The Virtual CISO Moment
By Greg Schaffer
The Virtual CISO Moment with Greg Schaffer dives into the stories of information security, information technology, and risk management pros; what drives them and what makes them successful while helping small and midsized business (SMB) security needs. No frills, no glamour, no transparent whiteboard text, no complex graphics, and no script - just honest discussion of SMB information security risk issues. Quick strike and wrap up audio-only episodes drop Mondays and Fridays; Throwback Thursday episodes are repeats. Twitter: @VirtualCISO1, email: email@example.com #cybersecurity #infosec
The Virtual CISO Moment S4E61 - A Conversation with Derek Andrews
Derek Andrews, Incident Response Manager at a Financial Institution, joins VCM to discuss his journey, incident response in the financial sector, and different types of virtual CISOs from the perspective of one who has worked with both the good and not so good. He also explains why he is the Resident Birdman of LinkedIn!
December 06, 2022
VCM Quick Strike for Monday, December 5, 2022
Chrome zero day (again), offshore energy cyber threats, Rackspace Exchange hit by "incident", Australia dramatically increases breach penalties, and a ping vuln in FreeBSD - plus a couple of thoughts for entry-level information security analysts. https://cybersecuritynews-com.cdn.ampproject.org/c/s/cybersecuritynews.com/google-chromhe-9th-zero-day-bug/?amp https://www.pipeline-journal.net/news/us-offshore-natural-gas-oil-infrastructure-faces-rising-cybersecurity-threats https://www.securityweek.com/rackspace-shuts-down-hosted-exchange-systems-due-security-incident https://www.bleepingcomputer.com/news/security/australia-will-now-fine-firms-up-to-au50-million-for-data-breaches/ https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html
December 05, 2022
The Virtual CISO Moment Wrap Up for Friday, December 2, 2022
LastPass second incident, aged domains, Trigona ransomware, unemployment benefit fraud, ConnectWise flaw, attackers target FI customers, and this week's 2023 predictions from SpiceWorks - plus some thoughts on cyber culture. https://thehackernews.com/2022/12/lastpass-suffers-another-security.html https://www.bleepingcomputer.com/news/security/crafty-threat-actor-uses-aged-domains-to-evade-security-platforms/ https://www.techradar.com/news/this-new-ransomware-is-seeing-rapid-growth-so-beware https://www.infosecurity-magazine.com/news/eight-30m-unemployment-benefits/ https://krebsonsecurity.com/2022/12/connectwise-quietly-patches-flaw-that-helps-phishers/? https://www.scmagazine.com/news/email-security/attackers-target-vulnerable-financial-customers-rather-than-the-institutions-themselves https://www.spiceworks.com/it-security/cyber-risk-management/interviews/top-cybersecurity-trends-2023/
December 02, 2022
Throwback Thursday for December 1, 2022 - A Conversation with Jack Poltorak
Jack Poltorak discusses vCIO and vCISO services offered by MSSPs, how those services may not be exactly what a small or midsized business (SMB) is looking for, and tips on how an SMB can ensure it is getting the virtual CISO services it needs.
December 01, 2022
The Virtual CISO Moment S4E60 - A Conversation with Jacob Horne
In this month's special end of month Wednesday episode we talk with Jacob Horne, who was born with a rare genetic mutation that allows him to read NIST publications and government regulations without experiencing boredom like a normal person and has made a career out of using this power for good. He does a great job of using NIST SP 800-53 to clarify the bizarre, heavily tailored world of NIST SP 800-171 and CMMC - if you're interested in CMMC you must follow him on LinkedIn! He is also co-host of the Sum It Up podcast which sums up the news and developments relevant to CMMC; DFARS and other regulations; and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
November 30, 2022
The Virtual CISO Moment S4E59 - A Conversation with Cheri Hotman
Cheri Hotman of the Hotman Group (https://hotmangroup.com) is a CPA, has her MBA, and is a CISSP - a combination rare in information security. She discusses her experiences and lessons learned managing a business providing quality virtual CISO services to a variety of clients, including navigating "the land of 1000 piranhas"!
November 29, 2022
VCM Quick Strike for Monday, November 28, 2022
Cyber Monday, FCC bans Chinese equipment, Twitter breach cover up, WhatsApp data leak, and BMC firmware flaws - plus thoughts about how the interconnected world got something wrong for me. https://news.yahoo.com/fbi-warning-shoppers-online-holiday-172655986.html https://securityaffairs.co/wordpress/138998/breaking-news/fcc-bans-import-chinese-equipment.html https://www.cshub.com/attacks/news/iotw-twitter-accused-of-covering-up-data-breach-that-affects-millions https://cybernews.com/news/whatsapp-data-leak/ https://thehackernews.com/2022/11/over-dozen-new-bmc-firmware-flaws.html
November 28, 2022
The Virtual CISO Moment Wrap Up for Friday, November 25, 2022
Cybersecurity as part of business strategy, free resources from CISA, dysfunctional security team isn't good, AirAsia ransomware affects 5 million, and more predictions for 2023, this time from Deloitte - plus are we heading for a cybersecurity compensation bubble burst? https://www.forbes.com/sites/forbestechcouncil/2022/11/21/why-cybersecurity-should-be-part-of-any-business-strategy/ https://www.helpnetsecurity.com/2022/11/21/5-free-resources-cybersecurity-and-infrastructure-security-agency-cisa/ https://technative.io/cybersecuritys-too-important-to-have-a-dysfunctional-team/ https://www.databreaches.net/airasia-victim-of-ransomware-attack-passenger-and-employee-data-acquired/ https://venturebeat.com/security/deloitte-cybersecurity-predictions-2023/
November 25, 2022
Throwback Thursday for November 24, 2022 - A Conversation with Monica Rowe
From August 9, 2022 - CISO and vCISO Monica Rowe joins us to discuss cybersecurity in financial services; the benefits of sharing information through ISACs, presentations, and other means; and how to provide a sense of calm to the cybersecurity storm.
November 24, 2022
The Virtual CISO Moment S4E57 - A Conversation with Robin Wilde
Robin Wilde is the Director of Business Solutions for TeamHealth. She is passionate about project management and cyber security, particularly Identity Management, as well as promoting women in cyber. She holds a variety of certifications, including the CISSP, CRISC, PMP, ACP, CSP, and Prosci, demonstrating her vast skillset and experience. She introduces the phrase "privilege sprawl" - listen to find out what that means!
November 22, 2022
VCM Quick Strike for Monday, November 21, 2022
MS zero day (and a term I should have known), banning cyber ransom payments, FI IT staff greatest cybersecurity risk, cybersecurity is the C-Suite responsibility, and five "starter" certs. https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-security-bypass-zero-day-to-drop-malware/amp/ https://theconversation.com/australia-is-considering-a-ban-on-cyber-ransom-payments-but-it-could-backfire-heres-another-idea-194516 https://www.scmagazine.com/news/cloud-security/many-financial-institutions-say-their-own-it-staffs-pose-the-biggest-risk-to-cloud-security https://www.mbanews.com.au/former-google-vp-believes-cyber-security-is-a-c-suite-responsibility/ https://www.businessnewsdaily.com/9661-cybersecurity-certifications.html
November 21, 2022
From The Vault - Information Security Policies
From November 13, 2019 - Information security policies direct the governance of the information security program. What are the elements of effective policies, and what mistakes do SMBs often make with their information security policy program?
November 19, 2022
The Virtual CISO Moment Wrap Up for Friday, November 18, 2022
CISA claims elections secure, US network hacked, 42,000 imposter domains used by attackers, iOS 16 security features, CheckPoint predictions, and the security posture of Twitter. https://www.infosecurity-magazine.com/news/cisa-midterm-uncompromised-by/ https://cybersecuritynews.com/u-s-federal-network-hacked/ https://thehackernews.com/2022/11/chinese-hackers-using-42000-imposter.html https://9to5mac.com/2022/11/16/5-important-ios-16-iphone-security-features/ https://www.expresscomputer.in/news/check-point-softwares-cybersecurity-predictions-for-2023-expect-more-global-attacks-government-regulation-and-consolidation/91777/ https://www.wired.com/story/twitter-mega-breach-what-if/
November 18, 2022
Throwback Thursday for November 17, 2022 - A Conversation with Steve Mallard
From August 2, 2022 - Steve Mallard has over 20 years in Information Technology; is a Master Teacher in Information Technology/Infrastructure Management and Information Systems Manager at Tennessee College of Applied Technology - Shelbyville; is a private consultant for government organizations, higher-ed, and private corporations, a technical writer, and a public speaker on cybersecurity. He has also organized for many years the Middle Tennessee Cyber Conference (https://middletncyberconf.com/), held this year at Embassy Suites in Murfreesboro, Tennessee. In addition to his numerous career accomplishments, his contribution to the next generation of cyber professionals is unparalleled.
November 17, 2022
VCMS4E58 - The RETR3AT Sessions - A Conversation with Lin Clark
Lin Clark, the Carolina Cyber Center's SOC Director, discusses how the SOC benefits both the students in the Carolina Cyber Center program and the western North Carolina small business community. Recorded at RETR3AT Cyber Conference Montreat College September 23, 2022. Audio only.
November 16, 2022
The Virtual CISO Moment S4E57 - A Discussion About Cybersecurity Consulting
I've started a limited YouTube series on lessons I've learned from being a successful consulting business owner. It's not all sunshine and roses, and I've made a lot of mistakes, but I've learned from them. Here are the first two episodes - Consulting: Introduction and Consulting: Risk Assessment. If you find these interesting and useful, please subscribe to the vCISO Services, LLC YouTube channel (link below) to be notified when future episodes drop (episodes drop roughly weekly, and episode three will drop the week of November 14th). https://youtube.com/@vciso
November 15, 2022
VCM Quick Strike for Monday, November 14, 2022
KmsdBot, email server extortion, Fed requirements and ITAM, CMMC advice, ways data can be exposed, and a primer on pen testing - plus thoughts on when pen tests aren't exactly pen tests (and the SMB loses out). https://thehackernews.com/2022/11/new-kmsdbot-malware-hijacking-systems.html https://www.infosecurity-magazine.com/news/mass-email-extortion-claims-server/ https://itassetmanagement.net/2022/11/07/us-federal-cybersecurity-requirements-raise-itam-for-all/ https://washingtontechnology.com/companies/2022/11/cmmcs-father-warns-companies-not-wait-final-rule/379617/ https://www.csoonline.com/article/3675542/8-strange-ways-employees-can-accidently-expose-data.html https://www.intruder.io/blog/what-is-an-external-pentest
November 14, 2022
The Virtual CISO Moment Wrap Up for Friday, November 11, 2022
Why phishing emails have typos, repeat ransomware demands, SMS used in banking attack, CISOs making job changes, Twitter CISO and CPO resign, plus some thoughts on the Twitter infosec exodus. https://securityboulevard.com/2022/11/why-do-phishing-emails-have-such-obvious-typos/ https://www.insurancejournal.com/news/national/2022/11/09/694534.htm https://thehackernews.com/2022/11/warning-this-widespread-malicious.html https://www.zdnet.com/google-amp/article/cybersecurity-leaders-want-to-quit-heres-what-is-pushing-them-to-leave/ https://www.cnn.com/2022/11/10/tech/twitter-executives-resign/index.html
November 11, 2022
Throwback Thursday for November 10, 2022 - A Conversation with Anthony Scarola
From July 26, 2022 - Anthony Scarola is an IT Governance, Risk, and Compliance (GRC) expert; has many years in cybersecurity; is a U.S. Army veteran; holds the CISSP; and is a virtual CISO. And he's writing a security book! Listen to his wisdom as it pertains to risk management and learn one mistake many may make when discussing risk with the C-suite and board of directors.
November 10, 2022
VCMS4E56 - The RETR3AT Sessions - A Conversation with Rob Bowker
Rob Bowker, Sales Director at EasyDMARC, explains the risks of email spoofing, the benefits of implementing DMARC in addition to DKIM and SPF, and how EasyDMARC helps to manage DMARC. Recorded at RETR3AT Cyber Conference Montreat College September 23, 2022.
