February 15, 2021

The Cyber Rants Podcast

Episode 16 - Everybody Loves Cybersecurity Compliance!

Compliance. Internet security in business. These topics aren’t the most attractive topic to discuss but for most organizations, it's a necessity. This week, the guys discuss compliance obstacles and pitfalls, how to overcome them, plus the investment that provide the biggest returns when it comes to cybersecurity compliance. They also help you with understanding cybersecurity laws. Whether you're faced with PCI, CMMC, SOC 2 audits, GDPR, CCPA, or any other set of requirements, the fundamentals are the same and this episode is for you.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber criminals and now here's your hosts mike rotondo

zach fuller and lauro chavez hello and welcome to the cyber rants podcast this is your co-host zach

fuller joined by mike rotondo and lauro chavez and today we have a fascinating topic compliance um it

is uh something that's just critical not always the most fun thing to talk about or dive into but

i think we're going to share some insight that will help you along the way because reality is

this is a problem for everybody but before we do mike why don't you kick us off with the news

actually zach we're not doing this this week remember um i was i just came back from vacation

and frankly people apologize but i did not have time to uh to look up some news stories for you

um but there's a ton out there and guarantee that i am but yeah no i'm drinking out of a fire hose

after vacation shattering the mold here i don't even know what to do can we yeah we're

freelancing today quick quick switch to lauro with uh exploits all right take over please save them

reject the button pardon that anyways we've always got exploits to talk about so um

this week i think it's kind of an interesting week because

there were nine wordpress plug-in exploits drops all by the same researcher all for php all for um

subsistic apps and plugins okay so if you if you got wordpress out there and you're using

any of the uh the subsistic plug-ins there's just some righteous just some righteous exploits for

uh for metasploit framework available out there right now for almost every version

of uh that's out there yeah it's kind of it's kind of he took he took version 1.1 and wrote a sql

injection for it and then he took 1.4 wrote a sql injection for it and then he took 2.3 and wrote a

local file inclusion for that so it's just like he's he's like oh these guys are just you know

completely beside themselves so i'll take an opportunity to do a bunch of bug bounties here

um anyways so uh make sure you're you're checking your wordpress for using you know

that that subsistic uh plug-in stuff um get get on version uh i guess four or five or something

that's right don't use wordpress at all yeah or that yeah there's always that that'd be too easy

it's no fun if uh you know i don't have anything risque on the public internet of things you know

true we wouldn't have much to talk about i guess that's true wouldn't it so here's

here's a quiz can anybody uh can you name all the compliance frameworks in alphabetical order

that's right nobody can never been done because there are a lot of them and regardless of it's the

it's it's almost like the flavor of the week right popping up different uh state level frameworks

national level frameworks and then all for all different industries you have this constant kind

of webbed web of things to navigate through and so we always advise you of course which we've talked

about in earlier episodes focus on a primary industry recognized cyber security framework

not a compliance requirement but a cyber security framework that's holistic for the industry work on

aligning to that and then all these different compliance requirements will start to fall into

place much easier over time but it's just amazing how many requirements some companies are faced

with these days and the list seems to be growing my question is and maybe you guys have an answer

but why why can't we all just get along here why can't we come up with some more standardized you

know multi-industries type requirements that everybody just abides by at least in the us

rather than all these little nuanced things and then people uh popping up with new frameworks

and then charging you to be certified in them and and on and on and on when they're really saying

the same thing as the others anyway i'm ranting i get i guess that's the point of the podcast but

why do they do that this is the way yeah you can make money somehow man you know like an industry

in itself isn't it it is it's the same reason that payment terminals aren't the same across the

boards like why do i have to go to three different retailers and deal with three different payment

terminals so i you know look ridiculous standing there trying to figure out what green button i hit

and when and do i swipe or dip with the chip in or you know you know so it it's frustrating but

it does seem to be a constant theme across the board with other things besides compliance i'm

not surprised you know texas will be the next one right um you got california got new york there'll

be something from texas probably something from florida something from georgia coming out

with certain like ccpa for california something stipulating certain requirements for their data

right or their citizens data yeah it comes back to new york shield law too which is you know around

basically it's a enhancement to hipaa or replacement to hipaa if you're not hippa compliant

and you know the the every state has their own i know many minnesota has one too and uh i think

the last time i checked because i was working for another client that has hipaa compliance issues

or is required to be hipaa compliant there was 32 different 32 different states that had their own

reporting requirements yeah really the way the way around it is you've got to be a data scientist

