Penetration testing is something that more companies and organizations should be considering a necessary expense. Pen Testing  is an important aspect of discovery and identifying potential critical vulnerabilities within your organizations external network, internal network, applications, or systems. They provide a valuable insight on how your digital and human assets perform.

In this episode we review the criticality of scoping a Pen Test, along with differences between Pen Testing, Red Teaming and Vulnerability Assessment. Why should you choose one over the other and when would one proceed the other.

Sponsored by: Hacket Cyber and post game interview with Founder James Carroll.  Hacket Cyber is a security consulting firm specializing in penetration testing, ethical hacking, and industry-leading cybersecurity services. Our offerings are purpose-built for the MSP, MSSP, and VAR channels.  https://hacketcyber.com/partner/

James Carroll LinkedIn: https://www.linkedin.com/in/jchax/

Co-hosts:
Ryan Weeks: https://www.linkedin.com/in/ryanweeks/
Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/
Wes Spencer: https://www.linkedin.com/in/wesspencer/

The biggest takeaway from CIS Control 17 is that planning and communication are critical when responding to an incident. The longer an intruder has access to your network, the more time they’ve had to embed themselves into your systems. Communicating with everyone involved can help limit the duration between attack and clean-up.

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

Our sponsor: Exigence (https://www.exigence.io) is a multi-tenant, Incident Readiness, Incident Response platform, built for MSP/MSSPs. Drive new revenue streams and meet cyber insurance & regulatory requirements for Incident Response plans and tabletops.
 
The Exigence platform gives you full control of critical incidents by uniquely addressing every aspect of the incident – turning an unstructured situation into one that is structured and easy to manage. ​

 It coordinates all stakeholders and systems all the time, orchestrates complex workflows from trigger to resolution, simplifies the post-mortem, and always leverages lessons learned for doing it even better next time.

Contact Noam here: noam@exigence.io

Co-hosts:
Ryan Weeks: https://www.linkedin.com/in/ryanweeks/
Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/
Wes Spencer: https://www.linkedin.com/in/wesspencer/
'

CIS Control 16 - Application Software Security
The way in which we interact with applications has changed dramatically over years. Organizations use applications in day-to-day operations to manage their most sensitive data and control access to system resources. Instead of traversing a labyrinth of networks and systems, attackers today see an opening to turn an organizations applications against it to bypass network security controls and compromise sensitive data.  NOTE: Crowdstrike notes that Cloud based attacks and initial access via these systems has increased 112%, therefore SaaS applications, their potential vulnerabilities and misconfigurations along with initial access are all being focused on by threat actors.

**Jim Manico at minute 52:40 - do not miss!!**

Our sponsor: Jim Manico, Founder of Manicode is considered the "Godfather" of the OWASP Top 10 and trains software development teams around the globe. His firm helps organizations building secure code and creates programs to address the primary cause of insecurity, which is the lack of secure software development practices.
Contact Jim here: https://manicode.com/

Co-hosts:
Ryan Weeks: https://www.linkedin.com/in/ryanweeks/
Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/
Wes Spencer: https://www.linkedin.com/in/wesspencer/
'

LastPass and the recent Rackspace Exchange incident are two prime examples of "why" this Control is Critical!!

Develop a process to evaluate service providers who hold sensitive data, or are responsible for critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

Identify your business needs and create a set of standards that can be used to grade services providers that are being proposed. 

Organize and monitor all services providers that are associated with your business. Keeping an inventory of all services providers will enable you to monitor them in case they update their policies. 

Co-hosts:
Ryan Weeks: https://www.linkedin.com/in/ryanweeks/
Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/
Wes Spencer: https://www.linkedin.com/in/wesspencer/

MSP/MSSPs should offer solutions to provide users with frequent security awareness training to increase its overall security posture. The information provided by the security awareness training should be relevant and provide insights into recent security incidents. Training should also reiterate the necessity of using strong passwords, spotting and reporting phishing attacks, as well as properly handling personal information. 

