I need Guidance: Cybersecurity assessment

The company that I work for is a small business and we’re growing. I have been tasked with developing and implementing a cybersecurity policy for the company.

I am a long-time IT Guy, but have never really delved that deep into cybersecurity. After googling until my head hurt (literally), I have decided to come talk to the community.

Where do I start? Our company doesn’t want to PAY for an assessment, because we’d rather learn to do it ourselves so that we can offer it as a service to our customers.

Once I know what our vulnerabilities are, I can work to correct them. However, the part about determining what they are is my problem. :frowning:

What resources do you recommend? Books? Videos? Online training?

IT Pro TV has classes for learning cyber-security and to get your CISSP


I’ll look into it. Any other more immediate (and cheaper) recommendations?

What’s your opinion of CBTNuggets? It’s a similar service that one of our techs has used in the past. Similar pricing.

Is NIST guidance too basic to start?

I looked at some of the NIST stuff and while it said what you need to have, it didn’t really give me a roadmap on what I need to test and how to remediate it to GET to the NIST standard, which is our goal because of an increase in government jobs.

I thought CISSP had required that persons be actively employed in the infosec field for at least 10 years before you could qualify for it.

Back when I was in school for info-sec & IT (early 2000’s), Nessus was part of the syllabus, but Nessus has long since ceased to be relevant (or at least that’s what I’ve heard) or free for non-profit use. What types of packages do you use for network vulnerability assessments?

I know there’s Kali Linux, Metasploit, Nmap and some others out there. I’ve been out of touch with the info-sec side of things for some time since I’m not in the job market anymore, but it is still a favorite reading subject of mine.

You need to show at least 5 years of experience in the covered domains. If you can’t, then you get an “associate” cert or something until you gain that experience and can then upgrade to the full cert. So you can still study and test and get the cert, provisionally.

So, I will get the cert, and since I’ve been in IT for 30 years, I may be able to scrape together the required experience, lol. If not, I will quickly GAIN that experience.

With all respect, this is a TERRIBLE decision on the part of the company: "Our company doesn’t want to PAY for an assessment, because we’d rather learn to do it ourselves so that we can offer it as a service to our customers."

You WILL sit with issues that will likely result in a breach, LONG before you or anyone in the company becomes experienced enough (never mind getting certified).

Get a good cyber sec company to come do an analysis (what’s cheaper, this or a breach / ransomware?) and ask questions, tell them you’re interested in cyber sec, ask them why they do x, etc. Maybe go job shadow them.

As you build the skills, apply them at home etc. before in the workplace. Right now the best thing you can do is 1) get a legit company to do an analysis and 2) send staff on training so they can be the most effective firewall, AKA the human firewall.

Sadly, you’re probably right. But I have no control over those decisions. By educating myself, at least there are SOME mistakes that can be avoided.

I hear you. Aim for the low hanging fruit:

  1. BACKUPS & more backups.
    1.1) Do drills.
  3. DNS over SSH / similar.
  4. WAF + website sec
  5. Something like PFSense with IDS.

2-3 can be implemented in 48 hrs of approval.
4 about the same (Cloudflare free + some manual config of it & Wordfence + some config will do you better than probably 60% of sites).
5 - Could take a while, prob good to set up on a spare PC / VM @ home and start learning it.

Please put something in writing to them, stating that their approach isn’t advisable due to xyz. This will save your ass later on.

I’m no CyberSec expert, or even an amateur, but if you want help with 2 & 4 I’ll happily help where I can for free, ideally publicly where possible, so that others can hopefully benefit as well. :slight_smile:

