Episode #96 - SOC 2 Readiness Part 4

welcome to the cyber rants podcast
where we're all about sharing the forbidden secrets
and slightly embellished truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
mike ratando
zach fuller
and laura chavez
hello and welcome to the cyber ants podcast
this is your co host
zack fuller
joined by mike rtondo and laro chavez
we are diving back into sock two audits today
so we are starting with cc five
and going through that section
going as far as we can
we took a break for a few different episodes
and different topics
and we are back in so that we can get through
the security trust services criteria with you
so that if you're going through an audit
or getting prepared to go through an audit
you know what needs to be done
so with that mike
you want to kick us off of the news
i'm sure everybody's heard
those about ready
when experts call for a pause
on ai training
citing risk of humanity
over a thousand people
including professors and ai developers
have co signed an open letter
to an artificial intelligence lab
or ai intelligence lab
calling them to pit positive development
training of ai systems more powerful and gpt for
for at least six months
the letter signed by those in the field
of ai development technology
including elon musk
co founder of open ai
yashua bin geo
forgive me yasswell
or misspelled your name
mispronounced your name
yeah professional
founder of mila
he was in the acting
we've all heard of that guy
a mad mastrok
and ceo of stability
for russell
pioneer and ai research
and gary marcus
founder of geometric intelligence
the coetaine experts believe we have reached a point
where we should only train more advancing assets
of that including strict oversight
after building competents
the risk that arise from the appointments is manageable
therefore we call an ai
labs to immediately pause
for at least six months
carrying the ai system is more powerful than chat
then gdp four advises the open letter
the pause should be public and verifiable
include all key factors
in such a park
not being acting quickly
government to step into institute of moratorium
that makes me wonder
what do these guys know
that we are here
the other thing i read today
was that they're expected to eliminate cat edp or gpd
ai is close to eliminate
up to seven percent of job in the united states
and over three hundred million job worldwide
i want the upside
that would include lawyers
you know the bad thing
yeah you take good with the bad
i like to think
we're all gonna have our personal jarvis
like tony stark
and iron man
you know the marvel universe
yeah but that's what the world
thought when the cotton gin was invented too right
it was going to be the end of jobs and
and it was the end of the world
but turns out
i think it wasn't
zach i think you said it best a little while ago
where you said that it's
it's still very important for
for humans because you you it
what's important is what they do with the information
that they have access to
because just having access to information
or limitless information
doesn't mean anything if you don't really know how to
aggregated in a
in a purposeful way
yeah but then there's skynet
well there's that too
we don't talk about sprite net
we doubt you think the first t
one thousand will high five me for it
kills me yeah
maybe let's hope
a wi fi protocol flaw
allows attackers to hijack network traffic
security researchers have discovered
a fundamental security flaw
on those vine of the ide
eight o two dot eleven wifi protocol standard
allowing attackers to trick access points
into leaking network frames
and latex form
wi fi frame
containing a header
data payload and trailer
which include information
such as the source and destination
mac address
control management data
these frames are ordered in cues
and transmit in controlled matter
the white collisions
then to maximize data exchange performance
by monitoring the busy
idle states of retrieving the points
the researchers found that cute
buffered frames
are not adequately protected from adversaries
who can manipulate data transmission
client swooping
frame redirection
and capturing
the attacks have a widespread impact
as they affect various devices and operating systems
linux ios android
and because they can use hijack pcp connection
or intercept client and webs
read that article
so it's pretty interesting
um this is pretty
critical packs now
cybercriminal set sites
and critical ibm file transfer bug
the ibm espera fastpack is a cloud based file exchange
application that utilizes the fast
adaptive and secure protocol
to allow organizations to transfer files
at higher speeds than would be achieved over
ordinary tcp base connections
critical bug
and ibm's popular asperia back
file cancer staff that allows arbitrary code execution
is catching the eye
of increasing number of fiber criminals
including ransom
again as the organization spell the path
even months after ibm released the patch
for the critical vulnerability
it is still being exploited in the wild
researchers with rapid strep seven stress this week
noting that one of the customers
was very recently compromised by the bug
track as tte twenty twenty two
dash four seven
nine eight six
immediate action is needed
researchers recommend strongly pat
strongly patching an emergency base
is not waiting for typical patch cycle to occur
this is the big deal
so if you got it do it
a couple stories on this
google finds more
android ios zero days
used to install spyware
google is spreading out is a group called tag
discovered several exploit cans
using android
ios and chrome zero bay
and end day vulnerables to install commercial spyware
and watch this app on target devices
the attackers target ios and android
use with separate exploit chains
as part of this first campaign
spotted november twenty twenty two
they use the text message to push in a bit
dot ly torrent links
could redirect the victims to legitimate shipment
websites from italy
malaysia kazakhstan
after first counting them to pages
trigger exploits
abusing an iowa webkit
remote code day
code execution
zero day pve
twenty twenty two
four two eight
five six and cve
twenty twenty one three
zero nine zero zero
um even more reason not to click on links in action
to do google commercial slider used by governments
laden was zero data exploits
this is again this is
it's not a good day for google
iowa google android
research from google found two separate
highly targeted campaigns
would be various
unpacked zero
they exploit the infusions of both iphone and android
smartphones to deploy spyware
discovery's wheel and blog post on march twenty ninth
as a result
the package cracking that google tag does
commercial spyware vendors
with more than thirty of them
currently on the radar screen
was researchers
that use of her valence technology is currently legal
under most national or international laws
i find that surprising
and governments have abused these laws and technology
target into it
but don't align their agenda however
since the abuse came under international screening
through the revelation
government's abusing
about those groups
pegasus mobile spyware
target iphone users
regulars and vendors alike
have been cracking down production
of these commercial spyware
some critical headlines
seems had kidnapped
warns about a patch about atlantic
cue dope law
and their narratives
crown resorts confirms ransom command
after go anywhere breach
extend that line
is gonna block email from vulnerable
on prime service
that servers
that's gonna be real interesting
there is a more constant target detail
attack on ot devices
which is the infrastructure
technologies that run factories and so forth
so if you're involved in the manufacturing
and we'll look at that
um and then
i'm good news
open ai quickly
fixed account takeover bugs
and chat et
with that laurel
off your corner
thanks mike
for the news
and welcome to laurels corner today
where we'll talk about
i think probably the most
the most urgent problem in the industry right now
is probably the three cx
trusted software compromise
that if you haven't heard about
where you're certainly sleeping under a rock
this has been taken over the internet by storm
and all of the major
cyber security news outlets are reporting at it
all of our good white hats are out there
are trying to dissect this
and try to understand what it is and what it's doing
what it's capable of
and i won't be the first to tell you
that this has the stink on it
of north korea
or somebody who wants us to look like
north korea did it
and i'll jump into that
so let me tell you what we know and
and a little bit about what you can do if
if you're using the three c x suite of
of software
and what what they are is there
they're like a zoom or a go to assist
they are a phone and video
kind of an all in one service
where you can have
kind of a unification across your employee base
from mobile phones that are byod
to issued software and hardware
to actual physical ip phones that may sit on desks
three cx offers an integration software
that offers this kind of
a complete telecommunications product for your company
so as you can imagine
lots of businesses
like solar winds
lots of businesses are using this software
what's happening is that this is trusted software
this is a trusted software compromise
so the software that's installed from three cx
is legitimate
what's been
compromised is the update services
so the three cx desktop app
exe is going to reach out to the cloud
for its normal updates
to a trusted source
that it believes is calling home and it is
but the library files
that it's going to receive as its up to
have been compromised
that library file now
gets pulled down
on behalf of our three cx application
and executed
and when it's executed
it launches a fake ffl
impact dll and this
ffl impact or mpeg dll is a
is a library file
that includes all kinds of media software activities
for opening photos and videos and audio files
it's basically the media library
that you need to listen to
itunes is an example
right so you can hear music on your headphones
it has all of these things built into this library
so it launches this fake
version of this library
that spawns this service
this ff impact dll
and then calls another function
due to crypt
a secondary dll
and that d three d compiler
and i'm sorry that this if
if we're getting
getting lost here
so i do apologize
i'll try to keep this as high level as i can
so this to circle back your
your valid three
cx software updates
pulls down a bogus download
that downloads
spawns a fake service called
ffl impact dll
which opens another service
the decomiles
and extracts
a whole series of libraries
that include
c two servers
that call out to the internet
for more instructions
these were originally found to be on a get library
and after a report from our mr
hammond out there
i'll give him a tag for being the awesome white hat has
hopefully because of you
this has been taken down
and so these c two libraries are being four o four now
when you try to go visit these locations
but that doesn't mean that the threat is over
this just simply means
that one of the libraries that's been identified
has been taken off of the get community
for its ability to be used against
hosting this attack
the other thing is that
once this happens and this is executed again
everybody who has the software installed
should be concerned
and you should look for these ff impact dlls in this d
three d compiler
forty seven dll that are going to be running
president is services um
that are gonna give you some idea that
that you may be infected
and there may be other things going on
um the other interesting part of this payload is that
it sleeps for seven days
before it calls home to those c
two urls to try to evade some of the more um
clever antivirus
and i will state that
all of the major import protection companies right now
have been able to identify this
sentinel one
i believe was one of the very first that started having
issues with this three cx product software
saying that this legitimate software is acting crazy
and we need to sandbox it
so once that kind of spawn this investigation into
into what we know now
is this compromise software breach
there is a hard coded decrypt key
that's inside the secondary payload
that forty seven dot dll
that's going to include this
this hard coded decrypt key
and that's really kind of the calling card that
the block is saying
the there's the word on the block
the word on the streets
in the hush corners of the dark internet
it is said that this is indicative of
we don't know that for sure
i'm just speculating
based on what i'm hearing out there
this could be thread actors that are trying to
act as if they are coming from that instance
the other last interesting thing i'll say about this
is that this ff impact dll is calling down icon files
and this is the most interesting part of this
is that these are image files that are being used
hold secret code that is then being put together for
we're not sure what on the other end
but it's just
it's a very interesting method
because even
even here at silent sector we've we've
are indeed some of this
to help our clients in the fast with the imagery
embedded malware
and we're seeing this here
with this trusted software attack
they're using icon files
and that mm
that ffl impact dll
which is a library of media file functions
to interact with the code that's encoded
inside of these image files
it's very interesting
and there's a lot of stuff that's still unfolding
so please be vigilant out there
and take a look for the services
and by all means
make sure you check the major vendors
threat activity logs
are going to have a lot more health information
if you happen to be one of the compromised
so stay vigilant out there
and i think zach
we can take it a step down now and talk about sop
i love sop too
well stay vigilant and stay classy
we will dive into sock to um
back into our series here
shortly after a quick commercial break
want even more cyber rants
be sure to subscribe to the cyber rants podcast
get your copy of our best selling book
cyber rants
on amazon today
this podcast is brought to you by silent sector
the firm dedicated to building world class
cyber security programs
for bedmarket and immersion companies across the us
silent sector also provides industry
leading penetration tests and cyber risk assessments
visit silent sector com and contact us today
and we're back with the cyber rants podcast
talking about suck to audits
and we are going to kick off on
cc five dot one
so we've covered all the way through four already
and remember
this series
we're only covering the security
trust services criteria
because that would be a whole podcast series in itself
of many many
many episodes if we tried to cover all of them
but we'll kick it off with cc five one and koso
principal ten
who wants to go first
cc five dot one
dot one in coastal
principal ten is specifically around risk
so it's about your annual risk assessment
your management review of the risk assessment
pen test tickets related to providing to provision
relating to provisioning of user access
it's basically
we comes down to
you're evaluating the risk in the company
and how you do that is an annual risk assessment
is a third party risk assessment
is it a quarterly risk assessment
do you have a risk register
and that's the essence of cosa principal ten
yeah very well
that might yeah
and and make
just making sure that you've got the
the you know
whatever because
because sock to
just to just as a reminders
not gonna tell you to do pci or to tell you to do
say i asked her to tell you to do iso
it's gonna make sure that you've
you've conducted a risk assessment
in accords with whatever um
compliance practices
you've chosen to implement in your organization
so keep keep that in mind
yeah um we're gonna jump down to cc five
that two which is
go to a principle eleven
then they also selects and develops
general control activities over technology
to support the achievement of objectives
you're going to look at the dependency
between the use of technology and business process
and technology
general controls
that's generally going to be found through a pen test
since the monitoring your kpis for your systems
those sort of things
again we're going to want an annual risk assessment
but you also want to have
relevant security controls around your asset
so you're going to want to manage an inventory
now lot of people put in
you know get kind of scared by this
do i need to have you know
twenty thousand or a hundred thousand
dollar implementation of service now to do this
no excel spreadsheet is just fine
it's whatever that works for you
and just a reminder
in sock to audit
you define the risk
they're just evaluating your ability
to maintain that risk and control that risk
so you know
unless you're doing something dumb
like any on a firewall
firewall so
it's hard to do that anymore
they're all out of the box
like zero access until you enable it thank god
we worked with a guy that thought any
any was the default
should be the default
and i don't remember
you remember him or not
but all i remember
yeah it's hard to forget those who are so brilliant
you know yeah yeah
all about that time i think
oh another time
another time
we should have fireside chats of history as corporate
corporate crap past
one more point
on principle
eleven here
is that it's gonna talk about your acquisitions too
so having having control processes in place for
if you're doing acquisition
so if you're buying companies
and you're acquiring businesses
and you're on that kind of mode
trying to accelerate your revenue
or whatever your purpose is
but if you're trying to achieve sock to
and that's a major part of your organization
is to acquire the businesses
you better make sure you have a really good acquisition
process that includes those
security principles that are lined out here
and in principle
eleven and ten
by the way if you need mma assistance i can
zach can you think of a company
that might be able to help out with that
yeah you know
it's this is a plug
and it's not even
i'm not ashamed at all but yeah
sounds sector
we actually do a lot of that work
we're seeing
and it's interesting
not to off topic
but we do see a lot more companies that are doing
all kinds of roll ups and acquisitions right now
very big in the healthcare space especially
but you know
also financial services and others and that's
that opens up a whole can of worms
so if you need help
if you're representing an organization
that's buying up companies and wrapping them in
you just let us know
we'll be there for you
am i want to add
that's that was
that was a beautiful plug
i think you did that really good
i want i do want to add to that though that
just remember
acquiring a company is
you know you've got this nice clean house
it's a lot like going and
buying a storage shed at an auction and
just kind of holding your breath for opening the door
so keep that in mind
is that you've got to have a good
good cleaning policy
to make sure that whatever
whatever order you're keeping your house
that all of those
those additional businesses fall into that same order
and they don't in
introduce risk into your organization
because that's um
i think that's the
the key point is that anything that happens under
a company that's wholly owned or part
even partially owned
your business
defamation is going to get wrecked
if a company that belongs to you gets
gets breached
so just remember
your name belongs on there too
and the other key thing is that security
infrastructure teams need to be upfront on that
and the lawyers cannot dictate the schedule
for migrations
yeah absolutely yeah
you know mike
that was probably
one of the most
like kingly things i've heard you say but yeah
thank you so much
but he's absolutely right
if you're an it
and you're having to take on these
these acquisitions
put your foot down and slow the pedals
put the brakes on
put your feet out
i don't care if it's barney rubble style but yeah
put the brakes on somehow
and make sure that the pace
is consistent with your ability to not only
adopt and assimilate these technology
but secure them in
in flight and at rest
is where they sit today
so keep that in mind
that wisdom comes with a lot of pain
i could see the scars through your shirt sir
yeah pain is the best teacher
it is exactly
all right on to coastal principal twelve
the entity deploys control activities
your policies that establish what is expected
and procedures that put policies and actions
again documentation
documentation
documentation
this is going to be your security policies
this is going to be policy acknowledgement
from your staff that they've actually read
the security policies
it's going to be hr policies
this is include things like job descriptions
this is security teams assessment
of you know
how you do things
this is going to be review
of the security team's assessment by management and so
those are the key pieces of principle twelve
you need to make sure the policies are in place right
people signed off on them
and they are being followed
so you want to develop some kps out of there as well
yeah those are
those are key performance indicators
for those of you that might not be in the know
just so you know
and don't be embarrassed
of any documentation or policies you have
i know we sometimes
we have clients that are kind of ashamed
of some of the policies that they've
created out of templates they've got on the internet
i that think that's a wonderful step so any
any consulting company that comes on and they shame you
for the work that you've tried to put forth
and laying a risk mitigation program
they should
they should just be fired
so any work that you've done
is better than doing nothing
so we're always going to applaud you
and you should always be applauded
for any type of forward progress
right and that's what's important
is that progress is progress
it doesn't matter how small it is
so even if you just start with a whatever
acceptable use policy
and it's not
you don't think it's good
you know we're our own worst critics
and an assessor
just so you know
they can't really
really kill your policy
as long as it meets some basic guidelines
about what you're supposed to do
and that you can take what the policy says and try to
validate that it's truly happening in operations
and that's really it
so as long as you're not writing it in crayons
on a sheet you're probably gonna be fine
and just remember
no eye contact
yeah yeah true
yeah you know
if you feel like you have to upload it
and it's wrapped in a brown paper bag
and you don't really want anybody to see it
and you're obscating the names of the writers
don't worry about it
you know everybody's got to learn this from somewhere
that's right definitely
it's one of the things that's hugely missing
in our education systems is the technical writing
yeah yeah and that is actually key part of it
and i think we've talked about that before we have
not to kick the sock to can down the street
but here yeah
cc six dot one
we're talking about
logical and physical access controls
and the entity implements logical access
security software
infrastructure and architectures
over protected information assets
to protect them from security events
to meet the entities objectives so
here we're gonna talk about the asset management plan
we're gonna talk about your mfa settings of the orders
can probably want to see a screenshot
or at least see you demonstrate that mfa is in place
or they may ask for multiple screenshots
some of these audits
take up to four hundred pieces of evidence to complete
depending on the auditor
so keep that in mind
now we got system access procedures
networked apology
access review policies
this is gonna be your entitlement reviews
where you're making sure annually
that people have the right access
that you don't have legacy access somewhere
giving somebody access they don't need
you also don't have dead accounts out there
like colonial pipeline
found out about
data classification yeah yeah
yeah i mean
i bring that up quite regularly actually but that's
that's a major fail in your entitlement review
access review policy
data classification policy
and then really key and a lot of people miss this
is the change management policy and procedures
and i can't hammer the home enough
how critical those are
so if you're not managing changes
the auditor like mike is gonna
it's gonna have you for lunch
yeah but if you're not
you're just put
you're just putting stuff in production willy nilly
oh that's nice
if you're not managing changes
the changes are managing you
that's right
that's right they are
it's not a good management
that you thought the kind of management you want either
no so what what what
what do you say mike
to the clients that say i want
i don't have an office
we closed our office after covid
so what's that
what's that mean to somebody who doesn't have physical
a physical location to go to
well then you need a home office policy
to remote access policy
or are you dictate
you know that basically
you know it's the same thing as being in your cube
right we have the same thing going on
you're not you know
farming on facebook and writing report at the same time
on the same computer
you're not you know
it's just how you function from a remote perspective
so that you know
we add that to our acceptable use policies
now for companies that are primarily you know
primarily distributed employees
you know working remotely
so you have to have those controls in place
you have to have them sign off
you obviously can't control it right
you obviously are not going to do visits
to people's houses to make sure that they're doing
what they're supposed to but
you know the intent is that you have that written down
and it's some
it's somewhat of a cya
but it is and i know
one of our millions of listeners
is in his home right now
or her home right now
with company equipment like servers
and maybe a san
or you know
maybe a couple of firewalls
and they're protecting equipment
because the office shut down
and they volunteered to keep it their house
and so you know
make sure you got locks on the doors and you know
simple things like that
maybe some motion cameras up in case you're gone
and someone decides to come in and take it
not that there's
you know gray
or you can't walk for a limited amount of time while
you know things are relocated
or you're finding data center space or
you know um
but anyways sorry mike
oh no worries
i know that's happening
yeah no no worries
um you know
one of the things that c
c six that one nine
is you know
encryption settings and key management systems
they're gonna wanna see your encryption policy
you wanna see your key management policy
they're gonna see how you
if you have a web facing web app that's customer facing
your internet facing
you're gonna wanna show them
they're gonna see screenshots of
you know your keys
or at least the configuration of the web
web server so
for your encryption
so you know stuff
got access to the
you know you're securely storing your
your ssl certs and things like that
and that you've got a couple party control over
who has access to those and
and the encryption
if you want to know where that's relevant
for any of the data that's critical to the organization
and especially in a distributed model
where you have people working from home
there's a lot of theft that's happening right now
especially in a
you know in an economy that's
you know kind of
you know aching
if you will
right people
people feel that burn
and there might be opportunities
for some of the company
assets to be stolen
and you may have this
you know lost profile
and an insurance policy
that may be fine
but you don't want the data to be obtained
if at all possible
so you know
encryption and managing
encryption keys to your ssl
and then also to where you're having
you know hopefully
laptops and
mobile phones
to employees
you're protecting the data from
from thievery
and thieves who may
may take it
and be able to access it later
that's why i keep my ssl certs
and a lucky charms box above the fridge
no you nobody keep mine
look there i keep mine in the in the
in the broccoli bag
the frozen broccoli bag no one's going in there
bold strategy there you go
you're going to want to end six tattoo
you're going to do
prior to issuing system credentials
and granting system access
the entity registers and authorizes
new internal and external users
who access is administered by the entity
those users who access
whose access is administered by the anti user system
potentials are removed when user access
is no longer authorized
long story short
you create a unique id for a new user
you make sure that users deleted
when they're gone
you're gonna have some sort of documented
asset management
access management procedure
you have a password policy
that sort of thing
but you're also going to want to have
an onboarding and off boarding policy
so this is the process
when you know
user a gets onboarded into the company
after hr has done their due diligence
what are the next steps
is it security training
then provisioning
then you know
how all that works
and how they get access to their systems
and what they need to be working on
likewise there needs to be a checklist for termination
to ensure we don't have any
straggler accounts out there
of users that aren't supposed to be there so
six on three yeah
the few of these are all physical access controls
i think the next several yeah mike
so i guess just for that
just you know
making sure that you're restricting access if you are
if you do have a facility
that you're restricting access from
authorized personnel
there's a lot of homeless now
we have actually recent client that's had some problems
with the homeless around their location
which is interesting
so now that gives an example of putting up a fence
but if you're itar or you're doing dod work
and you've got a physical building
obviously then you're probably
you know doing
already doing some things
but um the the important part here is
even if you have just a hardware closet um
so if you've got a satellite location
where you've got a little closet
and there's maybe like
a couple switches and a firewall there
you still want to make sure that
that telecom closets locked
and that only certain people have the key
so even if you can prove there's not a lot of data
or there's nothing significant
of risk happening to the business
and an auditor is going to frown upon the fact
that you have unchecked and unchallenged
physical access
to any type of devices that belong to your organization
as part of the whole architecture
even if it's just a stupid little for
that's got access to a firewall
