
Episode 16 - Everybody Loves Cybersecurity Compliance!

Compliance. Internet security in business. These topics aren't the most attractive to discuss, but for most organizations they're a necessity. This week, the guys discuss compliance obstacles and pitfalls, how to overcome them, plus the investments that provide the biggest returns when it comes to cybersecurity compliance. They also help you understand cybersecurity laws. Whether you're faced with PCI, CMMC, SOC 2 audits, GDPR, CCPA, or any other set of requirements, the fundamentals are the same, and this episode is for you.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe! 

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and today we have a fascinating topic: compliance. It is something that's just critical, not always the most fun thing to talk about or dive into, but I think we're going to share some insight that will help you along the way, because the reality is this is a problem for everybody. But before we do, Mike, why don't you kick us off with the news?

Actually, Zach, we're not doing this this week, remember? I just came back from vacation, and frankly, people, apologize, but I did not have time to look up some news stories for you. But there's a ton out there, and guarantee that I am... but yeah, no, I'm drinking out of a fire hose after vacation.

Shattering the mold here. I don't even know what to do. Can we... yeah, we're freelancing today. Quick switch to Lauro with exploits. All right, take over, please save them.

Reject the button, pardon that. Anyways, we've always got exploits to talk about. So this week I think it's kind of an interesting week, because there were nine WordPress plugin exploit drops, all by the same researcher, all for PHP, all for Supsystic apps and plugins. Okay, so if you've got WordPress out there and you're using any of the Supsystic plugins, there's just some righteous exploits for the Metasploit Framework available out there right now for almost every version that's out there. Yeah, it's kind of... he took version 1.1 and wrote a SQL injection for it, and then he took 1.4 and wrote a SQL injection for it, and then he took 2.3 and wrote a local file inclusion for that. So it's just like he's like, oh, these guys are just, you know, completely beside themselves, so I'll take an opportunity to do a bunch of bug bounties here. Anyways, make sure you're checking your WordPress if you're using that Supsystic plugin stuff. Get on version, I guess, four or five or something.

That's right. Don't use WordPress at all.

Yeah, or that. There's always that. That'd be too easy. It's no fun if I don't have anything risqué on the public internet of things.

True, we wouldn't have much to talk about, I guess.

That's true, wouldn't it? So here's a quiz: can you name all the compliance frameworks in alphabetical order?

That's right, nobody can. Never been done, because there are a lot of them, and regardless, it's almost like the flavor of the week, right? Popping up different state-level frameworks, national-level frameworks, and then for all different industries. You have this constant kind of web of things to navigate through, and so we always advise, of course, which we've talked about in earlier episodes: focus on a primary industry-recognized cybersecurity framework, not a compliance requirement but a cybersecurity framework that's holistic for the industry, work on aligning to that, and then all these different compliance requirements will start to fall into place much easier over time. But it's just amazing how many requirements some companies are faced with these days, and the list seems to be growing. My question is, and maybe you guys have an answer, but why can't we all just get along here? Why can't we come up with some more standardized, you know, multi-industry type requirements that everybody just abides by, at least in the US, rather than all these little nuanced things, and then people popping up with new frameworks and then charging you to be certified in them, and on and on and on, when they're really saying the same thing as the others anyway? I'm ranting. I guess that's the point of the podcast, but why do they do that?

This is the way. Yeah, you can make money somehow, man. You know, like an industry in itself, isn't it?

It is. It's the same reason that payment terminals aren't the same across the board. Like, why do I have to go to three different retailers and deal with three different payment terminals, so I look ridiculous standing there trying to figure out what green button I hit and when, and do I swipe or dip with the chip in, or... you know. So it's frustrating, but it does seem to be a constant theme across the board with other things besides compliance. I'm not surprised. You know, Texas will be the next one, right? You got California, got New York, there'll be something from Texas, probably something from Florida, something from Georgia coming out with, like CCPA for California, something stipulating certain requirements for their data, right, or their citizens' data.

Yeah, it comes back to the New York SHIELD law too, which is, you know, basically an enhancement to HIPAA, or a replacement for HIPAA if you're not HIPAA compliant. And every state has their own. I know Minnesota has one too, and I think the last time I checked, because I was working for another client that has HIPAA compliance issues or is required to be HIPAA compliant, there were 32 different states that had their own reporting requirements.

