procainestart
procainestart Dork
6/12/21 11:47 a.m.

I'm an editor at an engineering consulting firm, but moving into an IT position working on governance of our cybersecurity certification (CMMC 3). They know I'm not a technical expert but I know about developing processes, communication, and how to deal with our staff, most of whom are going to be pretty stunned by the CMMC requirements when they go into effect. (We're not a big firm, not used to rigid rules, and many of our partners are certain that they're special snowflakes, exempt from rules they don't like.)

I'm poking around the web looking for certs or courses but stuff's technical and I can barely tell you what a subnet mask is. The firm wants me to do this work, but I'm uncomfortable going into it without knowing much.

Got any resources and/or advice on getting up to speed on cybersecurity compliance, in particular, governance? 

GameboyRMH
GameboyRMH MegaDork
6/12/21 3:27 p.m.

That's odd, usually it's hard enough for very experienced IT pros with plenty of cybersecurity experience, and even modest amounts of cybersecurity certification, to get cybersecurity jobs. Usually companies hold out for someone with many years of experience and an MSc in a related field while their pipeline gets casually shut down by ransomware that could've been stopped or at least mitigated by anyone with half a clue what they're doing.

If you need technical knowledge of cybersecurity, you're going to need some crash courses, so get your training montage music queued up. I'd say you should start with a course in computer networking, basic computer security, and then a CEH cert. That should leave you with a more than acceptable level of cybersecurity knowledge by the typical IT department's standards. I also found this course on cybersecurity governance:

https://www.coursera.org/lecture/grc-approach-to-managing-cybersecurity/cybersecurity-governance-and-planning-Xvy38

I have experience with certifying systems and keeping them compliant, but the closest I've come to keeping people compliant is keeping coworkers compliant with the same rules I have to follow. Usually someone in top IT management, possibly a CIO or CSO, would be in charge of that.

procainestart
procainestart Dork
6/14/21 11:18 a.m.

Thanks for your response, and for tracking down the Coursera course and related training advice.

Yes, I agree -- it's unusual that they want me to help with this. We have a CSO and several sysadmins who are doing the technical work. They want me to help put processes together to track and log things like permissions requests from staff, make sure we're meeting our periodic internal audit requirements, etc. I'll also be handling our training for phishing, as well as rollout, when we get to tell everyone that much of the way they deal with computers will have to change...

Aaron_King
Aaron_King PowerDork
6/14/21 11:20 a.m.

If you have a library card, check with them about the Coursera stuff. Our library gives free access to that stuff.

Robbie (Forum Supporter)
Robbie (Forum Supporter) MegaDork
6/14/21 12:07 p.m.
  1. by far, the biggest risks are your people
  2. by default, management and executives do not hear that message well ("but WE are better than that")
  3. My belief is that the biggest impact you can have is by implementing training AND testing programs to improve your staff

For a real eye opener, send a fake phishing email to your entire staff and track how many employees report it, how many click the link, and how many enter their password into the resulting landing page.

This really is a lowest-common-denominator game, it only takes one employee to let the criminals in. 

Robbie (Forum Supporter)
Robbie (Forum Supporter) MegaDork
6/14/21 12:11 p.m.

Here's a good phish email:

Hello,

Microsoft Outlook needs your password. Please click the link below and verify your credentials in order to continue sending and receiving email.

Thank you, 

Pete Gossett (Forum Supporter)
Pete Gossett (Forum Supporter) MegaDork
6/14/21 2:59 p.m.
Robbie (Forum Supporter) said:
  1. by far, the biggest risks are your people
  2. by default, management and executives do not hear that message well ("but WE are better than that")
  3. My belief is that the biggest impact you can have is by implementing training AND testing programs to improve your staff

For a real eye opener, send a fake phishing email to your entire staff and track how many employees report it, how many click the link, and how many enter their password into the resulting landing page.

This really is a lowest-common-denominator game, it only takes one employee to let the criminals in. 

Our company does stuff like this regularly. They also started sending out a monthly email with tips to avoid such problems, and we also have a short vid they send out each month about the topic that we're required to watch & answer a couple questions. It's definitely helped our company. 

procainestart
procainestart Dork
6/14/21 5:17 p.m.
Aaron_King said:

If you have a library card, check with them about the Coursera stuff. Our library gives free access to that stuff.

Thanks for the tip. I've got cards to two library systems -- one will likely have access to Coursera.

Meanwhile, we have a vendor that does "spearphishing" (fake phishing emails) for us; we then take the list of people who fell for the email and beat them. Just kidding -- we make them take more training.
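Robbie's suggestion above (send a simulated phish, then track who reports it, who clicks, and who enters a password) and the vendor-run programme described in this reply (take the list of people who fell for it and enrol them in more training) both come down to the same bookkeeping: a per-user funnel over the campaign's event log. The following is an added example, not code from the thread or from any vendor's product; the log format (`timestamp,user,event` with the events `sent`, `reported`, `clicked`, `submitted`) and the sample lines are constructed for illustration. It handles the edge cases that skew the headline numbers if ignored: duplicate events, a user who clicks and then reports, a password submission without a separately logged click, and events for a user who was never sent the email.

```python
"""Phishing-simulation funnel metrics over a constructed campaign event log."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data): "timestamp,user,event" per line.
SAMPLE_LOG = """\
2021-06-14T09:00:01,alice,sent
2021-06-14T09:00:01,bob,sent
2021-06-14T09:00:01,carol,sent
2021-06-14T09:00:01,dave,sent
2021-06-14T09:00:02,erin,sent
2021-06-14T09:03:10,alice,reported
2021-06-14T09:05:44,bob,clicked
2021-06-14T09:06:02,bob,submitted
2021-06-14T09:06:02,bob,submitted
2021-06-14T09:10:30,carol,clicked
2021-06-14T09:12:00,carol,reported
2021-06-14T09:20:15,dave,clicked
2021-06-14T09:30:00,mallory,clicked
this line is malformed and must be skipped
"""

VALID_EVENTS = {"sent", "reported", "clicked", "submitted"}


@dataclass
class Funnel:
    """Campaign totals plus the follow-up lists a training coordinator needs."""
    sent: int = 0
    reported: int = 0
    clicked: int = 0
    submitted: int = 0
    retrain: list = field(default_factory=list)   # users who clicked or submitted
    unknown: list = field(default_factory=list)   # events for users never sent the email

    def rate(self, name: str) -> float:
        """Percentage of recipients for a given stage, e.g. rate('clicked')."""
        return round(100.0 * getattr(self, name) / self.sent, 1) if self.sent else 0.0


def parse_events(text: str) -> list:
    """Parse the log into (timestamp, user, event) tuples, skipping bad lines."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or parts[2] not in VALID_EVENTS:
            continue  # malformed or unknown event: skip rather than miscount
        ts, user, event = parts
        events.append((ts, user.lower(), event))
    return events


def funnel(events: list) -> Funnel:
    """Collapse events to one record per user and tally the funnel."""
    per_user = defaultdict(set)           # a set deduplicates repeated events
    for _, user, event in events:
        per_user[user].add(event)

    f = Funnel()
    for user, evs in sorted(per_user.items()):
        if "sent" not in evs:
            f.unknown.append(user)        # stray event: not a recipient
            continue
        f.sent += 1
        submitted = "submitted" in evs
        # Entering credentials implies the user reached the landing page,
        # even if the click itself was not logged separately.
        clicked = submitted or "clicked" in evs
        if "reported" in evs:
            f.reported += 1               # reporting counts even after a click
        if clicked:
            f.clicked += 1
            f.retrain.append(user)
        if submitted:
            f.submitted += 1
    return f


def report(f: Funnel) -> str:
    """Human-readable summary for the training coordinator."""
    lines = [f"recipients: {f.sent}"]
    for stage in ("reported", "clicked", "submitted"):
        lines.append(f"{stage}: {getattr(f, stage)} ({f.rate(stage)}%)")
    lines.append("retrain: " + ", ".join(f.retrain))
    if f.unknown:
        lines.append("events from non-recipients: " + ", ".join(f.unknown))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(funnel(parse_events(SAMPLE_LOG))))
```

The "submitted implies clicked" rule is the one most often missed when numbers come straight out of a mail tool: a recipient who pasted the link into a different browser still handed over a password, and belongs on the retraining list regardless of whether the click was recorded. The per-user set also keeps one fast double-click from inflating the click rate.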

Bent-Valve
Bent-Valve Dork
6/14/21 6:54 p.m.

PM sent, I am a real person, please click on ALL the links in the PM...

Seriously I did add some links, check them on google or something.

Our phishing email (training) is seriously good, they look like they are from Google, Facebook, LinkedIn etc. Then we have to watch a training video and answer questions.

It's worth being safe to avoid the videos. laugh

procainestart
procainestart Dork
6/15/21 7:07 p.m.

In reply to Bent-Valve :

Funny thing is, Gmail put a huge warning banner across the top of your email because they couldn't verify it came from your address, cuz it didn't -- it came from GRM.

californiamilleghia
californiamilleghia SuperDork
6/15/21 7:58 p.m.

If you use Linux for your email, will the spear phishing links do the same damage, or is this Windows only?

eastsideTim
eastsideTim PowerDork
6/15/21 8:46 p.m.
Bent-Valve said:

PM sent, I am a real person, please click on ALL the links in the PM...

Seriously I did add some links, check them on google or something.

Our phishing email (training) is seriously good, they look like they are from Google, Facebook, LinkedIn etc. Then we have to watch a training video and answer questions.

It's worth being safe to avoid the videos. laugh

Ours is pretty good, too - they also make sure not to send the fake phishing mails to everyone, so you never know when one is going to end up in your inbox. You click a link, you get to go and do the training course all over again. Problem with that is, they've also done a great job of making sure I don't click links in legitimate emails, either. laugh

jwagner (Forum Supporter)
jwagner (Forum Supporter) Reader
6/15/21 11:02 p.m.

I'm a cybersecurity analyst so I have some level of expertise on this. Without knowing what your organization's security posture is, I'll make some speculative comments. Asking you to take the lead on a CMMC3 implementation and audit/certification is a really big ask. It would be even for an experienced cybersecurity professional. I'm not sure I'd bother with certifications but would focus on the requirements for CMMC3 certification, which I think are largely based on the NIST 800-171 standard, and also on finding appropriate consulting help to assist in an implementation which will hold up to a third party audit. You do need a good overview understanding of cybersecurity, but prep for certification tests is probably just a distraction from the main task. (And you'll be more ready for certification after you have some hands-on experience.) (Also take a look at Pluralsight for online training.)

It's important that you make management understand the level of commitment needed and a reasonable timeline, and set expectations for resources and schedule that can be met. Without that you're getting set up for failure. There's a whole lot of policies and procedures that need to be written and implemented, and this also means executive commitment and change, and probably some significant investment. An experienced consulting group is useful through all of this since they can speak with authority and from experience.

zoomies
zoomies New Reader
10/27/23 1:49 p.m.
californiamilleghia said:

If you use Linux for your email, will the spear phishing links do the same damage, or is this Windows only?

It depends. Some links will try to install something that's likely for Windows. 

But others are meant to collect your credentials to online applications hosted not on your device or mail server.

zoomies
zoomies New Reader
10/27/23 2:36 p.m.

In reply to procainestart :

This is the most dull topic in cyber, but you have to learn the lingo to develop credibility so your change management and project management skills can go to work.

When was the last time your company had a third party come in to do a cybersecurity maturity assessment (doesn't have to be a comprehensive one by C3PAO, just a "strategic" one against NIST CSF)? If it's been more than two years, I would really push to get one done and volunteer to be the PM who oversees the work (and sits in on all the interviews and debriefs).

Otherwise I would be scrappy and start with the main cybersecurity vendors' marketing materials (like CrowdStrike's Cybersecurity 101 and Palo Alto Networks' Intro to Cyber video) and Google/YouTube terminology you don't understand. If you have a long commute there are podcasts (Mandiant hosts one).

If you really want to go the booksmart way... Security+ is the noob level course but most in the industry will chuckle at it. Look at the SANS intro courses but make sure your employer pays for it all. A course can be close to $10,000 (but sometimes they run promos for a free iPad...)

Congrats on getting into cybersecurity. Change management skills are valuable to make sure the controls you are implementing are successful. DM me for more details, always happy to chat.

procainestart
procainestart SuperDork
11/27/23 12:10 p.m.

In reply to zoomies :

Epilogue to this old thread: I quit. The department was completely dysfunctional, I couldn't magically become a CISO, and their CMMC consultant hadn't ever worked on NIST 800-171 compliance. I ended up knowing more about it and government procurement (FAR/DFARS) than they did, but I was the newb, so my input was routinely ignored. If they get certified in the next 2 years, I'll be very surprised.

DirtyBird222
DirtyBird222 PowerDork
11/27/23 12:29 p.m.
procainestart said:

I'm an editor at an engineering consulting firm, but moving into an IT position working on governance of our cybersecurity certification (CMMC 3). They know I'm not a technical expert but I know about developing processes, communication, and how to deal with our staff, most of whom are going to be pretty stunned by the CMMC requirements when they go into effect. (We're not a big firm, not used to rigid rules, and many of our partners are certain that they're special snowflakes, exempt from rules they don't like.)

I'm poking around the web looking for certs or courses but stuff's technical and I can barely tell you what a subnet mask is. The firm wants me to do this work, but I'm uncomfortable going into it without knowing much.

Got any resources and/or advice on getting up to speed on cybersecurity compliance, in particular, governance? 

I don't know what the scope of your work is going to be, how big your organization is, or any of that but the basics are always going to be the NIST 800 series of documents. 800-171 and 172 are the CMMC baselines. 800-53 is your security and privacy controls document that you will be assessed against, and 800-61 is your incident handling guide. 

I've always built and tailored my Security Plans and Incident Response Plans to the requirements of the contract and program I'm working on and the size and resources available within the organization. 

Most universities also offer cyber security certification courses that will run you through the basics of all the government compliance side of things; however, falling back on the NIST documents is the crux of those courses. 

DirtyBird222
DirtyBird222 PowerDork
11/27/23 12:30 p.m.

Oh dang didn't even see this was an old thread. 