November 09, 2022
The Virtual CISO Moment S4E55 - A Conversation with Jake Williams
Jake Williams is a cybersecurity manager and aspiring CISO, currently pursuing his MBA. He is also well-versed in CMMC, and we dive into some elements of this somewhat confusing standard/requirement.
November 08, 2022
VCM Quick Strike for Monday, November 7, 2022
National Guard to assist with election cyber security, supply chain stops train, predictions for 2023, MFA fatigue explored, and CEO sanctioned in breach, plus thoughts on the C-Suite and Board of Directors responsibility. https://www.politico.com/news/2022/11/04/nationa-guard-midterm-election-cybersecurity-00065236 https://www.securityweek.com/cyberattack-causes-trains-stop-denmark https://www.proofpoint.com/us/blog/ciso-perspectives/cybersecurity-predictions-for-2023 https://www.theregister.com/AMP/2022/11/03/mfa_fatigue_enterprise_threat/ https://therecord.media/ftc-seeks-action-against-drizly-and-its-ceo-for-cybersecurity-failures/
November 07, 2022
The Virtual CISO Moment Wrap Up for Friday, November 4, 2022
2022 cybersecurity threat landscape report, election cybersecurity concerns, arrest in dark web market, five cybersecurity mistakes for businesses, and a primer on threat hunting - plus thoughts on career planning and management. https://www.enisa.europa.eu/news/volatile-geopolitics-shake-the-trends-of-the-2022-cybersecurity-threat-landscape https://www.helpnetsecurity.com/2022/10/31/election-cybersecurity/ https://www.bleepingcomputer.com/news/security/student-arrested-for-running-one-of-germany-s-largest-dark-web-markets/ https://venturebeat.com/security/5-cybersecurity-mistakes-that-will-haunt-you/ https://securityboulevard.com/2022/11/the-no-nonsense-benefits-of-threat-hunting/
November 04, 2022
Throwback Thursday for November 3, 2022 - A Conversation with J.J. Powell
From July 19, 2022 - J.J. Powell of Cyber Defense Group (https://www.cdg.io/) discusses his career journey from police officer to system administrator to CISO and now to leading virtual CISO services. He was also a pivotal factor in my decision to leave corporate and become an independent vCISO - listen to find out what was "the straw that broke the camel's back" for me!
November 03, 2022
VCMS4E54 - The RETR3AT Sessions - A Conversation with Dan Bradley
Dan Bradley, CIPP/E, CIPP/US, CIPM, is the Senior Associate General Counsel at Global Payments, Inc. and a former Federal Prosecutor. We discuss privacy regulations both for financial institutions and SMBs, including the importance of frameworks. Recorded at RETR3AT Cyber Conference Montreat College September 23, 2022.
November 02, 2022
The Virtual CISO Moment S4E53 - A Conversation with Christian Espinosa
Christian Espinosa is the author of "The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity", Founder and CEO of Alpine Security, a cybersecurity engineer, certified high-performance coach, professor, and lover of heavy metal music and spicy food. He’s also an Air Force veteran and Ironman triathlete. He used to value being the “smartest guy in the room,” only to realize that his greatest contribution to the fight against cybercrime is his ability to bring awareness to the issue through effective communication. Christian is a speaker, coach, and trainer in the Secure methodology, helping to make the smartest people in the room the best leaders in the field. For more information, visit www.christianespinosa.com, and to order his book, visit https://www.amazon.com/dp/B08T6QK6FN.
November 01, 2022
VCM Quick Strike for Monday, October 31, 2022
Midterm election caution, OpenSSL critical update, copper producer Aurubis attacked, possible intrusion at Bed Bath and Beyond, Liz Truss potential phone hack, and thoughts about the risks of using personal devices for corporate business. https://www.reuters.com/world/us/complex-threat-environment-ahead-midterm-elections-top-cybersecurity-official-2022-10-30/ https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html https://www.bleepingcomputer.com/news/security/largest-eu-copper-producer-aurubis-suffers-cyberattack-it-outage/ https://finance.yahoo.com/news/bed-bath-beyond-reviewing-possible-125236580.html https://www.msn.com/en-us/news/world/unconfirmed-liz-truss-phone-hack-report-prompts-calls-for-investigation/ar-AA13xVrU
October 31, 2022
The Virtual CISO Moment Wrap Up for Saturday, October 29, 2022
Australia to increase breach fines, patients affected by breach do not have standing to sue, 22-year old vulnerability discovered, two POS malware used in breach, cyber insurance considerations from the NACD blog, and some thoughts on risk treatment. https://www.abc.net.au/news/2022-10-21/data-breach-fines-increase-after-medibank-optus-hacks/101564614 https://www.vitallaw.com/news/hipaa-d-kan-patients-allegedly-victimized-by-computer-security-breach-at-county-hospital-lack-standing-to-assert-claims/hld01191d00ea3679403594877f366c89a047 https://thehackernews.com/2022/10/22-year-old-vulnerability-reported-in.html https://thehackernews.com/2022/10/cybercriminals-used-two-pos-malware-to.html https://blog.nacdonline.org/posts/crossroads-cyber-insurance-covered
October 29, 2022
Throwback Thursday for October 27, 2022 - A Conversation with Johanan (Jo) Dixon
From July 12, 2022 - Johanan (Jo) Dixon talks about life in the Marine Corps, as an MMA amateur fighter, and as a Title boxing instructor, and how these helped prepare him for his journey to cybersecurity and his current role with Halcyon (https://www.halcyon.ai/). And he's starting up a new podcast!
October 27, 2022
The Virtual CISO Moment S4E52 - A Conversation with Marci McCarthy
Marci McCarthy is CEO and President at T.E.N., and CEO and Chairman at ISE® Talent. She founded T.E.N.’s flagship program, the Information Security Executive® of the Year (ISE®) Program Series, which is lauded by the IT industry as the premier recognition and networking program for security professionals in the U.S. and Canada. She is a 2012 recipient of a 4th Congressional District of Georgia Citation for fostering greater visibility and professionalism for the IT security industry, naming March 13th “Marci McCarthy Day.” She was listed as one of IFSEC Global’s Security and Fire Influencers for 2018 as #3 of 20 total leaders in their Cybersecurity category; she was also the highest-ranking woman on the list. She is also the DeKalb GOP Chairman (Georgia). She joins us to discuss information security and election integrity.
October 26, 2022
The Virtual CISO Moment S4E51 - A Conversation with Albert Whale
Albert Whale is Founder and CEO of IT Security Solutions, Inc and the developer of ITS Safe, which provides real-time continuous protection at machine speed. He has over 30 years of experience reducing risk for business owners and minimizing their liabilities and overall risk. He has extensive experience in the techniques that criminal hackers use and identifies the probability and impact of the risks to their business. He is the author of #Hacked and the primary author of #Hacked2. https://its-safe.com/ https://thehackedbook2.com/
October 25, 2022
VCM Quick Strike for Monday, October 24, 2022
"VSOC", nonprofit cybersecurity challenges, seven steps to defend healthcare agencies, workforce shortage, loss of GPS for flight navigation in Dallas, and some thoughts on aviation and navigation from my active pilot days. https://www.theregister.com/2022/10/18/ntt_denso_security_for_cars/ https://www.csoonline.com/article/3676668/altruism-under-attack-why-cybersecurity-has-become-essential-to-humanitarian-nonprofits.html https://www.helpnetsecurity.com/2022/10/18/7-critical-steps-defend-healthcare-sector-against-cyber-threats/ https://www.secureworld.io/industry-news/isc2-cybersecurity-industry-workforce-shortage https://www.bloomberg.com/news/articles/2022-10-18/faa-warns-airline-pilots-as-gps-signals-disrupted-around-dallas
October 24, 2022
The Virtual CISO Moment Wrap Up for Friday, October 21, 2022
Google forms COVID phish, US national cybersecurity strategy, Microsoft customer data breach, economic uncertainty and the effect on cyber risk, and skill resources and advice for CISOs - plus what I believe is an important certification for CISOs that is not talked about too often. https://www.bleepingcomputer.com/news/security/google-forms-abused-in-new-covid-19-phishing-wave-in-the-us/ https://www.cyberscoop.com/inglis-previews-national-cyber-strategy/ https://www.bleepingcomputer.com/news/security/microsoft-data-breach-exposes-customers-contact-info-emails/amp/ https://www.helpnetsecurity.com/2022/10/17/economic-uncertainty-increasing-cybersecurity-risks/ https://www.csoonline.com/article/3676130/top-skill-building-resources-and-advice-for-cisos.html
October 21, 2022
Throwback Thursday for October 20, 2022 - A Conversation with William Birchett
From July 5, 2022 - William Birchett, President of Logos Systems and creator of the vCISO Network, discusses the virtual CISO space including elements that make a successful vCISO, the biggest threat to SMBs (it's not ransomware!), and his future plans to help the vCISO field through Logos Systems, the vCISO Network, and other endeavors.
October 20, 2022
VCMS4E50 - The RETR3AT Sessions - A Conversation with Jon Sternstein
Jon Sternstein is the Founder and Principal of Stern Security, a cyber security company headquartered in Raleigh, NC. He is co-author of the Cisco Press course titled “Security Penetration Testing (The Art of Hacking) LiveLessons”, holds many security certifications including: GIAC Penetration Tester and Certified Information Systems Security Professional (CISSP), is a featured cyber security expert, and talks with us about managing risks - and a little guitar! Recorded at RETR3AT Cyber Conference Montreat College September 23, 2022.
October 19, 2022
The Virtual CISO Moment S4E49 - A Conversation with Keith Maune
Keith Maune, Founder & COO at Acumen Technology, discusses his IT and cybersecurity path, from doing consulting work for companies needing website design and programming services, working after school and full-time during the summers, pursuing a BS and MBA while working full-time as co-owner and CIO of Advanced Network Solutions, earning a law degree, and launching Acumen Technology, a comprehensive managed services organization that serves Middle Tennessee as the premier IT services provider for community banks, healthcare providers, and professional services organizations.
October 18, 2022
VCM Quick Strike for Monday, October 17, 2022
AMLBot cleans house, Windows zero day details, white hat and black hat, Magniber ransomware, and SMBs feeling financial pain from county system attack. https://krebsonsecurity.com/2022/10/anti-money-laundering-service-amlbot-cleans-house/ https://www.hackademicus.nl/experts-disclose-technical-details-of-now-patched-cve-2022-37969-windows-zero-day/ https://www.bestcolleges.com/bootcamps/guides/white-hat-black-hat/ https://www.infosecurity-magazine.com/news/magniber-ransomware-adopts/ https://bronx.news12.com/county-vendors-feeling-the-pinch-of-suffolk-computer-systems-hack
October 17, 2022
From The Vault - Information Security Theater
From January 1, 2020 - Information security theater, improvements that look and sound good but make no real impact on the overall security stance of an organization, can do more harm than good. Are you understanding the information security risks of your organization before designing and implementing controls?
October 14, 2022
The Virtual CISO Moment Wrap Up for Friday, October 14, 2022
Update on Optus, why ji32k7au4a83 is a common password, Russia's version of GitHub, Lockbit used in attack, Malwarebytes new MDR, White House unveils IoT labeling initiative, and a new CMMC-focused podcast - plus a few thoughts on podcasts in general. https://www.cisc.gov.au/news-media/archive/article?itemId=955 https://www.gizmodo.com.au/2022/10/why-ji32k7au4a83-is-a-remarkably-common-password/ https://cybernews.com/news/russias-version-of-github/ https://www.theregister.com/2022/10/14/nhs_software_hosting_provider_advanced_ransomware_lockbit/ https://www.securityweek.com/malwarebytes-launches-mdr-solution-smbs https://www.cyberscoop.com/white-house-to-unveil-internet-of-things-labeling/ https://www.youtube.com/watch?v=VjmXH7b5kJU&ab_channel=Summit7Systems
October 14, 2022
Throwback Thursday for October 13, 2022 - A Conversation with Dick Wilkinson
In today's Throwback Thursday episode from June 28, 2022, Dick Wilkinson, CTO and Co-founder of Proof Labs, discusses securing space, the transition to entrepreneur, the vCISO discipline, and more!
