Episode #97 - How to Prepare for Your SOC 2 Audit - Part 5

welcome to the cyber rants podcast
where we're all about sharing the forbidden secrets
and slightly embellished truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
mike ratando
zach fuller
and laura chavez
hello and welcome to the cyber ants podcast
this is your co host
zach fuller
joined by mycrtando and laro chavez
today we have another episode
that may very well wrap up our sock to readiness series
or sock to preparation series
i should say
and we are going to dive into control categories
seven and eight
maybe even nine as well
and finish it off
so we're looking forward to that
and before we do
mike why don't you kick us off at the news
we all know it's tax season
of course coming with tax season is tax preparation
e file service
e file com compromised to serve malware
e file com the personal online tax preparation
e file service authorized by the irs
was spotted serving malware to visitors
the service helps taxpayers to file returns
e file was first compromised in mid march
and was sanitized only this week
according to researchers
in the attempt to load the website ephile com
appears to redirect to a fake network error page
claiming that a browser update is required
to access the site
providing a link to download an application
called installer
installer exe
or update exe
depending on which browser is used
the attack involves two main executables
the update exe
which acts as a downloader for a php script
communicate with a c two server
php script downloads and executes additional code
during the installation of an update exe
basic system information is sent to the attacker
and the back door is made persistent
via scheduled on boot registry entries
update exe is actually digitally signed
with a valid certificate from
a chinese science and technology company
i'm gonna try and pronounce the name sorry
doj news genesis market sees an operation
cookie monster
doj confirms
a coordinated effort has brought down
the largest criminal marketplace for stolen credentials
genesis market launched in march
twenty eighteen
advertised and sold packages of account
access credentials
which the threat actors stole from global victims
after infecting devices with malware
including usernames
and power passwords for bank accounts
social media
and email accounts
credentials included those for critical infrastructure
industries as well as federal
state and local government agencies
user friendly
cybercriminal users could leverage the market
to search for stone credentials based on location
or account type
it was also
seen as one of the most prolific initial
access brokers in the cyber crime world
at the time of seizure
the market was offering
access to data stolen from more than one point
five million compromised devices
and over eighty million account access credentials
doj notice on april fifth
follow several reports that spotted
an fbi sees you notice on the dark website earlier
that morning
the log for ja vulnerability is being targeted
new malicious campaigns
dub proxy jacking
where adversaries attempt to install the legitimate
network segment
segmentation tool
called proxyware
on unsuspecting victims
in order to resell the target's bandwidth
the research team
which identified the technique said
adversaries are targeting millions of systems
still vulnerable to log four j vulnerabilities
twenty three thousand
unpacked systems
are vulnerable to log four j still
and reachable via the public internet
researcher tricks
chat ept into building undetectable steganography
malware security
researcher tricked chat
ept into building a sophisticated data ceiling mall
where that signature and behavior based detection tools
won't be able to spot
alluding the chat bots
and anti malicious user protections
without writing a single line of code
the researcher
with no experience developing malware
walk chad gpt
through multiple
simple prompts
that ultimately yield
a malware tool
capable of soundly searching a system
for specific documents
breaking up and inserting those documents
image files
and shipping them out to a google drive
in the end all of it
all it took
was about four hours
from the initial prompting to chat gbt
to having a working piece of malware
with zero detections
to test if the malware tool
detection tool
with malware detection tools
would flag the chat ept
generated code
as malicious
researchers
uploaded the code to virus
total you found that
five vendors
out of sixty mark file
as suspicious
after figuring
out the issue
might have to do with how
the chat gbt
code called the state i
free library
muggrew asked
the chatbot to tweak the code
after which only
two vendor products flagged
that suspicious
after some further tweaking
he finally ended up a code that
no products
on virus total detected
pretty scary
sound familiar oh yeah
rising industrial tax
requires supplier
with ot smarts
more threat actors
are dedicated to attacking industrial organizations
and that increasing volume
and sophistication of attacks
the number of us based
threat actors
dedicated to attacking industrial
organization
has grown by thirty
five percent
over the past year
driving an eighty
seven percent increase
in breaches
over the same period
to make matters worse
attacks often launch
automatically
without the user
having to click a link
or open an attachment
the age of critical assets
such as power plants
and pipeline
makes protection
protection challenges
since much of the supporting infrastructure was built
put in place
more than two decades ago
so because the older
critical infrastructure technology
tends to run on traditional communication protocols
that aren't
ethernet based
and were designed
with security in mind
legacy plc and
ics equipment
was designed
with a singular purpose in mind
the digital
transformations
requirement
to open up those
legacy systems
provide data
due and from
the erp layer
has introduced
an additional element of cyrus
to industrial customers
and lastly fake
ransomware gangs
target us orgs
with empty data
leak threats
i knew this was coming
eventually fake
extortionists
are piggybacking
on data breaches and ransom
more incense
threatening
us companies
with publishing
or selling allegedly
stolen data
unless they get paid
sometimes the actors
even add the threat
of a ddos attack
if the message recipient
does not comply
with the instructions
of the message
the attackers
behind this activities
then named midnight
and started
targeting companies
in us around
march sixteenth
they also have
impersonated
some ransomware
and data extortion
gangs and emails
and claimed
to be authors
of the intrusion
stealing hundreds
of gigabytes
of important data
in one email
to the employees
of a holding company
in the history
of petroleum additives
the threat actor
claimed to be
the silent ransomware group
a splinter of a
conti syndicate
focused on stealing data
extorting the victim
also known as
luna moth to
long story short
now we have
not only real
cyber attacks
we got fake cyber
attacks real quick
there's a couple
good headlines
fed sees a hundred
twelve million
from accounts
used in crypto scams
there is an hp
critical bug fix
on their printers
there is a new ransom out there called warshack
if you're familiar with the inkblot test
that's what it's based on
and then hackers can open next garage doors remotely
and there's no fix
so there you go with that
let's head over to laurel's corner
awesome mike
thank you for the news
and welcome to laros corner
where we're gonna talk today about an
a phone call that i got in panic from a friend of mine
so let's all sit criss cross applesauce
as we cruise on autopilot through today's topic
so where does this come from
well i'm glad you asked
like i said
i had a close friend of mine
who works as an executive at a really large company
that everybody knows
but we're not in privileged to name at this moment
that called me up earlier this week
he was on the toilet
point in fact
with soiled pants around his ankles
no kidding asking me about a text he got to his phone
and the fact that he had clicked on the link
and he's frantically asked me
what happens if i clicked on the link
what happens if i clicked on the link
and he kept repeating this over and over
like some entranced lunatic
so after i was able to get him to calm down
by talking him into wiping
thoroughly ditching those soiled pants in place
and make way for the shower directly
finally i could have a conversation that was meaningful
and actually get to the bottom of what happened
while i do admit
all this was really awkward
over facetime video
now my friend told me about the message you got
stating something about
youtube's monetary policy change
and from the fact that it was from a valid
youtube email address
interesting
he told me that
i checked the header
he said look
i checked the header
it was a youtube email address
and i asked what happened after he clicked on the link
and so he told me
he goes well
i clicked on the link and asked me to download
this password protected zip file
and i said yes
and that the
zip file was supposed to include the terms of service
for the monetary policy change
from youtube
and he said so why
i allowed the download
and he goes
and once i downloaded i panicked
stopped everything that i was doing
and i called you
and i said well
technically you you
you shot yourself
and then you called me
but who's counting here
so let's talk about this for a minute
now there are enough videos out there
this is a legitimate attack
this youtube terms of service
bounce from a share link
is something that is happening out there
so if you are receiving these emails or texts
there's a lot of youtube channels out there
that can talk you through what this actually is
and how to detect it
but really i want to talk about
situational awareness
is your best defense
and if something feels strange
it may be certainly worth a few more moments
of analyzation
before any decisions are made
all you can do
is really just take a breath right
all the cool tools
in the world will not substitute for you
and your keen sense of
something is weird
that's okay
right so i want to shift gears here
let's talk about
how do cybercriminals get in
what makes them successful
and i want you to know that they actually
need your help
they need you to click on something right the
the successful attacks that require no user interaction
or zero click attacks
right those are few
they do exist but
but there's not much we can do about
about those types of things
except wait for the vendors and wait for patches
they're not as common
so let's focus on what is the most common
so there's usually two pitfalls to getting owned
okay again cybercriminals need your help
so there's the first
is that you need to click on a link
okay they need you to click on something
they need you to interact with um
some logic that's going to send you someplace
okay or or send you someplace
that's going to give you something
or send you someplace
that you're going to give something
the next step is really
what that is
is you're going to either enter
your username or password into a fake portal
that might ask for your multi factor code afterwards
or you're going to be asked for a download
much like what mike said here
there's an update right
