Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode #50 - Compliance Vs. Security

Is being compliant the same as being secure? If you're meeting all the requirements, are you adequately protected? This week, the guys discuss the differences, nuances and overlaps between cybersecurity and compliance, plus how you can simplify alignment to multiple compliance requirements.  

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:



Trend Micro: 90% of IT Decision Makers Believe Organizations Compromise on Cybersecurity in Favor of Other Goals


Zero-day Bug in All Windows Versions Gets Free Unofficial Patch


How We Broke the Cloud With Two Lines of Code: The Full Story of Chaosdb

Murder-for-Hire, Money Laundering, and More: How Organized Criminals Work Online

Threat Spotlight: Bait attacks

MacOS Zero-Day Used in Watering-Hole Attacks

Organizations More Susceptible to Ransomware Attacks During Weekends and Holidays

elcome to the cyber rants podcast where
we're all about sharing the forbidden
secrets and slightly embellished truths
about corporate cyber security programs
we're ranting we're raving and we're
telling you the stuff that nobody talks
about on their fancy website and trade
show giveaways all to protect you from
cyber criminals and now here's your
hosts mike rotondo zack fuller and lauro
chavez hello and welcome to the cyber
ants podcast this is your co-host zach
fuller joined by mike rotondo and lauro
chavez and today
we are talking about
versus security are they the same are
they different
we'll unwrap that deep topic here
shortly but before we do mike why don't
you kick us off with the news
good morning and uh welcome to the news
uh fbi email server hacked i'm sure
we've all heard about this and sent spam
sent from fbi email account on 13
november the fbi's unclassified email
server was hacked and roughly a hundred
thousand spam emails were sent from a
compromised account apparently the email
was grammatically challenged claimed a
threat actor who is in reality a highly
respected usper cyber security expert
affiliated with a criminal gang named
the dark overlord was attempting to
attack the emails recipients networks
either way wait wait wait wait the fbi
got attacked by the dark overlord
apparently apparently i thought it
happened yeah it was a dark overlord but
apparently yeah and even
that's not going to make our
list of top hacker names even that
probably won't even be in the top 50 i
don't think no
it's not as you know
not as
as uh
as interesting as uh you know the dark
kitty and the rest of them that are out
yeah there's a lot a lot better ones but
i'm sure somebody that uh has some
self-esteem issues and wants to make him
sound like make himself like sound like
he's a badass so anyway sophos releases
his annual threat report and it isn't
pretty uh sophos released its 2022
threat report via their website the
annual report documents the past year
cyber disasters
in addition to forecasting threat trends
for the upcoming year the report states
ransomware as a service entities will
multiply in the coming year you can't
expect that cyber extortion tactics they
identified 10 different will increase in
severity intensity to force customers to
pay extortion fees crypto mining
targeting will increase which we
expected so for suspect suspects that
attempts to mass exploit it admin tools
and exploitable internet facing services
will continue to rise threat actors are
likely to increase the abusing cobalt
strike power split and mimikats the
growing interest in linux systems is
expected to surge uh they're starting to
attack those botnets such as mirai we'll
take advantage of software
vulnerabilities and default passwords
and iot devices and then there's going
to be some mobile malware and social
engineering going off so
interesting stuff
kind of talking about our subject today
trend micro 90 of i.t decision makers
believe organizations compromise on
cyber security in favor of other goals
trend micro announced new research
revealing that 90 percent of i.t
decision makers claim their business
would be willing to compromise on cyber
security in favor of digital
transformation productivity or other
goals additionally 82 percent have felt
pressure to downplay the severity of
cyber risk to their board
the research reveals that just fifty
percent of it leaders and thirty eight
percent of business decision makers
believe the c-suite completely
understands cyber risk many believe the
c-suite either doesn't try hard enough
26 or doesn't want to 20
to understand uh 49 of respondents
clinton cyberists are still being
treated as an i.t problem rather than a
business risk
and that is one of the dangers that we
education cyber security is costing some
companies over 100 million