October 13, 2022
VCMS4E48 - The RETR3AT Sessions - A Conversation with Michelle Pupoh
Michelle Pupoh is the Senior Director of Cybersecurity Education at the Carolina Cyber Center. She discusses the approach the center takes in training the next generation of cyber professionals, including the importance of ethics and soft skills. Recorded at RETR3AT Cyber Conference Montreat College September 23, 2022.
October 12, 2022
The Virtual CISO Moment S4E47 - A Conversation with David Leech
David Leech is a vCISO using his global, operational, program management, and security experience together with leadership skills to drive digital transformation, product innovation, and risk reduction for business growth, involving work across Risk Management, Technical Architecture, Control Frameworks, HIPAA, FFIEC, PCI, HITRUST, FedRAMP, and SOC compliance. He has supported clients in multiple sectors, including Finance, Manufacturing, Insurance, Healthcare and GovEd.
October 11, 2022
VCM Quick Strike for Monday, October 10, 2022
Uber trial a lost opportunity to promote cyber governance, hacked IP scanning tool, leak of Alder Lake BIOS, LilithBot Malware as a Service, and healthcare provider IT incident likely malware - plus thoughts on the importance of business continuity table top exercises. https://www.forbes.com/sites/jodywestby/2022/10/08/uber-trial-a-lost-opportunity-for-cyber-governance/amp/ https://www.scmagazine.com/analysis/network-security/backdoored-version-of-popular-network-admin-tool-hits-80-organizations-around-the-globe https://thehackernews.com/2022/10/intel-confirms-leak-of-alder-lake-bios.html https://www.theregister.com/2022/10/10/eternity_lilithbot_malware_bundle/ https://www.healthcaredive.com/news/commonspirits-it-security-incident-likely-cyberattack-security-expe/633509/
October 10, 2022
The Virtual CISO Moment Wrap Up for Friday, October 7, 2022
Threat actors may influence US midterm elections, DIB org attacked by APT, an interesting approach to password expiration policies, an updated primer and review on cyber insurance, and Uber's CISO convicted on two counts related to breach actions - plus more thoughts on ethics. https://www.ic3.gov/Media/PDF/Y2022/PSA221006.pdf https://www.bleepingcomputer.com/news/security/hackers-stole-data-from-us-defense-org-using-impacket-covalentstealer/amp/ https://www.helpnetsecurity.com/2022/10/04/mandatory-password-expiration-helping-or-hurting-password-security/ https://www.csoonline.com/article/3643054/cyber-insurance-explained.amp.html https://thehackernews.com/2022/10/former-uber-security-chief-found-guilty.html https://www.justice.gov/usao-ndca/press-release/file/1306781/download
October 07, 2022
Throwback Thursday for October 6, 2022 - A Conversation with Nick Santora
From June 21, 2022 - Nick Santora, CEO of Curricula (curricula.com), discusses information security awareness and how Curricula uses storytelling to make both short term and long term impressions, resulting in increased security across the organization. He also discusses his path to entrepreneur, challenges in the SMB infosec awareness space, and "wisdom walks"!
October 06, 2022
VCMS4E46 - The RETR3AT Sessions - A Conversation with Joe Jakubielski
Joe Jakubielski is a Cyber Defense Analyst with the Carolina Cyber Center. He discusses his recent pivot to a new career in cyber, including challenges and opportunities ahead. Recorded at RETR3AT Cyber Conference Montreat College September 23, 2022.
October 05, 2022
The Virtual CISO Moment S4E45 - A Conversation with Gary Chan
Gary Chan of Alfizo LLC helps businesses stay secure from hackers and insider threats, meet legal and regulatory compliance, and enable sales by meeting their customers' expectations for security. He is also a "security mentalist", and if you're like me and have never heard of this term, you need to check out this episode - it's fascinating! Gary's websites:
• Creating memorable experiences for corporate audiences, https://www.gschan2000.com/
• Helping organizations build their information security programs, https://alfizo.com/
October 04, 2022
VCM Quick Strike for Monday, October 3, 2022
ICO fines privacy-invading firms, disgruntled former admin does damage with unrevoked access, healthcare fraud results in fines and jail time, Comm100 supply chain attack, banks fined $1.8B for using unauthorized apps to communicate, and a few thoughts on shadow IT. https://www.infosecurity-magazine.com/news/ico-fines-four-predatory/ https://www.bleepingcomputer.com/news/security/fired-admin-cripples-former-employers-network-using-old-credentials/amp/ https://www.infosecurity-magazine.com/news/health-care-company-jail-time-7m/ https://cybernews.com/news/live-chat-platform-spreads-malware/ https://www.reuters.com/business/finance/us-fines-16-major-wall-street-firms-11-billion-over-recordkeeping-failures-2022-09-27/
October 03, 2022
The Virtual CISO Moment Wrap Up for Friday, September 30, 2022
Microsoft Exchange zero days, Optus update, Brute Ratel cracked, 60% of cyber pros report "losing ground", more on the risk of deepfakes, and cyber insurance providers pivoting to requiring adherence to frameworks and risk management. https://thehackernews.com/2022/09/microsoft-confirms-2-new-exchange-zero.html https://www.bbc.com/news/world-australia-63056838 https://www.bleepingcomputer.com/news/security/hackers-now-sharing-cracked-brute-ratel-post-exploitation-kit-online/ https://www.businesswire.com/news/home/20220926005190/en/60-of-Cybersecurity-Professionals-Feel-They-Are-Losing-Ground-Against-Cybercriminals https://www.theregister.com/2022/09/28/trend_deepfake_video/ https://community.microfocus.com/cyberres/b/sws-22/posts/cyber-insurance-customers-need-to-be-more-cyber-resilient
September 30, 2022
Throwback Thursday for September 29, 2022 - A Conversation with Matt Santill
From June 14, 2022: Matt Santill, Founder and CEO of Cyber Security Services https://www.cybersecurityservices.com/ discusses the challenges of a vCISO, what is the most significant business risk, how he became interested in information security, and his career progression to CISO and on to business owner.
September 29, 2022
The Virtual CISO Moment S4E44 - A Conversation with Mark Burnette
In this month's special end of month Wednesday episode Mark Burnette, Shareholder-In-Charge at LBMC Information Security, discusses his path from Senior IT Auditor to overseeing and directing LBMC’s Risk Services practice nationwide. He is very active in the information security community, including as co-founder and past president of the Middle Tennessee ISSA chapter (one of the largest in the world), and co-founder and board member of the Southern CISO Security Council. His certifications include CPA, CISA, CISSP, CISM, and CRISC, and he frequently speaks on information security topics, including a fabulous TEDx talk on the Humanity Behind Cyber Attacks - https://www.ted.com/talks/mark_burnette_the_humanity_behind_cybersecurity_attacks.
September 28, 2022
The Virtual CISO Moment S4E43 - A Conversation with Cy Sturdivant
Cy Sturdivant, Director at Forvis (Cybersecurity Division), joins us to discuss his path from accounting and finance to cybersecurity and the audit field. We dive into controls, the Three Lines of Defense model, and how audit as the third line helps organizations achieve and maintain a solid information security posture.
September 27, 2022
VCM Quick Strike for Monday, September 26, 2022
Anonymous injects into the Iranian protests, ChromeLoader injecting ransomware, Optus extortion, 543,000 added to ECL breach, IHG disruption for "fun", and thoughts about the need for ethics in cybersecurity. https://cybernews.com/cyber-war/anonymous-takes-iran-in-support-of-women/ https://www.theregister.com/2022/09/21/vmware_microsoft_chromeloader_threat/ https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142 https://www.scmagazine.com/analysis/ransomware/eye-care-leaders-fallout-grows-543k-wolfe-clinic-patients-added-to-breach-tally https://www.bbc.com/news/technology-62937678
September 26, 2022
The Virtual CISO Moment Wrap Up for Friday, September 23, 2022
A little different today - we are recording live from the RETR3AT conference at Montreat College! Look for discussions to drop Wednesdays.
September 23, 2022
Throwback Thursday for September 22, 2022 - A Conversation with James Farley
From June 7, 2022: James Farley, Partner Development Manager, Cybersecurity at ConnectWise (connectwise.com), discusses migrating from insurance to IT sales to supporting Managed Service Providers, as well as running to beat the stress, including reaching a goal many never achieve!
September 23, 2022
The Virtual CISO Moment S4E42 - The Secret to Success in Cybersecurity (2022 Middle Tennessee Cyber Conference)
Recorded at the Middle Tennessee Cyber Conference September 13, 2022 - host Greg Schaffer walks through his 33-year career in information technology and security, providing lessons learned and what he has determined is, for him, the secret for success in cyber security. We had technical issues with the primary video and audio recording, so this recording is not quite up to our standards, but we still felt it was relevant to share.
September 21, 2022
The Virtual CISO Moment S4E41 - A Conversation with Adam Bricker
Adam Bricker has led many career lives, from working on Tomahawk missiles to cofounding the Carolina Cyber Center, focused on hardening community resources and continuing education to address the nation's critical cybersecurity talent shortfall. He currently provides consulting services for businesses in high tech, IT-enabled and emerging markets as the founder of ePower Learning, and his testimony of faith in relation to his callings is truly inspirational.
September 20, 2022
VCM Quick Strike for Monday, September 19, 2022
Criminals had internal access to LastPass for four days, Microsoft gaming click fraud, cyberattack costs increase, SaaS sprawl risks, and the necessity of collaboration in security and privacy. https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-had-internal-access-for-four-days/ https://thehackernews.com/2022/09/microsoft-warns-of-large-scale-click.html https://www.darkreading.com/attacks-breaches/cyberattack-costs-for-us-businesses-up-by-80- https://securityboulevard.com/2022/09/saas-security-issues-driven-by-sprawl-lack-of-visibility/ https://www.csoonline.com/article/3673943/collaboration-is-key-to-balance-customer-experience-with-security-privacy.html
September 19, 2022
The Virtual CISO Moment Wrap Up for Friday, September 16, 2022
Uber cybersecurity "incident", Teams critical vuln, Lorenz ransomware exploits Mitel, Meta and Google fined for violating privacy laws, White House releases software security requirements, and the one piece of career advice I would tell my 19 year-old self. https://www.digitaltrends.com/mobile/uber-investigating-cybersecurity-incident/ https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ https://thehackernews.com/2022/09/lorenz-ransomware-exploit-mitel-voip.html https://techcrunch.com/2022/09/14/google-meta-fined-71-8m-for-violating-privacy-law-in-south-korea/ https://www.theregister.com/2022/09/14/white_house_software_security_guidance/ My Cybersecurity Path YouTube playlist - https://youtube.com/playlist?list=PLZkMMBCZshiO0gu44pAZUM__fpHOrvTcv
September 16, 2022
Throwback Thursday for September 16, 2022 - A Conversation with Rob Black
On this week's Throwback Thursday, from May 31, 2022, Rob Black, Founder and CEO of Fractional CISO (https://fractionalciso.com) talks about providing fractional/virtual CISO services to midsized SaaS technical organizations as well as other businesses, his story of starting Fractional CISO, and how he sees the SMB threat environment.
September 15, 2022
The Virtual CISO Moment S4E40 - A Conversation with Elvis Huff
Elvis Huff is the Vice President - Director of Security/Information Security Officer for Wilson Bank and Trust. His path to bank ISO is not typical but is inspirational, with 12 years as a police officer prior to entering the world of banking. His reason for the transition involves faith and following a calling. He also produces an awesome security newsletter, Security Stuff with Elvis Huff - check it out at https://www.wbtsecurityblog.com/!
