
Episode 13 - Frameworks Vs. Compliance

This week, the guys discuss one of their favorite topics, one that comes up frequently in the cybersecurity world: the difference between companies reaching out to meet cybersecurity compliance requirements and companies aligning to a secure cybersecurity framework, and how being compliant does not always mean being secure. The latest cybersecurity infrastructure information can give you tips on which framework would be best for your company, along with the hosts' own experience of the struggles in this area.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe! 


Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cybersecurity criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez. We have a topic that applies to many to discuss today, so we will dive into that shortly, but before we do, Mike, why don't you kick us off with the news?

A good day and
welcome to 2021's third podcast. Got a lot of news today. We purposely avoided anything regarding the inauguration, because I'm sure we're all tired of hearing about the potential end of Western society. So here we go.

Hackers leaked altered Pfizer data to sabotage trust in vaccines. Yay, hackers, you are now creating even more of a panic. In Europe they released false data on the vaccine that's being provided there for COVID-19.

Dnsmasq vulnerabilities open network devices and Linux distros to DNS cache poisoning. Not even Linux is safe, so keep that in mind; make sure you're patched all the way.

FireEye, and good news, releases a tool for auditing networks for techniques used by the SolarWinds hackers. This is a pretty cool tool. They also have a document out that deals with the CVEs for SolarWinds; it's definitely worth looking into.

Successful malware incidents rise as attackers shift tactics. Attackers, cyber criminals, are of course a nimble bunch, and they are continually coming up with new and exciting things and ways to exploit, and there's a new malware called FreakOut which exploits critical bugs to infect Linux hosts. I just have to applaud them on the name. Keep it up, it's pretty good. Yeah, I like it, and we've come to some good names lately. But yeah, FreakOut, anyway, that's a new one. It's tied to DDoS attacks and other types of issues.

Microsoft, in their ever-continuing efforts to make you safe, has created Zerologon flaw enforcement mode, so they will mandatorily lock down your Active Directory servers starting February 9th, default mode. So keep that in mind if stuff starts breaking.

The list of DNS vulnerabilities, advisories, patches and updates is out. The Dnsmasq vulnerabilities were disclosed, collectively known as DNSpooq, so keep that in mind; that's out there for DNS cache poisoning again.

And then in kind of sad news, because I use this tool myself: Malwarebytes was breached by the SolarWinds attackers. Keep that in mind when you're using your Malwarebytes, that there was an issue, and I would definitely check that out.

SolarWinds malware arsenal widens with another piece of malware called Raindrop. It's a new backdoor that loads, drops a Cobalt Strike beacon in there, and another way of exploiting.

FireEye has released another tool, a new open source tool, in response to the SolarWinds hacks, so there's another one named Azure AD Investigator. I've had a couple clients that have turned this on already and love it, so it's a good thing to check out.

One important thing: companies turn to MSPs as the attack vectors get more sophisticated. Companies are starting to reach out to professionals. There still is the debate of MSP versus the managed security providers like Silent Sector: who would be better to manage your security?

IT professionals destroying end-of-life hardware over fears of data breaches. Anybody who's been through an M&A or didn't manage the decom project is happy to hear this, because how often have you gotten rid of your hardware and then found it in a store somewhere and it hasn't been wiped properly by your vendor? So it's good people are moving to actually destroying it instead of reselling it, so that extra seven dollars you get for having a hard drive in it when you turn it in is no more an issue. And with that, we can move forward. Zach, Lauro.

I've got a couple exploits to
talk about this week. I think they're probably pretty interesting. So Oracle WebLogic Server 14's got a remote code execution that is being tested right now, so if you're running Oracle WebLogic Server 14, make sure you're getting upgraded to at least 1.2 or something else, but it's the 14.1.1 that is the exploit in development right now for that RCE.

But more brutal than that, I think, is those of you out there using Atlassian, especially Confluence: there's a widget connector macro that's like really, really bad. It's in dev right now so it's not working, but from looking at it briefly it doesn't look like it's going to need much to get it working. So the way that it does this is it basically does a traversal for file disclosure and then, basically, by uploading a template, the template is the payload. So Confluence is the document management, document sharing product through Atlassian, and so by uploading this arbitrary template you can cause all kinds of issues, apparently. So again, it's still in dev, but certainly something to be looking out for, and if you're looking for a CVD, or I'm sorry, CBD, if you're looking for a CVS form, I'm just kidding, if you're looking for the CVE, it's 2019-3396. So make sure you're at least past 16 12.1, and I think that's really probably the only thing worth talking about this week as far as exploits. No cool names; they didn't give it a cool name like FreakOut, it's just the widget connector macro SSTI.

Just to clarify, is that FreakOut with an F or a PH? It's an F. Okay, I thought, I think the PH would have been more, just even a step above. But maybe that's good, that's version two. Could be. Yeah, if we could make a request out there: put some cooler names, you know, some that throw back to, you know, computer hacking of old, hence the PH. Exactly, the blue boxing and the green and all the color boxes, tones.

Well, it sounds like with the news and the exploits that we're still going to have a job, so that's good news despite all the bad news out there. Sounds like cybersecurity, unfortunately, is still an issue. So speaking of which, let's talk
about a topic today that is so prevalent that it needs to be discussed, and this is just coming from our experience and companies reaching out not quite understanding the difference between two critical aspects, or two critical pieces, in cybersecurity. So today we are going to discuss the difference between a cybersecurity framework and cybersecurity compliance. What's the difference? Because here's what happens: a lot of companies, and no fault of their own, right, this is just for people that don't have a background in this stuff, they'll reach out and say, hey, I gotta get aligned with this framework right away, you know, whatever it is: PCI, CMMC, NIST 800-171, HIPAA, you name it, the GDPR, CCPA, it's the flavor of the week. And so they reach out and say, you know, we're really, really worried, we got an audit, or we have a customer requiring a third-party assessment, or whatever the case may be, and we're worried about being able to align to this. And we say, okay, well, great, what framework, what cybersecurity framework are you aligning to? And they say, well, what do you mean? So that warrants a conversation around the fact that being compliant is not the same as being secure, and we always recommend following an industry standard framework first before worrying so much about covering down on compliance. So if we could start with that mindset, we can really, I think, help people change their outlook on how they run their security programs and the importance of a security program in the first place. So that's the goal of the topic today, kind of what we want to get across. What are you guys seeing right now as far as struggles in this area?

I got a good one. Can I go, could I go, can I go? Mr. Lauro Chavez, go ahead. Thank you
for raising your hand. Yes, thanks Zach, it's great to be here today. So nervous. Long-time listener, first-time caller. All right, I'm gonna rant for a moment, because this really bugs me, actually. I made a meme about it today for my LinkedIn, for those out there that didn't see the cat versus the screaming lady. You know, recently a compliance assessment came back that was showing the client failing due to still allowing older versions of SSL, okay. So, you know, for those who don't know, the web browser, you know, the pcat connections and all the modern stuff should be on TLS 1.2. That's sort of the mark; anything older than that is considered deprecated, therefore considered high risk by the authorities that be. In any case, so when you run a vulnerability scan, like a PCI scan or something like that, when you're templating and it finds these weak ciphers still available, it's going to flag that. And so I've kind of gotten wind of this sort of a failing circumstance because of this, and it bothers me. As a practitioner of penetration testing and some modeling and all of this, I'm bothered. No modern browser is going to negotiate a session with a certificate, especially a modern certificate using 2048-bit with SHA-256, on an old SSL connection, right? For that connection, the browser, just based on native configurations that have been modernized over the last 10 years, is going to say, you know, this certificate's bad or this connection's bad, you don't want to do this. It's extremely difficult to go into your browser and try to manually make it connect on older SSL. Almost done, almost off the PR, forgive me here. And let's not mention the attack surface, okay. So take Sweet32, the attack against the 64- and 32-bit block ciphers. Oh, it sounds tragic. Well, the only way to do that is if a computer using an old browser that's using an old SSL is connecting over an open internet, like a Wi-Fi at a public café, and a hacker is sitting there and he can capture that cookie or that session token and then he can crack it. Wild, you know what I mean? Like, it's not 2006 anymore. So I think that's a great way to explain: like, no modern red team or purple team exercises, or even the active persistent threats that are out there today, are using this attack to gain hold. I mean, this is not how they got into the SolarWinds Orion. That's, I think, the difference, a great example to talk about the difference between compliance and security, is that compliance says, oh, you have a weak cipher, you're failed, you know what I mean? Versus cybersecurity is going to say, okay, we have weak ciphers, what is the attack threat model around this particular usage of the exploit, and how does that relate to our deployed architecture today? And it begs the question from a logical, I believe, perspective versus a black-and-white lined perspective.

All right, I'm making a note here to upgrade my Internet Explorer 4 to a newer version, 4.1. You know, there used to be that Easter egg in Internet Explorer: you could go into Help, I don't know if you knew this, there was an E you could drag over the globe and release it and it would open up into this video that would show all the developers that participated in the making of Internet Explorer 4, which is a really big deal, with some of the very first ActiveX content, which we know is a really bad idea, but for active content back at that time of the web, I think it was foundational, right? But yeah, anyways, Internet Explorer 4, I don't even think it would show anything today if we tried to use it.
So, you know, to recap that, I think the big issue there is compliance is not, the lens of compliance is certainly not always a realistic view of security, and while I think these frameworks and all the compliance requirements that are popping up all the time are, you know, people are trying, right, but it's certainly not a view. And just to kind of give a high-level overview for those people that don't have a background in this stuff: a cybersecurity framework is a holistic list of all the things that an organization as a whole should have in place in order to be considered proactive in their security program. And most organizations, you know, they're not going to be aligned 100%, but the idea is to continue to work on improving your security program in your technology and your governance and staff awareness, everything across the organization, to create a true defense-in-depth model following these prescribed frameworks. So that would be like Center for Internet Security CIS Controls, version 7.1 is out right now, the NIST 800-171, alpha or C, or NIST CSF, great frameworks, right, or NIST 800-53. They take a holistic look, whereas compliance, of course, is focused generally on a more narrow aspect. So PCI compliance, for example, is focused on credit card data, right, not so much the rest of the organization, but it's really focused on credit card data. HIPAA, focused on PHI, or protected health information, right, that's the area of interest. Things like, you know, GDPR and CCPA, right, your personally identifiable information, consumer data, that sort of thing. So they're looking at segments of a security program, and a lot of times around privacy and such, but not as a whole. So I'll shut up there, but that's just for those people that, a lot of times compliance and frameworks are used interchangeably. I consider them two different things, although there is certainly some overlap there.

There are, yeah,
most definitely. Yeah, we see it all the time, and you know, especially with things like HIPAA and PCI, they're missing the point and they're not securing data that is really critical data oftentimes. And that's what I've seen, is like, well, we're taking care of our HIPAA piece. Yeah, what about the rest of it, right? I mean, there's definitely a difference and there's definitely a gap. And you can be compliant and not secure, but if you're secure, you're focused on security, you're generally really close to being compliant for pretty much everything, and that's really what it comes down to.

Absolutely. No, you couldn't have said it better than that. PCI is a great example too, where just like HIPAA, they try to limit the scope so they can focus on implementing all this control framework stuff, right, these configurations that they haven't really ever done or mastered. And so when you try to, you know, the rule, I guess, is that if you try to boil the ocean it's gonna take a long time, so they try to take a cup at a time. And when you do this assessment you find out that a company that's PCI compliant, as the whole, is less than twenty percent, because they've really only focused on, like you said, the HIPAA or the PCI scope of work, of systems, technology, people and process, and kind of ignore everything else, because they're focused on compliance, right, like, what do we have to do as a bare minimum? And they'll take that out of that framework and categorize those systems in their organization just to the ones that apply, and that's where they'll apply the controls and leave everything else, well, flapping in the wind.

Yeah, and in their defense, you know,
I think that the root cause of this is when they don't have guidance on the security side. They face, the compliance requirements are basically dictated to them, whether it's the nature of their industry or whether it's a client of theirs saying, hey, we need you to be compliant to whatever it is. Then that's all they're looking at. People aren't telling them, unless they have good advisors, that, hey, you really need to align with an industry standard framework. You don't just make up your security program as you go, because if you do and something happens, when you're in court in a lawsuit, the opposing counsel is going to basically be tearing you apart, saying, what was your security program based on? If you say, oh, well, you know, we got some smart people that are putting up, or managing, our firewalls, they're focusing on keeping our endpoint antivirus up to date, that sort of stuff, they're gonna say, well, that's not enough. You know, if you're not aligning with an industry standard framework, you're essentially negligent in the event of a breach. So, plus, it's some heavy lifting up front, but once you're there it's going to make your life a lot better over the long run. It's really a foundation of the cybersecurity of your organization; it creates a lot of clarity.

