Chad Peterson

Chad Peterson is Managing Director at NetSPI responsible for security program strategy, cybersecurity operations, security assessment and audit, and regulatory compliance. He has more than 25 years of experience in information assurance, risk management, and cybersecurity and specializes in the assessment, development, and maturation of strategic security programs and teams. He holds a Master's degree in Information Security and the CISSP, CISA, CHC, CRISC, and ITIL-F certifications.
More by Chad Peterson

On March 14, an article on ransomware preparedness in healthcare by NetSPI Managing Director Chad Peterson was featured in Healthcare IT Today. Read a preview below or view it online.

+++

As ransomware attacks become more sophisticated, healthcare organizations have become desirable targets due to the valuable data shared across medical records and the constant need for service availability. In fact, a recent JAMA Health Forum report indicates that from 2016 to 2021, the annual number of ransomware attacks on the healthcare sector more than doubled. 

With the rise in these attacks, healthcare organizations must have an in-depth understanding of their security posture, including how breaches may occur and how to take an offensive approach to defend against them. As such, IT administrators must ensure they are addressing basic security needs. They can achieve this by taking the following three foundational steps.

Implement Standard Security Protocols

The first step for IT leaders to ensure ransomware preparedness is to implement security protocols that help prevent attacks before they occur. This includes checking for vulnerabilities and misconfigurations through vulnerability scanning and continuously patching systems when weaknesses are identified. Penetration testing should also be routinely conducted to proactively identify and verify exploitable vulnerabilities in IT systems. Continuous pentesting, which often takes the form of attack surface management, helps identify and protect assets exposed externally.

Awareness of an organization’s potential entry points is especially critical with the increased usage of connected medical devices and telehealth services. Furthermore, the transition to electronic health records (EHRs) has reinforced the need for tightened identity and access management processes. IT administrators should consistently remove user accounts that are no longer needed, implement multi-factor authentication (MFA), and enforce least-privilege or role-based access controls so that only appropriate users can access patient data. 

Continue reading at Healthcare IT Today for more foundational steps to address ransomware attacks, including how to prepare for a breach and best practices for creating a security awareness program.

[post_title] => Healthcare IT Today: Ransomware Preparedness in Healthcare – Are you Doing the Basics? [post_excerpt] => On March 14, an article on ransomware preparedness in healthcare by NetSPI Managing Director Chad Peterson was featured in Healthcare IT Today. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => healthcare-it-today-ransomware-preparedness [to_ping] => [pinged] => [post_modified] => 2023-03-17 12:25:30 [post_modified_gmt] => 2023-03-17 17:25:30 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=29729 [menu_order] => 12 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [1] => WP_Post Object ( [ID] => 29464 [post_author] => 108 [post_date] => 2023-02-21 09:00:00 [post_date_gmt] => 2023-02-21 15:00:00 [post_content] =>

Since the inception of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, covered entities have had to navigate its murky waters. Those who fail to do so are penalized with hefty fines and requirements to adopt a corrective action plan. 

Last year, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) filed 22 HIPAA resolution agreements totaling over $1.12 million in settlement fines. In just the past two months, financial penalties have already surpassed that number, with two settlements totaling $1.27 million. This trend points to HHS becoming more stringent with its enforcement of HIPAA, a trend that could be driven by the increase in healthcare ransomware attacks and opportunistic nation-state adversaries eyeing the industry as a key target. 

In my 25+ years working in cybersecurity, the majority of my time was spent in the healthcare industry, where I held roles such as HIPAA security officer, information security manager, health information technology director, and security auditor for several large health systems. 

In these roles, and still today, the HIPAA Security Rule has left me wanting more.  

The Rule’s vague wording leaves much of its compliance requirements open to interpretation. It was written to ensure that healthcare organizations do what is necessary to protect ePHI – yet it never explicitly mentions penetration testing.

HIPAA is notorious for telling security leaders what needs to be done to achieve compliance, without explaining best practices to get there. Let’s eliminate the gray area and examine penetration testing’s critical role in HIPAA compliance. 