September 13, 2022
VCM Quick Strike for Monday, September 12, 2022
Americans lost nearly $7B to cybercrime in 2021, ports at risk of breach, FBI alert about Vice Society, WordPress plugin BackupBuddy zero-day vuln, HP notebook high severity flaws remain without a patch, and a few thoughts about 9/11 21 years later. https://www.cbsnews.com/miami/news/fbi-americans-lost-nearly-7-billion-to-cybercrime-last-year/ https://www.darkreading.com/attacks-breaches/why-ports-are-at-risk-of-cyberattacks https://www.cybersecurity-insiders.com/fbi-issues-serious-cyber-threat-alert-about-vice-society/ https://www.cysecurity.news/2022/09/new-zero-day-flaw-in-backupbuddy-plugin.html https://thehackernews.com/2022/09/high-severity-firmware-security-flaws.html https://www.cnn.com/2022/09/11/politics/biden-september-11-remembrance-ceremony-pentagon/index.html
September 12, 2022
The Virtual CISO Moment Wrap Up for Friday, September 9, 2022
IHG cyberattack disrupts booking systems, Tik-Tok-Hak, North Face credential stuffing attack, fake Android AV and cleaner apps install malware, posting photos and the information security risks they bring, and thoughts about technology debt. https://www.bleepingcomputer.com/news/security/intercontinental-hotels-group-cyberattack-disrupts-booking-systems/ https://www.msn.com/en-in/money/news/tiktok-hacked-over-2-bn-user-database-records-stolen-security-researchers/amp/ar-AA11u87N https://www.bleepingcomputer.com/news/security/200-000-north-face-accounts-hacked-in-credential-stuffing-attack/ https://thehackernews.com/2022/09/fake-antivirus-and-cleaner-apps-caught.html https://www.csoonline.com/article/3672869/how-posting-personal-and-business-photos-can-be-a-security-risk.html https://technative.io/time-to-bring-the-cyber-security-technical-debt-under-control/
September 09, 2022
Throwback Thursday for September 8, 2022 - A Conversation with Kyle Cravens
From May 24, 2022 - Kyle Cravens, Founder/Managing Principal of the staffing and recruiting firm Key Resource Group, LLC (https://www.krgnow.com/), joins us to discuss the IT and Information Security recruiting environment including tips on how a candidate can improve their chances of landing the position; how COVID and remote work has changed the environment, and how his faith guides his journey.
September 08, 2022
The Virtual CISO Moment S4E39 - A Conversation with Donna Gallaher
Donna Gallaher, President and CEO of New Oceans Enterprises, LLC, is a seasoned IT and information security pro providing virtual CISO and risk management services. She is a FAIR (Factor Analysis of Information Risk) evangelist and is passionate about growing the virtual CISO community, including serving on the Board of Directors for vCISO Catalyst, a Public Benefit Corporation supporting the improvement of cybersecurity programs of small and medium businesses. If you have never heard of FAIR or are interested in the virtual CISO field (or both), check out this episode! New Oceans Enterprises, LLC - https://www.newoceansenterprises.com/
September 06, 2022
VCM Quick Strike for Monday, September 5, 2022
IRS leaks taxpayer info, student loan breach, breach affects KeyBank and possibly others, REvil hits Fortune 500 company, phishing scam for American Express customers, what I did on Labor Day, and how it ties in to information security. https://www.theepochtimes.com/mkt_app/irs-mistakenly-published-confidential-info-of-120000-taxpayers_4708384.html https://threatpost.com/student-loan-breach-exposes-2-5m-records/180492/ https://www.securityweek.com/keybank-hackers-third-party-provider-stole-customer-data https://cybernews.com/news/revil-claims-to-have-hit-a-fortune-500-company/ https://hackademicus.nl/a-new-phishing-scam-targets-american-express-cardholders/
September 05, 2022
The Virtual CISO Moment Wrap Up for Friday, September 2, 2022
Lockbit leaks Entrust data, older iPhone vulns patch available, apps leaking hard-coded AWS creds, organ transplant system needs strengthening, "ghost in the machine" a significant risk, very experienced security reporter gets fooled by a phish, and a lookback at Stuxnet. https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/ https://www.securityweek.com/ios-12-update-older-iphones-patches-exploited-vulnerability https://thehackernews.com/2022/09/over-1800-android-and-ios-apps-found.html https://www.bankinfosecurity.com/report-organ-transplant-data-security-needs-strengthening-a-19967 https://www.darkreading.com/edge-threat-monitor/ghost-data-increases-enterprise-business-risk https://arstechnica.com/information-technology/2022/08/im-a-security-reporter-and-got-fooled-by-a-blatant-phish/ https://www.csoonline.com/article/3218104/stuxnet-explained-the-first-known-cyberweapon.html
September 02, 2022
Throwback Thursday for September 1, 2022 - A Conversation with Clark Cummings
From May 17, 2022 - Clark Cummings joins us to discuss enterprise risk management, how to recognize "risk collisions", and provide practical risk management advice for small and midsized businesses.
September 01, 2022
The Virtual CISO Moment S4E38 - A Conversation with Scott Augenbaum
Scott Augenbaum was a special agent with the FBI and now continues his mission to help prevent businesses from becoming a victim of cybercrime as an author, speaker, and trainer. His story and mission is educational and inspirational! Check out https://www.cybersecuremindset.com/ and connect with Scott at https://www.linkedin.com/in/saugenbaum/.
August 31, 2022
The Virtual CISO Moment S4E37 - A Conversation with Susan Richards
Susan Richards is a dynamic director of Information Security concentrated in compliance, project management, application development, and database administration. She is skilled in IT Strategy, Management, Compliance Assurance, and Risk Management including HITRUST, NIST and ISO security frameworks. She is also very involved in the information security community, including ISSA chapter leadership and has this year started a local HITRUST chapter - plus we discuss election integrity!
August 30, 2022
VCM Quick Strike for Monday, August 29, 2022
Portland Oregon loses $1.4 million to BEC compromise, stolen Texas data possibly on dark web, 10 new actively exploited vulns added to CISA list, banking trojan targets industries in Spanish-speaking countries, an opinion piece on whether cybercriminals follow a moral code, and a new enterprise browser startup secures massive funding, which prompted my walk down memory lane of browsers over my 30-plus year career. https://www.pcmag.com/news/portland-city-officials-accidentally-send-hacker-14-million https://www.healthcareitnews.com/news/stolen-texas-health-data-may-be-posted-dark-web https://thehackernews.com/2022/08/cisa-adds-10-new-known-actively.html https://gbhackers.com/banking-trojan-targeting-automotive/ https://cybernews.com/security/attacking-healthcare-do-cybercriminals-follow-moral-code-/ https://www.securityweek.com/enterprise-browser-startup-island-snags-massive-funding-round
August 29, 2022
The Virtual CISO Moment Wrap Up for Friday, August 26, 2022
Lastpass breach, counterfeit Microsoft USB installers, deepfake getting scary, dramatic rise in DDoS attacks, Apple iOS VPNs leak, and claiming to stop all malware ignites social media storm. https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/ https://news.sky.com/story/criminals-posting-counterfeit-microsoft-products-to-get-access-to-victims-computers-12675123 https://www.infosecurity-magazine.com/news/scammers-create-ai-hologram-csuite/ https://www.govtech.com/blogs/lohrmann-on-cybersecurity/hacktivism-and-ddos-attacks-rise-dramatically-in-2022 https://www.theregister.com/2022/08/19/apple_ios_vpn/ https://www.crn.com/news/security/exec-s-claim-that-xcitium-stops-all-malware-ignites-msp-social-media-firestorm
August 26, 2022
Throwback Thursday for August 25, 2022 - A Conversation with Mike Rastigue
In this episode from May 10, 2022, Mike Rastigue with Crum & Forster joins us to discuss cyber insurance and one way that his organization is helping SMBs to be both better prepared to meet cyber insurance underwriting requirements and increase their security posture.
August 25, 2022
The Virtual CISO Moment S4E36 - A Conversation with Vanessa Taylor
Vanessa Taylor is a small business owner, a business technology consultant, an educator, and a mentor. She is well-versed in many aspects of GRC and infosec risk management, and has a mission to aspire to inspire!
August 23, 2022
VCM Quick Strike for Monday, August 22, 2022
Entrust data leaks, cyber war insurance exclusion definition updated, vulnerable RTLS systems, crypto stolen from hacked ATMs, draft US government cybersecurity acquisition requirements, and pragmatic infosec and why that is important. https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-attack-on-security-giant-entrust-leaks-data/ https://www.securityweek.com/lloyds-london-introduces-new-war-exclusion-insurance-clauses https://thehackernews.com/2022/08/rtls-systems-found-vulnerable-to-mitm.html https://thehackernews.com/2022/08/hackers-stole-crypto-from-bitcoin-atms.html https://www.threatshub.org/blog/the-truth-about-that-draft-law-banning-uncle-sam-buying-insecure-software/
August 22, 2022
The Virtual CISO Moment Wrap Up for Friday, August 19, 2022
Apple zero-day vulns, poop hack, pregnancy app privacy concerns, UK water supply ransomware, tips for SMBs to avoid ransomware risks, and the most interesting CVE? Plus a few more thoughts on Twitter cyber drama. https://thehackernews.com/2022/08/apple-releases-security-updates-to.html https://www.bleepingcomputer.com/news/security/anonymous-poop-gifting-site-hacked-customers-exposed/ https://www.theregister.com/2022/08/17/mozilla_pregnancy_app/ https://www.bleepingcomputer.com/news/security/hackers-attack-uk-water-supplier-but-extort-wrong-company/ https://www.csoonline.com/article/3669855/ransomware-safeguards-for-small-to-medium-sized-businesses.html https://www.techspot.com/news/95671-janet-jackson-song-1989-declared-cybersecurity-vulnerability-crashing.html
August 19, 2022
Throwback Thursday for August 18, 2022 - A Conversation with Frank Platt
On today's Throwback Thursday from May 3, 2022, Frank Platt of Infosec Alliance LLC (https://www.infosecalliance.com/) joins us to discuss many infosec topics, including risk management, and CMMC...and BBQ! Note a production error resulted in this TT episode releasing on Friday August 19, 2022.
August 18, 2022
The Virtual CISO Moment S4E35 - Briefing for Small Businesses
In this presentation from 2014, Greg discusses SMB information security concerns with a group of small business owners in Tennessee. Most is relevant still today (though Greg notes he'd reevaluate his antivirus recommendations). Most of the video is dark (lights turned down to view slide deck off-screen).
August 17, 2022
The Virtual CISO Moment S4E34 - A Conversation with Jack Poltorak
Jack Poltorak discusses vCIO and vCISO services offered by MSSPs, how those services may not be exactly what a small or midsized business (SMB) is looking for, and tips how an SMB can ensure they are getting the virtual CISO services they need.
August 16, 2022
VCM Quick Strike for Monday, August 16, 2022
BHG breach affects almost 200K, hackers target cybersecurity pros with fake job offers, Zeppelin ransomware multiple encryption, Russia wiper attacks on Ukraine, smartphone ransomware, 5G IoT API vulns, and thoughts on how to police the infosec community. https://www.scmagazine.com/analysis/breach/behavioral-health-group-informs-198k-patients-of-data-theft-from-december https://hackercombat.com/north-korean-hackers-target-crypto-experts-with-fake-coinbase-job-offers/ https://www.bleepingcomputer.com/news/security/fbi-zeppelin-ransomware-may-encrypt-devices-multiple-times-in-attacks/amp/ https://www.cybersecurity-insiders.com/russia-launching-wiper-malware-cyber-attacks-against-ukraine/ https://www.forbes.com/sites/daveywinder/2022/08/14/gmail-and-gpay-cookies-targeted-by-new-smartphone-ransomware-threat-to-200-apps/?sh=65e59f936743 https://arstechnica.com/information-technology/2022/08/one-of-5gs-biggest-features-is-a-security-minefield/
August 15, 2022
The Virtual CISO Moment Wrap Up for Friday, August 12, 2022
Starlink hack, Ukraine cyber chief at BlackHat, new GitHub alerts to potential vulns, new Malware as a Service, what caused that Google outage, Cloudflare phishing attack, two new tools for nonbank financial services companies, and a Cisco breach involving "MFA fatigue". https://www.wired.com/story/starlink-internet-dish-hack/ https://www.reuters.com/world/europe/ukraine-cyber-chief-pays-surprise-visit-black-hat-hacker-meeting-las-vegas-2022-08-11/ https://thehackernews.com/2022/08/github-dependabot-now-alerts-developers.html https://www.theregister.com/2022/08/08/dark_utilities_c2_service/ https://cybernews.com/news/google-apologizes-for-a-global-services-outage/ https://cybernews.com/news/cloudflare-targeted-by-a-sophisticated-phishing-attack/ https://www.csbs.org/newsroom/csbs-releases-nonbank-cybersecurity-exam-procedures https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/
August 12, 2022
Throwback Thursday for August 11, 2022 - A Conversation with Don Baham
On this week's Throwback Thursday from April 19, 2022, Don Baham, who is very active in both the local and on-line information security communities and has extensive experience helping SMBs with information security needs, joins us to discuss challenges and opportunities, including observations on the cyber security supply chain issue and possible ways to address it.
