GRC

 How confident are you in your security program (Tools, systems, controls etc)?

In the context of information security, the terms validated confidence and assumption confidence reflect different levels of assurance in the accuracy or reliability of information, decisions, or controls:

Validated Confidence

Definition: Confidence based on evidence, verification, and thorough testing. This involves using measurable, repeatable methods to confirm that a security control, process, or decision is effective and aligned with expectations.

Characteristics:

• Supported by data, documentation, or third-party assessments.
• Includes security audits, penetration testing results, risk assessments, or compliance certifications.
• Provides higher assurance due to objective validation.

Example in Information Security:

• Confidence in a firewall's effectiveness after it has been tested against specific threat scenarios.
• Belief in the accuracy of a vulnerability scan after reviewing detailed scan results and cross-checking with known vulnerabilities.

Assumption Confidence

Definition: Confidence based on beliefs, expectations, or untested assumptions rather than direct evidence or verification.

Characteristics:

• Lacks strong evidence or rigorous validation.
• Often used in the absence of time, resources, or information to verify controls or processes.
• Carries a higher risk due to potential blind spots or overlooked issues.

Example in Information Security:

• Assuming a system is secure because it has never been breached, without conducting regular security assessments.
• Believing an employee understands phishing risks because they completed one training session, without verifying behavior through phishing simulations.

Importance of Distinguishing

• Relying on validated confidence ensures robust security and minimizes risks of vulnerabilities or breaches.
• Over-reliance on assumption confidence can lead to unmitigated risks and a false sense of security.

Practical Recommendation

To strengthen information security posture:

1. Identify areas where assumption confidence exists.
2. Transition to validated confidence by implementing regular assessments, monitoring, and testing.
3. Document and track validation processes to ensure continuous improvement.

If you found this information insightful, please leave a comment and share with your network.

To strengthen or take the guessing out of the effectiveness of your security measures, connect with my friend Pradeep Karasala (PK) over at grcexperts https://grcxperts.com/

CONFIGURING A PHISHING CAMPAIGN IN MICROSOFT DEFENDER.

Configuring a phishing campaign in Microsoft Defender (specifically Microsoft Defender for Office 365) involves creating a simulated attack to test and educate users on recognizing and responding to phishing attempts. Here’s a step-by-step guide:

Firstly, you check Jira ticket, find the previous or current phishing monthly campaign. The previous report would have taken a screenshot and what the payload. The payload is the technical link, it's also what and how it is delivered. 

Access Microsoft Defender for Office 365

1. Sign in to the Microsoft 365 Defender portal at https://security.microsoft.com.
2. In the left-hand navigation pane, select "Email & collaboration".

Navigate to Attack Simulation Training

1. Under "Training & simulation", click on "Attack simulation training".
2. If this is your first time using the feature, you might need to go through a brief setup process to enable the Attack simulation training feature.

Create a New Simulation

1. Click on "Simulations & Training" in the top menu.
2. Click "Create a simulation".

Define Simulation Details

1. Simulation Name: Enter a descriptive name for the phishing campaign.
2. Target Users: Choose the users or groups you want to target. You can select specific users, groups, or even upload a CSV file with the targeted email addresses.

Choose an Attack Technique

1. Choose "Phishing" as the attack technique.
2. Select a specific type of phishing attack, such as credential harvesting, link in attachment, or link to a fake login page.

Select a Template

1. Microsoft provides various phishing templates. Choose a template that best fits the campaign you want to run.
2. You can preview the template to see how the phishing email will appear to the end-user.

Customize the Phishing Email

1. You can either use the selected template as is or customize the content to better fit your organizational needs.
2. Modify the subject line, body content, and sender name if necessary.

Set Launch Options

1. Choose the launch date and time for your simulation. You can launch immediately or schedule it for a future time.
2. Optionally, you can choose to repeat the simulation to cover different users or to run periodic tests.

Assign Training

1. After the phishing simulation, users who fall for the attack can be assigned training automatically.
2. Choose or create specific training courses that will be assigned to users who clicked on the phishing link or submitted credentials.

Review and Launch

1. Review all your settings and make sure everything is configured as desired.
2. Click "Launch simulation" to start the campaign.

Monitor the Campaign

1. Once the campaign is launched, you can monitor its progress from the "Simulation & Training" dashboard.
2. Track which users received the phishing email, who clicked on it, and who submitted credentials.

Analyze Results

1. After the campaign concludes, go to the "Reports" section to analyze the results.
2. Review metrics such as click rates, credential submission rates, and completion rates for any assigned training.
3. Use these insights to understand the organization's susceptibility to phishing and to refine future training efforts.

Follow Up

1. Based on the results, consider scheduling additional training sessions for users who were susceptible to the phishing simulation.
2. Continue to periodically run phishing simulations to track improvement and maintain user awareness.

Reference:

Microsoft

PHISHING STIMULATION

Ensuring Compliance in Phishing Campaign Training.

At Company ABC, a recent phishing campaign report revealed that six employees failed their internal mandatory phishing awareness training. The campaign was designed to educate employees on recognizing and avoiding phishing attempts, with automated reminders set to encourage timely completion. However, the compliance team noticed that some employees were still vulnerable due to incomplete training.

The compliance team's objective was to ensure that all employees completed the training within the designated timeframe. The team aimed to prevent the accumulation of unfinished training from multiple campaigns, which could lead to delays and employee fatigue. The goal was to maintain a security-first mindset across the organization by reinforcing the importance of cybersecurity awareness.

