Episode #93 - SOC 2 Readiness - Part 3

welcome to the cyber rants podcast
where we're all about sharing the forbidden secrets
and slightly embellished truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
mike ratando
zack fuller
and loro chavez
hello and welcome to the cyber ants podcast
it's the usual three suspects here
and we are stepping into part three
of our sock to readiness
sock to preparation series
just so you know
we are taking next week off
there's some travel and such
and then the following week
we will be doing a little bit different topic
we're going to talk about penetration testing
and mix it up a little bit for you
so after that
we will then continue on with another sock
two episode or two
and go from there
so with that
we are going to start today with controls
category four
and go as far as we can
but before we do that mike
why don't you kick us off with the news
good morning
and welcome to the news
um at least listen to the news
before you start snoozing about sock
too so anyway
artificial intelligence offers
swindler is a new tool for romance scams
scammers have a powerful new weapon to wield
this valentine's day when drafting love letters
artificial intelligence
such as chat gpt
to conduct the research
to conduct the research
the team presented a chat gpt
love letter to more than five thousand people worldwide
seven and ten failed to distinguish it if ai
wrote the love letter
or if it was written by a human
romance scamps have caused
one of the highest amounts of financial losses
compared with other other online crimes
according to the ftc's latest data
consumer reported losses hit a record
high of one point three million in twenty twenty two
increased by nearly a hundred and thirty eight percent
from twenty twenty one
over the past three years
there are also
there has also been an eightfold surge in sextortion
a practice of convincing victims to share
explicit photos
and then threatening to reveal them with a victim
social media contacts
according to the ftc
so you know
if that beautiful woman's write you a letter
maybe it's not really a beautiful woman or man
or whatever
novel fishing campaign
takes screenshots ahead of payload delivery
a novel fishing attack deploys a first stage
malware payload that allows attackers
to take screenshots of victims to determine the value
and whether to deploy additional malware
researchers said
over a thousand organizations in the us
and germany have been targeted in the attacks
they add the campaign as unique
because of the malware tools used in the attacks
proofpoint said it considers the attack chain novel
because it uses malware tools
previously not observed in the threat landscape
and that adversaries
are conducting
reconnaissance on a host machine
via what is called screenshotter malware
before delivering a follow on payload
the attackers
researchers said
use both commodity
and custom tools to leverage screenshots
before installing additional bot and steel or malware
the attack chain
starts with an email
containing a motionless attachment or url
and gets followed by malware
proofpoint calls
wasabi seed
and screenshotter
beep a new highly evasive malware
appeared in the start landscape
researchers from anurbit
recently discovered a new evasive malware dub beep
which implements many anti debugging
and anti sandbox techniques
the researchers noticed several new samples
that were uploaded to
virus total
as a deal as a dll
dot gif or dot jpg
the samples
are labeled as spreader
and detect debug environment by vt
and were used to drop additional payloads
once we debug
once we dug into the sample
we observe the use of significant
amount of evasion techniques
it seems as if the authors of the smallware
we're trying to implement
as many anti debugging and anti vm
techniques as they could find
regionals published by the experts
one such technique involved delaying execution
through the use of the beep
api function
hence the malware's name
after performing anti debugging and anti vm checks
the malware dropper creates a new windows registry key
and executes a base sixty
four encoded powershell script
stored in the value of the key
in turn the powershell script retrieves an injector
from the remote server
which extracts and launches the payload
using the process halloween injecting technique
tax chain ends
by dropping an information stealer on the victim system
really very
very intricate
oakland city
services struggle to recover from ransom attack
a cyber attack
hit oakland's government offices last week
preventing residents
from filing police reports and paying taxes
city officials
meeting tightly up to about the cause monday
the city had shut down parts of its network
while its information technology department
work to investigate the scope and severity
of the digital attack that began wednesday evening
according to the statement posted
friday on the city website
the city said ransom
where was the blame for the digital breach
lastly chs which is a
community health systems
hospital system
million patients affected by go anywhere mft attack
attack excuse me
this chs off
operates nearly eighty hospitals and sixteen states of
close the federal regulators
and cyber security
incident involving secure
secure file transfer software
that compromise the data of about a million patients
according to a following