August 11, 2022
The Virtual CISO Moment S4E33 - A Conversation with Monica Rowe
CISO and vCISO Monica Rowe joins us to discuss cybersecurity in financial services; the benefits of sharing information through ISACs, presentations, and other means; and how to provide a sense of calm to the cybersecurity storm.
August 09, 2022
VCM Quick Strike for Monday, August 8, 2022
Critical flaws in Emergency Alert System and in some Cisco SOHO routers, new IoT threat, CISA adds Zimbra vulnerability to its Known Exploited Vulnerabilities Catalog, and what you need to do to land a six-figure cybersecurity job. https://www.threatshub.org/blog/warning-critical-flaws-found-in-us-emergency-alert-system/ https://www.theregister.com/2022/08/05/cisco_smb_routers_critical_flaws/ https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html https://thehackernews.com/2022/08/cisa-adds-zimbra-email-vulnerability-to.html https://fortune.com/education/business/articles/2022/07/27/what-you-need-to-land-a-six-figure-cybersecurity-job/ https://youtube.com/playlist?list=PLZkMMBCZshiO0gu44pAZUM__fpHOrvTcv
August 08, 2022
The Virtual CISO Moment Wrap Up for Friday, August 5, 2022
Motherboard malware that survives OS reinstall, mobile apps leaking Twitter API keys, TVA EDR not OK, Defender defends against ransomware better, ransomware big brands migrating to more, smaller brands, and Ukraine shutters major Russian bot network. https://www.pcmag.com/news/malware-that-can-survive-os-reinstalls-found-on-asus-gigabyte-motherboards https://thehackernews.com/2022/08/researchers-discover-nearly-3200-mobile.html https://www.scmagazine.com/analysis/zero-trust/feds-begin-measuring-edr-at-tennessee-valley-authority-but-gaps-cited-in-audit https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-now-better-at-blocking-ransomware-on-windows-11/ https://www.bankinfosecurity.com/blogs/ransomware-ecosystem-value-big-name-brands-diminishing-p-3257 https://www.infosecurity-magazine.com/news/ukraine-shutters-major-russian-bot/
August 05, 2022
Throwback Thursday for August 4, 2022 - A Conversation with Chris Bedel
On this week's Throwback Thursday from April 12, 2022, Chris Bedel, President and CEO of Bedel Security (bedelsecurity.com), talks about how the virtual CISO fits into, complements, and enhances financial institutions' information security program and posture. He also touches on the history and future of the virtual CISO. If you're a virtual CISO for financial institutions or are interested in how a virtual CISO benefits financial institutions, this is a must-see episode packed with useful information!
August 04, 2022
The Virtual CISO Moment S4E32 - A Conversation with Steve Mallard
Steve Mallard has over 20 years in Information Technology; is a Master Teacher in Information Technology/Infrastructure Management and Information Systems Manager at Tennessee College of Applied Technology - Shelbyville; is a private consultant for government organizations, higher-ed, and private corporations, a technical writer, and a public speaker on cybersecurity. He has also organized for many years the Middle Tennessee Cyber Conference (https://middletncyberconf.com/), held this year at Embassy Suites in Murfreesboro, Tennessee. In addition to his numerous career accomplishments, his contribution to the next generation of cyber professionals is unparalleled.
August 02, 2022
VCM Quick Strike for Monday, August 1, 2022
More Pegasus, Chrome extension steals emails and creds, increase of critical infrastructure attacks, Robin Banks PhaaS, more Log4Shell, and top security news websites. https://www.reuters.com/technology/exclusive-eu-found-evidence-employee-phones-compromised-with-spyware-letter-2022-07-27/ https://www.bleepingcomputer.com/news/security/cyberspies-use-google-chrome-extension-to-steal-emails-undetected/ https://securityboulevard.com/2022/07/cyber-attacks-against-critical-infrastructure-quietly-increase/ https://www.csoonline.com/article/3668652/cisa-releases-iocs-for-attacks-exploiting-log4shell-in-vmware-horizon-and-uag.html https://blog.feedspot.com/cyber_security_news_websites/
August 01, 2022
The Virtual CISO Moment Wrap Up for Friday, July 29, 2022
Arrests in nuclear plant attack, RaaS providers adjust business plans, new cybersecurity House legislation passes with significant bipartisan support, how to make risk assessments better, PrestaShop critical vulns exploited, new CMMC AB draft assessment guide, why it's a good idea to establish a solid relationship with a recruiter (e.g. it may reduce chance of being ghosted). https://thehackernews.com/2022/07/spanish-police-arrest-2-nuclear-power.html https://www.infosecurity-magazine.com/news/raas-groups-forced-change-payments/ https://www.theepochtimes.com/mkt_app/house-passes-cybersecurity-bill-to-protect-americas-energy-sector-infrastructure-from-hackers_4627765.html https://www.securitymagazine.com/articles/98076-dreading-security-risk-assessments-6-ways-to-make-them-better https://build.prestashop.com/news/major-security-vulnerability-on-prestashop-websites/ https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf https://securityboulevard.com/2022/07/im-not-looking-for-a-new-cyber-security-role-so-why-should-i-have-an-introduction-with-a-recruiter/
July 29, 2022
Throwback Thursday for July 28, 2022 - A Conversation with Bob Quandt
On this week's Throwback Thursday from April 5, 2022, Bob Quandt, owner of Bullseye Compliance (https://bullseyecompliance.com), joins VCM for a conversation that ranges from issues and trends in SMB security, entrepreneurship and making a difference, fitness and stress management, application of military experience to infosec, and more!
July 28, 2022
The Virtual CISO Moment S4E31 - Optimizing Your vCISO
In this special Wednesday episode, from the CU Intersect Conference in Houston Texas July 19, 2022, vCISO Services, LLC Principal Greg Schaffer discusses how credit unions and other small and midsized businesses can optimize their vCISO to maximize their information security posture.
July 27, 2022
The Virtual CISO Moment S4E30 - A Conversation with Anthony Scarola
Anthony Scarola is an IT Governance, Risk, and Compliance (GRC) expert; has many years in cybersecurity; is a U.S. Army veteran; holds the CISSP; and is a virtual CISO. And he's writing a security book! Listen to his wisdom as it pertains to risk management and learn one mistake many may make when discussing risk with the C-suite and board of directors.
July 26, 2022
VCM Quick Strike for Monday, July 25, 2022
Rogers outage cause, 54 million Twitter accounts' information for sale for $30K, ransomware update, Entrust breached, and startups without a CISO are at a disadvantage - plus statistics, and why you need to understand both their context and source, using a well-known example of an information security "statistic" in the last article. https://twitter.com/atoonk/status/1550896347691134977 https://www.bleepingcomputer.com/news/security/hacker-selling-twitter-account-data-of-54-million-users-for-30k/ https://venturebeat.com/2022/07/21/ransomware-attacks/ https://www.bleepingcomputer.com/news/security/digital-security-giant-entrust-breached-by-ransomware-gang/ https://venturebeat.com/2022/07/14/startups-without-a-ciso-youre-losing-out-on-a-big-business-opportunity/amp/
July 25, 2022
The Virtual CISO Moment Wrap Up for Friday, July 22, 2022
Ransomware infections and payments decline, CISO urges patching Windows 11 patch bug, more Chrome fixes, stress in cybersecurity, possibly regulating BGP, and commentary on the CU Intersect conference. https://www.darkreading.com/threat-intelligence/ransomware-attempts-flag-as-payments-also-decline https://threatpost.com/cisa-urges-patch-11-bug/180235/ https://www.forbes.com/sites/daveywinder/2022/07/20/google-sees-double-as-chrome-security-update-2-arrives-for-windows-mac--linux/ https://www.csoonline.com/article/3667490/cybersecurity-is-a-constant-fire-drill-that-s-not-just-bad-it-s-dangerous.html https://www.nextgov.com/cybersecurity/2022/07/cisa-urges-fcc-prioritize-national-security-internet-routing-probe/374077/ https://cuintersect.com/ https://www.cubroadcast.com/episodes/cuintersect22-how-to-enhance-small-and-midsized-businesses-cybersecurity
July 22, 2022
Throwback Thursday for July 21, 2022 - A Conversation with Chuck Sirois
On this Throwback Thursday episode from March 29, 2022 - Email remains the most common vector for criminals to exploit. Chuck Sirois discusses how PhishFacts (https://phishfacts.com) can help SMBs identify misconfigured email configurations that criminals may leverage.
July 21, 2022
The Virtual CISO Moment S4E29 - A Conversation with J.J. Powell
J.J. Powell of Cyber Defense Group (https://www.cdg.io/) discusses his career journey from police officer to system administrator to CISO and now to leading virtual CISO services. He also played a pivotal part in my decision to leave corporate and become an independent vCISO - listen to find out what was "the straw that broke the camel's back" for me!
July 19, 2022
VCM Quick Strike for Monday, July 18, 2022
Shodan special offer, banks need to implement best practices, five key things from small org CISOs, Netwrix Auditor bug, and on-the-road challenges. https://www.shodan.io/ https://fintechmagazine.com/banking/banks-need-best-practices-to-fight-rising-cyberattacks https://thehackernews.com/2022/07/5-key-things-we-learned-from-cisos-of.html https://thehackernews.com/2022/07/new-netwrix-auditor-bug-could-let.html
July 18, 2022
The Virtual CISO Moment Wrap Up for Friday, July 15, 2022
Phishing campaign bypasses MFA, healthcare debt collection agency ransomware breach 1.9 million records, Log4Shell endemic, criminal hackers targeting Indian students, Florida Atlantic University received grant, and my cybersecurity path, including learning Python? https://threatpost.com/large-scale-hishing-bypasses-mfa/180212/ https://www.theregister.com/AMP/2022/07/13/19m_patients_medical_data_exposed/ https://www.computerweekly.com/news/252522789/Log4Shell-on-its-way-to-becoming-endemic https://thehackernews.com/2022/07/pakistani-hackers-targeting-indian.html https://www.fau.edu/newsdesk/articles/cybersecurity-grant https://youtu.be/NzJlE0YLSiA https://www.youtube.com/watch?app=desktop&v=7utwZYKweho&ab_channel=TheCyberMentor
July 15, 2022
Throwback Thursday for July 14, 2022 - The CISSP and the Virtual CISO
On this week's Throwback Thursday from 3/22/2022 - The Certified Information Systems Security Professional, or CISSP, is considered by some to be the pinnacle of information security professional certifications, on par with the CPA. But why is that, and what differentiates it from other certifications? And why is it important for virtual CISOs to have and maintain this certification?
July 14, 2022
The Virtual CISO Moment S4E28 - A Conversation with Johanan (Jo) Dixon
Johanan (Jo) Dixon talks about life in the Marine Corps, as an MMA amateur fighter, and as a Title boxing instructor, and how these helped prepare him for his journey to cybersecurity and his current role with Halcyon (https://www.halcyon.ai/). And he's starting up a new podcast!