Yeah, really the way around it is you've got to be a data scientist. You've got to look at the frameworks, because here's the thing: all of it is derivative of, well, I mean, the Rainbow Series, right, but a derivative of NIST, right, and it's spun off, it's articulated in a different manner, it's presented in a different manner. However, there are a lot of commonalities, and so picking something... I always say if you secure your infrastructure and your enterprise, you know, above and beyond, then you'll be able to meet most of what's compliant, right? We always talk about that, Mike, right? Security isn't compliance, sort of thing, or compliance isn't security. Security is typically... will help you be compliant. But they treat the compliance pieces as a security framework and then neglect to realize they're scoping things so narrowly that they're really only securing less than 10 percent of their infrastructure.

Well, yeah, and when you've got someone that's got multiple compliance, so then you've got the people focusing on PCI, then you have people focusing on HIPAA, and you have people focusing on, you know, HITRUST or whatever else is out there, when in reality, if you had a unified security framework and you based everything off NIST or CIS or whatever, you would nail most of those things just hitting CIS, and then there's the additional little tweaks. And like the SHIELD law, you know, the difference is, it states towards the bottom that if you're HIPAA compliant you're pretty much covered. I mean, forgive me, no letters, I'm just speaking in generalities here, but one of the big things that they have is that the notification process of a breach is not 30 days, it's 10 days, and so you have to say that in your documentation, and that's the big glaring difference between those kinds of things. I mean, so it's the little pieces, but yeah, you focus on the framework and then you can go from there.

So somebody got paid to change that number from 30 to 10.

Yeah. Wow, I want that job.

Yeah, that's pretty good. Go ahead.

Oh no, go ahead, Zach, I'm sorry.

I know, I was just gonna say it's pretty amazing. You know, I think that you're absolutely right. I think a good framework, well, NIST of course, whether you're looking at NIST CSF or 800-171 or 800-53, there's so many commonalities across the board. I don't know that I've ever looked at a compliance framework that was new to me, or something that I was looking into, and had like a wow or an aha moment saying that's something new for cybersecurity. I don't know, maybe you guys have seen something out of the ordinary or that you hadn't seen elsewhere, but I just haven't seen that yet in the world of compliance.

No, PCI tries to be that, I think. You know, with four coming out, we'll see. I haven't been really paying a lot of attention to some of the changes that they've gone through, as I'm not part of that process anymore, but it'll be curious to see how they've evolved the framework to meet the modern threats that are out now. And that's the other problem, right, is that some of these frameworks are trying to get you to protect things that are no longer really a threat. You know, logging is one of those weird things, right, where centralized logging is this big requirement: you've got to centralize all your logs. Well, yeah, sure, I mean, your logs are going to tell you that you have a breach, but you're not going to go find the criminal. This isn't 1997, where the hackers have to learn that when they break into a system they have to go and delete the log files. Now they're just coming through 43 VPNs and through Tor, so it doesn't matter what IP you see, it's not the right one, thus negating the need for the log file delete, right? So there's a lot of old controls that are, like, not applicable to kind of modern threat modeling exercises, I guess, that could be done. And so it'll be interesting to see what PCI kicks out, and if they've assisted in the structuring of things around, like, network segmentation and how to define scope and those sorts of things.

And we both worked for a company that decided the entire company was in scope, but couldn't happen. It's not a bad thing, but they couldn't put their hands around basic compliance structures, let alone, you know, everything was a business exception and everything was, we can't do that because...

I was like, well, okay. Scope creep, right? And it's funny, because, you know, as much as I... I mean, we've been with PCI since it was Visa CISP, right, so we've kind of seen the whole evolution of this framework from about through the payment card industry and the variants, and so I love it, right? I like teaching it, I like talking about it, I like helping companies go through assessments with it. But you certainly see how companies react when they ask, like, oh, how do I limit scope to just the systems that matter? And I ask, like, why would you only want to secure these systems and be the organization that says, oh hey, look at us, we've got 4,000 systems but only 200 of them are secured? Right? I mean, why would you buy an enterprise cybersecurity tool for endpoint security and only deploy it to the people that work in the call center? It just doesn't make sense, right? Why you wouldn't do something from a holistic perspective. And so when people ask about that scope, I always say that you don't want everything to be in scope because you don't know what's going on and thus everything has to be. You should certainly know where your CDE is, and your data flows in and out of what systems would be involved in that storing, processing, and transmitting function. But you need to look at it from a reasonable defensive perspective and say, okay, well, if we're going to defend this, I don't want somebody to break into a call center computer, or a non-call center computer, and then use that as a pivot point. Let's make a holistic decision to deploy the tool realistically and secure the whole organization under the guise of doing the right thing for PCI.

Right. Yeah, plausible deniability is no longer an option.

Yeah, and it was like, oh, totally, and it's like, I want to limit scope so on the ROC I don't have to fill in, you know, the 8,500 machines that I have. They're in scope.

Yeah, it was a beta exercise. I remember a company that I worked with, we were going through the audit and I was new there, and they're like, well, we're going to take these machines out of scope because A, they're deprecated and B, it has older data on it, and it's all PCI data. And it's like, no, you can't take that out of scope.

Yeah, it's a fail. It's an automatic fail.

How about we fix it instead? How about we not have deprecated machines?

There's a lot of what I'd say auditor lore.

Yeah, okay.

There's a lot of assessors that come in that have no technical experience, no real previous experience under PCI and how to implement it in a technical manner, right? And I think that's a big part of being good at this, is being able to understand what the requirement says and then how to actually go and configure it in a technology, or deploy it to meet the control. Otherwise you're just reading it off, you know what I mean? And so there's sometimes a huge knowledge gap from the assessor coming in, you know, seeing certain things and claiming things aren't in place when they really don't understand what the framework is asking for, and then how to demonstrate that, how to better demonstrate that in the technology itself.

I got one worse for you. I remember I was doing a SOC 2 and they wanted me to explain how software was installed, and I asked the auditor, have you ever installed a piece of software? And he said no. So it's like, at that point, okay, turn off your computer, send it back to the manufacturer, and go live in a cave somewhere.

No, no, I wouldn't do that. I would say just page me. We'll page you if we need you, right? It's a turnkey system.

Well, another great example is, so, you know, again, I had a PCI assessor come in, and again the organization applied a limited scope to try to get their arms around the brunt of the problem, right, where they really needed security most. So I agree, I certainly agree in a phased approach, right? You start with your in-scope systems and then kind of broaden that out to the rest of the universe, right? But they were in for an assessment and started complaining about the network segmentation and how we hadn't implemented it properly, and then they couldn't really articulate what network segmentation was. But what they did, well, here's the thing, and this is something that... so if you're in PCI, listen to this. So the assessor basically told me that because PCI DSS doesn't define network segmentation, I didn't have a place to go back to to prove him wrong in the instance of him questioning the scope. Now, he's right. PCI DSS says that you can use segmentation, like in the very front of the document, it's like on page 11, right when you get into it, because that's the beauty thing about PCI: it tells you how to do everything. It's like an IKEA instruction box, right? So on network segmentation, it tells you that you can use it to limit the scope. It doesn't tell you how to implement it, okay? And so he's partially right there. So this is what we did. Absolutely, you're right. So now, while other networking professionals out there are gonna kind of laugh at this sort of scenario, what we did is we built an information technology standard that defined what network segmentation was and how it was deployed in this particular organization. And so once we defined what network segmentation was, using basic internet public accessible knowledge on how fundamental networking works when you segment compartments and VLANs and ACLs and stuff like that, we articulated this in the document. And then when we were asked again about how and why we chose the scope and how we limited the scope, we could stand on the segmentation methodology in that network segmentation standard to say: this is what we've determined as an organization what network segmentation means to us and how we apply it with our technologies, and this is how we used it to limit the scope that you see here. And problem was over. But I mean, it didn't need to come to that, but it's interesting that PCI, in the instance of kind of wanting to... they can't write every organization into a corner, so they structure the language specifically for a reason, so they can apply to any organization at any time, right? But they lack some of the, I guess, strategy language, and in this case it not only doesn't allow an organization to fully understand what they can do with network segmentation to build a phased approach for PCI, it also gives an assessor a place to come in and blow scope out of the water and say you didn't put network segmentation in place properly, everything's in scope. Because what does that do to their service fee now that instead of looking at 50 systems for PCI they're having to look at 50,000? So yeah, they probably want it, right? They want that convolution to their benefit.

Yeah, it's, I don't know, kind of like a lot of the legal system, right? There's certain people that always win. I won't name who that is, but there's certain parties that always come out ahead, and so usually it's not the people caught up in these things. But as far as speaking to those people that are, let's say, they've listened to the message, they understand aligning to an industry standard framework, and now they're tackling compliance requirements, what would be your guidance for them as far as systemizing it so that it works year in and year out like clockwork within their organization? So it's not just a big heavy lift for 30, 60, 90 days every time the auditor is about to come through. How should they go about thinking about that and executing that so it's more streamlined? When we say it together, Mike...

Operation... yeah.

Say it again.