the incent stems from its use of fortas
go anywhere software
maternity base
chain says forta
recently notified the company of an incident
that resulted in the
unauthorized exposure of patient data
their statement says
as a result of the security breach
experience by forta
protected health information
and personal information
of certain patients of the company's affiliates
were exposed by forza's attacker
orders go anywhere
managed to file
transfer software
was a subject of a security alert
issued by the company
on february first
the cybersecurity and infrastructure security agency
nine days later
included the vulnerability ins
catalog of known
exploited vulnerabilities
sissa describes the going to wear flaws
involving pre authentication
command injection
vulnerability
in the license
response tablet
due to the deteriorizing
and arbitrary attacker
controlled object
porter issued a patch
for the issue
on january sixth
with its new version of seven
dot one dot two
a little too late
couple headlines
attackers increasingly using microsoft's onenote
to deliver quack bot
or cake bot
malware q a k bot
so whatever
however you say that
system releases
some more esi
yes xi are just
recovery tool for vmware
ransomwork victims
systems citrix
release some security updates
and the tour head network
is hit by a wave of
ddls attacks
with that let's go over to loro's corner
loro mike thanks
and welcome the listeners
to laura's corner
as we all sit
criss cross
applesauce and
autopilot our ways
down the five
on our new tesla
that hopefully
isn't part of the recall
that's just been given
i thought i'd give
everybody some
i guess assistance
with vulnerability management
i think it's something that we
see a lot of
and if you listen to the show regularly
you notice that a lot of
vulnerabilities
are part of mike's news spec
and a lot of these vulnerabilities
cause significant risk
like remote code execution or rce
something that
none of us ever want to
have to deal with
as security
team members
but how do we determine
does a vulnerability
really mean
that we've got to stop
everything we're doing right now
and start patching
versus we can probably
downgrade that vulnerability
based on our system
architecture
and how that vulnerability impacts us
and that's exactly what i want to talk about today
is the temperament behind
understanding
if a vulnerability
really means
the critical rating
to you and your
architecture
so when you
see one of these new vulnerabilities come in
the very first thing you should do
is not only understand
how the vulnerability works
and what thread it poses
like remote codec execution
is an example
um but how how do you
as an attacker
or how would
an attacker
need to position themselves
in order to
accomplish this
vulnerability
and the exploit of it
inside your
architecture
so if we take something
like blue keep
that was focused on
a microsoft
love microsoft
we love microsoft here
we were just talking about that
and i'm being
facetacious
but let's talk about the remote
desktop protocol
that microsoft offers
for remote management
we all remember blue keep
from a few years ago
well this was a pretty
serious situation
especially if you were exposing
remote desktop
protocol to
the outside world
if you were doing that
patching was a priority
not only a priority
it was critical
to stop your infrastructure
from being compromised
at any given
moment so that
is a great example
because there were a lot of organizations
that were still using rdp
but they weren't
exposing it
to the internet
and for them
the priority
seemed to be the same
and i don't think
it was fair
in some of those organizations
and you as a
as a security
team member
or an executive
may remember
pivoting your folks
or even being pivoted
to patch this
vulnerability
and it really
wasn't that
big of a deal
because you weren't exposing
the service
to begin with
so like that
this process
or a process
should be built
by your team
to help you
downgrade and
re establish
the critical rating
for vulnerabilities
that come in
with a high
impact rating
and how they relate
to your architecture
because remember
if you have to patch
everything at one time
you'll never get any
fruitful work done
that you might have to do
just for keeping the lights on
so take a minute to
try to restructure
and re rank
those vulnerabilities
and understand
how they impact you
in your architecture
versus just
what the cbb
score is saying
so keep that in mind
and hopefully
that'll help you
provide some
ways around
having everything
to be an emergency fire
you have to
put out right now
and be able to
temper those
vulnerabilities
from a real
criticality rating
as they pertain
to you and your
architecture
all right with that
i hope everybody can
stay awake for
our sock too
conversation
today i know
i fell asleep last week
what about you
mike i think
you were talking so
you might have been
sleep talking though
yeah i tend to
sleep and talk
at the same time
gifts i don't know what you guys are talking about
i love going control by control through the framework
and and it is kind of fun
just incredible
this is like
like we said
like we promised our listeners
this is binge worthy
you know this is
this is something that we're gonna
really take our time going through
but we do this because
sock two questions come up so much
we want to do a couple things
