What is Enterprise Patch Management (a.k.a. the application of software security updates according to NIST SP 800-40r4)? The National Institute of Standards and Technology (NIST) just released Report 800-40r4: Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology. [...]
A new threat actor group is behind an infamous wave of attacks impacting companies like Microsoft, Nvidia, Okta, and most recently Globant, among others. LAPSUS$, tracked as DEV-0537 by Microsoft, is relatively less sophisticated than other hacking and extortion groups [...]
In the past few days since the Russia/Ukraine conflict, there have been some changes in the cybersecurity landscape. Below are some of my personal observations from our Ransomware Recovery business unit. I am curious if other incident response professionals, ransomware [...]
Last year, there was considerable evolution in terms of ransomware trends and techniques. In the US, and abroad, we saw many high-impact attacks being carried out against critical infrastructure entities. These highly disruptive and highly publicized attacks brought increased pressure [...]
If your company was hit with ransomware, you might be wondering if you should contact the FBI after a ransomware attack, or other law enforcement. The quick answer is mostly yes, but with important caveats to consider. Because of the [...]
The last two years have been a bloodshed for cyber breach insurers. From 2016 through 2019, the payouts on each dollar of cyber breach insurance billed ranged from $0.43 to $0.48. In other words, loss ratios were 43% to 48%. [...]
Is Your Business More Likely to Burn Down, or Get Hit with a Cyber Attack? What is most likely to happen to your business in the next two years? Will it burn down, or will you experience a cyber [...]
With the holiday season now in full swing, we wanted to share some helpful cyber safety tips and guidance when it comes to your cybersecurity strategies (or lack thereof). The Cybersecurity and Infrastructure Security Agency, as well as the FBI, [...]
Firewall patching (updating firmware) is one of the most prudent aspects of network security management that, if neglected, can have dire consequences for your company. Now more than ever, consistent firewall patching is a must have for every business, big [...]
Though cyber attacks have continued to grow in both scale and destructive power, there has also been an increase in the choices available to insure against the many types of cybersecurity threats and losses. But business decision makers might be [...]
Mr. Nichols has over 25 years of experience in the Information Security and Healthcare Technology industries. Mr. Nichols leads the Global Product Security program at Danaher Corporation, representing over 30 companies, including 4 medical device manufactures and 8 life sciences companies. Focusing on security by design for Danaher’s medical devices, diagnostics, life sciences, water quality, environmental and applied solutions product portfolios. Mr. Nichols is the chairman for the Danaher Global Product Security Council and serves on the steering committee for the Medical Device Innovation Consortium (MDIC). He is a certified healthcare information security and privacy practitioner (HCISPP) and a certified HIPAA privacy security expert (CHPSE).
Hamlet Khodaverdian is Vice President of Americas at LMNTRIX, a company specializing in threat detection and response to address advanced and unknown cyber threats that bypass perimeter controls. As a business technology executive with more than 20 years’ experience, he has held various roles in multiple companies, leading sales teams, software engineering teams, IT infrastructure teams, business intelligence and data science teams. Previously, he has been at Canon R&D, Western Mutual Insurance Group, Alliance Funding Group, Quick Bridge Funding, and has been involved in a number of startups.
Through his various leadership roles, Hamlet has gained extensive experience in building high- performance teams, in addition to extensive experience with enterprise risk management, security architecture (both infrastructure related and software engineering related), governance and compliance.
Len Tateyama is the Director of IT at NetSecure, by Alvaka Networks, leading the company’s Network Operations Center and Field Services teams. Len is responsible for the developing and maintaining technical infrastructure and the delivery of managed and consulting services to clients. With twenty years of experience leading information technology, he has held various executive positions in the highly regulated environments of financial management and banking sectors.
Areas of expertise include managing operational support teams; data center build-outs; selection and management of managed services providers; service delivery models; network and security systems design; storage area networks; disaster recovery/business continuity; application development and maintenance; large scale project management; vendor and contract management; risk assessment; and budgeting.
David McNeil is the principal for a leading risk management and commercial insurance brokerage, EPIC Insurance Brokers and Consultants. David speaks on cyber issues for business. He is a recruited member of the Orange County Sheriff’s Technology Advisory Council (TAC); Anaheim Police Department Special Operations TAC; FBI InfraGard (SIG’s Cyber, Dams, Water and Wastewater); and the Homeland Security Defense Group. Specialties include the fields of High Tech, Manufacturing, and U.S. Infrastructure protection regarding the water industry.
Mark Essayian is President of KME Systems Inc., an IT support company he founded in 1993 that provides technology products, process, security and business continuity consulting to a wide range of clients. KME Systems helps clients improve profitability via the way they communicate with and assist their respective clients.
Mr. Essayian’ s background has involved technology for over 30 years. He attended the University of California Irvine where he earned a degree in Physics with an emphasis in computer science and engineering. Mark is expert and passionate about assisting clients along their IT journey to protect their assets, culture and people.
Mark has presented for the Wall Street Journal, SCORE, Microsoft partner network, technology manufacturers, IT peer groups and numerous executive meetings. Mark also currently serves on advisory boards for several manufacturers and is a source of information to the IT industry.
Kevin is a trusted technology and security practitioner and public policy advisor to some of America’s most influential people and organizations. He advises corporate executives, federal and state legislators, law enforcement, high net worth individuals and other business leaders. He is a sought after consultant, writer, presenter and trainer on the issues surrounding personal, physical and cyber security, compliance and advanced technology. Kevin has written for and been interviewed by dozens of national publications and on major television, radio and digital outlets.