you've got to you've got to look at the frameworks because you know here's the thing is that you know

all of its derivative of well i mean the rainbow series right but a derivative of a nest right

and it's spun off it's articulated in a different manner it's presented in a different manner

however there are a lot of commonalities and so picking something i always say if you secure your

infrastructure and your enterprise you know above and beyond then most of the you'll be

able to meet what's compliant right we always talk about that mike right security isn't compliance

sort of thing um our compliance isn't security security is typically we'll help you be compliant

um right but they treat the compliance pieces as as a security framework and then

negate to realize they're scoping things so narrowly that they're really only securing a less

than 10 percent of their infrastructure well yeah and when you've got someone that's gotten multiple

compliance so then you've got the people focusing on pci then you have people focusing on hipaa and

you have people focusing on you know high trust or whatever else is out there when reality if

you had a unified security framework and you based everything off nist or cis or whatever

you would nail most of those things just hitting cis and then there's the additional little tweaks

and like the shield law you know that the difference between you know it states towards

the bottom that if you're hypocomplying you're pretty much covered i mean forgive me don't no

no letters and just speaking of generalities here but one of the big things that they they have is

that the notification process of a breach is not 30 days it's 10 days and so you have to say that

in your documentation and that's the big you know the big glaring difference between those kind of

things i mean so it's the little pieces but yeah i mean you focus on the framework and then you

can go from there so somebody got paid to change that number from 30 to 10 yeah wow i want that job

yeah that's pretty good go ahead oh no go ahead zach i'm sorry i know i was just gonna

say it's pretty amazing you know i think that you're absolutely right you know i think a good

framework well nist of course you know whether you're looking at nist csf or 800 171 or 853

they're all there's so many commonalities across the board i don't know that i've ever

looked at a compliance framework that i was just you know that was new to me

or something that i was looking into and had like a a wow or an aha moment saying

that's something new for cyber security yeah i don't know maybe maybe you guys have seen

something something out of the ordinary or that you hadn't seen elsewhere but i

i just haven't haven't seen that yet in the world of compliance no pci tries to be that i think um

you know with four coming out we'll see what i haven't been really um paying a lot of attention

to some of the the changes that they've you know gone through as you know not part of that process

anymore but um it'll be curious to see how they've they've evolved the framework to to meet you know

the modern threats that are that are out now um and and that's that's the other problem right is

that some of these frameworks are trying to get you to protect things that are no longer really

um a threat um you know logging is one of those weird things right where you know

that centralized logging is this big requirement you got centralized all your logs all your logs

well yeah sure you're i mean your laws are going to tell you that you have a breach but

you're not going to go find the criminal you know it was it's not this isn't 1997 where

you know the hackers have to learn that when they break into a system they have to go and delete

the log files now they're just coming through 43 vpns and through tor so it doesn't matter

what ip you see it's not the right one but thus negating the need for the log file

uh delete right so there's a lot of old controls that are like not applicable to kind of modern

threat modeling exercises i guess that could be done and so it'll be interesting to see what pci

um kicks out and if they've you know assisted in in the in the structuring of things around like

network segmentation and how to define scope and those sorts of things and we both worked

for a company that decided the entire company was in scope but couldn't happen

it's not a bad thing but they couldn't put their hands around basic compliance structures

let alone you know everything was a business exception and everything was uh we can't do that

because i was like well okay scope creep right is and and it's funny because you know and as much as

i you know i mean i've i've been you know we've been with with pci since it was visa cisp right

so we've kind of seen the whole evolution of this framework from about through the payment payment

card industry and the variants and so i'm i love it right i like teaching it i like talking about

like helping companies go through assessments with it but you certainly you certainly see the

how companies react when they when they ask like oh how do i limit scope to just the systems that

matter and i ask like why would you only want to secure these systems and be the organization

organization that says oh hey look at us we've got 4 000 systems but only 200 of them are secured

right you know i mean like why would you buy a you know an enterprise cyber security tool for

endpoint security and only deploy it to the people that work in the call center um it just doesn't

make sense right why you wouldn't do something from a holistic perspective and so when i when

people ask about that scope it you know i always say that you don't want everything to be in scope

because you don't know what's going on and thus everything has to be you should certainly know

where your your cde is and and you know your data flows in and out of what systems would you know

you know be involved in that that story processing and transmitting function but um you need to look

at it from a reasonable defensive perspective and say okay well if we're going to defend this

i don't want somebody to break into a call center computer or you know a non-call center computer

and then use that as a pivot point let's make a holistic decision to deploy the tool