mississippian-based cybersecurity firm
has dug into several experiences
incidents that involve industrial
control systems typically for
and the news isn't good basically
they're finding that just the cost is
getting ridiculous you know 100 million
is a lot to fix something especially if
you're a small company because you can't
afford that and guess what there's a
zero debug in all windows version and
gets a free unofficial patch that's nice
of them a free unofficial patch is now
available for a zero day local privilege
escalation vulnerability in the windows
user profile service that lets attackers
gain system privileges under certain
conditions apply the free patch it's a
couple interesting headlines cis
announced the new cyber security
playbook go ahead and check that out
hacker company broke the cloud using
it's an interesting story and then
there's also murder for higher money
laundering and more how organized
criminals work online so with that
laurel any thing you want to talk about
yeah sure i mean
i got some exploits i got i've got some
explain news i've actually got well
there's a lot of exploiting news i'm not
talking about because i've already made
that both that we don't we don't talk
about that anyways but i do have one to
bring to everyone's attention this week
that i think is important because if you
are on the get lab community you should
be aware that there is some pretty
awesome remote code execution
unauthenticated too that is out there
nice little payload let's get sent in uh
using curl
or curl i like to say curl just sounds
like i'm working out you know what i
curling it
yeah that way when i tell everybody that
i'm working curl they're like oh he's
out of physical exercise no it's not but
they don't know that but you know make
sure that if you're using that get off
that version i think it's uh
13.8.8 is if you've got any packages
that are still in that versioning make
sure up off of that because very nice
proof of concept out there and uh hats
off to the author jacob baines very well
done sir very well done and um everybody
should be aware that get lab community
edition enterprise before 1310 and after
13 8 does have remote code execution so
took my time on that one very specific
since we only have one that's all i have
for exploits this week
and aside from the free patch from
big surprise i'm sure that somebody's
oil filter is leaking too from the
factory i'm just wondering you know
they're talking about how it's a free
are they gonna start charging for
patches going forward i don't know it
just seems like an interesting it says
it just seems like an interesting cost
idea but i can't say something i'm
throwing that on the table
you know what i mean let's start
charging for patches like you just use
it it works
it works fine
it just it works we didn't know who's
local privilege escalation what's that
yeah it's probably not important it's
probably nothing probably no
it's a cigarette burn in the seat you
can drive the car it's fine that sounds
like too techy i think you know my
computer works if the printer works
we're good
we're good don't need to worry about
that you see a blue screen of death it's
the only time you need panic because it
let's talk about compliance shall we but
after we take a quick commercial break
want even more cyber rants be sure to
subscribe to the cyber rants podcast get
your copy of our best-selling book cyber
rants on amazon today
this podcast is brought to you by silent
sector the firm dedicated to building
world-class cyber security programs for
mid-market and emerging companies across
the us silent sector also provides
industry-leading penetration tests and
cyber risk assessments visit and contact us today
and we're back
we're going to talk about compliance
versus security or compliance and
security i don't know let's see where
the conversation goes
security and compliance i want to start
it off with a hypothetical question not
saying i've ever heard this before but
hypothetical question
we are
pick a framework pci compliant so we're
what do you say to prove it no one's
secure first off ridiculous but
compliant you may be compliant you may
you may you may have a you may have a
letter that says your compliance
something you may have
an assessor tell you your complaint or
something doesn't mean you're secure
in this case pci dictated that i do
all these things
that would that would make me secure
that's not that's not the case
what you're telling me so if i'm
complying i'm not necessarily secure is
what you're what you're hedging at so
you're compliant in that you are
protecting card data doesn't necessarily
mean that your enterprise as a whole is
secure so the systems that you put in
scope for your pci
are compliant with pci security and