we want to help educate those people
that are getting ready for their first sock two audit
we also want to create a foundation of material
that you can reference down the road
so maybe you're not looking at a sock two audit now
who knows maybe
maybe two three years from now
you change jobs
and all the sudden you're with the new companies
says hey we need to go through a sock to audit
you say great
i'm gonna listen to the cyber ants podcast and
check out the
all the controls that i need to know and get ready
so that's what we're here to do
educate and inform and empower
right and but my
my goal is to speak truth to power
and the ica needs to
he needs to create a sock to
for small business
that would be my recommendation
after doing this for a long time
but anyway sorry
didn't mean to interrupt but yeah
i think that if anybody from aicp is listening
create a sock to
for small business
it's not nice at all
it's not it's not
you're given a cauldron to
you know for a
like an overnight backpack trip
you know what i mean yeah
yeah i love that
i love that idea
i absolutely think we should do that
is there a is there a petition or something we could do
or write somebody a letter
we'll figure something out
good old fashioned snail mail
gets the point across sometimes
exactly really does
especially she said one a week or two a week
just like andy do friend
you know what i mean
that's how he got his new library funded
shushing there you go
that's all that's what it takes for
should we should we
should we do it like a small recap
i guess just for the listeners to kind of if you
if you haven't
if you've missed this
or you're just jumping on right now
like kind of a
what great idea
let's take a quick commercial break and come right back
want even more cyber rants
be sure to subscribe to the cyber rants podcast
get your copy of our best selling books
cyber rants on amazon today
this podcast is brought to you by silent sector
the firm dedicated to building world class
cyber security programs
for bedmarket and immersion companies across the us
silent sector also provides industry
leading penetration tests and cyber risk assessments
visit silentsector com and contact us today
and we're back with the cyber ants podcast
diving deep into the bowels of sock to
control smelly work requirements
so laura you had a great
you had a great point
do you want to just do a two minute recap
i'll do less than two minutes i hope
let's do it okay
so this is your first time jumping in sock to type two
i guess the number one thing
that is important to remember is
this is not a framework
sock to is not an alignment framework like cis or nist
one seventy one alpha
very special publication
one seventy one
a sock two is a measurement of your bit
your entire business
how you do financially
how you keep financial integrity intact
and then also
how you might follow a industry recognized framework
to ensure integrity of technology control
and i think that's very important to remember
also it's a forever machine
you can't do sock two once
and get a little letter of a testation
statement from the auditor
and you're done forever
this is something
unfortunately
you'll have to repeat every year
and there are cyclical activities
that are gonna occur throughout the year
that you're going to need to keep up with
so that when auto time comes around
they call it fieldwork
i guess that's what they're calling it now
i guess because they're out there
farming for data
get it farming for data
anyways so i think that's why they call it field work
but but a good theory
i think that's why they call it field work
i mean they're not in the field
they're sitting in their computers
they're farming
and those of us gamers
know all about farming for materials right
and that's what they're doing
they're farming for evidence
their field work
call it what you want
that's my conspiracy theorah
is that still playing that facebook farm game
is that what it is
i played farmers only for a while
that was a weird game
then what he told me about that one
the kind of game i thought it was
you know what i mean
i got into that game
it was shocked
well okay we'll do another episode on that
on that all for you laro
you can you can run with it
we might not post it but we can
we can do that another time
that's laura's corner
you don't want to be a part of you know
that's right
that's lara's
that's the that's the other corner
that's its closet
basement corner
we don't want to go there
go to the corner of the field
you know i mean on that note i think the
the benefit of sock chief
and the reason why it does hold some weight
for organizations
vetting their vendors
is because there is an intelligent component of it
in that the aicpa has built this
in a way that looks at the business as a whole
contrary to popular belief
of it being a technology audit
it looks at other aspects of the business
because guess what
if you're a sas company
and your business fundamentals go
you get a lawsuit or something like that
it shuts down your business
your technology is also not going to be supported
and we'll go with it
right so they kind of need to measure both versus
if you're just looking at technology
there are other business factors that could hinder
your ability as a company to serve your customers
so from that perspective
i think there's some
some good sense behind it