in order to view this page
drive by malware
you're going to be asked to download a file
and that's exactly what happened here with my buddy
so remember
there's this user interaction step
that's required from you
you have to be tricked into clicking a link
and then interacting with something
again giving information about yourself
or accepting the download of a file
okay so now let's get back to this
so this file
that was downloaded needed to be opened with a password
my friend did not do that
so right here
we've engaged in step one
we have the file on our computer
but we haven't opened it and executed it yet
so that's a good thing
okay we haven't done the secondary step here
necessary for us to be owned
and implode in our own computing resources here
so i think this may be helpful
you know for you to understand
to be better prepared
and better protect yourself
your friends
and your family
remember cybercriminals need you to act on their behalf
they can't do all this all the time on their own
there are seldom opportunities for cybercriminals to
not need your help in order to compromise a system
tips don't click if you download
if you do click and you download
don't open okay
if you do click
and you're sent to a portal
and you feel like you've been compromised
because you did enter using your password
make sure you go to the services and try and attempt to
contact support
and change those passwords immediately
as you can use services online
if you get download files that are suspicious
use services that are
like unpack me
it's a forensic service online
you can give it any kind of executable
it'll tell if it matches malware signatures or not
virus total
might mention that in the news article today
another good place to look
for these types of files
that might match a malicious signature
or you can just do what i do
to stay protected
and just never open your email ever
which is probably why
i have no idea what we're talking about today zach
i think we're discussing the plans
around guiding feral cats
up a narrow cliff
in the andes mountains
attempt to achieve access
to the sacred cat baths
that live atop the mountain
i think some call this sock too
yes you're close
i don't know about the whole cat thing
but maybe we'll see where it goes
i mean you know anything could happen
on the cyber rants podcast
so appreciate your wisdom
and i'm sorry for your friend and his soiled pants
hopefully he was able to get those in the wash
and taken care of
or just toss them foxy clean
you know when that happens to me i just throw them away
that's like once a week
that's got to get expensive by now
yeah it does
it gets very expensive man
well that being said
let's take a quick break
you can run to the restroom or whatever you need to do
and then we will be right back
with the cyber rants podcast
talking about sock too
want even more cyber rants
be sure to subscribe to the cyber rants podcast
get your copy of our best selling book
cyber rants on amazon today
this podcast is brought to you by silent sector
the firm dedicated to building world class
cyber security programs for bidmarket
and immersion companies across the us
silent sector also provides industry
leading penetration tests and cyber risk assessments
visit silent sector com and contact us today
and we're back with the cyber rants podcast
be sure to check us out at cyberrants podcast com
and give us your thoughts and questions and ideas for
future topics
all that good stuff
with that hey
we're back to sock two again
let's see if we can make this our final week
and if not hey no rush
we got lots of time here
so let's start out with cc seven dot one
and dive right into systems operations
what do you say
sounds like a plan
here we go with seven dot one dot one
basically we're going to talk about detection
and monitoring procedures
to identify changes to configurations
that result in the introduction of new vulnerabilities
and susceptible
susceptibilities to newly discovered vulnerabilities
basically you're looking for a security baseline
you're looking for your monitoring tools
you're gonna look for
those sorts of things
it change detection mechanisms like fem
now i know a lot of people want fem
it can be a pain
but it's gotten better from the old tripwire days
where you would just simply be bombarded with data
and to the point of being unusable but what
basically what you're looking for is change detection
so something to do
some sort of baseline that you have created
be it a scan be it a
risk assessment
some sort of baseline that you need to have in place
yeah definitely
vulnerability scans
i think is the other major component of seven dot one
and for those that get involved in sock two
this is one of the operational
proactive activities that we do approve of in sock two
because you do need to conduct vulnerability scans
as part of this
to make sure that
you know again having an agent on the on the
on the machine that tells you that hey
this is the status
this is the patch status
that's not necessarily vulnerability scanning
and it doesn't necessarily look for
new threats that might arise after changes go through
for some of these hosts
like updates and patches
um one of the reasons that the three cx um
trusted software breach was detected
as it was an update package that acted strange
right and the heuristics picked that up
so thank goodness for that
so again change detection is
is important
and vulnerability scans will help
help get you there
yep and then we jump to seven dot two which is
again we're talking about monitoring system components
and the operation those components for anomalies again
it's just basically the same thing that we're doing