Security awareness training should include frequent phishing tests. Phishing tests allow users to learn from their mistakes and utilize their training to spot actual phishing attacks. These phishing tests should be specially crafted for different departments within an enterprise. Specially crafted phishing tests are harder to detect and demonstrate the value of security awareness training.

👏Special thanks to Phin Security for their sponsorship and interview.

Connor Swalm: https://www.linkedin.com/in/connor-swalm/

Co-hosts:
Ryan Weeks: https://www.linkedin.com/in/ryanweeks/
Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/
Wes Spencer: https://www.linkedin.com/in/wesspencer/

Network monitoring and defense is one of only two controls that does not contain any Implementation Group 1 Safeguards in Controls version 8.  This control is geared towards mature MSPs, MSSPs & organizations who have a mindset of  continuous improvement  that involves people, process, and technology.  Service providers  need a well-trained staff that executes on their network monitoring, detection, logging, correlation of events in order to thwart malicious attacks.

👏Special thanks for ConnectWise sponsorship and interview.

Drew Sanford: https://www.linkedin.com/in/drewsanford/

Co-hosts:
Ryan Weeks: https://www.linkedin.com/in/ryanweeks/
Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/
Wes Spencer: https://www.linkedin.com/in/wesspencer/

Abstract: Network Infrastructure Management - Establish, implement, and actively manage network devices, in order to prevent attackers from exploiting vulnerable network services and access points. 

Network infrastructure devices can be physical or virtual and include things such as routers, switches, firewalls, and wireless access points. Unfortunately, many devices are shipped from manufacturers with “default” configuration settings and passwords that, if deployed as-is, can significantly weaken an organization’s network infrastructure.  Even if network devices are hardened with non-default configurations and strong passwords, over time these devices will be targeted by new vulnerabilities that are discovered by security researchers.

MSPs should ensure that their teams implementing and operating the network infrastructure have processes and procedures in place that include capabilities for having a secure network infrastructure.

👏Special thanks for Domotz sponsorship and interview. 
ONLY $21 per Network!!  Incredible for MSP COGS!!
Key areas Domotz helps MSPs: Control 1 | Continuous Discovery of new devices | checking for default passwords | Alerting on changes (ports, protocols, configurations) | being able to revert back (backup) | logging and auditing of changes and much more!!

🙌 JB Fowler: https://www.linkedin.com/in/jb-fowler-1302023/  & Giancarlo Fanelli https://www.linkedin.com/in/giancarlofanelli/

 👉Domotz's Security Standards: https://www.domotz.com/knowledge-base/Domotz-Security-Standards-2021-March.pdf

Domotz MSP: https://www.domotz.com/msp.php

Co-hosts:
Ryan Weeks: https://www.linkedin.com/in/ryanweeks/
Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/
Wes Spencer: https://www.linkedin.com/in/wesspencer/

Abstract: Data loss can be a consequence of a variety of factors from malicious ransomware, threat actors using "Double Extortion" and exfiltration, human error and natural disasters like hurricanes.  Regardless of the reason for data loss, we need to have a process established (RPO/RTO) to recover our data. 

Key Takeaways for Control 11

1. Prioritize your data and come up with a data recovery plan.
2. Protect your backed up data. (See Control 3: Data Protection.)
3. Practice and Test restoring your data.
4. Restore your data after any compromise.

 👉Datto's BCDR Resource Center: https://www.datto.com/resources?page=4&categories=BCDR

🙌 Rob Rae: https://www.linkedin.com/in/robtrae/ - special thanks for Datto's sponsorship and interview.

Co-hosts:
Ryan Weeks: https://www.linkedin.com/in/ryanweeks/
Phyllis Lee: https://www.linkedin.com/in/phyllis-lee-21b58a1a4/
Wes Spencer: https://www.linkedin.com/in/wesspencer/