definitely but yes
you're right
it's not just all about technology in your environment
so yeah i mean
it's really more risk focused than anything else
there's really the best way to put it
in you know
and you define your risk
they do not define the risk
they're just
the old goal of sock to auditor is simply to identify
what you've identified as your risk
and then determine that your controls are in place
to mitigate your risk
therefore ensuring your stability
remember always
the icpa is an accounting organization
it's not a security organization
so they're looking at the business as all
that's right yeah
and i guess
just one note that came out of
actually a call the other day which was
i thought was interesting
but um there's
you know for
like for us
we do sock to readiness
like we don't
we know do the actual audit
we get you ready
we help get you ready for your sock to audit
and the reason that we do that is because
a lot of the work that we do is as a
like a trusted advisor
trusted consultant to our organizations
and it's a violation of ethics for us to
um you know
for us to audit the organization that we're serving
so even if you have
an organization like silent sector um
you're still gonna have to get a third party
auditing firm to come conduct to this audit
because there
there is a bleed of the line of ethics there
and that the
they'll find out
and then whatever report is there
won't hold any weight anymore
it'll be nullified
once they understand
that there is a ethics violation in the
in the company
serving the audit in the
auditing yourself
is very easy
yeah check check the block
yep we got that
we got that
we got that yeah
the aicpa grounds on
crossing the line
when it comes to independence
so shall we dive in with cc
four dot one
in interest of time
four dot one
let's do it
the entity this is
four dot ones
is kosovo principal sixteen
the entity selects
develops and performs
ongoing and or
separate evaluations
to ascertain whether the components
of interternal control are present
and functioning
what the heck does that mean
it means you select
develop and perform
ongoing or separate evaluations
to ascertain whether
the components of your internal control
are present and functioning
all right so let me let me
let me jump down the rabbit well
what it wants is security risk assessments in place
and business risk assessments in place
you know an internal audit of your controls
are you are your controls functioning as they've
they are expected
do we have the security policies in place
to ensure that things are secure
keep in mind again that the icpa is an accounting firm
so if we've got three critical pieces of infrastructure
um we wanna ensure that the front
we have financially allocated the right dollars
towards each piece of those
each piece of infrastructure
if one is seventy percent of your business
one is twenty percent of your business
one is ten percent of your business
and the risk is the almost the highest thing
to the one that's twenty percent of your business
how do you allocate those dollars
so they want to ensure that you're looking at that
and then evaluating controls based on the dollars spent
and you're getting your proper roi
but you're also ensuring the stability
and security of the company
make sense makes sense to me
it's clear as mud
you know now i would highly recommend
and i'm assuming you agree laura
that you would have a third party do your assessments
internal assessments
blinded by the fact that you got
you're the one that designed everything
it's kind of like got it
editing your own code or testing your own code
it did you know
it's supposed to be there
it's like proofreading your own documents
that sort of thing
so yeah definitely
and you know
you know regarding this
you know having that
you know having things like your risk register
and you know we like to call it the security council
you know having those regular meetings
and the notes from those meetings and
and you know
ensuring that those meetings are having converse
especially if you're a sock to type two or type one
the conversations need to include finances
around technologies
just like mike said
if you have critical technologies
and you're not dedicating the money
if your it people are complaining like
we need backup
we need more tapes
or you know
we need another silo with a robotic arm that you know
grabs the hot pocket from the microwave
and then puts it in your hand
and then grabs a tape and puts it in the tape reader
and you really need that for business
and you're not getting that traction from leadership
for finance
to fund that
that needs to be a risk
and you need to be able to
point out why that's a risk
especially if it's a business critical application
so you need to have that process for measuring yourself
and the conversation needs to continue about
do we have enough dollars dedicated to cover
if anything happens to these critical services
like i think it's a great idea mike
like you said
if you know the three
it's typically that right
it's usually at least three
like most organizations have
at least three pieces of critical software
have you dedicated
you know the proper financial
and technological resources to those
and are you continually
measuring and evaluating right
is according to principle sixteen
that these are still sufficient what you're doing today
