High-Level FAQ on Attack Surface Mapping

Q: What is attack surface mapping?

A: Attack surface mapping is a technique used to identify and assess potential attack vectors on a system or network. It involves identifying and analyzing the various components, data flows, and security controls of a system to identify potential vulnerabilities.

Q: What are the benefits of attack surface mapping?

A: Attack surface mapping helps organizations to better understand their security posture, identify weaknesses, and deploy appropriate controls. It can also help reduce risk by providing visibility into the system’s attack surface, allowing organizations to better prepare for potential threats.

Q: What are the components involved in attack surface mapping?

A: Attack surface mapping involves examining the various components of a system or network, including hardware, software, infrastructure, data flows, and security controls. It also includes evaluating the system’s current security posture, identifying potential attack vectors, and deploying appropriate controls.

Q: What techniques are used in attack surface mapping?

A: Attack surface mapping typically involves using visual representations such as mind-maps, heat maps, and photos to illustrate the various components and data flows of a system. In addition, it may involve using video demonstrations to show how potential vulnerabilities can be exploited.

How Information Security and Risk Management Teams Can Support FinOps

As organizations continue to move their operations to cloud services, it is becoming increasingly important for information security and risk management teams to understand how they can support financial operations (FinOps). FinOps is a management practice that promotes shared responsibility for an organization’s cloud computing infrastructure and cloud cost management. In this post, we will explore some ways in which the information security and risk management team can support FinOps initiatives.

1. Establishing Governance: Information security and risk management teams can play a vital role in helping FinOps teams establish effective governance. This includes creating a framework for budget management, setting up policies and procedures for cloud resource usage, and ensuring that all cloud infrastructure is secure and meets compliance requirements.

2. Security Awareness Training: Information security and risk management teams can provide security awareness training to ensure that all cloud practitioners are aware of the importance of secure cloud computing practices. This includes data protection, authentication protocols, encryption standards, and other security measures.

3. Cloud Rate Optimization: Information security and risk management teams can help FinOps teams identify areas of cost optimization. This includes analyzing cloud usage data to identify opportunities for cost savings, recommending risk-based ways to optimize server utilization, and helping determine the most appropriate pricing model for specific services or applications.

4. Sharing Incident Response, Disaster Recovery, and Business Continuity Insights: Information security and risk management teams can help FinOps teams respond to cloud environment incidents quickly and effectively by providing technical support in the event of a breach or outage. This includes helping to diagnose the issue, developing mitigations or workarounds, and providing guidance on how to prevent similar incidents in the future. The data from the DR/BC plans are also highly relevant to the FinOps team mission and can be used as a roadmap for asset prioritization, process relationships, and data flows.

5. Compliance Management: Information security and risk management teams can help FinOps teams stay compliant with relevant regulations by managing audits and reporting requirements, ensuring that all relevant security controls are in place, auditing existing procedures, developing policies for data protection, and providing guidance on how to ensure compliance with applicable laws.

The bottom line is this: By leveraging the shared data and experience of the risk management and information security teams, FinOps teams can ensure their operations are secure, efficient, and completely aligned with the organization’s overall risk and security posture. This adds value to the work of all three teams in the triad. By working together, the teams can significantly enhance the maturity around technology business management functions. All-in-all, by working together, the teams can create significantly better business outcomes.


FAQ for Enterprise Authentication Inventory

Q: What is authentication inventory?

A: Authentication inventory is the process of identifying and documenting all of the systems and applications that require remote access within an organization, as well as the types of authentication used for each system and any additional security measures or policies related to remote access.

Q: Why is authentication inventory important?

A: Authentication inventory is important because it helps organizations protect themselves from credential stuffing and phishing attacks. By having a complete and accurate inventory of all points of authentication, organizations can ensure that the right security protocols are in place and that any suspicious activity related to authentication can be quickly identified and addressed.

Q: What steps should I take to properly inventory and secure my authentication points?

A: To properly inventory and secure your authentication points, you should:

1. Identify the different types of authentication used by the organization for remote access.

2. List all of the systems and applications that require remote access.

3. Document the type of authentication used for each system/application and any additional security measures or policies related to remote access.

4. Check with user groups to ensure that they use secure authentication methods and follow security policies when accessing systems/applications remotely.

5. Monitor access logs for signs of unauthorized access attempts or suspicious activity related to remote access authentication.

6. Regularly review and update existing remote access authentication processes as necessary to ensure accurate data.

New Book Launch: We Need To Talk: 52 Weeks To Better Cyber-Security

I have released a new e-book titled “We Need To Talk: 52 Weeks To Better Cyber-Security.” I self-published through PublishDrive and MSI. It has been quite an interesting project, and I learned a lot in both writing/editing (with an AI), and in the publishing aspects.

The book provides a comprehensive approach to discussing cyber-security, addressing topics such as risk management, configuration management, vulnerability management, policy, threat intelligence, and incident response. The discussions that are sparked will lead to helping your team strengthen and mature your organization’s security posture.

The book is designed for information security professionals and their teams looking for a structured way to improve their organization’s cyber-security posture over one year. It is an ideal resource for those teams who wish to develop a well-rounded understanding of cyber-security and gain insight into the various elements that are needed for a successful program.

The book is 111 pages and sells for $9.99 in most of the ebook stores below:

Barnes & Noble

Check it out, and please leave a review if you don’t mind taking the time. It will be much appreciated.

Print-on-demand options and other stores will be coming shortly. Hopefully, the book helps folks build better infosec programs. As always, thanks for reading, and stay safe out there! 

Video: Auditing Authentication Mechanisms

Here’s a quick video walkthrough of the presentation around auditing authentication mechanisms. 

We are getting some great feedback on this one, and people are rising to the challenge of doing audits for their organizations. Many folks are finding some quite unexpected results! 

Let me know on Twitter (@lbhuston) what you discover!

As always, thanks for reading and watching!

Processes and Benefits of Conducting a CIS Controls Assessment

In my last paper I went over the reasons why conducting a Center for Internet Security (CIS) controls assessment is a good way to build a roadmap for establishing a solid information security program at your organization. This week I’m going to discuss how a CIS controls assessment is conducted, the control categories that make up the current CIS Critical Security Controls (version 8) and the results that you can expect to get from the assessment.

The first step in conducting a CIS controls assessment is determining which CIS implementation group (IG1, IG2 or IG3) your organization should aspire to achieve. For simple organizations that do not have a complex network, and that do not hold sensitive private or regulated data, IG1 may be appropriate. However, for most commercial businesses, implementation groups IG2 and IG3 are recommended. These higher implementation groups offer stronger safeguards for private/regulated data and help the organization resist focused cyber-attacks such as ransomware. At this time, the organization also determines the amount of time they wish to allow for reaching their aspirational security goals. This can vary from one organization to the next, but a typical time frame for full implementation is three years.

The next step in the process involves interviewing knowledgeable persons in the organization in order to compare the CIS V8 controls to your current information security measures. The interviewer will question your personnel about each security control and rate your organization’s compliance as:

  • Steady-state operational: these are controls that are already being used by the organization and that are included in written policies and procedures. To assure that these controls are in place, the assessor will ask for proofs such as screenshots or records.
  • Ad-hoc: these are controls that the organization does employ at least somewhat, but that are not documented or applied systematically.
  • Non-existent: these, obviously, are controls that the organization does not employ at all.
  • Non-applicable: these are controls that are recommended by the standard, but do not apply to the technology stack or processes that are in use in the organization.

This interview process will probably take 2 or more sessions to complete as there are currently 18 control categories in version 8 of the controls. These include:

  1. Inventory and control of enterprise assets
  2. Inventory and control of software assets
  3. Data protection
  4. Secure configuration of enterprise assets and software
  5. Account management
  6. Access control management
  7. Continuous vulnerability management
  8. Audit log management
  9. Email and web browser protections
  10. Malware defenses
  11. Data recovery
  12. Network infrastructure management
  13. Network monitoring and defense
  14. Security awareness and skills training
  15. Service provider management
  16. Application software security
  17. Incident response management
  18. Penetration testing

In the next step of the process, the assessors will perform written gap analyses of both the baseline security controls (IG1) and the aspirational security controls (IG2 & IG3). These gap analyses will detail percentages of controls that are compliant, ad-hoc, non-existent and NA, and detail the levels of risk that these gaps pose to the organization.

Finally, the assessors will document a detailed roadmap for closing the gaps found during the assessment and meeting the control goals of the organization. This roadmap is typically split into several phases. With a three-year overall timeframe for achieving aspirational goals, these phases will include immediate goals (3-6 months), short-term goals (6-12 months), intermediate goals (13-24 months) and long-term goals (25-36 months).

These roadmaps are quite detailed. They list the recommended controls to be implemented during each time period. They also list the estimated technical complexity, political complexity and financial cost of implementing each control rated as high, medium or low. Other implementation guidance is also listed for each control as necessary.

As can be seen from this overview, conducting a CIS security controls assessment will provide your organization with a clear understanding of where you are now, where you need to be in the future and what you need to do to reach your security goals. This will bring an end to much of the confusion and frustration entailed in implementing an information security program. It will also give your organization the comfort of knowing that you are working with cutting-edge information security controls that give you the most bang for your buck!

Need an Information Security Program? A CIS Controls Assessment is a Good Way to Start!

No matter what size business or organization you have, in today’s world, the ever-increasing cyber-menace we face affects all of us. To keep our heads above water, all concerns need to have at least a basic documented and monitored information security program in place. For small and medium concerns, how to accomplish this necessary task without breaking the bank can be a truly frustrating and confusing task to undertake.

For one thing, your concern has different information security needs depending on what type of organization you have. Is your network simple or complex? Do you hold or process regulated data such as personal private information, personal health information or financial information? Could compromise of your organization provide a portal for cyber-attackers to gain access to other organizations?

Another point of confusion is provided by the disparate security service organizations, security devices and security applications that are available. How do you know which of these you may need, and how do you pick between the varying offerings? What is the learning curve involved, and will you need extra personnel to handle the increased load? These are all questions that can be very difficult to get a handle on let alone answer decisively.

To help cut the confusion and avoid unnecessary frustration, it seems to me what is needed is a clear path to follow to your security goal. That means finding out where you are now, constructing a roadmap of what needs accomplishing and building a timeline for reaching each step in the process. This is where a Center for Internet Security (CIS) Critical Security Controls assessment comes into play.

The CIS was formed in 2000 with the goal of “making the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.” To accomplish this goal, they publish a list of the most effective security controls available, which are arrived at through a consensus decision-making process of the cybersecurity community. These controls are constantly under scrutiny and are updated regularly. Currently, the CIS Security Controls are in version 8. In this version there are 18 safeguard categories, each with a varying number of individual information security controls to be implemented. These controls are further divided into three implementation groups (IG1, IG2 and IG3).

IG1 controls are those that provide “the basic cyber security hygiene that all organizations, regardless of size, complexity, and regulatory requirements should meet to resist basic attacks and breaches.”

IG2 controls are those at “the maturity level which is designed for distributed organizations with multiple sites, networks, and complex data structures but without regulatory concerns and a significant amount of sensitive data to protect…”

IG3 controls are at “the highest level of maturity, designed for complex environments with access to significant amounts of sensitive data who need to resist focused, well-resourced attacks.”

There are two basic factors that make this type of information security controls paradigm most suitable for roadmapping the security needs of disparate organizations. The first factor is the effectiveness of the controls, especially when employed as a group. These are the controls that do the job and give your organization the most bang for your buck. The second factor is the granularity of the controls. The three implementation groups allow your concern to plan and implement your information security program in easy bites over a reasonable period of time.

In addition, knowing what you need to accomplish over a period of time allows your organization to choose how you want to implement your program with the end game in sight. This allows you to choose security service providers, devices and applications wisely, avoiding unnecessary duplication and waste of resources. The fewer of these types of security assets you have, the easier they are to update and protect. This is in addition to the money you will save.

In my next blog, I will describe what a CIS controls assessment entails and the different control categories that are included.

FAQ for the End of SMS Authentication

Q: What is the end of SMS authentication?

A: SMS authentication verifies user identity by sending a one-time code via text message to a user’s mobile phone number. With the rise of potential security risks, many financial websites, applications, and phone apps are phasing out SMS-based authentication and transitioning to authenticator apps that reside on user devices and smartphones.

Q: What are some of the potential security risks associated with SMS authentication?

A: Attackers have a variety of means of intercepting SMS text messages, thus defeating this type of authentication. This increases the risk of interception and misuse of the codes in question and decreases the security of the user’s account with the financial institution.

Q: What is an authenticator app?

A: An authenticator app is an application that resides in encrypted storage on the user’s device and, when prompted, provides a one-time password (“OTP”) just like the code sent in the text message. The difference is that, once the application is set up and its settings configured, it derives each code using cryptographic techniques that require no further communication with the financial platform, which makes it significantly more difficult for attackers to compromise.

Q: What are the steps for organizations to switch from SMS authentication to authenticator apps?

A: Here is a quick overview of what is needed:

1. Research and decide on an authenticator app that meets your organization’s needs. Most of the time, users can select their own apps, and the firm selects the libraries needed to support them. Open source and commercial solutions abound in this space now.

2. Update user accounts in each application and authentication point with the new authentication protocol and provide instructions for downloading and setting up the authenticator app.

3. Educate users on using the authenticator app, including generating one-time passwords (OTPs), scanning QR codes, etc.

4. Monitor user feedback and usage data over time to ensure a successful switch from SMS authentication to an authenticator app.


PS – Need a process for cataloging all of your authentication points? Here you go.

Inventorying Organization Authentication Points

Are you looking for threat-proactive ways to secure your enterprise? One of the best ways to do this is by inventorying all of the points of authentication within your organization. In this blog post, we’ll discuss the steps you need to take to properly inventory and secure your Internet-facing authentication points. While you should have a complete and accurate inventory of these exposures, starting the process with a focus on critical systems is a common approach.

Inventory Process

1. Identify the different types of authentication used by the organization for remote access (e.g. passwords, two-factor authentication). If possible, use vendor data to include cloud-based critical services as well.

2. List all of the systems and applications that require remote access within the organization. External vulnerability scanning data and Shodan are both useful sources for this information.

3. For each system/application, document the type of authentication used and any additional security measures or policies related to remote access (e.g., password complexity requirements). Vendor management risk data can be useful here, if available.

4. Check with user groups to ensure that they use secure authentication methods and follow security policies when accessing systems/applications remotely.

5. Monitor access logs for signs of unauthorized access attempts or suspicious activity related to remote access authentication.

6. Regularly review and update existing remote access authentication processes as necessary to ensure the continued security of organizational resources over the Internet.

Why This Is Important – Credential Stuffing & Phishing

Inventorying all of the points of authentication within an enterprise is essential as protection against credential stuffing and phishing attacks. Credential stuffing is a type of attack where malicious actors use stolen credentials to gain access to different accounts, while phishing attacks are attempts to acquire confidential information through deceptive emails or websites. In both cases, it is important that organizations have proper authentication measures in place to prevent unauthorized access. Inventorying all of the points of authentication within an organization can ensure that the right security protocols are in place and that any suspicious activity related to authentication can be quickly identified and addressed.

In addition, having a detailed inventory of all points of authentication can help organizations identify any weak spots in their security measures. This allows them to take steps to strengthen those areas and further protect themselves from potential credential stuffing or phishing attacks. By regularly reviewing and updating their authentication processes, organizations can ensure that their resources remain secure and protected from any malicious actors.

Lastly, ensure that you feed this inventory and the knowledge gained into your enterprise risk assessment processes, incident response team, and other security control inventories. Make a note of any security gaps identified during the inventory process and ensure complete coverage of the logs and other intrusion detection systems at each potential point of authentication. By following these steps, you can ensure that your enterprise remains secure and protected from any potential threats associated with credential stuffing and credential theft associated with common phishing attacks.
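Step 5 of the inventory process and the credential stuffing discussion above describe what log monitoring at each authentication point should surface. The following is an added example, not code from the original post: it runs a credential stuffing check over constructed log lines in an assumed key=value format (many failures across many usernames from one source in a short window, plus any success from that source), and reports inventoried authentication points that produced no log events at all, the coverage check from the last paragraph. The hosts, users and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines, one auth event each, in a key=value format assumed
# for this example; real VPN/SSO/web sources need their own parsers.
LOG_LINES = """\
2024-03-01T10:00:01Z host=vpn.example.com result=FAIL user=alice src=203.0.113.7
2024-03-01T10:00:02Z host=vpn.example.com result=FAIL user=bob src=203.0.113.7
2024-03-01T10:00:02Z host=vpn.example.com result=FAIL user=carol src=203.0.113.7
2024-03-01T10:00:03Z host=vpn.example.com result=FAIL user=dave src=203.0.113.7
2024-03-01T10:00:03Z host=vpn.example.com result=OK user=erin src=203.0.113.7
2024-03-01T10:05:00Z host=mail.example.com result=FAIL user=alice src=198.51.100.9
2024-03-01T10:07:00Z host=mail.example.com result=OK user=alice src=198.51.100.9
""".splitlines()

# Constructed inventory records (step 3): each Internet-facing authentication
# point and the authentication type documented for it.
INVENTORY = [
    {"host": "vpn.example.com", "auth": "password+mfa"},
    {"host": "mail.example.com", "auth": "password"},
    {"host": "portal.example.com", "auth": "password"},
]

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) result=(?P<result>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_fail=3, min_users=3):
    """Flag sources that fail against many distinct usernames inside one window:
    the signature of replayed breach credentials, not one user mistyping."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for start in evs:
            span = [e for e in evs if start["ts"] <= e["ts"] <= start["ts"] + window]
            fails = [e for e in span if e["result"] != "OK"]
            users = {e["user"] for e in fails}
            if len(fails) >= min_fail and len(users) >= min_users:
                alerts[src] = {
                    "failed": len(fails),
                    "users": sorted(users),
                    "hosts": sorted({e["host"] for e in span}),
                    # a success from the same source during the burst is a
                    # candidate account takeover and goes to the top of the queue
                    "success_users": sorted({e["user"] for e in span if e["result"] == "OK"}),
                }
                break
    return alerts


def log_coverage_gaps(inventory, events):
    """Inventoried authentication points with no log events at all: either the
    point is unused or its logs are not reaching the monitoring pipeline."""
    seen = {e["host"] for e in events}
    return sorted(r["host"] for r in inventory if r["host"] not in seen)


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("stuffing alerts:", find_credential_stuffing(evs))
    print("no log coverage:", log_coverage_gaps(INVENTORY, evs))
```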