What is HIPAA Penetration Testing? 

I will start this section off with a harsh truth: There is no such thing as a “HIPAA Penetration Test”. Though we often see the term used in marketing, the Rule never names penetration testing; pentesting has long been the unwritten, practical means of satisfying several of the Security Rule’s requirements. You can review the full Rule online here.  

The following items within the administrative safeguards section touch on security testing criteria: 

  • Standard 45 CFR 164.308(a)(1)(i): Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. 
    • Implementation specifications 45 CFR 164.308(a)(1)(ii)(A): Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. 
  • Standard 45 CFR 164.308(a)(8): Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. 

Within this section, you will also find standards and implementation specifications around workforce security, information access management, security awareness training, and contingency planning. All of these can be evaluated and validated through a variety of offensive security engagements, such as pentesting, red teams, breach and attack simulation, or social engineering engagements.

HIPAA does a great job highlighting the requirements clearly, without providing actionable steps to achieve compliance. To help, we put together a checklist to ensure your security testing program meets the needs of the Security Rule. 

HIPAA Pentesting Checklist

  Continuous Penetration Testing

HIPAA requires “periodic” evaluations, particularly in response to environmental or operational changes. The rate of change in healthcare environments has increased exponentially over the years. Continuous pentesting can take the form of more frequent tests enabled by a penetration testing as a service (PTaaS) delivery model, or of an attack surface management platform. As a rule of thumb, key moments of change include version upgrades of software that houses ePHI and architecture changes. At the very least, perform penetration tests on a quarterly basis. 

  Risk Prioritization, With an Emphasis on Application Security

Are you targeting the applications that pose the greatest risk to your sensitive health information? A pentest that meets HIPAA standards should not stop at vulnerability discovery. Whether you are pentesting internally or working with a third-party partner, work together to identify which application pentests should be prioritized – and, more importantly, align on vulnerability severity definitions and remediation timelines based on your organization’s risk profile.  

  Validation of Security Controls

It is important to note that pentests can and should also be used to validate your security controls. Are your pentests alerting you to flaws and policy gaps within your identity and access management, threat detection, and other security controls implemented? Additionally, consider breach and attack simulation (BAS) platforms to help evaluate and improve the effectiveness of your detective controls. Learn about the top use case for BAS technology in this Gartner report.  

  Comprehensive Reporting and Historical Data

45 CFR 164.316 of the HIPAA Security Rule sets out the policies-and-procedures standard (164.316(a)) and the documentation standard (164.316(b)). Under the documentation standard, a covered entity or business associate must keep a written (which may be electronic) record of each action, activity, or assessment the Rule requires to be documented, and must retain that documentation for six years from the date of its creation or the date it was last in effect, whichever is later. Pentest reports fall squarely under this requirement, so bonus points to pentesting partners who track and trend historical pentesting reports in a single platform. 

The Complete Guide to Healthcare Ransomware Attacks – Get Your Copy Today

The Relationship Between Pentesting and Privacy 

HIPAA and other privacy regulations (GDPR, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients. To accomplish this, these regulations all require that an organization's IT infrastructure be secured. 

As privacy regulations and standards have evolved, I’ve found that if you are compliant with PCI DSS and are HITRUST certified, it is likely you will be HIPAA compliant as well. Both are significantly more prescriptive and actionable than the HIPAA rules and can help you proactively secure ePHI. 

Securing an IT infrastructure involves many steps that we will not get into here, but instead will concentrate on how to ensure that an environment remains in a constant state of security. Regular and sometimes continuous penetration testing is the most effective way to provide continued assurance. 

Penetration Testing is used to identify how a hacker can gain access to an environment and provide an organization with a roadmap of how to address those vulnerabilities and findings. Pentesting does not inherently make you secure; it makes you aware of your security flaws. 

By conducting regular penetration testing, an organization can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware. 