they're gonna lose their minds
if they see that that cabinet's unlocked
so make sure you find some way to deal with those those
those devices that you might not think are of concern
they will be of concern when
when mike shows up
i think there's
they've kind of stopped doing the on sites for stock to
maybe they'll start them on
but during twenty twenty one
twenty through twenty twenty two
there were no on site audits
true but when
when you're in the inquisition you're
you're compelled to tell the truth right
and so i mean
that's kind of where we get that from
people are like yeah
we don't lock them
you can just walk up and open the door there
yeah and then a lot of concerns around
you know the production of
protection of production data
so that's we're gonna have things like your
asset management policies and
and you know
asset owners and your rback schemes
which is going to protect your data as well
so those are going to be important
for the soc two auditor to see
six dot four is the big one
where we deal with data centers
so if you've got everything in aws or azure or google
or wherever that are soc two data centers
what you're gonna do in this case is simply say
you know physical access controlled by the data center
aws or whatever um
and that you're able to offload
all physical access to production data to them because
no one's getting to your servers
because it's on an aws data center or what have you
yeah they'll probably want your roster
of authorized personnel to the data center
but i think that's probably about it yeah
so that's really the way you offload that control
i think the same thing with six five dot one
you have your data security policy but again
that's gonna offload part of it into the data center
so that's six dot four
and six dot five are pretty much the actually
and six dot six is the same you know
entertainment's logical access security measures
protect against threats from sources
outside its system boundaries
so that's going to be your network security policy
that's going to be your firewall configurations
that's going to be your tls
encryptions can be eminem evidence of mfa
implemented
so that's all about your network security policy
your authentication policy that sort of thing
so keep those in place and updated
six dot seven talks about the nca
restricts the transmission
movement and removal of information
to authorize internal and external users and processes
and protects it
during transmission and movement or removal
to meet the entities objectives
that's where your acceptable use policy is
your employee acknowledgement of policy
you know screenshots showing sftp
evidence of control in place
to restrict usbs
mobile device assets
you know your mobile device policy your byod policy
all those things
will augment how data is used and protected
but specifically six dot seven three speaks to
protects removable medialet
that's basically usb drive backup tapes
if you still have backup tapes as appropriate
so six dot seven four deals with your smartphones
tablets that sort of thing
got a tape silo with a robot arm
only it's microwave pizzas put some in the oven
just remember sitting in server rooms
changing tapes geez
it's just like flashbacks yeah
our grandparents had to roll the tapes on a big cart
like two of them
you know what i mean
yeah oh yeah
yeah yeah
so so question here i just
i'm gonna ask it because i'm sure probably
some people are thinking that usb drive security
do we really need a usb
do we really need to be concerned about usb drives with
with sock to and
and data loss
how do we well
it's a primary deal
data loss policy
and so if you're dealing with regulated data
pci hippo what have you
you want to be able to show that you can prevent
a user from just plugging in a device and
downloading a bunch of data and walking away
so you can possibly allow usb
if you have controls around it
you provide the usb
you activate the usb port as needed
or you have some kind of dlp control on there
which prevent
the regulated data from getting to the usb drive
so um so again it's up to you
you define your risk
and then you put the controls around it
and the osaq
two auditors
is going to go ahead and look at what those risks are
yeah and in the meantime
if you're wondering if the usb is a threat of that
then somebody plugging in a thumb drive
and pulling your data over to it
check out the bash bunny from act five
mmm hmm oh yeah yeah
and you know
i think that's part of our physical pen test
we try and get usb drives where usb drive shouldn't be
so and the bash point equipment along
if i'm wrong
or can it works
the os level correct
that's correct
it interfaces right with the hardware
and it'll set up a
like a ssh server
which is cool
so you can log into the back of the computer and
walk away and come home later
and remote into the machine
it's really beautiful
yeah so keep that in mind
and the rubber ducky too does that
as well as the bash bunny
and then there's land turtle
there's all sorts of tools out there that
we'll circumvent the controls that you have in place
that's why physical access controls is so critical