hardening that does not necessarily mean
the rest of your enterprise
is is compliant or secure bingo now i'm
not name calling but there was some um
there was some research done
and it it looked at pci compliant
companies and
as a pci compliant organization they
found that the actual security
cyber security implementation as an
overall architecture
that only made up about four to 12
percent of the entire enterprise and it
was focused simply in the pci
in scope area right which is i think
where organizations kind of get in
trouble with that i think it's a
a problem one of the things we see is
that especially mid-market and emerging
size companies
they may have one or multiple compliance
that they have to follow
and it seems like sometimes that is the
bigger looming threat the potential
maybe an upcoming audit or a potential
requirement from a client or whatever
the case may be is driving their need
for compliance and nobody's really
saying wait a minute maybe you should
have a holistic
cyber risk management program
first and then cover down on compliance
and i think it's a matter
of timing and
uh limited resources budget right
what do we do what would you advise a
company to do if they're faced with well
we need to focus on compliance so that's
what we're going to do
as opposed to
our oh you know our recommendation which
of course is build a holistic cyber risk
management program first
breaking book called cyber rants that
talks about operationalizing
uh compliance making this available on
amazon shameless questions that's always
an ace in your sleep
that's great yeah i know it's certainly
covered in the book it is yeah certainly
but for for
i guess a quick because this this can be
complicated right and um i think
i think the easiest thing to do is to
separate the idea
a compliant
a compliance framework of any type or
security framework of any type applies
only a subset of your business that is
dealing with that data or a piece of
code that you write that's dealing with
that data
you have to understand that it's an it's
an adoption of
i don't want to call it a belief or
religion or but i mean it's a it's a
adoption of
that are required to
you know try and build this this sort of
holistic view right so you have to you
have to get out of the headspace where
oh you know my this i've got 14 apps and
you know nist you know csf only applies
to the one over here that's doing you
know the sensitive data all the rest of
them don't matter i can do whatever i
want with them so all i can tighten all
my development process around this one
app and do vulnerability scanning and
we'll only get a pen test on this one
app that will limit the scope just to
this one app meanwhile there's dev going
on there's a whole you know 24 block
with the dev team using it and they're
putting all kinds of things on amazon
and elastic bean stock and
and everybody else out there um that's
that's offering that cloud platform and
you look
and uh auditors going to come in and
they're going to get paid to do the
scope of the audit
you know what i mean regardless of what
you've chosen the business the assessor
typically will attempt to stick to the
scope they may have some opinions along
the way but they'll try to follow the
scope of the assessment that they have
that list of systems that's doing this
and and then you you essentially end up
with that that research model where you
you're this like little slice of the pie
of your whole enterprise that's secured
and it's barely right and and if you if
you haven't air gapped or you know
completely segmented that
physically away from everything else it
could still be
at risk just based on the rest of the
enterprise being
not doing anything at all
that separate your belief system
right no that makes perfect sense i
don't have anything to add to that
that was very well said what about
there and i think there's a blend right
so if we talk about something like pci
for credit card data where we talk about
hipaa for protected health information
phi we have scope based on the
specific data set right
so those those are those are obviously
kind of niche
foot areas of focus right obviously not
holistic the organization what if we
look at something
iso 27001 or sock 2 would you say
that there's a
essentially a sliding scale within the
compliance requirements out there where
some are much more holistic than others
i i kind of have an issue even though
even though we do do social audits and
socrates prep i do kind of have an issue
with stock too in that it is
it is really an accounting certification
its enterprise certification is not
necessarily a security certification it
does not have the depth
technical requirements that a pci would
have or an iso would have so you know
sock 2 is nice to have but i would say