A Proactive Approach to HIPAA Compliance 

Healthcare security and IT teams should approach HIPAA with a foundational mindset. The requirements outline what you should already be doing and thinking about on an ongoing basis.  

Mature healthcare organizations have comprehensive vulnerability management and pentesting programs in place. Pentesting is a powerful first step towards compliance – when done right. 

Be proactive, not reactive. Be a leader, not a pawn. 

NetSPI’s penetration testing solutions can help you chart a clear path to HIPAA compliance. Contact us today.

[post_title] => Pentesting: The Forgotten HIPAA Requirement [post_excerpt] => Explore penetration testing’s critical role in HIPAA compliance and get our checklist for healthcare penetration testing. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => forgotten-hipaa-requirement [to_ping] => [pinged] => [post_modified] => 2023-02-24 15:20:43 [post_modified_gmt] => 2023-02-24 21:20:43 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=29464 [menu_order] => 14 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [2] => WP_Post Object ( [ID] => 29376 [post_author] => 108 [post_date] => 2023-01-31 09:00:00 [post_date_gmt] => 2023-01-31 15:00:00 [post_content] =>

On January 31, NetSPI Managing Director Chad Peterson was featured in the SecurityWeek article called Cyber Insights 2023 | Attack Surface Management. Read the preview below or view it online.

+++

SecurityWeek Cyber Insights 2023 | Attack Surface Management – Attack surface management (ASM) is an approach for delivering cybersecurity. IBM describes the attack surface as “the sum of vulnerabilities, pathways or methods – sometimes called attack vectors – that hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.”

ASM requires “the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface. Unlike other cybersecurity disciplines, ASM is conducted entirely from a hacker’s perspective, rather than the perspective of the defender. It identifies targets and assesses risks based on the opportunities they present to a malicious attacker.”

ASM is consequently predicated on total visibility of assets, vulnerabilities, and exploits.

Management is the key word in ASM

The complexity of the modern infrastructure makes the complete elimination of threats an impossible task. ASM is not about the elimination of all threats, but the reduction of threat to an acceptable level. It’s a question of risk management.

Chad Peterson, MD at NetSPI, believes the nature and effectiveness of pentesting will evolve over 2023, “The attack surface has become more fluid, so you have to be able to scan for new assets and entry points continuously,” he says. “In 2023, organizations will combine traditional pentesting, which in many cases will still be required for regulatory needs, with the proactive approach of more continuous assessment of their attack surface. The result will be better awareness of the attack surface and more comprehensive traditional pentesting as there is more information about the true attack surface.”

Read the full article at SecurityWeek!

[post_title] => SecurityWeek: Cyber Insights 2023 | Attack Surface Management [post_excerpt] => NetSPI Managing Director Chad Peterson was featured in the SecurityWeek article called Cyber Insights 2023 | Attack Surface Management. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => securityweek-cyber-insights-2023-attack-surface-management [to_ping] => [pinged] => [post_modified] => 2023-02-16 17:26:05 [post_modified_gmt] => 2023-02-16 23:26:05 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=29376 [menu_order] => 25 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [3] => WP_Post Object ( [ID] => 29248 [post_author] => 108 [post_date] => 2023-01-26 10:02:21 [post_date_gmt] => 2023-01-26 16:02:21 [post_content] =>

On January 26, NetSPI Managing Director Chad Peterson was featured in the VMBlog article called Data Privacy Day 2023: Tips and Views from Top Industry Experts. Read the preview below or view it online.

+++

Data Privacy Day, an international "holiday" that occurs each year on January 28, was created to raise awareness and promote privacy and data protection best practices. Data Privacy Day began in the United States and Canada in January of 2008. It is an extension of Data Protection Day in Europe, which commemorates the January 28, 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.

Two years ago, the National Cybersecurity Alliance (NCA) expanded Data Privacy Day beyond just January 28th, and instead, many have chosen to celebrate it all week long. And they did so because your data is simply that important! 