Operationalization. It's really the only smart way to go forward with any of this stuff, because it's cyclical, right?

Exactly.

Yeah, otherwise it's a fire drill every year, right? And if you don't operationalize it, then you're just killing yourself. And then we work for companies that refuse to do that, right? How many conversations and meetings are we in where someone's asking a question, well, what exactly evidence do you need, or how exactly do I do that? And it just gets to the point where you're just spinning wheels and wasting time.

Sure. And I think while some organizations don't want to do the work, right, they have other things going on and they're happy to pay a third party to come in and deliver evidence and refresh evidence and all that thing, but like one of our methodologies is we build technology profiles. So for every technology you have in your organization that falls into the scope of PCI, we have a profile for that particular technology that says these are the pieces of evidence you need to deliver. Maybe that's four things, maybe that's 14 things, right? That may include screenshots or documents, that sort of stuff. And you simply add it to a calendar invite, and every year, months before the assessment, you deliver a refresh of your evidence into a SharePoint or OneDrive or whatever, drop it, it doesn't matter. But you can really make it easy for everybody to do their parts every year if you can just pull all the convolution out and say these are the three articles of data evidence I need from you: it's two screenshots and this document, right?

No, I 100 percent agree with that. And the problem too is the documentation. I can't tell you how many times I've looked at documentation that's five years old and hasn't been reviewed and updated, and it's not taking into account staffing and changes in the environment and that sort of thing. So yeah, the operation... I'm giving up on that word. Making it part of your KTLO activities is the best way to ensure compliance. It is the most efficient way of ensuring compliance, and it becomes part of your mission and it becomes part of what you do. And just document as you go, update diagrams as you go, but have the quarterly checks, have an internal PCI audit, have PCIPs on staff, invest in your people, send them to PCI classes so that they can help ensure that you are compliant before the auditor shows up and everybody goes, oh crap, we're not compliant.

So yeah, and I hate to burst the bubble of all the big GRC guys out there, well, GRC entities out there, let me say it that way.

Yeah.

But you can do everything that they're claiming their products do with a calendar, a spreadsheet, and a drive location, a share drive. You can do absolutely everything that those technologies claim to be able to do if you're just smart about it and you go forth and lay the pre-configured calendar invites for all the stuff and how to deliver everything. You don't have to babysit yet another technology. You can use what you have.

Yeah, exactly. There's no reason to spend a hundred thousand dollars on a GRC deployment, because what is it doing? It's got calendar invites and fields to hold data.

Yeah, and I can be with companies right now where the PCI company then also sold them the GRC. The people doing the audit, or the QSA doing the audit, also sold them the GRC tool.

Yeah, it just feeds on itself. Now, that being said, I mean, the computer industry is a computer industry, and people are going to buy what they're going to buy, and they still have this misnomer out there, this misunderstanding out there, that tools are going to save the world. Tools have their validity and they have their usages, but they are not the savior of the IT industry. What people are... you have to invest in your people, and that's really one of my true guiding principles. We have to invest in our people, because that will minimize the tools. Unfortunately for the larger companies, that means you're not buying as many tools.

Yeah, well, excellent point, and I think that's a good note to wrap it up on as well. Just a couple key takeaways. I mean, for compliance, it's always going to be about building it into your operations and not just waiting until the last minute, as a lot of organizations do. It takes a little bit of upfront planning and support, but again, to the people aspect, I mean, that's going to be critical. You get that good expertise in there to help you build that program out, and your life will be much, much easier, and it'll be a lot more cost effective to align these compliance requirements. And then another thing, Lauro, you mentioned, on getting everybody involved: don't just have one person trying to do the big lift. Basically, involve different people in the organization, make it clear what they're responsible for, right? And once you have those good systems in place, I think your life will be a lot easier. This won't be such a headache, and it'll be easier to report to the rest of the executive team, the board, that, hey, here's where we are compliance-wise, even before the audit. Right? You should already have an idea of where any shortcomings might be so you can be shoring those up throughout the year, not after they've been pointed out by the auditor. So, hope this helps. I know compliance is a thorn in the side for a lot of people. Reach out to us if you have any questions, need any support, and thank you for listening to the Cyber Rants podcast. Please rate us on your favorite podcast platform and let us know other topics you'd like us to talk about. Happy to chat. Thanks a lot, have a great day, see you next time, take care.

Pick up your copy of the Cyber Rants book on Amazon today, and if you're looking to take your cybersecurity program to the next level, visit us online at. Join us next time for another edition of the Cyber Rants podcast.