On October 14, 2021, FRSecure hosted our third annual Hacks and Hops cybersecurity conference. This event series was designed from the ground up to be a meeting point for cybersecurity professionals to speak, learn, and network over beers.
While this year’s event was unfortunately made virtual due to ever-changing travel concerns surrounding the COVID-19 pandemic, the event has kept up its momentum and managed to be the biggest and best Hacks and Hops to date!
The all-day conference was filled with talks from industry-leading professionals, including FRSecure’s own Mike Thompson and Director of Technical Services Oscar Minks. Joining our in-house experts was a group of leading industry professionals who led fantastic discussions on cyber insurance, MSSPs, ransomware, and more:
- Joe Scargill – Special Agent in Charge Twin Cities at Secret Service
- Arin Brown – CTO at SEACHANGE
- Tony Lambert – Senior Intelligence Analyst at Red Canary
- Sonu Shankar – Head of MDR Product at Arctic Wolf
- Tim Smit – Cyber Security Practice Lead & Owner at Lockton
- Mike Kennedy – Founder at Ostra
Also joining us was Amanda Berlin of Mental Health Hackers, an excellent non-profit organization that seeks to educate information security professionals about the unique mental health risks faced by those in our field.
A Word from FRSecure’s CEO and Founder
Our founder, Evan Francen, had this to say about 2021’s Hacks and Hops Event:
“I realize I’m biased, but people who know me know I speak the truth.
This was the best conference I’ve attended in years! The content was practical, consistent, and relevant. The speakers were all relatable experts, and I walked away a better information security professional for having attended this year’s Hacks & Hops.
Since the conference, I’ve heard from several people who attended. The remarks have been overwhelmingly positive, and ultimately, this is what matters!
I’m extremely proud of everyone at FRSecure for hosting a great event, and I’m grateful for the wonderful partners who participated alongside us. I’m especially proud of our marketing team. It’s hard to market in this industry with integrity, and this team knocked it out of the park.
Our mission was served, and I couldn’t be happier!”
Q&A’s from the Sessions
In addition to keynotes and discussions, each of this year’s segments included valuable Q&A time with the speakers. We thought it would be helpful to include some highlights from the conference here in case you didn’t get a chance to attend live!
Red Canary
Session topic – Ransomware: Evil with Follow-The-Sun Support
Q: What prevents them from keeping your data and asking for a new ransom down the road?
A: Ultimately nothing prevents the adversary from doing this outside “the honor system.” Generally, it’s in the adversary’s best interest to honor their deals as a reputation for less-than-honest deals will prevent future victims from paying.
Q: Are the ransomware prevention tools offered by firewalls efficient? Would any other layer be recommended for on-premise networks?
A: Generally endpoint controls are the most ideal for ransomware detection or prevention.
Q: Have you seen an uptick of Ramnit being used in ransomware?
A: Ramnit, not necessarily. We mostly see Bazar and Qbot leading to Cobalt Strike and ransomware.
Q: Do ransomware attacks generally start more from the server hardware or the endpoints? Where should we focus first?
A: This depends on the methods used for initial access to a network. Phishing attacks affect endpoints more than servers, while specialized exploitation (Exchange, SharePoint, etc.) happens more on servers. I generally advise focusing on endpoint controls first.
Lockton
Session topic – What’s Going on with Cyber Insurance, and Why It’s Still Important
Q: Is a SIEM a requirement?
A: Yes, along with a SOC to monitor and respond, contain, and minimize disruption(s).
Q: Will insurance companies perform an on-site audit to validate information provided for a cyber insurance plan?
A: No.
Q: Many of the questions are vague and controls in place may or may not be compensating depending on who is looking at them.
A: Be as transparent as you can be.
Q: For Lockton, this covers the basic IT functions, but how does this model change for companies that develop/integrate applications to push out software products?
A: These types of companies need to address those risks with other insurance programs.
Q: Does this make security integration into those processes for the product mandatory?
A: Privacy by Design needs to be integrated and implemented.
Q: Describe “automatic network segmentation.”
A: We’ve got a lot of static network segmentation. Auto-containment ensures an attack cannot scale and cascade, causing a catastrophic loss.
Q: Are insurers requiring K-12 education to use MFA for young students?
A: No, however, they are for staff.
Q: We are protecting our solutions (email, CRM, etc.) with MFA, but we do not have workstation-level or desktop-level MFA. Are you saying that MFA is required even at the workstation level now?
A: Yes.
Q: Are they looking at MFA at the desktop, server, network device levels, or just the mobile device?
A: All of the above, to include systems connecting with systems.
Q: Are cyber insurance companies developing standards for us to follow to maintain coverage and at the lowest cost?
A: They follow industry best practice frameworks.
SEACHANGE
Session topic – How to Build a Security Program from the Ground Up
Q: Do you have any guidance on these [IS Committee] meetings? How do we push a culture that includes information security?