Data Privacy Day's educational initiative originally focused on raising awareness among businesses as well as users about the importance of protecting the privacy of their personal information online, particularly in the context of social networking. In addition to its educational initiative, Data Privacy Day promotes events and activities that stimulate the development of technology tools that promote individual control over personally identifiable information; encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.

With this in mind, VMblog has compiled some detailed perspectives, as well as some tips for better protection of sensitive corporate data, from a few industry experts ahead of Data Privacy Day 2023.

Chad Peterson, Managing Director, NetSPI

"Several privacy regulations (GDPR, HIPAA, FERPA, CPRA) are in place to protect data from being exposed to unintended recipients, however the increasingly sophisticated threat landscape means the focus in 2023 and beyond must be on on how to ensure that an environment remains in a state of security. The proliferation of social engineering attacks such as vishing and deepfakes makes employees and consumers particularly vulnerable to hackers, making the need for security education more and more important. By conducting regular penetration testing, an organization can check that they have successfully remedied known issues and identify any new concerns due to new equipment, configuration changes, or even missed patches on software or hardware."

You can read the full article at VMBlog!

[post_title] => VMBlog: Data Privacy Day 2023: Tips and Views from Top Industry Experts [post_excerpt] => NetSPI Managing Director Chad Peterson and other security experts shared tips and advice to raise awareness and promote privacy and data protection this Data Privacy Day. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => vmblog-data-privacy-tips-from-top-industry-experts [to_ping] => [pinged] => [post_modified] => 2023-01-31 10:12:46 [post_modified_gmt] => 2023-01-31 16:12:46 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=29248 [menu_order] => 29 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [4] => WP_Post Object ( [ID] => 27166 [post_author] => 65 [post_date] => 2022-01-18 07:00:00 [post_date_gmt] => 2022-01-18 13:00:00 [post_content] =>

Today’s business environment extends far beyond traditional brick and mortar organizations. Due to an increased reliance on digital operations, the frequency and complexity of supply chain cyber attacks are growing exponentially, and the discipline of defending against them — variously called vendor risk management or third-party security — has become essential. It’s apparent that business leaders can no longer ignore supply chain security.

Not only did we see an increase in supply chain attacks in 2021, but the entire anatomy of an organization’s attack surface has evolved significantly. With more organizations shifting to a remote or hybrid workforce, we’ve seen a spike in cloud adoption and a heavy reliance on digital collaboration with third-parties.

Over the past few years we’ve introduced many new risks into our software supply chains. So, how do we ensure we don’t become the next SolarWinds or Accellion? In this blog, we reveal four supply chain security best practices to get you started on solid footing.

First, understand where the threats are coming from. 

With so many facets of the supply chain connected through digital products, organizations and security leaders need to understand which sectors are most vulnerable and where hackers can find holes — both internally and externally.

A recent study found that 70% of all breaches are caused by an outside force, and 17% were specifically from malware. This is to be expected. As software developers have been outsourced more frequently, the doors have opened to traditional malware attacks and breaches. Businesses need to understand how and where their resources can be accessed, and whether these threats can be exploited. However, malicious code detection is known to be very difficult. Standard code reviews won’t always identify these risks, as they can be inserted into internally-built software and mimic the look and feel of regular code. This is one of the biggest trends leaders must be aware of and fully understand which threats could impact their organization.

In addition to malware, hackers have begun attacking an organization's partners and suppliers — the other “islands” in its supply chain — through a technique known as “island hopping.” We’re seeing 50% of today’s cyber attacks use this technique. Security leaders need to identify and monitor for island hopping attacks frequently to stay ahead of the risk. Gone are the days where hackers target only an organization itself — instead adversaries compromise an organization's partners to gain access to the initial organization's network.

Supply Chain Security Best Practices

How do organizations ensure they don’t become the weakest link in the supply chain? First and foremost, be proactive! Businesses must look at internal and external factors impacting their security protocol and implement these four best practices.