You know, I also find that a lot of companies will look at this and go, oh my god, you know, this spreadsheet's huge, I'm never going to be that. And I'm actually working with one right now, and they were like, oh, I'm about 75 percent of CIS, just going through the spreadsheet on their own. You know, if you're applying industry best practices overall, you're generally pretty close to complying; it's just getting the rest of it implemented and getting it formalized, getting it documented that you're adhering to the framework, that sort of thing. It's really, it's not as much, I mean, it is heavy lifting, it can take 18 to 24 months, but it's not as bad as when you first open especially like 800-53 with the, what, 4,000 controls or whatever it is. Well, yeah, it's a little intimidating.

Well, you mentioned documenting, and I think
that's a big pain point for a lot of people, right, because they may even be doing some pretty good practices already, but having them in writing is a whole other thing. And it's one thing to do cybersecurity effectively, but if you don't have it in writing, again, a breach occurs, they want to see a record of best practices being followed and all that. If they're baked into your policies, if you have procedure documents and standards to present, it's going to make your case much, much stronger. Plus, it's just a good practice for the organization, right? You have turnover; you need to really document and have kind of set in stone the company's way of doing things. Granted, those documents will change over time, but that's what they're meant to be, right? A living, breathing document set is critical, and that's one of the foundational elements of a good security program.

Yeah, and I think you make a good point, Zach, that not everybody, I don't think, especially some of the CIOs and, you know, CTOs out there that are kind of managing these organizations, I don't know if they're looking at it from that perspective: like, you may have to sit in court one day and defend the logic you used for the controls that you've implemented and, you know, have really good excuses for only being able to get so far as you've gotten, right? I mean, that's like a really good friend of mine who, back when I was just an architect, was a CSO, told me, he said, my job is always on the chopping block. He's like, I have all the risk, I own it. He goes, the moment something goes wrong, my job's first on the line. And you know, that was the first time that I really thought, I was like, wow, he really kind of makes a point there, because, you know, he's in charge of making sure, and going to the business, you know, saying all this cybersecurity type activities need to happen. And if he's not documented and he's getting met with resistance and something happens, and there's some form of lawsuit that occurs, and, you know, the investigation deems some form of interrogation of some form, right, where they're doing interviews with people, you want to have a good story to tell, that, you know, like, even if, you know, hey, I requested this budget and I got turned down. Because they're gonna be pointing fingers, and I don't think anybody ever thinks of it at that extreme level at the end of all this. Is it great to prevent all this? Absolutely. But if you don't, that's sort of where you'll end up, is in that stand answering questions to an attorney.

Yeah, and you think about it, a lot of people don't even think about the security department until, A, we block something that you're using on a regular basis because of a security issue, or B, when stuff blows up and hits the fan and all of a sudden they're like, well, where's security? And it's like, you know, being an afterthought, you have to document that, so it is natural to get swept aside, like you were saying, Lauro. It happens a lot.

It does, and you know, even some of the security engineers, you know, they know for a fact that if something goes wrong in the business, they always come to security first: you guys running scans today? Is there something going on that you know, that's intrusive, that would take the service down? It's like we're always the first to blame for everything. Always the security guy's fault.
Well, you know, as a wrap-up, I think the moral of the story here, the message, is it may seem like more work, it may seem like a lot of heavy lifting to follow an industry standard cybersecurity framework, and it is, it's certainly work, at least for the first 18 to 24 months, like Mike said. But the reality of it is, it's going to be a lot less work in the long run for the organization, and it's going to increase security much, much more than just following a framework, or I'm sorry, a compliance requirement, and trying to play that whack-a-mole approach where you're chasing down the requirement of the month that pops up. So follow an industry standard framework. There's more about that in the book, but we'll of course talk about it on future podcasts, because it is such an integral part. I mean, really, that's the foundation of everything cybersecurity when you're building a program for an organization. So thank you for joining us this week. I hope you have a great week, and I hope you really take this to heart, because this is something that we are very adamant about with all of our clients, and I think it will make a lot of difference. If you're not already following a framework, do some research, find the ones that are out there, and pick one that's best for your organization. Just run with it. Thanks a lot and have a great day.