On October 14, 2021, FRSecure hosted our third annual Hacks and Hops cyber security conference. This event series was designed from the ground up to be a meeting point for cybersecurity professionals to speak, learn, and network over beers.
While this year’s event was unfortunately made virtual due to ever-changing travel concerns surrounding the COVID-19 pandemic, the event has kept up its momentum and managed to be the biggest and best Hacks and Hops to date!
The all-day conference was filled with talks from industry-leading professionals, including FRSecure’s own Mike Thompson and Director of Technical Services Oscar Minks. Joining our in-house experts was a group of leading industry professionals who led fantastic discussions on cyber insurance, MSSPs, ransomware, and more:
- Joe Scargill – Special Agent in Charge Twin Cities at Secret Service
- Arin Brown – CTO at SEACHANGE
- Tony Lambert – Senior Intelligence Analyst at Red Canary
- Sonu Shankar – Head of MDR Product at Arctic Wolf
- Tim Smit – Cyber Security Practice Lead & Owner at Lockton
- Mike Kennedy – Founder at Ostra
Also joining us was Amanda Berlin of Mental Health Hackers, an excellent non-profit organization that seeks to educate information security professionals about the unique mental health risks faced by those in our field.
A Word from FRSecure’s CEO and Founder
Our founder, Evan Francen, had this to say about 2021’s Hacks and Hops Event:
“I realize I’m biased, but people who know me know I speak the truth.
This was the best conference I’ve attended in years! The content was practical, consistent, and relevant. The speakers were all relatable experts, and I walked away a better information security professional for having attended this year’s Hacks & Hops.
Since the conference, I’ve heard from several people who attended. The remarks have been overwhelmingly positive, and ultimately, this is what matters!
I’m extremely proud of everyone at FRSecure for hosting a great event, and I’m grateful for the wonderful partners who participated alongside us. I’m especially proud of our marketing team. It’s hard to market in this industry with integrity, and this team knocked it out of the park.
Our mission was served, and I couldn’t be happier!”
Q&As from the Sessions
In addition to keynotes and discussions, each of this year’s segments included valuable Q&A time with the speakers. We thought it would be helpful to include some highlights from the conference here in case you didn’t get a chance to attend live!
Session topic – Ransomware: Evil with Follow-The-Sun Support
Q: What prevents them from keeping your data and asking for a new ransom down the road?
A: Ultimately nothing prevents the adversary from doing this outside “the honor system.” Generally, it’s in the adversary’s best interest to honor their deals as a reputation for less-than-honest deals will prevent future victims from paying.
Q: Are the ransomware prevention tools offered by firewalls efficient? Would any other layer be recommended for on-premise networks?
A: Generally, endpoint controls are the most suitable for ransomware detection or prevention.
Q: Have you seen an uptick of Ramnit being used in ransomware?
A: Ramnit, not necessarily. We mostly see Bazar and Qbot leading to Cobalt Strike and ransomware.
Q: Do ransomware attacks generally start more from the server hardware or the endpoints? Where should we focus first?
A: This depends on the methods used for initial access to a network. Phishing attacks affect endpoints more than servers, while specialized exploitation (Exchange, SharePoint, etc.) happens more on servers. I generally advise focusing on endpoint controls first.
Session topic – What’s Going on with Cyber Insurance, and Why It’s Still Important
Q: Is a SIEM a requirement?
A: Yes, along with a SOC to monitor and respond, contain, and minimize disruption(s).
Q: Will insurance companies perform an on-site audit to validate information provided for a cyber insurance plan?
Q: Many of the questions are vague and controls in place may or may not be compensating depending on who is looking at them.
A: Be as transparent as you can be.
Q: For Lockton, this covers the basic IT functions, but how does this model change for companies that develop/integrate applications to push out software products?
A: These types of companies need to address those risks with other insurance programs.
Q: Does this make security integration into those processes for the product mandatory?
A: Privacy by Design needs to be integrated and implemented.
Q: Describe “automatic network segmentation.”
A: We’ve got a lot of static network segmentation. Auto-containment ensures an attack cannot scale and cascade, causing a catastrophic loss.
Q: Are insurers requiring K-12 education to use MFA for young students?
A: No, however, they are for staff.
Q: We are protecting our solutions (email, CRM, etc.) with MFA, but we do not have workstation-level or desktop-level MFA. Are you saying that MFA is required even at the workstation level now?
Q: Are they looking at MFA at the desktop, server, network device levels, or just the mobile device?
A: All of the above, to include systems connecting with systems.
Q: Are cyber insurance companies developing standards for us to follow to maintain coverage and at the lowest cost?
A: They follow industry best practice frameworks.
Session topic – How to Build a Security Program from the Ground Up
Q: Do you have any guidance on these [IS Committee] meetings? How do we push a culture that includes information security?
A: Set up your Information Security (IS) Committee with a charter that defines its purpose, responsibilities, and membership. Once the charter is in place, the committee’s meetings should focus on agenda items such as:
- Policy review and approval
- Reviewing status reports on awareness training, incident response, vulnerability management, risk assessments, etc.
- Identifying and handling non-compliance and disciplinary actions
- Decision-making for all the above
In the end, your IS committee provides clear direction and visible management support for your information security program. With this support trickling down from the top, it will be easier to form a culture that embraces security versus “pushing” it. And don’t underestimate the power of an information security team that is friendly and likable!
Q: I have seen “policies” be complex and thrown out with all kinds of legal terms. I do not very often see the stuff being enforced. Is that a maturity thing?
A: As we should know by now, complexity is the enemy of security.
It’s a best practice that your security policies should be general, easy to understand (and follow), and should fit your business.
First, management must review and approve the policies. Employee awareness and training are next, not only on the policies themselves but on the approved disciplinary actions for non-compliance. Employees should sign off on their acknowledgment and acceptance of the policies. Only then should you enforce any disciplinary actions, and it should be consistent throughout the organization.
So, yes, it’s a bit of a maturity thing.
Q: What are some of the key milestones that companies should meet to ensure their security program is maturing effectively and efficiently?
A: It depends on your business objectives, but starting with a third-party risk assessment that will help identify your most critical risks (and then addressing those) will give you some assurance that the largest gaps are addressed. From there, doing an assessment like a SOC 2 or another industry-specific assessment can help validate that you have the right pieces in place for a strong IS program.
We’re very proud of how this year’s conference went. We hope this recap helped answer any questions you may have around these topics, and we’re thrilled we can continue to play a part in your security programs by bringing you resources like this.
Stay tuned with us to find out how we’ll keep up the momentum and continue to build on the event for years to come.
Have any suggestions for making the next Hacks and Hops the best one yet? Feel free to drop us a line via our contact form.