1. Enforce security awareness training.

Ensure you are training your staff not only when they enter the organization, but also on a continuous basis and as new business emerges. Every staff member, regardless of level or job description, should understand the organization's view and focus on security, including how to respond to phishing attempts and how to protect data in a remote environment. For example, in a retail environment, all internal employees and third-party partners should understand PCI compliance, while healthcare professionals need a working knowledge of HIPAA. The idea is to get everyone on the same page so they understand the importance of sensitive information within an organization and can help mitigate a threat when it is presented.

2. Enact policy and standards adherence.

Adherence to policies and standards is how a business keeps progressing. But relying on a well-written standard that matches policy is not enough: the organization must actually follow that policy and those standards, otherwise they are meaningless. This is true when working with outside vendors as well. Generally, it’s best to set up a policy that meets an organization where it is and maps back to its business processes, so that policy and practice stay coherent across the organization. Once that’s understood, as a business matures, the policy must mature with it. This will create a higher level of security for your supply chain with fewer gaps.

In the past, we’ve spent a lot of time focusing on policies and recommendations for brick and mortar types of servers. With the new remote work and outsourcing increasing, it’s important to understand how policies transfer over when working with vendors in the new remote setting. 

3. Implement a vendor risk management program.

How we exchange information with people outside of our organization is critical in today’s environment. Cyber attacks through vendor networks are becoming more common, and organizations need to be more selective when choosing their partners.

Once partners are chosen, security teams and business leaders need to ensure all new vendors are assessed with a risk-based vendor management program. The program should address re-testing vendors according to their identified risk level. A well-established, risk-based vendor management program starts with vendor tiering — follow this three-step approach to get started: 

  • Tier one: Organizations need to analyze and tier their vendors based on business risk so they can hone in on different security resources and ensure they’ve done their due diligence where it matters most. 
  • Tier two: Risk-based assessments. The higher the vendor risk, the more thoroughly their security program should be assessed to understand where an organization’s supply chain could be vulnerable – organizations need to pay close attention here. Those categorized as lower risk vendors can be assessed through automated scoring, whereas medium risk vendors require a more extensive questionnaire, and high-risk vendors should demonstrate the maturity of their security program through penetration testing results. 
  • Tier three: Arguably most important for long term vendor security. Re-testing vendor assessments should be conducted at the start of a partnership, and as that partnership grows, to make sure they’re adhering to protocol. This helps confirm nothing is slipping through the cracks and that the safety policies and standards in place are constantly being met. 

4. Look at the secondary precautions. 

Once security awareness training, policy, and standards are in place, and organizations have established a successful vendor risk management program, they can look at secondary proactive measures to keep supply chain security top of mind. Tactics include, but are not limited to, attack surface management, penetration testing services, and red team exercises. These strategic offensive security activities can help identify where the security gaps exist in your software supply chain.

Now that so many organizations are working with outside vendors, third-party security is more important than ever. No company wants to fall vulnerable due to an attack that starts externally. The best way to prepare and decrease vulnerability is to have a robust security plan that the whole company understands. By implementing these four simple best practices early on, businesses can go into the new year with assurance that they won’t be the weakest link in the supply chain — and that they’re safeguarded from external supplier threats.

Want to learn more about how to strengthen your software supply chain security? Watch the on-demand webinar: "How NOT To Be The Weakest Link In The Supply Chain"

Let’s start by defining the goal: a risk-based vulnerability management program. A risk-based vulnerability management program focuses on finding and fixing vulnerabilities based on the damage they could cause if exploited and how likely exploitation is… in other words, the ones that pose the greatest risk to your business.  

Even the majority of board members across the globe view cybersecurity as a business risk rather than a technology risk, according to a survey from Gartner. It makes sense that most security leaders are working hard to shift to this model, as organizations are swamped with vulnerabilities – notably, high-severity, business-critical vulnerabilities.

Last year, a record number of critical vulnerabilities were disclosed to the National Institute of Standards and Technology (NIST): 10,342 (source: Security Magazine). A check-the-box, compliance-driven vulnerability management program will no longer cut it. As serious vulnerabilities are on the rise, it’s up to us to determine which are fixed first. 

