Pratum Blog

Smart Security Video Series with Pratum and The Technology Association of Iowa

Pratum, an Iowa-based information security consulting and managed security services firm, today announced its cybersecurity video series partnership with The Technology Association of Iowa (TAI). The monthly series “Smart Security” will consist of 60-90 second videos providing viewers with cybersecurity content that delivers actionable takeaways and thought-provoking ideas.

"TAI is excited to partner with Iowa cybersecurity leader, Pratum, to produce a new monthly video series “Smart Security”. TAI members will learn information security insights from Iowa professionals and gain the knowledge needed to protect a company's most valuable asset: its data," said Brian Waller, President of The Technology Association of Iowa.

New cybersecurity videos will be delivered each month through the TAI Newsletter and social media channels. The videos encourage executives to think strategically about cybersecurity and how it impacts their business.

“You can only cover so much in 60 to 90 seconds, but the goal is to get the cybersecurity dialogue started. For those who want more information, each video will be accompanied by supplemental written content with more comprehensive insight,” said Dave Nelson, President and CEO of Pratum.

“Smart Security” will debut January 31, 2019 in TAI’s monthly newsletter. To subscribe to the newsletter, visit technologyiowa.org.

Vendor Management

Vendor Management is receiving a lot of attention due to the increase of outsourced technology services. Vendors can provide great value, but they can also introduce a high level of risk. The 3rd annual “Data Risk in the Third-Party Ecosystem” study released by the Ponemon Institute found that 59 percent of companies surveyed reported a data breach by the action of a vendor.

If you’re part of a large organization that doesn’t have an established vendor management program, your head is probably spinning thinking about all your vendors and how to assess them. Even in smaller companies it can be an overwhelming task. It takes time to mature a vendor management program, so take a deep breath and follow these steps to get started.

1. Identify Your Vendors

Work with each business unit or department to develop a list of their IT vendors. It is also important to get a short description of the type of service being provided. If you are part of a large organization, it is best to start with critical IT vendors.

If you answer YES to any of the following questions about a vendor, add them to the critical list.

  • Does the vendor have access to your organization’s network or systems?
  • Does the vendor have access to your organization’s data?
  • Does the vendor have access to Personal Identifiable Information (PII), Personal Health Information (PHI), etc.?
  • Does the vendor have an impact on the availability of your systems/data or play a critical role in keeping the business running?

2. Prioritize Your Vendors

Once you have identified your vendors and categorized them based on access level, identify the criticality of the service they provide. If their services became unavailable to you, how would that impact your organization? How long could your organization continue doing business without their service? Your vendor’s ability to respond to a crisis or disaster may have a direct effect on your organization’s business continuity efforts. Prioritize your list of vendors to match their importance to your business operations.

3. Create a Schedule and Process

Most organizations don’t have the time or resources to audit all their vendors simultaneously. If necessary, create a schedule that spreads the effort over the course of a year. From your prioritized list, create a timeline that outlines which vendors you are going to audit and when. You may start with only 2-3 vendors a month, and that is okay.

The second part is to create a process and a plan that includes at a minimum the following:

  • Establish the owner of the vendor relationship. This individual is responsible for communicating with the vendor, collecting the information, staying on schedule, etc.
  • Understand the type of information you will be requesting. This could be compliance/security reports (SOC 2, HITRUST, ISO, etc.), or your organization may require the vendors to complete a security questionnaire.
  • Create a form to document the assessment and track results. This form can be provided as evidence for the vendor review during a compliance audit.
  • Know where the information will be stored. Designate a central repository for all information pertaining to that vendor. This helps to keep the assessment organized and efficient.

4. Track & Monitor Vendors

You will likely identify at least one vendor that doesn’t adhere to best practices to adequately safeguard your organization. If you decide to continue with their service, make sure they have a remediation plan for the security gap and track their progress to ensure a timely resolution. Vendor management is an ongoing process. Some gaps can take months to resolve, so having a process in place to track them will help immensely.

These steps give you a high-level overview of auditing your vendors. Critical IT vendors should be audited on at least an annual basis to ensure their security is evolving with growing threats. Keep in mind, it takes time to mature a vendor management program. It’s impossible to eliminate all risk from your vendors, but there are ways to manage it.
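As an added illustration (not Pratum's own tool or code), the following Python models the four critical-list questions from step 1, prioritizes vendors by criticality and tolerable outage, spreads the vendors due for an annual review across months as in step 3, and flags overdue remediation gaps as in step 4. The vendor inventory, dates and finding are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional
@dataclass
class Vendor:
    name: str
    network_access: bool = False       # access to our network or systems?
    data_access: bool = False          # access to our data?
    pii_phi_access: bool = False       # access to PII / PHI?
    availability_impact: bool = False  # would an outage disrupt the business?
    max_outage_days: int = 365         # how long we could keep operating without them
    last_audit: Optional[date] = None
    gaps: Dict[str, date] = field(default_factory=dict)  # finding -> remediation due date
    def is_critical(self) -> bool:
        # A YES to any of the four questions puts the vendor on the critical list
        return any((self.network_access, self.data_access,
                    self.pii_phi_access, self.availability_impact))

def prioritize(vendors: List[Vendor]) -> List[Vendor]:
    # Critical first, then shortest tolerable outage, then never/longest-ago audited
    return sorted(vendors, key=lambda v: (not v.is_critical(), v.max_outage_days,
                                          v.last_audit or date.min))

def audit_due(v: Vendor, today: date, cadence_days: int = 365) -> bool:
    # Critical vendors are reassessed at least annually
    return v.is_critical() and (v.last_audit is None or
                                (today - v.last_audit).days >= cadence_days)

def build_schedule(vendors: List[Vendor], start: date, per_month: int = 2) -> list:
    # Spread the vendors due for review over the coming months, a few per month
    due = [v.name for v in prioritize(vendors) if audit_due(v, start)]
    schedule = []
    for i in range(0, len(due), per_month):
        m = start.month - 1 + len(schedule)  # months elapsed since start
        schedule.append((f"{start.year + m // 12}-{m % 12 + 1:02d}", due[i:i + per_month]))
    return schedule

def overdue_gaps(vendors: List[Vendor], today: date) -> list:
    # Open remediation items whose agreed due date has passed
    return [(v.name, g) for v in vendors for g, due in v.gaps.items() if due < today]
TODAY = date(2019, 2, 1)  # constructed reference date
VENDORS = [  # constructed inventory, not real vendors
    Vendor("Cloud EHR host", data_access=True, pii_phi_access=True, availability_impact=True,
           max_outage_days=1, last_audit=date(2018, 1, 15),
           gaps={"no MFA on admin portal": date(2019, 1, 15)}),
    Vendor("Payroll SaaS", data_access=True, pii_phi_access=True, max_outage_days=14),
    Vendor("Managed firewall", network_access=True, max_outage_days=2, last_audit=date(2018, 9, 1)),
    Vendor("Coffee service"),
]
```

Running `build_schedule(VENDORS, TODAY)` lists the two vendors due for review in the first month, while the firewall vendor, audited five months earlier, waits for its anniversary.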

Reference: https://www.opus.com/ponemon/

2018 Secure Iowa Capture the Flag Competition

Earlier this month Pratum sponsored the ISSA Secure Iowa Conference, and we are proud to announce that Team Pratum (AKA Pratumeers) placed 2nd in the Capture the Flag (CTF) competition hosted by SecDSM!

What is a CTF?

Capture the Flag is an information security competition designed to increase the knowledge and speed of penetration testing workflows. Each “flag” (challenge) is obtained by exploiting vulnerabilities, reconstructing encrypted messages, or solving cryptographic puzzles. Team members submit flags on a Jeopardy-style board that tracks each team’s overall point count. The goal is simple: solve as many challenges as possible in one day.

Our Experience at Secure Iowa 2018

Following the conference keynote, the teams filed into the CTF conference room and eagerly began solving challenges. The first flag was solved within minutes after the keynote, and Team Pratum promptly responded with 2 flags submitted. Everyone started to get into a rhythm, and the solved challenges began flooding into the scoreboard with Team Pratum in the lead.

Not surprisingly, we were first to pick one of the challenge locks, and shortly after picked another MasterLock. Only two locks were left unpicked, as we began strategizing our time for higher-value flags.

Photo: Team Pratum (Pratumeers) competing in the 2018 Secure Iowa Capture the Flag (CTF)

A total of 6 flags were in the Packet Capture (PCAP) category, from which we scored 300 points. We learned a few new Wireshark tricks, specifically carving image files out of HTTP frames. Our brilliant challenge writers hid some cat memes, which brought some much-needed laughter.

After lunch, Pratumeers were able to divide into respective roles and almost complete the entire Misc category. Some Docker images were broken, rebuilt, and then broken again to compromise accounts containing the flags. Pratum’s CTO Steve Healey dove into some PCAP files while our Security Consultant Jason Moulder started to brute force the vulnerable web applications.

Photo: 2nd place finish at the 2018 Secure Iowa CTF. From left: Chad Porter, Steve Healey, and Tanner Klinge

As the conference came to a close, the race was tight and Team Pratum decided to try out some SDR (Software Defined Radio) tools. Pratum’s Security Analyst Tanner Klinge tuned into an unlicensed pager channel to intercept an encrypted Morse Code message, while the rest of the team chased after a mini-bug bounty challenge.

The Pratumeers placed 2nd overall and were awarded some prizes sponsored by SecDSM. We certainly learned a lot, enjoyed the opportunity to compete and look forward to new challenges next year.

Capture the Flag Key Takeaways

  1. Constant team communication is vital; use a shared channel such as Microsoft Teams.
  2. Test and become comfortable with all tools prior to competing.
  3. Manage your time based on the point value of each challenge.
  4. Debrief with your team afterwards and have them show other people how a particular challenge was solved so everyone can learn new tactics.