again we want the baseline
we want an example of a
they're going to want an example of a ticket
where you've seen an anomaly
and what you've done to address an anomaly
you know was it an incident
was it investigated
they want to see your triage process
so so tie back to instant response
but really right now we're just focusing on monitoring
and logging and detecting so
and so for seven dot two
seven dot three
that's where they want your ir doc right
so the ncaa evaluates security events to determine
whether they could or have resulted in a failure
of the entity to meet its objectives
basically security incidents and if so
takes actions to prevent or address such failures
that's gonna be your instant response document
that's gonna be a riskless response
one of the key things is they want to make sure that
security instances are communicated up
chain of command to the board
or whatever your responsible management
team is that would need to review those things
so they can be addressed
from a strategic and corporate level
yeah and you know
just to add on to that
mike there you know
the really seven
you know seven four
seven three
seven four is
is all about that
that incident response process
and and making sure that you're practicing that
and that it enables you to understand
contain and remediate
and then communicate those incidents back
and do that cyclical activity
and and really
not to digresp it
but to back up to seven two about the sim
that's you know
the correlation of event logs
is something that you're going to have to do sometimes
your tools may
if you got sas tools
they may have alerts built in
and you can get an email alert if
like an agent doesn't call home for two days
or doesn't get an update for a week
or it gets uninstalled
something like that
right because you've got administrator
privileges on their user machine
still you're going to get some alerting
but that's not necessarily
the same as watching all the system logs
and those activities
that are on the base operating system
as well as the applications that you're installing
for epp so unfortunately
you may need to consider a sim
or a sock or both
for seven dot two
if you don't have it already
and then jumping forward to seven dot four
the entity responds to identify security instances
by executing a defined instant response program
to understand
contain remediate
and communicate security instances as appropriate
there's a lot of evidence they can ask for here
in this one
first of all
we want to make sure that you have assigned roles
and responsibilities to address these issues
recommend you do it
by group name
not by name
it's not jim or jane
who are going to respond to this
it's going to be
the helpless team
is gonna do triage
and then we're gonna go to level two for this
we're gonna get the security engineers for that
they want to see that you've mitigated
ongoing security instances
and that you've end threats posed by security
and says they're also going to monitor your controls
that are in place
so there's a myriad of sets of evidence
that can ask you for this one
things are also going to ask you for
is your backup schedule and job log
to make sure that you have
backups in place of some kind
in case your evidence get or your
your data gets ransome
your data gets corrupted
you know whatever
what have you
so those are all important things
as far as seven dot four is concerned
some evidence that they
that we've seen them ask for
and you might
you know add some here to mike
was tickets
that showed that incidents in logs were identified
and then like
the outcome of that or
you know meeting notes or recorded files
that demonstrate that you
you had these incident response tabletop exercises
if there were no incidents in the time that
they're asking for field work
have you seen any
anything other else might
for something that for
no i mean like i said
there's a myriad of
said a myriads
have evidence i can ask you for
so you got to have this instant response process
nailed down pretty hard
and ir tabletops are a great way of doing that
to ensure that you actually
you know i have walk through these
because everything looks great on paper
but when you actually hit
you know an actual incident
then you're gonna see something different definitely
as laurel evidenced earlier in laurel's corner
that incident response plan was
not very well thought out
so yeah the nci identifies
ask questions later
you know what i mean yeah
seven o five about one
the mc identifies the bobs and implements activities
recover from identified security incidents
this is gonna be your sdlc policy
your sdlc procedures
evidence the
supporting the fact that you follow those
it's gonna be change management tickets
it's gonna be your annual instant response test
and results
example process being filed
example root cause analysis
example of roll black rollback
plans for changes
so basically
it's how do you
how do you handle it when something goes south
this is really what they're looking for in seven dot
five yep which
which brings us into eight
change management
yeah super important
ensuring you making consistent cookies
you know what i mean
so this one
eight one just simply states
the entity authorizes designs
very important here
designs develops
or acquires
configures documents
tests approves
and implements changes to infrastructure
i'm almost done
data software
and procedures
to meet its objectives so
all of those items
have to be considered in change management
and it doesn't exempt none of these
you know basically doesn't leave you a place to exempt
activities that might be going on in your environment