capisce
that sounds
that sounds amazing lara
was that amazing
it was i i wanted to take a
i want to take a
just a quick
i don't want to take us off track on the controls
but i'm i'm trying to think
so where are we going
well i want to think about what the audiences think
or what some of the audience may be wondering
which we haven't really addressed yet
which is what about d scoping to a specific application
so that's a question we get a lot is
oh well we have three apps
but the customers
only asking for this one to be sock to certified
right but we've talked about this being more holistic
but i could
i could just anticipate that
so again not to take us off track too much
but just really quickly
any thoughts on that
words of wisdom
versus just wrapping everything into the scope
yeah the old d scope is a
you know it's
it's it's quite
it's quite literally a pipe dream
and you shouldn't
i don't i think
we would ever recommend you going down that path ever
not that's pci or sock to
and the reason is
is because you're going to focus
you can't focus policy corporate level legalese
policy on one application as your business wing
because you don't have the rest of your stuff together
it's just you're gonna show that your sock too
but it's a lie
it's in a very narrow
if it's a pie chart right
you got to really
you're skimping me on the slice of pie you're giving me
you know what i mean
like you gave me like a little piece of
a piece of a kids piece
and that's what you're telling me
that you're too compliant so you
i don't think it's a good place
especially to be in a courtroom and have um
opposing council asking you why you didn't
you didn't do the whole thing
now it's okay if you're gonna do the whole thing
and like you have a priority
and you're gonna focus on the technologies that apply
but remember
you can't write policy or even dedicate sometimes
dollars and technology controls to just one app
it doesn't make sense
you're leaving the rest of your organization at risk
yeah i think it add to that too
it's some i think where some people get the idea
they see large enterprises that have whole
separate divisions with their own it departments
their own dev teams
all that for a specific product
so it's almost like a separate company in itself right
they could have their own policies
they could have a lot of their own controls that
don't necessarily apply to the rest of the organization
so that's a different animal
but if you're twenty five person sas company don't take
you know google's model for their audits
and try to apply it to your organization
it's just not gonna work
so thanks i
yeah we let's keep cruising through the controls
but i just somebody
somebody listening was thinking that
and that's been on their mind
and it's been bugging them
so i wanted to address that
if that's you write us a letter
snail mail please
yeah snail mail
okay where are we for that
for that one
that too which is
considers rate of change
management considers the rate of change in business
and business processes when selecting and developing
ongoing and separate evaluation
so basically that's going to be your internal audit
and risk assessment policy
four dot one two three
established baseline understanding
that's the current state of your internal controls
you're gonna get that through you know internal scans
you're gonna get through that
from your initial security on it
here's my favorite one
i like this next one's my favorite
he's knowledgeable personnel
evaluators performing ongoing and separate evaluations
have sufficient knowledge
to understand what is being evaluated
yeah key key term
knowledgeable personnel
yeah that's pretty big
don't have don't have carl the janitor
audit your servers
yeah he could definitely best
he could be the best tech person in the company though
you know that
that that is entirely possible
you you don't
you never know
it's all it's all subjective but yeah
i always think of the greens keeper from caddyshack
being your see seesaw
there you go
knowledgeable personnel
key to this
it's very this
this will all go
this will go really easy if you just
if you just go to for now
one dot three
i'm sorry is it for that one that for
for that one
that three yeah
whichever one it is
knowledgeable personnel
focus on that one and then the rest of it'll be easy
and if you don't have the
knowledgeable personnel internally
then you need to get that from external
and there's no reason to not do it though
you need to invest in that
you know eight ten twelve
fourteen thousand dollars
whatever it is to have someone come in
and actually take a legitimate look
i can tell you from personal experience
i once did that for a large government institution
and got fired for giving them an honest report
so you know
be careful what you say
but keep your integrity intact
yes i too i too have been suppressed for
for the political
achievements
internal policy
internal business
corporate politics
i'll say that achievements to others
so i do share your pain sir
yes integrate with business processes
ongoing violations are built into the business process
and adjusted changing conditions
this comes back to the tightrope that you have to walk
between security and functionality
right so i mean
ideally we'd all live in air gap networks
and never surf the internet
or you would be told exactly where you could go