you know of the two iso obviously has
more depth
uh but being stock to be compliant does
not mean in any way shape or form that
you're secure
that's my yeah such a
yeah that's great it has such a limited
subset for a you know it lim it just
very in the whole the whole of it has
such a small place for technology
and and the way that it hinge pins on
iso or anything else and then it
requires you to have a
you know some form of security policy or
or data you know privacy policy or risk
you know some framework and so you know
that's kind of how you you can then fall
into the iso 27000 or the nist or you
know cis controls
um but yeah you know they're um i think
cis probably offers a more holistic
because it doesn't tell you to talk it
doesn't even talk about you know
specific areas that are you know
certainly you know story processing and
transmitting like what what pci would
call out language for for an end scope
right they're they're telling you that
you need to have asset management
they're telling you need to have you
know an idea of how your software
is updated and secured before it goes
into production they're telling you that
you need to do continual penetration
testing right it's it's a more of a um
you know again adopted kind of a
operations model to to kind of do these
these perimeter checks right and and
these sort of configuration validations
and step validations and it doesn't have
to slow down the organization right i
mean they can be
streamlined of course right to however
you you operate but that there is that
that first push
that it takes to kind of figure out
how to you know how to kind of
intertwine these things right because
how you know how much pen testing is too
much well
that's a great example of you know
compliance with security right might
they're uh they're saying get
penetration testing at least annually
and we have organizations that do it
daily it's like
it's like who's the more secure the
organization that pen tests only once
annually and they pick one app
or you know the organization that does a
more frequent cadence then they're
looking at different attack surfaces
include the whole enterprise yeah i just
i think that you know you have to
include the at least
annually because otherwise some
corporate companies to be honest we'll
just not even do that one of the
problems i see also is with a lot of
these compliance frameworks
is that you determine what's in scope
and you know i remember working for a
company that decided to take some uh
deprecated systems off out of scope for
pci even though they had card data in
them i of course
pitched a fit and uh don't work there
anymore but that's another story that's
a good story though that's an epic tale
that's not just a story mike that's like
you know that's that's something that
would that would make the ancients proud
i'm telling you it's the lord of the
rings extended version how dare you do
the right thing mike i know man
try to voice what you're what you're
getting paid to do you know yeah try to
give us a good scenario
how dare you might try to do your job
gosh i have to take the company of the
whole well the company as a whole if it
gets hacked is you know
that's something
are you saying that cyber criminals
aren't just going to ignore those
deprecated systems are not in scope yeah
yeah they just don't scope
they don't check and see nobody
they sent out a memo to all the cyber
crime rings hey guys yeah we got these
systems we're they're out of scope
but you can hit these other areas over
yeah you're good over here well it's
just like the president handing uh putin
the uh 16 things that he considered
critical infrastructure that you
couldn't hack oh yeah
everything else free game yeah have fun
yeah stay away from critical
infrastructure yeah we don't care about
small business but don't touch our
critical infrastructure
it's weak and deprecated and not real
good practices around how we manage it
but we yeah we keep some keys locked up
don't touch it yeah no i mean everybody
needs to yeah everybody needs to apply
these these things holistically um you
know you don't you don't take your card
and say to the mechanic and say just you
know just look at this run right tire
it's all that's all you need to do like
yes sir but it's a it's a service
checkup we do a 350 point inspection and
it's got 20 000 miles no i don't want
that i just want you to look at my one
rear tire and let me go
clean out the extras excellent excellent
well our our focus is always like i
mentioned before and like we've talked
about on other episodes but i will say
it again because we we tell people this
a lot
pick a holistic framework something like
cis controls laura mentioned earlier you
know you have things like nist csf 853.