A: Set up your Information Security (IS) Committee with a charter that defines its purpose, responsibilities, and membership. Once the charter is in place, the committee’s meetings should focus on agenda items such as:
- Policy review and approval
- Reviewing status reports on awareness training, incident response, vulnerability management, risk assessments, etc.
- Identifying and handling non-compliance and disciplinary actions
- Decision-making for all the above
In the end, your IS committee provides clear direction and visible management support for your information security program. With this support trickling down from the top, it will be easier to form a culture that embraces security versus “pushing” it. And don’t underestimate the power of an information security team that is friendly and likable!
Q: I have seen “policies” be complex and thrown out with all kinds of legal terms. I do not very often see the stuff being enforced. Is that a maturity thing?
A: As we should know by now, complexity is the enemy of security.
It’s a best practice that your security policies should be general, easy to understand (and follow), and should fit your business.
First, management must review and approve the policies. Employee awareness and training are next, not only on the policies themselves but on the approved disciplinary actions for non-compliance. Employees should sign off on their acknowledgment and acceptance of the policies. Only then should you enforce any disciplinary actions, and it should be consistent throughout the organization.
So, yes, it’s a bit of a maturity thing.
Q: What are some of the key milestones that companies should meet to ensure their security program is maturing effectively and efficiently?
A: It depends on your business objectives, but starting with a third-party risk assessment that will help identify your most critical risks (and then address those) will give you some assurance that the largest gaps are addressed. From there, doing an assessment like a SOC2, or other industry-specific assessment can help validate that you have the right pieces in place for a strong IS Program.
Ostra Cybersecurity
Session topic – The Problem With Tech Providers and MSSPs
Q: How do we find these tools and get that training so we can find work with a company like yours?
A: Finding tools and getting the training to be able to work with a company like Ostra is simple. Doing research and online training can help you educate yourself. Some examples include Google, YouTube, following people in the industry, volunteering with organizations, networking, etc. As a company, Ostra hired a large number of entry-level people, and we hire them based on their community engagement.
Here are some training resources: https://www.splunk.com/en_us/training/free-cources/splunk-fundamentals-1.html
Q: So, if you all have so many gaps in how you work with clients, how do we as customers know how to choose and who to work with? All day we heard how much of a mess we’re in with who we are supposed to trust.
A: Customers can know how to choose and who to work with by simply doing their research and learning about them. Look at people who are out there, and you should be able to get a fairly accurate assumption of whether you can trust them. Look for people who are agnostic; look at their LinkedIn and what they are posting. In addition, ask them the right questions:
- How are you maintaining locks?
- How do you guys provide service?
- What do you do if there is an incident?
- Have you ever had an incident you had to remediate?
Start the conversation and start talking to people. Explain your gaps and ask what you should prioritize. The main idea is to listen, and trust the people you build a relationship with.
Q: How do you recommend keeping up with tech tools? And how would you go about evaluating tools to make the right choice?
A: The tech industry is moving at an insanely fast pace, and when paying attention to the noise, there are a lot of players saying the same thing. The best way to keep up and evaluate, if you cannot run POCs, is to work with a trusted advisor, do a demo, and leverage social media to ask industry leaders what is good. Talk with your team and figure out what you can support. Find tools that work together with other tools, tools that fit in your environment, and make sure you’re able to stitch all those tech tools together successfully.
Q: Does Ostra help address the associated compliance side of security? Such as PIPEDA, CCPA, GDPR, etc.
A: Ostra does address and help with the associated compliance side of security; however, we do not cover all the needs associated with it. That said, we partner with companies like FRSecure to assist in the compliance area. Our singular goal is to keep our clients safe, not just to check a box; often that means an even higher standard than typical compliance measures require.
Q: Finding a balance between systems’ ease of use and securing the business: attempting to make the company more secure without making it more difficult for everyone to do their job. What is the breaking point where too much is just too much, or is there never too much?
A: One of the biggest challenges with cybersecurity is piecing together all the different tools and ensuring they work together in harmony. This is exactly why Ostra was created – to simplify cybersecurity for SMBs. By having an external partner like Ostra as your professional outsourced cybersecurity team, you have a healthier environment for exactly these types of discussions. Ultimately it comes down to education, evaluation, and prioritization. Our solutions are designed to prioritize security without detracting from business processes.
Q: Mike – Looking at your own company, what’s something you want to be more honest and transparent about?
A: For us at Ostra, it is ensuring a mobile device policy. For example, ensuring employees do not bring their kids’ laptops into the office. However, we understand that it’s okay to be in progress if you’re moving forward and working on something.
Closing
We’re very proud of how this year’s conference went. We hope this recap helped answer any questions you may have around these topics, and we’re thrilled we can continue to play a part in your security programs by bringing you resources like this.
Stay tuned with us to find out how we’ll keep up the momentum and continue to build on the event for years to come.
Have any suggestions for making the next Hacks and Hops the best one yet? Feel free to drop us a line via our contact form.