for how long or something
of that entry
just to mitigate a hundred percent of the risk
or as much of the risk as possible
business still has to function
so you have to walk that line
of being able to function efficiently
and profitable
profitability
and then being secure
but the business has to understand
there are going to be constraints to
limits based on security controls
so you have to define that
just scope and frequency
management varies the scope and frequency
of separate evaluations depending on risk
you don't want to run the fishing emails
on the first tuesday of every month
because people are going to figure that out eventually
it's not good point
yes and you also want to those
those of you doing the fishing emails
increase your difficulties after
you know several attempts
and you don't get any clickers up the auntie
as they say
ford out one seven
objectively evaluate
separate evaluations are performed periodically
provide objective feedback
are you getting a theme
we need separate evaluations
we need multiple evaluations
we need knowledgeable people
so knowledgeable people
key key point yeah
shameless plug
yeah brings us to a shameless plug here you you're
thank you for listening to knowledgeable people
exactly yes and
if you click on the knowledgeable people piece of our
our website you'll see pictures of laurel and zach
so you're on there too
i i if you take one thing out of this
just remember n for knowledge
yes yes click in for knowledge
okay no joke by the way
the terror there
there are several ends in knowledge
or at least one
to get a solid teeth
uh coastal principle seventeen
which run to four
dot two dot one yay
the nca evaluates and communicates
internal control deficiencies in the timely manner
to those parties responsible
for taking corrective action
including senior management and the board of directors
as appropriate
this goes back to the roi piece right
if you need more money to protect a critical system
you need to be able to communicate why
where when how
you know why this is critical
what this means to the business teams
so you can get the money necessary to protect
or the budget necessary
or the resources necessary to protect
the critical systems
you can't convince the sales guys
nothing ever happens
exactly well you know
and i guess just a word of advice to
you know some of this
the security and it personnel might be listening
like how how do we
you know how do we communicate those deficiencies
just you know
if you've got emails or you're not using
you know a workflow system
just write down everything that you see a problem with
and make sure that you're doing your part to
alert your leadership
that way if something does ever happen
you can say
i informed you thusly
or i told you so whichever whichever you feel better
leslie leslie i like that word
if that's a word i would i would use that
that's gonna get the point across
yeah yep and it also wins for snarky condescension
so it does thank you
thank you for that
we're gonna
we're gonna cause some turmoil
here within organizations if we keep going down this
this path he put it in a subject line
i informed youthlessly
and then just a bunch of bullet points
yes management likes that
they do yeah they do
well here's the other piece of that is
i mean you know
i guess you know
the four dot two
dot two is communicate those deficiencies right
the deficiencies
are communicated to parties responsible for taking
corrective action
and their senior management
and to the board of directors
is appropriate
and then the follow on for dot two
dot two has monitors
those corrective actions
management needs
to track whether deficiencies are remediated
on a timely basis
now these are
you know this isn't weak tls that the scanner found
right i mean
these deficiencies
are a risk to either business operations integrity
or business operations financial integrity
but would you agree mike
yeah i wouldn't
it's like when you find out that your msp
isn't forcing password changes
and they've had the same as msp for three years that
that would be something that needs to be
communicated to management
yeah it might be a good idea
these these items
i like to say anything on the risk register is gonna
you should be this monitored
right and that's
that's where we kind of
you know kind of maintain our clients
risk management program
to the risk register
and then every security council meeting that happens
every week or every other week
we're talking about those risks
we're asking if anything's changes
we're monitoring the corrective action if there is one
sometimes it's waiting on a vendor
sometimes it's waiting on
um you know
quotes to come back from an alternative tool
or alternative tool sets as an example
or for spend for drives
right you're waiting quotes to come back
so there's sometimes there's just a waiting period
but it's okay to still talk about those risks
because that's how you're
proving that you're monitoring those corrective actions
you'll have those meeting notes
hopefully you've got a stellar project manager
that's keeping track
you know what i mean
when you also have to make sure
the risk is assigned to the right people right
you don't want
risk doesn't sit with it
security doesn't own anything
security is a audit function right
and identify recommend
communicate