realistically and secure the whole organization under the guise of doing the right thing for pci

right yeah possible deniability is no longer an option yeah and it was like oh totally and it's

like i want to limit scope um so on the rock i don't have to fill in you know the 8 500

machines that i have they're in scope yeah it was a beta exercise i remember a company that

i worked with you know we were going through the audit and i was new there and they're like

well we're going to take these machines out of uh scope because they're a deprecated and b you know

has older data on it and it's all pci data and it's like no you can't take that out of scope

yeah it's a fail it's an automatic field how about we fix it instead how about we not have deprecated

machines there's a lot of what i'd say um auditor lore yeah okay there's a lot of assessors that

come in that have no technical experience no real previous experience under pci and how to

implement it in a in a technical manner right and i think that's that's a big part of being

good at this is being able to understand what the requirement says and then how to actually go

and configure it in a technology or deploy it to meet the control otherwise you're just reading it

off you know what i mean and so there's a there's sometimes a huge knowledge gap from the assessor

coming in you know seeing certain things and claiming things aren't in place when they

really don't understand um you know what the framework is asking for and then how to

demonstrate that how to better demonstrate that in the in the technology itself i i got one worse for

you i remember i was doing with the sock too and they wanted to explain how software was installed

and i asked the auditor have you ever installed a piece of software and he said no so it's like

at that point okay turn off your computer send it back to the manufacturer and uh go live in a

cave somewhere no no i wouldn't do that i would say just page me we'll page you if we need you

right is a turnkey system well another great example is that is so you know again i had a pci

assessor come in and start again the organization you know applied a limited scope to try to

you know get their arms around the brunt of the problem right where they really needed security

mode so i agree i certainly agree in a phased approach right you're starting to start with your

your in-scope systems and then kind of you know broaden that out to the rest of

the universe right but um they they were in for an assessment and started complaining about

the network segmentation and how we hadn't hadn't implemented it properly and then

they couldn't really articulate what network segmentation was but what they did well here's

the thing and and this is something that it's so if you're if you're in pci listen to this

so the assessor basically told me that because pci dss doesn't define network segmentation

that i didn't have a place to go back to to prove him wrong in the instance of him questioning the

scope now he's right pci dss says that you can use segmentation like in the in the very front

of the document it's like on page 11. all right like right when you get into the because that's

the beauty thing about pcr it tells you how to do everything it's like a ikea instruction box right

so in network segmentation it tells you that you can use it to limit the scope it doesn't

tell you how to implement it okay and so he's partially right there so this is what we did

absolutely you're right so now while other networking professionals out there right and

and are gonna you know kind of laugh at this this this sort of scenario what we did is we built an

information technology standard that defined what network segmentation was and how it was deployed

in this particular organization and so once we defined what network segmentation was using

basic you know um internet public accessible knowledge on on how uh fundamental networking

works when you segment compartments and vlans and acls and stuff like that

we articulated this in the document and then when we were then asked again about how why

we chose the scope and how we limited the scope we could stand on the segmentation methodology

in that network segmentation standard to say this is what we've determined as an organization

what network segmentation means to us and how we apply it with our technologies and

this is how we used it to limit the scope that you see here and problem was over but i mean

you know it it didn't it didn't need to come to that but it's it's interesting that

pci in the instance of you know kind of you know wanting to you know they can't they can't build

this they can't write every organization into a corner so they they structure the language

specifically for a reason so they can apply to any organization at any time right but they

lack some of the i guess strategy language and in this case it not only doesn't allow

an organization to kind of fully understand what they can do with network segmentation to like you

know build a phased approach for pci it also gives an assessor a place to come in and blow scope out

of the water and say you didn't put network segmentation in place properly everything's in

scope because what does that do to their service fee now that instead of looking at 50 systems for

pci they're having to look at 50 000. so yeah they probably want it right they want that convolution

on their on their benefit yeah the the uh it's i don't know kind of like a lot of the legal system

right there's there's certain people that always win i won't name who that is but right there's uh

certain parties um that uh that always come out ahead and so usually it's not the people caught

up in these things but um as far as speaking to those people that are let's say they've listened

to the message they understand uh aligning to an industry standard framework and now they're

tackling compliance requirements what would be your guidance for them as far as systemizing it

so that it works year in and year out like clockwork within their organization so it's

not just a big heavy lift for 30 60 90 days every time the auditor is about to come through how how

should they go about thinking about that and executing that so it's more streamlined when we

say it together mike operation yeah say it again operationalization it's really the only smart way