what about maybe we should talk a little
bit about
how to cover down from one to the other
so in other words if you have certain
compliance requirements how do you maybe
how would you pick the best framework
for your organization crosswalks and
such maybe like miss to hipaa those
types of examples you have any good
advice for people that have a compliance
requirement but really want to do the
right thing and
build a holistic
cyber risk management program i don't
know that it matters as long as you have
a framework i mean hipaa has a
derivative of nist
so it's a good starting point however if
you look at the frameworks long enough
they all start to blend at a certain
point where there's overlapping
requirements they just call them
different things
you know taking case and point iso and
they have the same requirements for
documentation but the document's called
something else an iso and this calls it
something else in reality who cares what
the name of the document is as long as
it's descriptive and has the controls in
place that are being enforced it's all
good practices and i think what you
developed over time is
a hybrid idea of blending security
frameworks together and then finding the
best ones at least that's what that's
what i do with most of the clients that
i work with for silent sector but we do
you know go through a checklist for a
specific framework at some point yeah
yeah absolutely i think that um i think
the core the core activities are going
to be you know fairly
similar as you as you start to look at
these these frameworks but you know i'll
use another analogy your your enterprise
is a big onion and and you may have
specific controls today for hipaa or pcr
anything else it's specific layers of
your onion slice
and the first thing you want to do is if
you've got a framework today like mike
said it's just it's a great just to have
something that's good right that's
better than being there like what to do
but now you can kind of expand that that
configuration and those good practices
with that framework and try to catch all
those layers of that onion but you'll
notice there's some similarities between
what i'll what i'll call proactive
activities right and and that's really
the intent is that cyber security in
general has always been a reactive thing
right and nobody cared about you until
something was going down and they either
were blaming you or begging you for help
right that's a big cheer out to all my
cyber security fellows out there youtube
mike you know what i mean like that's
that's really like what happened right
is like we either got blamed for stuff
or they were begging for help so the
intent is to be proactive with these um
with these activities and and in the
same sense that you take care of you
know you your lawn and your home and
your laundry and the whole bit you know
that the technical the technical assets
you have both software and hardware are
going to be a liability to you if you do
and so the vulnerability scanning and
the penetration testing and you know
ensuring you've got you know those type
of kind of cyclical processes
specifically where they make sense um
for moving code if you're in software
and for most certainly updating
everybody's hardware um and you know
giving you know not taking not taking
care of those technical assets because
you you feel again like we were joking
before it's like it works right like
it's fine it's fine it works like it
doesn't matter it's like a little oil
but i can drive it that's the whole
point right you need to make sure that
there's technical maintenance that's
being done very continuously because as
as you hear these podcasts every week we
don't make this stuff up this is you
know this is known stuff right we've
always known this stuff is happening
there's a lot more
um headlights on it these days this is
going to be a continual thing and so the
maintenance is super even more important
now than it was and so if if that's the
the two activities that continual risk
assessment that you're you're doing for
your technical assets it needs to be
done and
they all need to be patched and updated
and you'll see that's pretty much the
same across all of these frameworks they
want you to
to categorize your assets and your data
and make sure you keep them
very very postured and in shape and make
sure your users can't modify that
to you know cause risk and and the other
thing is training i think right mike i
mean that would be one of the other
places that they're all going to talk
about security awareness training yeah i
mean good point and going back to that
one headline about the i.t decision
makers that don't understand you know
that most people believe that the
c-level suite doesn't understand or
doesn't see it and is willing to
sacrifice cyber security for business
goals and i understand i mean in the
positions that we've been in you
understand that at a certain point you
do have to you know have usability and
you can't be 100 secure we can't air gap
everything and you know that sort of
thing but you can't accept a risk level
that is
going to put yourself in a really bad
situation and then there's a two pro two
prong issue with that one you're going
to demoralize your troops right if
you're if you're denying the viability
of everything they say
and saying you know that we see the
security issue now don't worry about it
we need to do this for the business
after a while you're going to burn the
security professional out he's just
gonna he's gonna quit caring he's gonna
put you know stop
beating his head against the wall and
start a company like silence the other
side is that you're gonna
start accepting risk and because you
don't understand the framework or the
world that we're in from a cyber
security perspective you're going to put
the company at greater risk by not
listening to these people and not taking