Before you can successfully implement a risk-based program, there are four realities you must face: 

  1. You will have security vulnerabilities that you will never address 
  2. CVSS scores do not represent business risk 
  3. To have an effective risk-based program, we have to lessen the gap between IT and business  
  4. We must adopt a “we’re all in this together” mentality to tackle cybersecurity risk 

In this blog post, I’ll dig into each of these realities and the steps you can take to come to terms with and, in many cases, overcome them. First, a quick primer on risk scoring, a key component of risk-based vulnerability management.

An introduction to risk scoring 

At NetSPI, one way we’re helping our clients address these challenges, or “realities” as I refer to in this article, is through risk scoring. In simple terms, a risk score quantifies risk for more accurate and efficient vulnerability remediation prioritization.

Risk Overview Dashboard

If you’re a NetSPI customer, you may have noticed the new Risk Overview Dashboard in Resolve™, our PTaaS platform. The dashboard features an aggregate risk score, composite risk scores for applications, networks, and cloud, an industry benchmark, the number of open critical vulnerabilities, the riskiest projects or assets, the top 10 highest risks, and more. 

NetSPI’s Risk Score is calculated based on a transparent methodology that considers vulnerability risk (impact, likelihood, environmental modifiers, and temporal modifiers), threat actor risk, remediation risk, and industry risk to quantify risk levels on any given asset, project, network, or an entire organization. Read more about NetSPI’s risk score methodology in our whitepaper, How to Use Risk Scoring to Propel Your Risk-Based Vulnerability Management Program Forward.

Risk scores can be used for remediation prioritization, resource allocation, cybersecurity spend validation, risk management tracking, industry benchmarking, and more. I like to think of it as a behind-the-scenes program manager for risk-based vulnerability management programs – continue reading to learn why. 

You will have security vulnerabilities that you will never address 

It is unrealistic to assume that any organization is vulnerability-free. Once you come to terms with this, risk’s role in vulnerability management becomes a lot clearer. 

You can have the same vulnerability across 6 different assets, but is it wise to fix them all at once? 

Traditionally, this is how many have approached vulnerability management, but the answer is, in most situations, no. It is important to focus on the system with the most risk versus solving the vulnerability across all systems. This holistic approach to vulnerability management is key as it allows you to incorporate business risk into your decisions. 

When you start to factor business risk into the mix, you can identify which assets or systems are most likely to be taken advantage of AND create the most damage if exploited. Then, prioritize remediation, budget, and time accordingly.  

Risk scoring can help expedite this decision-making process. The higher the risk score, the higher the remediation priority for that system, asset, network, finding, project, etc. Some items with very low risk may not warrant remediation at all. 

CVSS scores do not represent business risk 

A Common Vulnerability Scoring System (CVSS) score alone cannot provide a full picture of business risk, but it is a strong starting point for the basis of a risk score. CVSS scores are helpful for vulnerability-specific ratings, but they do not incorporate aggregate factors such as active threat intelligence or correlation to other penetration testing data points.  

Additionally, CVSS scores follow a standard formula, regardless of the size, industry, or other business factors, leaving little to no room for customization. This results in organizations not getting the complete picture of a vulnerability’s potential impact.  

CVSS scores are often used as a metric for return on security investments. I believe they should not be used as such. As an alternative, if you are running a true risk program, risk scoring can be used as a quantitative metric to represent business risk across your organization. 

To have an effective risk-based program, we have to lessen the gap between IT and business  

There’s a knowledge gap between IT and the business and we cannot achieve a risk-based vulnerability management program until that gap shrinks.  

In the healthcare industry, risk alignment between IT and the business is critical. The business is patient health and safety, and it’s up to security and IT leaders to help the business understand how IT directly impacts and protects patient health and safety, whether that’s through protecting Personal Health Information (PHI) or saving lives through ransomware prevention activities. 