to go forward with any of this stuff because it's cyclical right exactly yeah it's otherwise it's

a fire it's a fire drill every year right and if you don't if you don't operate operationalize it

then uh you know you're just killing yourself and then we work for companies that refuse to do that

right how many conversations and meetings are we in that that where someone's asking a question

well what exactly evidence do you need or how exactly do i do that and

you know it's just it's it gets to the point where you're just spinning wheels and wasting time

sure and and you know i think while some organizations don't want to do the work

right they have they have other things going on and they're happy to pay an order a third

party to come in and and deliver evidence and refresh evidence and all that thing but

like one of our methodologies is we build technology profiles so for every technology

you have in your organization that falls into the scope of pci we have a profile

for that particular technology that says these are the pieces of evidence you need to deliver

maybe that's four things maybe that's 14 things right that may include screenshots or documents

that sort of stuff right and you simply add it to a calendar invite and every year

months before the assessment you deliver a refresh of your evidence into a sharepoint or onedrive or

whatever drop it doesn't matter but you can really make it easy for everybody to do their parts

every year if you can just say if you can just pull all the convolution out and say these are

the three p articles of data evidence i need from you it's two screenshots and this document right

no i 100 agree with that and the problem too is the documentation i i can't tell you how many

times i've looked at documentation that's five years old and hasn't been reviewed and updated

and it's not taking into account you know staffing and changes in the environment and that sort of

thing so um yeah the operation i'm giving up on that word making it part of your ktlo activities

is the best way to ensure compliance it is the most efficient way of ensuring compliance

and it becomes part of your mission and it becomes part of what you do and and just you know document

as you go update diagrams as you go but you know have the quarterly checks have an internal pci

uh audit have pcips on staff invest in your people get to send them to pci classes so that they can

help ensure that you are compliant um before the auditor shows up and everybody goes oh crap we're

not compliant so yeah and i hate to burst the bubble of all the big grc guys out there um well

grc entities out there let me say it that way yeah but you can do everything that they're claiming

their products do with calendar a spreadsheet and a drive location a share drive you can do

absolutely everything that those technologies claim to be able to do if you're just smart about

it and you go forth and lay the the pre-configured calendar invites for all the stuff and how to

deliver everything um you don't have to babysit yet another technology you can use what you have

yeah exactly there's no reason to spend you know a hundred thousand dollars on on a jrc deployment

because what is it doing it's got calendar invites and fields to hold data yeah and you know i can

be with companies right now that are you know the the pci company then also sold them the grc

you know people doing the audit or the qsa doing the doing the audit also sold on the grc tool so

yeah it just feeds on itself now that being said i mean the computer industry is a computer industry

and people are going to buy what they're going to buy and they still have this misnomer out

there there's misunderstanding out there that tools are going to save the world the tvs have

their tools have their validity and they have their usages but they are not the savior of the

iit industry what people are you have to invest in your people and uh that's really one of my

one of my true you know guiding principles we have to invest in our people because that will minimize

the tools unfortunately for the larger companies that means you're not buying as many tools yeah

well excellent point and i think that's a good a good note to wrap it up on as well and just

you know couple key takeaways i mean for for compliance it's always going to be

about building it into your your operations and and not just waiting until the last minute um

as a lot of organizations do it takes a little bit of upfront planning and support but again

to the people aspect i mean that's that's going to be critical you get that good expertise in

there to help you build um that program out and your life will be much much easier and it'll be

a lot more cost effective to align these compliance requirements and then another

thing lauro you mentioned on getting everybody involved you know get don't just don't just have

one person trying to do the lift big basically involve different people in the organization

make it clear what they're responsible for right and um once you have those goods go good

systems in place i think your life will go uh will be a lot easier this won't be such a headache and

it'll be easier to report to to the rest of the executive team the board um that hey here's where

we are compliance wise even before the audit right you should already have an idea of where

the uh the any shortcomings might be so you can be shoring those up throughout the year

not uh not after they've been pointed out by the auditor so hope this helps i know compliance is

a thorn in the side for a lot of people reach out to us if you have any questions need any support

and uh thank you for listening to cyber the cyber ants podcast please rate us on your

favorite podcast platform and let us know other topics you'd like us to talk about happy to chat

thanks a lot have a great day see you next time take care pick up your copy of the cyber ants book

on amazon today and if you're looking to take your cyber security program to the next level visit us

online at www.silentsector.com join us next time for another edition of the cyber rants podcast

Episode 16 - Everybody Loves Cybersecurity Compliance!

Send Us Your Questions & Rants!