July 12, 2022
VCM Quick Strike for Monday, July 11, 2022
Rogers service interruption, hacking a Honda, the future of certifications, and Monday thoughts. https://www.reuters.com/business/media-telecom/rogers-communications-services-down-thousands-users-downdetector-2022-07-08/ https://blog.cloudflare.com/cloudflares-view-of-the-rogers-communications-outage-in-canada/ https://www.coguard.io/post/canada-rogers-outage-root-cause-analysis https://www.vice.com/en/article/z34xnw/hackers-say-they-can-unlock-and-start-honda-cars-remotely https://www.infosecurity-magazine.com/magazine-features/future-cybersecurity-certifications/ https://www.linkedin.com/posts/gregoryschaffer_motivationalmonday-mondaythoughts-career-activity-6952245177432387584-Knql
July 11, 2022
The Virtual CISO Moment Wrap Up for Friday, July 8, 2022
Marriott breach third in four years, CISA alert for Maui ransomware, SMBs not leveraging MFA, free entry-level cybersecurity training, DoD bug bounty program, the illusion of short cuts, and a disturbing LinkedIn site allegedly distributing copyrighted cybersecurity books without author and publisher authorization. https://www.cyberscoop.com/marriott-data-breach-baltimore/ https://www.cisa.gov/uscert/ncas/alerts/aa22-187a https://www.helpnetsecurity.com/2022/07/08/smb-implement-mfa/ https://venturebeat.com/2022/07/04/dod-bug-bounty-program/ https://goodmenproject.com/featured-content/the-illusion-of-short-cuts-take-the-long-cut-kpkn/
July 08, 2022
Throwback Thursday for July 7, 2022 - A Conversation with Ed Carroll
On this week’s Throwback Thursday from 3/15/22, Ed Carroll joins us to discuss many of the initiatives he's involved with, including Edison Marks to apply AI to help SMBs (https://edisonmarks.com/), the Carolina Cyber Center to help with information security in North Carolina and beyond (https://carolinacybercenter.com/), and an update on the RETR3AT cyber security conference at beautiful Montreat College (https://www.montreat.edu/about/events/retr3at/).
July 07, 2022
The Virtual CISO Moment S4E27 - A Conversation with William Birchett
William Birchett, President of Logos Systems and creator of the vCISO Network, discusses the virtual CISO space including elements that make a successful vCISO, the biggest threat to SMBs (it's not ransomware!), and his future plans to help the vCISO field through Logos Systems, the vCISO Network, and other endeavors.
July 05, 2022
VCM Quick Strike for Monday, July 4, 2022
Ransom returned with gains, cyber risks in space, NIST CSF 2.0 coming, HackerOne employee claims bug bounties for themselves, bug bounty programs offer hope for cyber skills gap, and thoughts on another approach to closing that gap. https://www.dw.com/en/dutch-university-wins-big-after-bitcoin-ransom-returned/a-62337229 https://cybernews.com/editorial/in-space-cutting-losses-invite-cyberattacks/ https://insidecybersecurity.com/share/13585 https://www.bleepingcomputer.com/news/security/rogue-hackerone-employee-steals-bug-reports-to-sell-on-the-side/ https://www.computing.co.uk/sponsored/4050714/bug-bounty-cyber-skills https://www.linkedin.com/feed/update/urn:li:activity:6949703194893578240/ https://www.linkedin.com/feed/update/urn:li:activity:6949499768611966977/
July 04, 2022
The Virtual CISO Moment Wrap Up for Friday, July 1, 2022
Microsoft Office 365 feature could enable ransomware infection, MedusaLocker alert from CISA, California breach of gun enthusiasts' PII, human error remains the top security issue according to a SANS report, and a tribute to an extraordinary man. https://www.itsecurityguru.org/2022/06/23/microsoft-office-365-feature-could-help-ransomware-attackers-infiltrate-cloud-files/ https://www.cisa.gov/uscert/ncas/alerts/aa22-181a https://www.theregister.com/2022/06/30/california_websites_expose_personal_data/ https://www.techtarget.com/searchsecurity/news/252522226/SANS-Institute-Human-error-remains-the-top-security-issue https://www.linkedin.com/feed/update/urn:li:activity:6948688755394318336/
July 01, 2022
Throwback Thursday for June 30, 2022 - A Conversation with Craig Sandman
On this week’s Throwback Thursday from 3/8/22, Craig Sandman of Symbol Security (https://symbolsecurity.com/) and vCISONews (https://www.vcisonews.com/) joins us to discuss the importance of effective security awareness training for SMBs and the virtual CISO role.
June 30, 2022
The Virtual CISO Moment - A Conversation with Dick Wilkinson
On this episode of The Virtual CISO Moment podcast, Dick Wilkinson, CTO and Co-founder of Proof Labs, discusses securing space, the transition to entrepreneur, the vCISO discipline, and more!
June 28, 2022
VCM Quick Strike for Monday, June 27, 2022
Japanese man loses USB stick with citizen data after night of drinking, ransomware more about extortion, MITEL VOIP exploit, "the hateful eight" ransomware groups, new Colorado facial recognition law, and thoughts on the Offensive Security free Kali Linux Twitch stream training after two sessions. https://www.bbc.com/news/world-asia-61921222.amp https://www.theregister.com/2022/06/25/ransomware_gangs_extortion_feature/ https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/ https://securelist.com/modern-ransomware-groups-ttps/106824/ https://www.jdsupra.com/legalnews/colorado-law-restricts-use-of-facial-5065947/ https://www.twitch.tv/offsecofficial
June 27, 2022
The Virtual CISO Moment Wrap Up for Friday, June 24, 2022
Pegasus in Europe, Log4Shell affecting VMware, voicemail scam (because it works), SMS Bomber malware, and how financial firms can benefit from a vCISO - plus more commentary and analysis of the vCISO field. https://thehackernews.com/2022/06/nso-confirms-pegasus-spyware-used-by-at.html https://www.helpnetsecurity.com/2022/06/24/log4shell-vmware-horizon/ https://threatpost.com/voicemail-phishing-scam-steals-microsoft-credentials/180005/ https://www.itsecurityguru.org/2022/06/23/chinese-hackers-distributing-sms-bomber-tool-with-malware-hidden-inside/ https://biztechmagazine.com/article/2022/06/what-vciso-and-how-can-financial-firms-benefit
June 24, 2022
Throwback Thursday for June 22, 2022 - A Conversation with David Baker
This week's Throwback Thursday episode is from March 1, 2022 - Chief Information Security Officer David Baker gives insight into the challenges of an SMB CISO. Guest opinions are their own and not the views of their employer.
June 23, 2022
The Virtual CISO Moment S4E25 - A Conversation with Nick Santora
Nick Santora, CEO of Curricula (curricula.com), discusses information security awareness and how Curricula uses storytelling to make both short term and long term impressions, resulting in increased security across the organization. He also discusses his path to entrepreneur, challenges in the SMB infosec awareness space, and "wisdom walks"!
June 21, 2022
VCM Quick Strike for Monday, June 20, 2022
Russian botnet shut down, CFOs see cybersecurity gaps, security lapses in SMBs, university students defeat 21st century vehicle boot, and a free pen testing class coming soon to Twitch! Plus my thoughts on this past weekend's #infosec Twitter conference issue. https://thehackernews.com/2022/06/authorities-shut-down-russian-rsocks.html https://www.cfodive.com/news/cfos-ceos-see-cybersecurity-gaps-accenture/624831/ https://www.scmagazine.com/brief/risk-management/cybersecurity-lapses-in-smbs-examined https://driving.ca/auto-news/news/students-defeat-new-barnacle-parking-boot-skip-fines-and-get-free-internet https://www.bleepingcomputer.com/news/security/offsec-to-stream-kali-linux-penetration-testing-course-on-twitch/
June 20, 2022
The Virtual CISO Moment Wrap Up for Friday, June 17, 2022
Internet Explorer is retired, risks with IoT, Facebook Messenger phish, diving into the Veeam ransomware report, and one of the hardest things I've had to do in my professional career. https://www.cnn.com/2022/06/15/tech/internet-explorer-dead/index.html https://www.forbes.com/sites/forbestechcouncil/2022/06/16/cybersecurity-and-risk-management-in-the-internet-of-things/ https://threatpost.com/acebook-messenger-scam/179977/ https://go.veeam.com/wp-ransomware-trends-report-2022
June 17, 2022
The Virtual CISO Moment S4E24 - A Conversation with Matt Santill
Matt Santill, Founder and CEO of Cyber Security Services (https://www.cybersecurityservices.com/), discusses the challenges of a vCISO, what is the most significant business risk, how he became interested in information security, and his career progression to CISO and on to business owner.
June 14, 2022
VCM Quick Strike for Monday, June 13, 2022
A third of organizations hit by ransomware were forced to close temporarily or permanently, job cuts hit cybersecurity industry despite surging growth from ransomware attacks, four signs you may be ignoring your health for your career, and Cyber Security for Small Organisations webinar. https://www.techrepublic.com/article/organizations-hit-by-ransomware-shut-down/ https://www.cnbc.com/2022/06/10/job-cuts-hit-cybersecurity-firms-despite-surging-growth-from-attacks.html https://www.reefguardian.org/health-for-your-career/ https://ncsc-production.microsoftcrmportals.com/event/sessions?id=Digital_Loft_Template3613648229
June 13, 2022
The Virtual CISO Moment Wrap Up for Friday, June 10, 2022
Small businesses aren't ready for a cyberattack, security leaders metrics and reporting, cloud migration, NIST supply chain guidance. https://www.cnbc.com/2022/05/21/americas-small-businesses-arent-ready-for-a-cyberattack.html https://biztechmagazine.com/article/2022/05/how-should-cybersecurity-leaders-report-their-progress https://securityboulevard.com/2022/06/six-things-to-check-before-moving-to-the-cloud-to-avoid-pitfalls-in-the-long-run/ https://www.helpnetsecurity.com/2022/05/06/cybersecurity-supply-chain-risk/
June 10, 2022
The Virtual CISO Moment S4E23 - A Conversation with James Farley
James Farley, Partner Development Manager, Cybersecurity at ConnectWise (connectwise.com), discusses migrating from insurance to IT sales to supporting Managed Service Providers, as well as running to beat the stress, including reaching a goal many never achieve!
June 07, 2022
VCM Quick Strike for Monday, June 6, 2022
Unpacking the Verizon Data Breach Investigations Report, a new "Man on the Side" attack (and what is that?), this week's resource highlight - InfoSecSherpa, and "paying your dues". https://securityboulevard.com/2022/06/verizon-dbir-2022-whats-worth-acting-on/ https://thehackernews.com/2022/06/chinese-luoyu-hackers-using-man-on-side.html https://en.wikipedia.org/wiki/Man-on-the-side_attack https://infosecsherpa.medium.com/
June 06, 2022
The Virtual CISO Moment Wrap Up for Friday, June 3, 2022
Confluence zero day, Microsoft zero day exploitation example, Ransomware roundup, and my reaction to a LinkedIn post about virtual CISO services that went semi-viral for the wrong reasons. We need to do better in the virtual CISO space. https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ https://techcrunch.com/2022/06/01/china-backed-hackers-are-exploiting-unpatched-microsoft-zero-day/ https://www.csoonline.com/article/3662038/ransomware-roundup-system-locking-malware-dominates-headlines.html
June 03, 2022
The Virtual CISO Moment S4E22 - A Conversation with Rob Black
Rob Black, Founder and CEO of Fractional CISO (https://fractionalciso.com) talks about providing fractional/virtual CISO services to midsized SaaS technical organizations as well as other businesses, his story of starting Fractional CISO, and how he sees the SMB threat environment.