This is the same with any business. You have to find common ground between what you’re doing from an IT perspective to show how you’re a part of the business and are critical in the day-to-day operations. 

A simple shift in the way we talk about cybersecurity to business leaders could make a massive difference. A risk-forward approach is key. Here are two examples of this: 

🚫 What does it cost us to protect the business

🚫 How do we secure our technical systems

✔️ What will it cost us if we don’t
 

✔️ How do we secure our business processes

We must adopt a “we’re all in this together” mentality to tackle cybersecurity risk 

Industry benchmarking is an incredibly powerful tool to communicate your risk-based vulnerability management program successes and progress.  

However, we must not fall into the pattern of comparing our programs against others in our industry. There is an analogy that we need to retire. It’s used so often that Red Bull even uses it as the premise for one of its most popular commercials. It’s the idea that, if you’re better than your industry peers, you’re less likely to fall victim to a cyberattack. 

It is important to remember that we’re all fighting the same fight: to eliminate or alleviate the cybersecurity risks that lurk not only in specific industries but across all organizations. We need to work together, not against one another, for the greater good – and a risk-based vulnerability management program is a step in the right direction. Even auditors and cyber insurers are recognizing this shift towards risk-based programs to steer security programs towards maturity. 

With these four realities addressed, there’s no better time to get started. Focus your attention on high-risk vulnerabilities, use risk scores to communicate business risk, shrink the gap between IT and business, and work together to make the shift to a risk-based vulnerability management program a reality for your organization.  

Connect with NetSPI to learn how to achieve risk-based vulnerability management with PTaaS

Supply chain security, vendor risk management, third-party security. Each of these synonymous cybersecurity terms has become widely used over the past year, thanks to the increase in the exploitation of threat vectors from outside of an organization.

So, what can software vendors and third-party technology partners do to ensure they don’t become the weak link in the supply chain?

In this webinar you’ll get two different viewpoints on supply chain security from two NetSPI Managing Directors: Nabil Hannan, who will explore the topic from the software development perspective, and Chad Peterson, who will approach it from a business risk perspective. Together, they’ll discuss:

  • Their differing views on supply chain security 
  • The anatomy of a supply chain attack 
  • Considerations and best practices for securing the supply chain  
  • How vendors can get proactive to show potential partners that they are NOT the weakest link 
  • The future of supply chain security… what’s next? 

On March 14, an article on ransomware preparedness in healthcare by NetSPI Managing Director Chad Peterson was featured in Healthcare IT Today. Read a preview below or view it online.

+++

As ransomware attacks become more sophisticated, healthcare organizations have become desirable targets due to the valuable data shared across medical records and the constant need for service availability. In fact, a recent JAMA Health Forum report indicates that from 2016 to 2021, the annual number of ransomware attacks on the healthcare sector more than doubled. 

With the rise in these attacks, healthcare organizations must have an in-depth understanding of their security posture, including how breaches may occur and how to take an offensive approach to defend against them. As such, IT administrators must ensure they are addressing basic security needs. They can achieve this by taking the following three foundational steps.

Implement Standard Security Protocols

The first step for IT leaders to ensure ransomware preparedness is to implement security protocols that help prevent attacks before they occur. This includes checking for vulnerabilities and misconfigurations through vulnerability scanning and continuously patching systems when weaknesses are identified. Penetration testing should also be routinely conducted to proactively identify and verify exploitable vulnerabilities in IT systems. Continuous pentesting, which often takes the form of attack surface management, helps identify and protect assets exposed externally.

Awareness of an organization’s potential entry points is especially critical with the increased usage of connected medical devices and telehealth services. Furthermore, the transition to electronic health records (EHRs) has reinforced the need for tightened identity and access management processes. IT administrators should consistently remove user accounts that are no longer needed, implement multi-factor authentication (MFA), and apply least-privilege or role-based access controls to ensure only appropriate users can access patient data. 

Continue reading at Healthcare IT Today for more foundational steps to address ransomware attacks, including how to prepare for a breach and best practices for creating a security awareness program.