The compliance team investigated the training campaign's setup and discovered that automated reminders were sent bi-weekly during the phishing campaign. Additionally, employees were given an extra seven days to complete the training after the campaign ended. If employees still failed to complete the training, manual reminders and training assignments were issued. The compliance team emphasized the need for consistent follow-up to avoid piling up training obligations, which could dilute the effectiveness of the program.

The team also considered the impact of delayed training on employees' vulnerability to phishing attempts. To address this, they coordinated with the training administrators to ensure that training deadlines aligned with the company's overall cybersecurity strategy. They also set up escalation procedures for repeat offenders who failed to complete multiple training sessions.

As a result of these efforts, the company was able to significantly improve its training completion rates. By enforcing strict deadlines and providing consistent reminders, the compliance team ensured that all employees completed their training before the next phishing campaign.

This proactive approach not only reduced the risk of phishing attacks but also reinforced the organization's commitment to cybersecurity. The team successfully instilled a security-first mindset among employees, emphasizing that everyone plays a crucial role in protecting the organization.

END OF INTERVIEW.

 

Leaving a Lasting Impression: Five Questions to Ask at the End of Your Interview

You've reached the end of your interview, and the hiring manager asks, "Do you have any questions?" This is your golden opportunity to shine and leave a lasting impression. Here are five insightful questions to ask:

1. How Do You See the Team Evolving in the Next Five Years?

Asking about the team's future shows that you're interested in long-term growth and stability. It also provides insight into the company's strategic vision and how you might fit into their future plans.

2. Could You Tell Me More About Your Goals and How the Team Supports Them?

Understanding the hiring manager's goals and the team's role in achieving them demonstrates your interest in contributing to the company's success. It also helps you gauge how your potential role aligns with the broader organizational objectives.

3. Can You Provide Examples of the Types of Projects I Might Work On and How I Can Succeed in Them?

This question shows your eagerness to hit the ground running and succeed in your new role. It also gives you a clearer picture of what to expect and how to prepare yourself for the challenges ahead.

4. Are There Opportunities for Stretch Assignments Where I Can Learn and Develop New Skills?

Expressing a desire for continuous learning and skill development highlights your ambition and commitment to personal growth. It also indicates that you're looking for a dynamic environment where you can take on new challenges.

5. Could You Share a Project You're Particularly Proud Of and Its Impact on the Business?

This question not only allows the hiring manager to share their achievements but also helps you understand the type of work that is valued and recognized within the company. It can provide insights into the company's culture and what it takes to succeed

QUESTIONS TO ASK AUDITOR

Depending on your organization, if your organization is yet to acquire SOC 2 certification. The project manager will liaise with the audit team to get the project framework in acquiring a SOC 1 & 2 certification. 

 For study purposes;You can start your conversation or email like this:

I am the cybersecurity compliance analyst. The essence is to understand the timeline and the expectation from me and you with regards to SOC

Questions:

What should be done on our side.

Scope and purpose:

1. Can you provide a detailed explanation of the scope and purpose of the 13 SOC list you sent us? 

2. Are we getting more SOC list? How will the information be exchanged.

Controls:

3. Could you specify the exact controls and criteria we need to implement and document for each SOC list.

4. How often should we plan for progress review meetings to ensure we are on track.

AUDIT EVIDENCE -SOC 2

  When it Comes to a SOC 2 Report

In terms of common audit evidence, there are three categories:

1. Governance and Risk Management

This includes evidence such as:

• An organizational chart
• Policies and procedures
• Leadership meetings to govern the organization (e.g., information risk council)
• Risk assessment and risk register
• Penetration tests and vulnerability scans, along with evidence that actions are being taken based on those results
• Incident response and business continuity policies and procedures, including tabletop exercises
• Vendor risk assessments

2. Human Resources (HR)

Many do not realize that SOC 2 includes HR controls. HR will need to provide:

• Employee roster
• Documentation for employee onboarding and offboarding
• New hire checklist compliance
• Onboarding processes, including background checks and performance reviews
• Employee handbook
• Evidence of security awareness training

3. Technical Controls

This includes evidence such as:

• IT asset inventory
• Network and data flow diagrams
• Access lists for networks, key systems, and cloud environments
• Configuration settings for hardware, laptops, and password policies
• Multifactor authentication status
• Endpoint protection measures (e.g., antivirus software on laptops)
• System development life cycle documentation (e.g., change tickets, QA and testing evidence)
• Monitoring and alert configurations
• Backup procedures for system recovery

Audit Workflow

The majority of your audit will involve providing audit evidence to the auditor, reviewing that evidence, and engaging in a cycle of acceptance or rejection. Here's a typical workflow between you and the auditor:

1. Information Request: The auditor will send you a SOC 2 request list, detailing nearly 100 different requests.
2. Gather Evidence: You will interpret these requests, gather screenshots of configuration settings, download access lists, and retrieve policies.
3. Upload Evidence: Typically, you will upload these documents to a cloud repository like ShareFile or OneDrive.
4. Review and Feedback: The auditor will review each file and determine whether to accept or reject the evidence. If accepted, you move forward. If rejected, you will receive an email detailing additional information needed.

Common Challenges

• File Naming: Ensure files are named accurately to avoid confusion.
• Feedback Visibility: Lack of visibility into whether the auditor has reviewed your evidence can be frustrating.
• Coordination: Coordinating with stakeholders (e.g., engineers) to gather necessary evidence can be complex.

Best Practices

1. Ask Your Auditor: Clarify how information will be exchanged.
2. Request Process: Understand the process for requesting evidence.
3. Feedback Process: Ensure you know how feedback will be provided and what constitutes acceptable evidence.

*************