May 31, 2022
VCM Quick Strike for Monday, May 30, 2022
Microsoft Zero Day, CISA adds 75 vulns to critical list, and cybersecurity as Corporate Social Responsibility. Today we honor all who gave their lives for freedom. https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html https://www.forbes.com/sites/daveywinder/2022/05/26/us-cybersecurity-agency-strongly-urges-you-patch-these-75-actively-exploited-flaws/?sh=7c03a1b26381 https://venturebeat.com/2022/05/26/cybersecurity-is-a-corporate-social-responsibility-especially-in-times-of-war/
May 30, 2022
May 28, 2022
The Virtual CISO Moment Wrap Up for Friday, May 27, 2022
Verizon DBIR, 10 exploited access points, email is still a problem (surprise), four tips for entry-level cyber analysts, and ransomware with a twist. Be kind to each other. Please. https://www.verizon.com/business/resources/reports/2022/dbir/2022-data-breach-investigations-report-dbir.pdf https://www.securitymagazine.com/articles/97676-cisa-outlines-10-initial-access-points-exploited-by-hackers https://www.scmagazine.com/analysis/email-security/employees-email-still-drives-most-of-the-data-loss-at-organizations https://www.redglobal.com/news-blog/cybersecurity-jobs-4-tips-every-budding-cybersecurity-analyst-should-know https://www.tripwire.com/state-of-security/security-data-protection/ransomware-demands-acts-of-kindness-to-get-your-files-back/
May 27, 2022
The Virtual CISO Moment S4E21 - A Conversation with Kyle Cravens
Kyle Cravens, Founder/Managing Principal of the staffing and recruiting firm Key Resource Group, LLC (https://www.krgnow.com/), joins us to discuss the IT and Information Security recruiting environment, including tips on how a candidate can improve their chances of landing the position, how COVID and remote work have changed the environment, and how his faith guides his journey.
May 24, 2022
VCM Quick Strike for Monday, May 23, 2022
Conti disbands, DOJ directs good-faith security research should not be charged, governments consider ransomware self-insuring, and just say no to saying no in information security. https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/ https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act https://www.govtech.com/computing/facing-cyber-insurance-woes-local-governments-find-other-options https://www.helpnetsecurity.com/2022/05/17/security-department-refuses-request/
May 23, 2022
The Virtual CISO Moment Wrap Up for Friday, May 20, 2022
Remote work, IT and infosec staff stress and ransomware - a canary in the coal mine? https://www.helpnetsecurity.com/2022/05/17/state-of-security/ https://www.helpnetsecurity.com/2022/05/18/it-help-desk-stress/ https://www.techtarget.com/searchsecurity/news/252518151/Iranian-APT-Cobalt-Illusion-launching-ransomware-attacks https://thehackernews.com/2022/05/russian-conti-ransomware-gang-threatens.html https://finance.yahoo.com/news/cybersecurity-research-76-organizations-admit-161500884.html https://www.csoonline.com/article/3660636/cisos-worried-about-material-attacks-boardroom-backing.html https://www.prnewswire.com/news-releases/nacd-responds-to-sec-rule-proposal-on-public-company-cybersecurity-risk-management-strategy-governance-and-incident-disclosure-301546494.html
May 20, 2022
The Virtual CISO Moment S4E20 - A Conversation with Clark Cummings
Clark Cummings joins us to discuss enterprise risk management, how to recognize "risk collisions", and provide practical risk management advice for small and midsized businesses.
May 17, 2022
VCM Quick Strike for Monday, May 16, 2022
What is the secret to security (or any business) success? Listen to find out.
May 16, 2022
About the Virtual CISO Moment Podcast
The Virtual CISO Moment aims to inform and entertain. We hope you will join us! All episodes drop at 8:00 AM Central (US).
Monday - The VCM Quick Strike (audio only)
Tuesday - The Virtual CISO Moment Conversations (audio and video)
Friday - The Virtual CISO Moment Wrap Up
May 13, 2022
The Virtual CISO Moment Wrap Up for Friday, May 13, 2022
Many topics, including Lincoln College, CISA and MSPs, SEC and Board of Directors, and Pegasus. https://www.engadget.com/lincoln-college-ransomware-attack-shut-down-covid-19-164917483.html https://www.cisa.gov/uscert/ncas/current-activity/2022/05/11/cisa-joins-partners-release-advisory-protecting-msps-and-their https://media-exp1.licdn.com/dms/document/C561FAQE9H1UdCeHoyg/feedshare-document-pdf-analyzed/0/1652377478990?e=1653523200&v=beta&t=h52Z9d1TKwui7If9gNJTf03j1YQUPLzIwQRyxAABFEQ https://www.weforum.org/agenda/2022/03/cybersecurity-rules-prepare/ https://www.nytimes.com/2022/05/12/us/politics/fbi-pegasus-spyware-israel.html
May 13, 2022
The Virtual CISO Moment S4E19 - A Conversation with Mike Rastigue
Mike Rastigue with Crum & Forster joins us to discuss cyber insurance and one way that his organization is helping SMBs to be both better prepared to meet cyber insurance underwriting requirements and increase their security posture.
May 10, 2022
VCM Quick Strike for Monday, May 9, 2022
Last week I came across two instances on LinkedIn of apparent predatory practices in the information security field - one related to regulatory compliance, another for a consultant certification. We have to do better as an industry.
May 09, 2022
The Virtual CISO Moment Wrap Up for Friday, May 6, 2022
Conti continues, ransomware payouts, supply chain breach in higher ed, and NIST 800-161r1 release. https://www.providencejournal.com/story/news/politics/2022/05/04/malware-used-ripta-hack-identified-conti-strain-russian-cybercriminals/9635388002/ https://cybernews.com/security/russian-passport-details-exposed-by-database-leak/ https://thejournal.com/articles/2022/05/05/565-schools-over-1m-students-impacted-by-illuminate-data-breach-2nd-colorado-district-affected.aspx https://www.helpnetsecurity.com/2022/05/06/cybersecurity-supply-chain-risk/ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
May 06, 2022
The Virtual CISO Moment S4E18 - A Conversation with Frank Platt
Frank Platt of Infosec Alliance LLC (https://www.infosecalliance.com/) joins us to discuss many infosec topics, including risk management, and CMMC...and BBQ!
May 03, 2022
VCM Quick Strike for Monday, May 2, 2022
A business continuity exercise to continue operations after a nuclear attack? Maybe not as crazy a scenario to plan for as we might have thought. Today's Quick Strike touches on that, including an interesting option for a data center that could possibly survive such an attack. It's not what you think... https://www.amazon.com/Nuclear-War-Survival-Skills-Instructions/dp/1634502973/ https://www.amazon.com/Information-Security-Small-Midsized-Businesses/dp/1733066845/ https://www.linkedin.com/posts/todd-byars-9b669a6_solaronemonolith-toddwbyars-computerdudes-activity-6926164507580919808-EEKp/
May 02, 2022
The Virtual CISO Moment Wrap Up for Friday, April 29, 2022
Advice and resources for those looking for a cybersecurity entry level position, updates on vulns/exploits. https://www.wgu.edu/blog/guide-entry-level-cyber-security-jobs2102.html https://blogs.cisco.com/security/the-more-you-know-job-searching-interviewing https://www.linkedin.com/company/breaking-into-cybersecurity/ https://www.darkreading.com/vulnerabilities-threats/cisa-log4shell-most-exploited-vulnerability-2021 https://www.bleepingcomputer.com/news/security/okta-lapsus-breach-lasted-only-25-minutes-hit-2-customers/amp/ https://www.ic3.gov/Media/News/2022/220420.pdf https://store.isaca.org/s/community-event?id=a334w000004TXbEAAW#/Overview
April 29, 2022
The Virtual CISO Moment S4E17 - Saying Goodbye to the First Office
All small businesses have their own genesis story. vCISO Services began as many do: an idea in a home office, then a migration to an outside work environment, and then further growth. Recognizing, honoring, remembering, and respecting roots is a critical component of the success of a business. Note - Because this was an on-site video and was not recorded in the studio, the video and audio quality is a bit lower.
April 26, 2022
VCM Quick Strike for Monday, April 25, 2022
CISA tools, improving communications, and scholarship recipient. https://www.cisa.gov/free-cybersecurity-services-and-tools
April 25, 2022
The Virtual CISO Moment Wrap Up for Friday, April 22, 2022
Conti, BlackCat/ALPHV, DDoSecrets. https://ddosecrets.substack.com/ https://www.csoonline.com/article/3657875/ransomware-plagues-finance-sector-as-cyberattacks-get-more-complex.html https://krebsonsecurity.com/2022/04/contis-ransomware-toll-on-the-healthcare-industry/ https://www.cisa.gov/uscert/ncas/alerts/aa21-265a https://www.cyber.nj.gov/alerts-advisories/blackcatalphv-ransomware-indicators-of-compromise
April 22, 2022
The Virtual CISO Moment S4E16 - A Conversation with Don Baham
Don Baham is very active in both the local and on-line information security communities, and has extensive experience helping SMBs with information security needs. He joins us to discuss challenges and opportunities, including observations on the cyber security supply chain issue and possible ways to address it.
April 19, 2022
VCM Quick Strike for Monday, April 18, 2022
Virtual CISO resources: https://www.linkedin.com/groups/12095465/ https://www.vcisonews.com/ https://vciso.network/
April 18, 2022
The Virtual CISO Moment Wrap Up for Friday, April 15, 2022
Discussed in this week's wrap up: https://www.techrepublic.com/article/supply-chain-cyberattacks-jumped-51-in-2021/ https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/ https://healthitsecurity.com/news/cisa-issues-guidance-on-cybersecurity-information-sharing https://www.nationalcybersummit.com/ https://secondchancebook.org
April 15, 2022
The Virtual CISO Moment S4E15 - A Conversation with Chris Bedel
Chris Bedel, President and CEO of Bedel Security (bedelsecurity.com), talks about how the virtual CISO fits into, complements, and enhances financial institutions' information security program and posture. He also touches on the history and future of the virtual CISO. If you're a virtual CISO for financial institutions or are interested in how a virtual CISO benefits financial institutions, this is a must-see episode packed with useful information!
April 12, 2022
The Virtual CISO Moment Wrap Up for Friday, April 8, 2022
Discussed in this week's wrap up: https://www.techrepublic.com/article/credit-agency-warns-weak-cybersecurity-defenses-could-hurt-a-companys-credit-rating-even-before-an-attack/ https://www.techrepublic.com/article/fbi-investing-millions-in-software-to-monitor-social-media-platforms/ https://techcrunch.com/2022/02/07/irs-facial-recognition-id-me/ Ad link: https://www.amazon.com/Information-Security-Small-Midsized-Businesses/dp/1733066845/ Finally, a correction: The Tennessee Bankers Association Strategic Technology, Risk, and Security Conference https://tnbankers.org/event/strategic-technology-risk-security-conference/ is April 27th, not April 28th as noted in the episode.
April 08, 2022
The Virtual CISO Moment S4E14 - A Conversation with Bob Quandt
Bob Quandt, owner of Bullseye Compliance (https://bullseyecompliance.com) joins VCM for a conversation that ranges from issues and trends in SMB security, entrepreneurship and making a difference, fitness and stress management, application of military experience to infosec, and more!
April 05, 2022
The Virtual CISO Moment S4E13 - A Conversation with Chuck Sirois
Email remains the most common vector for criminals to exploit. Chuck Sirois discusses how PhishFacts (https://phishfacts.com) can help SMBs identify email misconfigurations that criminals may leverage.
March 29, 2022
The Virtual CISO Moment S4E12 - The CISSP and the Virtual CISO
The Certified Information Systems Security Professional, or CISSP, is considered by some to be the pinnacle of information security professional certifications, on par with the CPA. But why is that, and what differentiates it from other certifications? And why is it important for virtual CISOs to have and maintain this certification?
March 22, 2022
The Virtual CISO Moment S4E11 - A Conversation with Ed Carroll
Ed Carroll joins us to discuss many of the initiatives he's involved with, including Edison Marks to apply AI to help SMBs (https://edisonmarks.com/), the Carolina Cyber Center to help with information security in North Carolina and beyond (https://carolinacybercenter.com/), and an update on the RETR3AT cyber security conference at beautiful Montreat College (https://www.montreat.edu/about/events/retr3at/).
March 15, 2022
The Virtual CISO Moment S4E10 - Sad Reaction to Recent Infosec Advice
While watching a report on the news this morning about items to consider to counter possible Russian cyber attacks related to the Ukraine-Russia crisis, I felt sadness. The reason may surprise you, or not. Find out why on today's special midweek installment of The Virtual CISO Moment.
