Breakfast Bytes-June 3, 2023

June 3, 2023

Breakfast Bytes with Felicia King for Saturday, 3 June 2023.

Zero trust is not a product you buy.  The problem that most organizations have is that they are still not doing the fundamentals well.
CIS has a community defense model.

I did a detailed webinar on it where I covered a lot of these fundamentals.
https://www.qpcsecurity.com/2023/02/16/addressing-information-security-fundamentals-with-cis-and-community-defense-model/

Let's look at inventory management, asset management, change management, onboarding and offboarding.

You must have checks and balances. There must be practices codified in policy with a shared responsibility model which make it so that the issues that are created by mistakes in onboarding or offboarding are caught.  Fundamentally, the most effective thing in zero trust are the protections that are in an always on state.
Like for example the recent revelation about flaws in UEFI and SecureBoot.
These have prerequisites like TPM, BIOS configs, bios adm pwds, automated firmware updates, procurement policy alignment for supported hardware, onboarding configuration done properly on those endpoints, monitoring of the firmware updates, and of course, no admin access for end users!!!

FUNDAMENTALS MUST BE MASTERED

When an organization does not have a CISO that has policy and management authority over IT, you are guaranteed to have problems.
Forget CIO and CTO. I think those are old modes of thinking. Find a CISO that can be the leader of all IT strategy.