to have a security assessment done to kind of find potential risks and gaps in, you know, those devices.
Steve Nardone:
Yeah, absolutely. I mean, give them a complete asset inventory of everything that's in their environment, which we can do, and then tell them what's vulnerable. And some other cool things we can tell them, Rob, right? What are those?
Rob Di Girolamo:
Yeah, we can tell all kind of cool things. We can say if any of these medical devices have open recalls associated to them, or have had recalls in the past. So maybe you have, you know, you knew of three recalls from a couple years ago, but you missed one, whatever the case may be.
Penny Conway:
Yeah.
Rob Di Girolamo:
So we can do open recalls for things like CT scanners or MRI- imaging devices. You can see how utilized they are. So, to Steve's point, right, you have a $20M device, or whatever it is, that's getting used once or twice because it happens to be three floors up from the cheaper equipment that everybody just uses because it's more convenient to get to. So, you could see that that investment that you're making either needs to be moved, or be socialized that you should use this brand-new device that we spent $20M on that we're not getting any return on. So, I mean, cool stuff like that.
And you can also see location of things, too. So, like infusion pumps, or things along those lines. What floor are they on? Are they in the right spot, right?
Penny Conway:
Right.
Rob Di Girolamo:
We bought 600 of these things, but they're all over the hospital, where they should be contained in a locked room on this one specific floor. And you can tell from the position of where they are in the network. So, really cool data points that you can get, you know, maybe not necessarily thinking about the security impact, but just cool data points when you're managing this environment.
Penny Conway:
Right.
Rob Di Girolamo:
So, the biomed team and the IT team can operate really more closely together when they have these data points to work from.
Penny Conway:
Oh, that's a good- a great point. And like I said, something I don't think, maybe people are actively realizing, how many devices out there connected to the Internet that, one, need to be tracked, and be, you know, secured. If there's potential to send CT scan information back out to China. (laughs).
Rob Di Girolamo:
Or like, medical device implants, right? That's terrifying. But there's been vulnerabilities against these things, where they, you know, malicious actors can drain batteries on your medical device implant. It's terrifying.
Penny Conway:
So, what is the, how does a customer engage with your team to kind of get this Security Health Check put in place for them?
Bill Virtue:
If the customer is interested in pursuing the health check, through their account manager, or the account manager typically reaches out to my team on the pre-sales side. And then we- we jump on a call, and just sort of cover what the health check is, and how it works, some of the mechanics of it. And then through a ticketing process internally, we start the process off with a kick-off call, and go through the process.
Penny Conway:
Excellent. So if you are out there listening, and you have the need, or the desire, because now you've heard all the cool things that we can pick up in the Security Health Check with our team, reach out to your account manager. Or if you are new to Connection, visit our website and give us a call, and we will connect you with our security team and not only find, maybe, devices you didn't know were out there but show you some areas of vulnerability and how our team can help you improve.
Thanks so much, guys.
Steve Nardone:
Thank you. Appreciate it.
Rob Di Girolamo:
Thank you.
Bill Virtue:
Thanks.