yeah especially to the usb drive
so don't forget about it
usb c is even
you know gonna be another one right
so luckily for us
right now most of the tools that deploy these
you know that
the sophistication is limited to usb right now so man
you have to use a dongle if you want to deploy to usb c
it hasn't doesn't really work like it should but
but that may be the next evolutionary step right
as apple and other organizations
tend to try to move the architecture towards usb c
and this kind of bastard
yeah then what am i gonna do with all of my usb cables
if they do that
i was gonna make a friendship bracelet out of mine
yeah i guess i don't do that
it'll probably be like a survival rope or something
maybe like a new winch line
instead of paracord you're using usb cords yeah
yeah exactly like
six nine eight one
the entity implements controls to prevent or detect
act upon detect and act upon
the introduction of unauthorized or malicious software
to meet the entities objective
just a fancy way of saying you need your av controls
and your anti malware controls
you're gonna want to show them that they're there
you can probably screenshot a couple employees and say
you know here it is
and yes they can't turn it off
because they don't have local admin
you need a policy around that
most auditors work on a twenty percent rule
so if you have a hundred employees
they're gonna want to see twenty of those twenty
pieces of evidence
they want me to look at ten or five
but they're gonna want to see evidence so
and they may randomly choose
or they immediately let you choose so
every auditor is gonna be different
definitely and i will say that
if you say that everybody has administrative access
that's pretty much an automatic fail
doesn't matter what
what it is you can't
you can't give everybody admin access
they'll circumvent all the good controls
that you spent your hard earned money in
processes to implement
yep that would be a finding
or as jeff foxworthy would say
or which one of them would say here's your sign
well
that is a wrap
will pick up on the next episode on cc seven dot one
and dive into some systems operations talk
a little bit about that more
but any final words of wisdom before we jump off
yeah lgbt is not gonna replace humans stop being scared
yeah yeah just thinking back to wayne's world
we fear change
um a bunch of sheldon's running around like no no
i can't get over the fact that series not gonna be the
the ultimate
de facto of artificial intelligence in our world
exactly yeah
so it's been around for a while
it's not going anywhere
but i do agree that i need to be some controls in place
i mean especially since
the political views of some of the
the developers has been
have been leaking in there
and you know
and all the sensationalized story about how i want to
you know chat beat gbt
coming out and say i want to kill all humans
you know that
you know been to
the robot said that
but i'm not sure that chat gpt really did so
yeah i don't think so either
i think that you can
you can manipulate the arguments to
kind of get the data that you want
so what's important is that you're
you're using it for
you know just like anything else right
it's a tool
and you know you
you can have a
you can have a really cool
fancy tool kit in the covered
but if you're still
you know banging a nail in the wall with a hammer
you know there's
you know what's it
what's it gonna do you so
right use it to be constructive
and i think that's where the benefit really is
is that to help us achieve kind of next stage
next step items that we weren't able to do before
so the bigger concern i see with it though
is the people that feed regulated data into chat gpt
to circumvent them doing their own work
right i need a report
here's all the data
go ahead and chat gpd do it
because that data stays in there forever
that's true
so that's that's very true
and then and then
now you can actually
ask for someone's social security number
within the chat gpt text base
and probably get it if it
yeah access to it
right so right
i think yeah
limiting living
what people are uploading to it would be helpful
but but at the end i mean in the end i guess that
i don't know we'll be able to stop that from
from happening
it may eventually crawl a public you know
database of pii well yeah
that was a big final thought
well i say it's a beautiful business model
you know its users are feeding it
making it more and more smart more and more valuable
right and people running that
i mean you know why didn't we launch that
i don't know
but anyway well yeah
it'll be interesting
interesting to see how the world adapts
and we got a interesting
few years ahead
so with that being said
thank you for joining us on cyber ants podcast
be sure to rate the episode
share with your friends
go to cyber ants podcast com
you'll get the
links to the news articles that mike shared
and we'll see on the next episode
pick up your copy of the cyber ants book on amazon
today and if you're looking to take your cyber security
programs to the next level
visit us online at silentsector com
join us next time
for another edition of the cyber rants podcast