it as a priority so yeah at least put it
on the risk register and talk about it
once a quarter i mean you may not be
able to move on it money wise but at
least can keep it in the considerations
um because you're foolish if you don't
well yeah and money is one thing i mean
money is certainly the great limiter
right if you can't afford to do it you
can't afford to do it it doesn't mean
you don't develop compensating controls
or say you know we've been doing this
all along we've never been hacked so
we'll just keep doing it this way you
can't do that we've dealt with customers
that are like i want plausible
deniability at the sea level because i
just i don't want to know if i don't
know about it i don't have to protect it
and i don't have to testify about it you
know it's that kind of thing
and that is the wrong way to run a cyber
security shot absolutely and and just i
guess as a final thought for me you know
there's i don't know if you see the
cyber professionals know this but you
know the executives and leaders may not
know but there's a big cyber security i
don't want to call it that it's actually
it's a
it's a bullying attack you know we're
being bullied with a big stick going
around right the fbi just got whacked
unfortunately right um there's a big
stick going around okay that stick's
going around what's going to happen when
the stick comes to you
yeah right because stick's going around
you can see it and these organizations
have money and time and dedication and
they they all make mistakes too
right because there's a lot of data
there's a lot of systems there's a lot
of movement
what's going to happen when when it gets
to you and you've got limited resources
so you don't need a lot of money to do
good cyber security configurations you
can just talk to smart people about it
right i mean the configurations are free
right i mean research is free like do
that you know trust the people that you
have but yeah the stick is getting swung
right it's being swung and if it's not
ransomware it's extortion if it's not
that it's defamation right through the
abuse of a domain name right i mean so
i think of it more of like a mace with
nails sticking out of it pretty gnarly
and it hurts really bad
yeah i don't like it it needs to stop if
it doesn't kill you i think i touch my
i think the moral of the story here is
it's about
progress not perfection right and a lot
of people get caught up also and they
they may know their compliance
requirements but they may say okay well
which framework and spend lots and lots
of time trying to pick the perfect
approach meanwhile there's all the
aren't being covered right it's like
just just if you if you don't have a
model that you have to follow just pick
something and run with it and cis
controls is outstanding you know or look
at this csf you know to get started one
of those and just just run with it if
you don't have any specific
requirement otherwise and
get started get the ball moving get your
documentation like mike said if you need
to switch to iso and it wants you to
label the document something else well
at least you have the document just do a
find and replace
easy enough so
i think that's true for
the vast majority of organizations out
they can really cover down on the
fundamentals and there's a really good
book about building cyber risk
management programs i don't remember the
name cyber yeah cyber rants
cyber rants i think it's on amazon so
yeah anyway any final
words of wisdom before we jump off i i
would say you know if you don't know
what to do talk to a cyber security
professional by you know five hours from
consulting time
and talk to a cybersecurity professional
i would also add this caveat if the
first thing they dna do is try and sell
you a tool cancel the sal and find
another cyber security professional so
that that's what i would recommend if
you don't know talk to someone
yeah absolutely my my final thought is
is if there you are you're sitting there
i see you you're you're driving to work
right you're listening to this podcast
and you're about to pull into the
parking lot you're probably still got a
stoplight or something
and you're figuring out you know you're
like what am i going to do when i get to
work today i'm going to sit down i've
got my tool sets and you know what i'm
going to do
what what i would suggest is i would
take the biggest risk that you believe
you have today
and just document it
if you don't have a risk register make
one you're sitting there i see you
looking at the radio don't look back at
me like that look listen to me when you
get to work get
get open up excel i don't care if it's
bored it doesn't matter right um it
could be a notepad um
just call it risk register and say the
number one risk we have today is and put
that down
okay that's that's that's the simplest
thing you need to do and then from there
i think the story pretty much builds
itself you know what i mean so anyways
pay attention the light screen
i like it i like it excellent excellent
thoughts well thank you everybody for
listening to the cyber rants podcast
reach out at let us know
your topics questions ideas for future
episodes that you want to hear about and
check out the book online i think we i
think we kind of are beating a dead
horse there but we've got lots of great
feedback uh cios that have bought it for
their entire it departments uh really
cool stuff in that book that's really
helped people a lot really move the
needle in cyber risk so
check that out reach out connect with us
and be sure to subscribe to the podcast
if you haven't already and have a great
take care everybody peace out
pick up your copy of the cyber ants book
on amazon today and if you're looking to
take your cyber security program to the
next level visit us online at
join us next time for another edition of
the cyber rants podcast