HELLOOOOOO BIG BREAK BAD WOLF RETURNS WITH SOME FUN EXPERIENCES
I'd been doing some one-off seminars and experiences with Clicked and IBM Skillsbuild so I decided to register for a team sprint with them and got in!! Finally began some public interaction after sooo loong. it was good-good fun tho. I'd love to do an experience like this again.
so basically the task was to develop a cybersecurity program for an edtech startup from scratch. it was a real scratch for me because while I've done some challenges and problems with specific cybersecurity skills this was more of a general and wider approach to cybersecurity that I'd already been feeling I lacked. I was doing more specific DFIR challenges and not exactly beginning foundationally as I should have. I'd already realised this and begun Professor Messer's Sec+ series and some Sec+ cheat sheets and magically this sprint came about. they required all attendants to start the IBM Fundamentals course on Skillsbuild which was a good springboarding point for further general cybersec studies. I began the course and the sprint ran parallel.
(btw a good proper formal stiff upper lip report of the whole shebang is on my Clicked portfolio and I'll put the link in the postscript. I'll put the ppt here tho. not that it's some straight out of the Department of Defence Rosetta Stone of cybersecurity program creation but still.)
The tasks to be completed were interviewing the CTO of Wonderschool, performing a risk assessment, developing a security program and compiling it into a final proposal presentation.
the first task was to perform a stakeholder interview with Jamie Dimon (Samy Anand) and ask them questions that would drive the program creation forward. I asked a couple questions and other people definitely asked much better and more elaborate questions. learnt a lot, I think I should have looked up previous experiences on the clicked youtube channel so I could have had more detailed questions. anyway, good lessons. a proper description of my questions and answers is on the portfolio.
the second task was to fill in a risk assessment template based on the questions everyone asked and other assumptions about the company assets we were asked to make. I went 2 steps back and busted out the one and only Bond gadget, my whiteboard, and researched Chegg, an edtech company that faced security lapses and losses, to get a better idea of the threats edtech companies face. then I did general edtech company market research.
are you ready?
here goes.
and if by chance anyone can decipher what I've written, congratulations! You're one step closer to understanding the Voynich manuscript.
to fill in the risk assessment template I catalogued the company assets and assessed the risks based on these assets and filled in the risk assessment template. Here it is
RISK ASSESSMENT TABLE

| ID | RISK DESC | DEVICES/PPL AFFECTED | IMPACT | PROBABILITY |
| --- | --- | --- | --- | --- |
| #001 | DATA BREACH (sensitive data can be accessed through various means such as malicious attackers, accidental breach, third party leaks etc) | Employees, students, company laptops | High | High |
| #002 | MALICIOUS ATTACKS (social engineering attacks such as phishing, malware, ransomware, DoS attacks) | Networks, servers, third-party vendors, laptops, students | Medium | Medium |
| #003 | LEGAL (risk caused due to non-compliance, non-governance etc) | Business profits, employees, customers | High | Low |
| #004 | WEB APP SECURITY/NETWORK SECURITY (security of the education platform, mobile app, third party storages, servers etc) | Network servers, storage servers | Medium | Low |
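As an added example (not part of the original post or the sprint template), here is a small scorer that takes the four risks from the table above and ranks them with a qualitative impact-by-probability matrix; the ordinal scores, the rating thresholds and the `rank_risks` helper are my own assumptions, used only to show how a template like this turns into a prioritised register.

```python
# Added example: rank the risk assessment table with a simple 3x3 risk matrix.
# The ordinal values and rating thresholds are assumptions, not from the post.

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Constructed from the RISK ASSESSMENT TABLE in the post.
RISKS = [
    {"id": "#001", "desc": "Data breach", "impact": "High", "probability": "High"},
    {"id": "#002", "desc": "Malicious attacks", "impact": "Medium", "probability": "Medium"},
    {"id": "#003", "desc": "Legal / non-compliance", "impact": "High", "probability": "Low"},
    {"id": "#004", "desc": "Web app / network security", "impact": "Medium", "probability": "Low"},
]


def risk_score(impact: str, probability: str) -> int:
    """Multiply ordinal impact and probability (1..3 each) into a 1..9 score.

    Unknown level names raise ValueError so a typo in the template is caught
    instead of silently scoring as zero.
    """
    for level in (impact, probability):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}; expected one of {sorted(LEVELS)}")
    return LEVELS[impact] * LEVELS[probability]


def risk_rating(score: int) -> str:
    """Bucket a 1..9 score into the rating a register would show (assumed thresholds)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def rank_risks(risks):
    """Return a new list of risks, highest score first, with score and rating added."""
    scored = []
    for risk in risks:
        score = risk_score(risk["impact"], risk["probability"])
        scored.append({**risk, "score": score, "rating": risk_rating(score)})
    # Ties keep a stable order by ID so the output is deterministic.
    return sorted(scored, key=lambda r: (-r["score"], r["id"]))


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f'{r["id"]} {r["rating"]:<6} score={r["score"]} {r["desc"]}')
```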
again, for the entire script, questions, answers etc etc, I've been really nice and sensible in the portfolio report. this is MY PLACE for MY NONSENSE.
the final task was to compile all this information and build a cybersecurity program from scratch.
and when I tell you I damn near lost my mind trying to understand what a cybersecurity program is, how you make one, what is an information security policy aaaaaaaghh. it always comes back to breadmaking for me.
tbh I'm being very dramatic honestly the coaches were SO helpful and gave really clear ideas and feedback. I presented the risk assessment template and even included all the stupid whiteboards and everything loll but they were really appreciative and humoured me well lmaooo.
so I scoured the internet end to end and found some excellent helpful resources but the most important resource was the Small Business Cybersecurity Workbook by the Connecticut Small Business Development Center. it used the NIST CSF framework and asked questions that the business owners would answer and then would form the cybersecurity program. a much more useful but also much more extensive workbook was the Cybersecurity Planning Guide by the Federal Communications Commission.
The small biz cyber planner basically asks you what categories and departments your business handles and builds a cyber security program planner. here are a few pictures from the pdf
anyway, the long and short of it is, after putting my brain through a potato ricer 64 times, and consulting several documents, planning guides and articles like the oracles of Delphi, I managed to somewhat put together some semblance of a program. granted, this program in an actual c level meeting would make them hang me outside the window, but still, I DID do it.
so first of all, welcome the infamous whiteboard one more time to see how I mapped out the CIA objectives to the CIS 18 controls to better streamline the goals and objectives of the company. be ready. wear your shades.
okay, after this I basically mapped out the ppt and inserted all the stuff I had already prepared and then created the most beautiful thing known to man which I shall heretoforthwith display in the coming pages.
before that, in all seriousness, the report I've made is actually quite good (at least I think so) and I'd really like it if all 0 of my readers would read it and review it. it also has reference links and a really cool datasheet I found scrolling on the internet and put in the appendix, which basically maps the NIST CSF to the CIS 18 controls and gives a really detailed approach to my mapping of the CIA triad to the CIS 18 and if I were a wiser and older human I would use it to further develop the Risk Mitigation strategy and maybe I will, one day. who knows. anyway, here goes the PPT.
and now if your eyes aren't hurting from all this brilliance, here follows my experience of the sprint.
all in all, it was a really good experience. a bit overwhelming sometimes, maybe because I was working alone and not in a team like these experiences are meant to be carried out. but I honestly did learn soooo much, not just in the sprint but also with the IBM Cybersecurity Fundamentals course, the coaches were so good. they explained everything very well. they kept all the participants engaged, answered all questions, and gave continuous feedback and industry perspectives. they kept sharing documents and spreadsheets and links for help too. really a fun fun fun fun time. I hope I get to do something like this again.
Oh and we also got into the IBM cybersecurity analyst course on Coursera!!!!!
see you with a new certi soon fam. good night.