but it also doesn't always have the means to fix a risk
so from that perspective
you have to ensure that you identify who
the proper risk owner
and oftentimes it's the business unit on
who has the control of the budget
that can allocate the funds of
to be able to fix the
whatever is the problem
but if they don't own the rest
then they're not feeling the heat
and everybody's saying
was nit doing it
you know they do
well this is a good point
i think a good segway to bring in
so this is why
and you know
i don't want to talk politics on this show
but senator warren
several years ago
introduced a bill that would hold the ceos
and the leaderships of business accountable
for hacks and ransomware
and operational integrity loss and financial loss
because she understood
and the others that were in on this bill
obviously understood
like we all do
now ultimately
leadership has the final say
and should have the final responsibility
so when it comes to these types of risk
i always like to throw it
i'm just like well
who's the top person
let's give it to them
unfortunately
they own it
and they have to be aware
they own it
but you know
it's not plausible
deniability is not an option anymore i guess
sadly enough
i don't know
sure maybe it's
the guys at the top
shouldn't be you know
skating by and blaming you know
your level one and two security engineers
or helped us people
for problems that they
they themselves could cause
and prevent it from being fixed
absolutely so
yep you own it
and by the way
that bill would put ceos and ceos
and cfos and the likelies of sea hood
into jail for up to twenty years
for making financial and risk based mistakes
that cost your business to go under
and hurt financial investors
so keep that in mind
well keep in mind
a lot of these frameworks is
a business justification trumps the control
right so they can come up with a little bit of
business justification they want
maybe there needs to be a little more teeth
in some of these frameworks
it says no that's not
validates the business justification
so that's not about valid justification
definitely yeah
i agree with you there
i think there's
there's loosey goosey language around how you use
compensation and
risk deference
in some of these frameworks
it's certainly not concise enough
and it leaves clever lazy
second and second rate compliance individuals
a place to kind of loophole the company out
for the sake of a bigger bonus
you know what i mean
but when it comes back to a court of law
or the shareholders
you know i think the
the truths gonna come out in the assessment after the
you know after this
a penis start rolling
so you can't
you can't get out of it
make sure you keep your integrity intact with the stuff
yeah you keep your integrity intact
always always
but hey we are coming up on time here
and just as a reminder to listeners
we will be taking a break next week
taking that off
and then diving into pen testing the following week
and then we will get back into sock too
so if you miss it
if you say hey
i just am craving more sock too
don't worry
there is more to come
and we'll give you sufficient time to go back and re
listen to the first three parts of this series on sock
two audits so with that
do we have any final words of wisdom
smart remarks
knowledge based
anything you want to put out there to the world
five and five and six controlled
are both very long
both of them
so those were probably gonna be a week each so it's
we probably won't be landing this whole thing
for another
i don't know
month or so
so bear with us
but it's important information to have
yeah good stuff mike
again like zach said
always keep your integrity intact
always use knowledgeable personnel
and ensure that you're not descoping
vital parts of your business
to try to get an edge up on the stuff you can't
it's not gonna
it's not gonna turn out well for you
especially if there's a ransomware event
in the middle of your sock to compliance field work
farming for evidence
yeah and make sure you assign the risk to the right
people that can do something about it
you know document every power
fight the good fight
internal you know what i mean
internally yeah
don't be confused by laura's farming comments
or auditors
probably not going to show up
in overalls with a straw hat
it's probably
probably not gonna happen so
but maybe if you do have that person
we want to hear about it
and interview that
that farmer
that farmer slash auditor
so excellent
well hey cecil
cecil bojack's auditing firm
there you go
there you go
and bait store
and bait store bait store
barbecue kit
there we go
that's well excellent
thank you for joining us on the cyber ants podcast
be sure to rate the episode
share with friends
get this information out there
if you know somebody that's
maybe going through a sock to audit
or thinking about that
i know we're taking a deep dive here
but this information is going to be important
to help those organizations
go through this successfully
come out with high marks
and ultimately use sock two
as a tool for revenue generation
landing larger contracts and
and doing great things in their space
so with that
thanks for joining us
we will see you on the next episode
pick up your copy
of the cyber ants book on amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at
silentsector com
join us next time
for another edition of the cyber rants podcast