
4 - Vulnerability Management

Cyber Compliance & Beyond

Release Date: 07/02/2024


Vulnerabilities are everywhere and on every IT asset within an organization. This makes vulnerability management one of the most important – if not the most important – risk mitigation activities an organization undertakes. But the complexities inherent in many organizations, combined with the sheer number of vulnerabilities, leave many not knowing where to even begin when it comes to vulnerability management. On today’s episode, we’ll demystify vulnerability management by defining some context, outlining an effective vulnerability management program, discussing potential challenges, tying it all to compliance, and decoupling vulnerability management from the inherent complexities.

Today’s guest is Andrew Overmyer, Security Assessor, subject matter expert, and general cybersecurity jack-of-all-trades at Kratos. During our conversation, we distill this often-nebulous concept into the concrete tenets necessary to build an effective program to drive vulnerability remediation efforts.

Resources:

·       The Core Tenets of Vulnerability Management

o   Asset Management: a tool or set of tools, accompanied by a process, that builds and maintains an accurate asset inventory; the inventory must include, at a minimum, network segments and IT assets of every type (you cannot scan, patch, or prioritize an asset you do not know you have)

o   Patch Management: a tool or set of tools, accompanied by a process, that supports identifying and applying patches

o   Vulnerability Scanning: a tool or set of tools, accompanied by a process, that supports identifying vulnerabilities on IT assets; vulnerability scans must be run with credentials to the greatest extent possible, because an authenticated scan can enumerate installed packages and local configuration that an unauthenticated network scan cannot see, so unauthenticated results understate what is actually present

o   Compliance Scanning: a tool or set of tools, accompanied by a process, that supports identifying misconfigurations on IT assets; misconfigurations are deviations from a defined baseline (e.g., Center for Internet Security benchmarks)

·       Vulnerability Scanning Schedule

o   Daily: Asset discovery scans to identify assets on the network; these are not vulnerability scans, but lightweight scans that enumerate hosts so that new or unexpected assets are caught quickly and reconciled against the inventory

o   Weekly: Vulnerability scans of all assets on the network

o   Monthly: Compliance scans of all applicable assets on the network

·       CVSS: Common Vulnerability Scoring System Version 4.0

·       EPSS: Exploit Prediction Scoring System

·       SSVC: Stakeholder-Specific Vulnerability Categorization
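As an added worked example (this is not material from the episode, from the guest, or from Kratos), the Python script below ties the tenets and the scoring systems above together. It reconciles a constructed asset inventory against a constructed daily discovery scan and the weekly vulnerability-scan cadence, then ranks constructed scanner findings using each finding's CVSS base score, its EPSS probability, and a simplified SSVC-style decision tree. The host names, the VULN-n placeholder identifiers, the 0.10 EPSS threshold used to infer proof-of-concept exploitation, and the decision tree itself are all assumptions for illustration; the tree is a simplification and not the published SSVC tree.

```python
"""Added worked example: reconcile a daily asset-discovery scan against the
asset inventory, then rank scanner findings with CVSS, EPSS and a simplified
SSVC-style decision tree.  All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# --- Constructed sample data (not real hosts, not real CVEs) -------------------
INVENTORY = {
    "web-01":   {"segment": "dmz",  "mission": "high"},
    "db-01":    {"segment": "prod", "mission": "high"},
    "hr-app":   {"segment": "corp", "mission": "medium"},
    "build-03": {"segment": "corp", "mission": "low"},
}
SEEN_TODAY = {"web-01", "db-01", "hr-app", "printer-7"}   # today's discovery scan
LAST_VULN_SCAN = {"web-01": date(2024, 6, 30), "db-01": date(2024, 6, 20),
                  "hr-app": date(2024, 6, 28)}             # build-03 never scanned
TODAY = date(2024, 7, 2)


def reconcile_assets(inventory, seen_today, last_vuln_scan, today, max_age_days=7):
    """Compare the inventory with the daily discovery scan and the weekly
    vulnerability-scan cadence; return the three lists an asset owner chases."""
    known = set(inventory)
    unknown = sorted(seen_today - known)            # on the wire, not inventoried
    missing = sorted(known - seen_today)            # inventoried, not seen today
    stale = sorted(h for h in known                 # never scanned, or scanned too long ago
                   if (today - last_vuln_scan.get(h, date.min)).days > max_age_days)
    return {"unknown": unknown, "missing": missing, "stale_scan": stale}


@dataclass
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score as reported by the scanner
    epss: float             # EPSS probability of exploitation in the next 30 days
    exploited: bool         # exploitation observed in the wild (assumed feed)
    technical_impact: str   # "partial" or "total" control of the component
    automatable: bool       # can the attack be scripted end to end?


FINDINGS = [
    Finding("web-01",   "VULN-1", 9.8, 0.92,  True,  "total",   True),
    Finding("db-01",    "VULN-2", 7.5, 0.02,  False, "total",   False),
    Finding("hr-app",   "VULN-3", 8.1, 0.35,  False, "total",   True),
    Finding("build-03", "VULN-4", 9.1, 0.60,  True,  "partial", False),
    Finding("web-01",   "VULN-5", 5.3, 0.15,  False, "partial", True),
    Finding("db-01",    "VULN-6", 9.9, 0.001, False, "total",   True),
]

POC_EPSS_THRESHOLD = 0.10   # assumed cut-off; tune to your own risk appetite
RANK = {"Track": 0, "Track*": 1, "Attend": 2, "Act": 3}


def exploitation_status(f, poc_threshold=POC_EPSS_THRESHOLD):
    """Map the available evidence to SSVC's exploitation decision point."""
    if f.exploited:
        return "active"
    return "poc" if f.epss >= poc_threshold else "none"


def ssvc_decision(exploitation, automatable, technical_impact, mission):
    """Simplified SSVC-style tree (an illustration, not the published tree)."""
    if exploitation == "active":
        if mission == "high" and (automatable or technical_impact == "total"):
            return "Act"
        return "Attend"          # active exploitation is never just tracked
    if exploitation == "poc":
        if automatable and technical_impact == "total" and mission in ("medium", "high"):
            return "Attend"
        if automatable or technical_impact == "total":
            return "Track*"
    return "Track"


def prioritize(findings, inventory):
    """Return (finding, decision) pairs, most urgent first."""
    ranked = []
    for f in findings:
        # An asset missing from the inventory has unknown impact; treat it conservatively.
        mission = inventory.get(f.host, {}).get("mission", "high")
        decision = ssvc_decision(exploitation_status(f), f.automatable,
                                 f.technical_impact, mission)
        ranked.append((f, decision))
    # Decision first, then likelihood of exploitation, then severity as a tie-breaker.
    ranked.sort(key=lambda p: (-RANK[p[1]], -p[0].epss, -p[0].cvss))
    return ranked


if __name__ == "__main__":
    print(reconcile_assets(INVENTORY, SEEN_TODAY, LAST_VULN_SCAN, TODAY))
    for f, decision in prioritize(FINDINGS, INVENTORY):
        print(f"{decision:<7} {f.vuln_id} on {f.host}: CVSS {f.cvss} EPSS {f.epss}")
```

Two things the ranking makes visible that a CVSS-only sort hides: VULN-6 carries the highest CVSS score on the list but ends up last, because nothing indicates it is being exploited, while VULN-4 on a low-mission build server still lands in Attend because exploitation is active. The reconciliation output is the daily to-do list for the asset-management tenet: printer-7 needs to be inventoried or removed from the network, build-03 needs to be found, and both build-03 and db-01 are outside the weekly scan window.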