Investigator Lance Larson. Ph. D., – Lance Larson is a Cyber Investigator for the Orange County Intelligence Assessment Center (OCIAC), a Department of Homeland Security-funded fusion center. Lance has been a police officer with a law enforcement agency for nineteen years. During his tenure with the department, he has served multiple assignments including a role as the technical leader for the first online crimes against children sting in California, patrol, special investigations, and his current role helping to protect the cyber security infrastructure within Orange County at OCIAC. Dr. Larson holds a Ph.D. in Applied Management and Decision Sciences – Information Systems management, is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), GIAC Certified Cybersecurity Incident Handler (GCIH) has authored two books, and teaches both undergraduate and graduate information systems and homeland security courses for the California State University System in San Diego.
Frank Ury is an Orange County leader in both governance and technology operations, sales and business development with a background in setting infrastructure, and IT operations strategies and roadmaps. Frank’s technology career includes senior technology positions in many major companies, including DXC Technology, HP Enterprise Services, Intel Corporation and Black and Decker. Having served for 12 years as a Councilmember and Mayor of the City of Mission Viejo, Frank was influential in assisting the District with the development and financing of the Lake Mission Viejo Advanced Water Treatment Plant. Frank currently serves on the Big Data-Open Data Committee for the Southern California Association of Governments, and on several regional cybersecurity advisory boards.
Sheriff Don Barnes has over thirty years of law enforcement service to the people of Orange County, joining the Orange County Sheriff’s Department in 1989. Over the course of his career with the department, he has held every leadership rank, culminating with his election as the 13th Sheriff-Coroner for Orange County in November 2018.
The Sheriff has worked to be an advocate for law enforcement and public safety both at the state and federal level. He currently serves as an executive officer with the California State Sheriffs’ Association (CSSA) and serves as the chair of CSSA’s Technology Committee. At the national level, he serves as chair of the Major County Sheriffs of America’s (MCSA) Intelligence Commander Group. In that capacity the Sheriff is working to ensure open communication amongst local, state and federal law enforcement regarding critical threats facing our nation. This work is also accomplished through his service as MCSA’s representative to the Department of Justice’s Criminal Intelligence Coordinating Council (CICC).
Brian Keith serves as a Protective Security Advisor (PSA) for the Los Angeles District. As a PSA, he coordinates, facilitates, and performs vulnerability assessments for local critical infrastructure owners and operators, and serves as a physical and technical security advisor to federal, state, and local law enforcement agencies. In addition to conducting vulnerability assessments, Brian supports homeland security efforts by serving in an advisory and liaison capacity for the State Homeland Security Advisor. Prior to serving as a PSA, Brian was appointed as Deputy Director for Critical Infrastructure Protection (CIP) to Governor Arnold Schwarzenegger’s Office of Homeland Security (OHS). Throughout the past 20 years, he has conducted several law enforcement technology presentations at the Federal Bureau of Investigation’s (FBI) National Academy in Quantico, Virginia, and the New York State Police Union Association.
Pierson Clair is a managing director in Kroll’s Cyber Risk practice, based in Los Angeles. Pierson brings an uncommon perspective to cyber risk challenges from his years as a leading digital forensic examiner, technical security consultant, researcher, and educator. He has conducted extensive academic research at the forefront of cyber risk, most currently on changes of investigative significance in Mac and mobile device hardware and software. Prior to this emphasis, he focused on the dynamics within the complex framework of protecting critical national infrastructure as well as intelligence, espionage, and terrorism. In addition to working on analytical projects with members of the Intelligence Community and the U.S. Department of Homeland Security, Pierson has provided sophisticated digital forensic services for a wide range of private sector clients and law enforcement agencies.
Smoke testing is a term used to describe the testing process for servers after patches are applied. The process typically involves making sure servers are rebooted in the right order, making sure they have completely rebooted, restarting applications in the right order, and then testing to be certain everything is working properly when users return to work in the morning.
This typically takes 30 minutes per server, depending upon your environment.
PCs are not typically smoke tested, or if so, not all of them.
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
There are many variables to consider. Some are:
You want to enter in a fully burdened labor rate for this field. What that means is that you want to take the base hourly rate, plus 25-30% for employer payroll taxes, benefits, vacation/holiday time, etc.
For example, someone making $80,000 per year will typically work 52 weeks of 40 hours, or 2080 hours. $80,000 divided by 2080 is $38.46/hour. Multiply that hourly rate by 1.3, and you get $50.00/hour. Of course, rates of pay, taxes and benefits will vary from city, state and company; but 30% is usually a good number to use. Don’t forget to account for time-and-a-half or after-hours rates of pay if patching is being done in the late evening, early morning, or weekends (in order to avoid impacting user productivity).
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.
If you are presenting to management for a budget, and using this calculator as the basis for a Return on Investment (ROI), you will need to do more homework. An ROI measures as a ratio of the cost of investment against its expected benefit. For patching, calculating benefit can be very difficult to determine. How do you measure the cost of a system breach you have not yet had? You can estimate what expenses, penalties, and losses a company might incur when a breach occurs; but there is no certainty of a breach event and what those costs actually are. There are also regulatory compliance issues and/or potential fines for not patching, but those, too, can be vague. For calculating these potential risks and costs, it is advisable to enter into a discussion with your management team.