March 09, 2022
The Virtual CISO Moment S4E9 - Discussion with Craig Sandman of Symbol Security
Craig Sandman of Symbol Security (https://symbolsecurity.com/) and vCISONews (https://www.vcisonews.com/) joins us to discuss the importance of effective security awareness training for SMBs and the virtual CISO role.
March 08, 2022
The Virtual CISO Moment S4E8 - CISO David Baker
Chief Information Security Officer David Baker gives insight into the challenges of an SMB CISO. Guest opinions are their own and not the views of their employer.
March 01, 2022
The Virtual CISO Moment S4E7 - Don't Ignore the News
Threat awareness sources are many. One that is often overlooked is the news. Hear why being plugged into current events in real time is important. (And Greg says "yes I know the difference between emulate and emanate").
February 21, 2022
The Virtual CISO Moment S4E6 - Don't Spin Your Wheels
Information security is difficult without a plan. Don't spin your wheels. Find a framework, find a coach, and find success.
February 16, 2022
The Virtual CISO Moment S4E5 - Business Continuity Table Top Exercises Continued
We delve in a bit deeper into business continuity exercise types - which is right for your business? We also have a special invitation.
February 08, 2022
The Virtual CISO Moment S4E4 - The Effect of Culture on Information Security
The security posture of a company is rooted in the company's culture - its approach and attention to information security across all levels of the organization.
February 02, 2022
The Virtual CISO Moment S4E3 - The vCISO and 3LoD
Morning thoughts on how the virtual CISO fits in an organization, using the Three Lines of Defense (3LoD) model to illustrate.
January 28, 2022
The Virtual CISO Moment S4E2 - Business Continuity Table Top Exercises
Business Continuity Table Top Exercises (or BCP TTX, since it's easier to type) are important for identifying gaps in business continuity, disaster recovery, and incident response programs. Don't ignore this essential exercise, and don't treat it as just an information technology exercise.
January 28, 2022
The Virtual CISO Moment S4E1 - Information About the Virtual CISO Field
The virtual CISO is not a new discipline, but it is evolving. Like other security specialties, there are different approaches and skills offered. This is the first of several upcoming discussions on the virtual CISO space. firstname.lastname@example.org
January 28, 2022
The Virtual CISO Moment S4E0 - Trailer
After a hiatus, The Virtual CISO Moment returns with useful information from security experts who understand small and midsized business (SMB) security needs. No frills, no glamour, no transparent whiteboard text, no complex graphics, and no script - just a few minutes every Tuesday discussing SMB information security risk issues.
January 27, 2022
The Virtual CISO Moment S3E7 - Metrics
Metrics - security leaders talk about them often. But what is the one critical question they, and you, should ask about information security metrics?
August 20, 2020
The Virtual CISO Moment S3E6 - Social Distancing
The episode compares COVID-19 and information security risks...through a Chihuahua.
July 13, 2020
The Virtual CISO Moment S3E5 - COVID-19 Fear and Small Business Scams
Many small business owners are frightened now, unsure of how their business will survive. Many in the United States have applied for the PPP. But the combination of economic calamity, fear of infection, and stress from lives upended creates an environment for criminals to exploit. It's okay to be afraid, but don't let it lead you to become a victim.
April 21, 2020
The Virtual CISO Moment S3E4 - COVID-19 Business Continuity Lessons
The COVID-19 pandemic has disrupted business operations on an unprecedented scale. It also presents an opportunity to learn and grow business operations. This will end, and the time to prepare for the "new normal" is now.
April 14, 2020
The Virtual CISO Moment S3E3 - Hoodie
The "hacker in a hoodie" image has been used for years by the media to call attention to articles about cyber security incidents. It's time that graphic is retired. Here's why.
January 19, 2020
The Virtual CISO Moment S3E2 - FUD and Statistics
FUD - Fear, Uncertainty, and Doubt - is sometimes used to sell products or services. One popular FUD element is statistics, whether spinning valid numbers or making them up. Regardless of the type of FUD, bowing to the instinctual urges to respond can obfuscate genuine information security risks.
January 13, 2020
The Virtual CISO Moment S3E1 - Information Security Theater
Information security theater, improvements that look and sound good but make no real impact on the overall security posture of an organization, can do more harm than good. Do you understand the information security risks of your organization before designing and implementing controls?
January 01, 2020
The Virtual CISO Moment S2E12 - Information Security and Information Technology Security
Information Security and Information Technology Security are not the same. If your program is focused on Information Technology Security only, you've got gaps.
December 13, 2019
The Virtual CISO Moment S2E11 - Information Security Fitness
In order to stay healthy, we need to exercise regularly. To maintain our information security program's fitness, we need to exercise it as well.
November 24, 2019
The Virtual CISO Moment S2E10 - Information Security Policies
Information security policies direct the governance of the information security program. What are elements of effective policies, and what mistakes do SMBs often make with their information security policy program?
November 13, 2019
The Virtual CISO Moment S2E9 - Quantitative Information Security Risk Assessments - Presentation
Learn how quantitative information security risk assessments can help community institutions (and all small and midsized businesses). A presentation to the Bankers' Bank of the West Information Security for Community Institutions conference October 25, 2019.
October 25, 2019
The Virtual CISO Moment S2E8 - GRC
Governance, Risk, and Compliance - how it can benefit information security for businesses of all sizes.
October 21, 2019
The Virtual CISO Moment S2E7 - What is a Virtual CISO? InfoSec Nashville 2019
In this extended episode, vCISO Services principal Greg Schaffer speaks at InfoSec Nashville 2019 about what a virtual CISO is and how they help small and midsized businesses.
September 27, 2019
The Virtual CISO Moment S2E6 - Conversation at the National Cyber Summit 2019
vCISO Services principal Greg Schaffer discusses the virtual CISO role in a short interview at the National Cyber Summit.
September 21, 2019
The Virtual CISO Moment S2E5 - OpenFAIR
Greg discusses the announcement of vCISO Services, LLC's licensed quantitative information risk assessment offering based on The Open Group Open FAIR™ Body of Knowledge. https://www.prnewswire.com/news-releases/an-answer-for-cybersecurity-cost-exposure-300911336.html
September 04, 2019
The Virtual CISO Moment S2E4 - ISO 27001 Part 3
Greg concludes a three-part series breaking down ISO 27001 and ISO 27002, international standards for information security. Part three dives into the second half of the ISO 27002 control requirements.
August 29, 2019
The Virtual CISO Moment S2E3 - ISO 27001 Part 2
Greg continues a three-part series breaking down ISO 27001 and ISO 27002, international standards for information security. Part two dives into the first half of the ISO 27002 control requirements.
August 19, 2019
The Virtual CISO Moment S2E2 - ISO 27001 Part 1
Greg begins a three-part series breaking down ISO 27001 and ISO 27002, international standards for information security. Part one lays out the history and a glimpse at the structure of ISO 27000 and why it's important for SMBs.
August 14, 2019
The Virtual CISO Moment S2E1 - What's in a Name?
Taken from a Facebook Live video July 26th (hence the lower video quality), Greg explains why the Virtual CISO Minute is now the Virtual CISO Moment, talks about possible future use of the Facebook Live channel to help small and midsized businesses with information security topics, and invites current vCISOs or those interested in the space to join the Virtual CISO Exchange LinkedIn group at https://www.linkedin.com/groups/12095465/. Produced by vCISO Services, LLC. https://vcisoservices.com
August 07, 2019
The Virtual CISO Moment S1E12 - The Rise of the Virtual CISO
There is a growing rift between the information security “haves” and “have nots,” and the threat actors know that as well. Cyber criminals increasingly target small and midsized businesses (SMBs) because they know SMBs likely do not have information security programs as robust as those large organizations have in place. Nor do they have experienced information security leadership, as the average annual cost of nearly $260,000 for a full-time CISO is out of the reach of most SMB budgets. The Virtual CISO, or vCISO, has emerged to fill this need. While most SMBs cannot afford a full-time CISO, most also do not need one, just access to CISO expertise. Often as little as ten hours per month of a virtual CISO can bolster an SMB's information security program and posture to nearly the same level as if they had a full-time CISO on staff. This presentation discusses why the virtual CISO has become a viable option for businesses, what to look for in a virtual CISO, and what a virtual CISO can and cannot do for your small or midsized business.
July 31, 2019
The Virtual CISO Moment S1E11 - Career Genesis
Thirty-four years ago, I worked as a porter (janitor) at a hotel in New Jersey. I took a year off between high school and college to decide where I wanted to direct my life - and to earn money for college. I promised myself that one day, when I had become successful, I would stay in that hotel. Recently it happened. I realized I learned an early lesson applicable to information security then. Watch to find out what it was.
July 31, 2019
The Virtual CISO Moment S1E10 - What is a Virtual CISO?
You've heard the term, but what is a Virtual CISO, or vCISO? This week's Virtual CISO Minute explains.
July 24, 2019
The Virtual CISO Moment S1E9 - Compensating Controls
Compensating Controls: Is an audit exception regarding a failing primary control absolute? Maybe, maybe not. The risk may be mitigated by other methods - compensating controls.
July 17, 2019
The Virtual CISO Moment S1E8 - Veterans and Information Security
The Nashville Technology Council's Veterans Peer Group helps veterans land civilian jobs and enhance their careers in IT and information security in the Nashville/Middle Tennessee region. SMBs should look to a veteran when trying to fill these positions.
July 10, 2019
The Virtual CISO Moment S1E7 - Quantitative Risk Assessments and SMBs
Quantitative risk assessments and how they can help your SMB's information security posture.
July 01, 2019
The Virtual CISO Moment S1E6 - Qualitative Risk Assessments
Qualitative risk assessments, the ones that produce those "heat maps" with red (high risk), yellow (medium risk), and green (low risk) cells, are a standard method for communicating information security risk. But they have limitations.
June 28, 2019
The Virtual CISO Moment S1E5 - The Importance of Information Security Risk Assessments
Information security risk assessments - why are they important?
June 21, 2019
The Virtual CISO Moment S1E4 - SOC1, SOC2 Audit Reports Explained
SOC1, SOC2, what do they mean for your small business? Find out in this week's installment of The vCISO Minute.
May 31, 2019
The Virtual CISO Moment S1E3 - The (Pragmatic) Need for Incident Response Testing
A recent breach highlights the need for incident response testing, particularly about notification.
May 24, 2019
The Virtual CISO Moment S1E2 - Outdated Operating Systems
Microsoft released a patch for out-of-support operating systems this week, but that's usually not the case. If your business requires running old operating systems, usually due to legacy software or systems, you need to reduce the risk that running an outdated operating system brings without relying on patches. Music by https://www.bensound.com/
May 17, 2019
The Virtual CISO Moment S1E1 - The Verizon Data Breach Investigation Report
The annual Verizon Data Breach Investigation Report will come out soon. What is it, and how does it benefit small and midsized businesses?
May 10, 2019
The Virtual CISO Moment S0E4 - Infosec Nashville (VCM Pilot Episode)
vCISO Services, LLC Principal Greg Schaffer discusses information security opportunities at the 2018 InfoSec Nashville conference. The Virtual CISO Moment (Minute) video series/podcast spun off from this discussion.
February 19, 2019
The Virtual CISO Moment S0E3 - Information Security as Risk Management
vCISO Services, LLC Founding Principal Greg Schaffer explains Information Security as Risk Management at the National Cybersecurity Summit, Huntsville, Alabama, June 2018.
February 16, 2019
The Virtual CISO Moment S0E2 - The Value of a Compromised Device
Presentation at the Middle Tennessee State University Cyber Summit 2013.
February 09, 2019
The Virtual CISO Moment S0E1 - Secure Your SMB Like a Large Corporation
You treat your small or midsized business like a large corporation, why not secure it like one? From the Virtual CISO Moment pre-series archives (2019).
January 01, 2019
The Virtual CISO Moment S0E0 - Genesis
vCISO Services, LLC Founding Principal Greg Schaffer explains the purpose and calling for launching vCISO Services, LLC to the Christian Business Leaders Roundtable in 2017.
November 30, 2017