to get around the change management process
they're trying to be very thorough with the language
to make sure that everything you're doing
is following some form of change management
right and don't worry about the request
that we see for the stlc policy
because if you're not developing software
then it's pretty much irrelevant
but change management is critical
and document and change management
a lot of the smaller companies we
we go into where there's a lot of tribal knowledge
right and there's no checking
it's like we've been doing it for twenty years this way
or ten years this way
so yeah we know it works
and it's like
is it written down no
so make sure it's all written down
yeah if you're making changes to your firewall
and you're not recording the changes you make
or asking for approval to the changes
that's a great example of something that is probably
going to come up in evidence
that's not going to favor you
so so bear in mind that you know
change management applies to
everything that you're doing
so a new user coming to the network
but that's a change
changing the software on users desktops
that's a change
changing a firewall rule to allow science sector
to come in and do the internal pen test
that's also a change
and while i do appreciate
the speed and haste of some of our clients
in allowing this
and i would also appreciate
the fact that there's a ticket someplace
even after the fact
that was an emergency change
that allowed the firewall hall
for us to come in to do our services
however all these things need to be accounted for
it's very important
because the assessor is gonna ask you specifically
how your handling changes
and to demonstrate some of the last changes
for various humans and technologies
and even network changes
so make sure that you've got change management
hammered down
even if you're a small shop
and you're just using checklists
that's okay
have something
yeah and keep in mind it's
anything you do during that audit period is fair game
so fair game
all right so we're on the cc nine
which is risk mitigation
the entity identifies
selects and develops risk mitigation activities
for risk arising from potential business disruptions
disruptions
you're looking at the back recovery document
your business impact analysis
all these critical things that you should be doing
you need to know
what the impact is going to be if there's a disaster
both from a financial
you know productivity
user perspective
so those things are critical to know
one of the things that you really need to know
and identify
is what systems are most important to come back up
and in what order
in case of a disaster
now some of this has changed because
you know distributed workforces
infrastructure on the cloud
as opposed to a legacy infrastructure in data center
or non prime data center even
but it's still critical to know what to do right
you don't want to make sure that your
your facebook connection is the first thing comes up
that's not it
you know you need to make sure
maybe your accounting system maybe your
you know the application
or whatever you do that makes your company go
so that's what bias are for
yep and nine twos gonna add on to that
essentially
and say that you need to manage
risk associated with your
your vendors and business partners
and that that's the whole vendor management piece
of making sure that your
vendors that you're doing business with
and new vendors
go through some form of vetting process that
to help the business understand what risk is involved
with the nature
of the connections that you're going to have
or just the nature of the data transfer
that might occur between the organizations
um keep in mind that you know
you have to address risk mitigation for your business
and then also for
any third parties or business partners that
that may be interacting with your business
it in a current state or future state
and and you'll be asked to demonstrate those right
they'll ask you
for the ancestors gonna ask for how your
how you're addressing vendor management
and how you're on boarding vendors
or acquiring services
if there is a security or risk review that happens
prior to that
that engagement
so make sure that you have that don't let
don't let various business compartments you have
essentially
go out and acquire services
that you might not know about
this is kind of a typical thing that happens
where the bues have their own budgets
and they can kind of go out and get
whatever software that they want to use
and start using it
that's highly frowned upon
for a couple reasons
is that it's real important for
not only risk management but um
for proactive cyber security in general
to know where all your data lives
and what all service hooks
that you have to your technical infrastructure
so you have a procurement process
you know don't stop people from doing
from being able to do their work but have
have an agile
efficient procurement process
that vets a vendor
have some security requirements involved
and depending on the type of interaction
that's going to happen between the companies
maybe a third party questionnaire
or security questionnaire
that maybe goes out
or some additional analysis
that maybe looks for um
governance framework
compliance initiatives
that are signed by the business like
like sock to
or iso twenty seven thousand
or a myriad of the other things that might be out there
that they attest to being compliant with
so that that may help
but you're gonna have to demonstrate this
to the assessor for
for field work
so um risk mitigation
and again you know
there's a lot
you know mike would
michael conclude
there's a lot of
you know there's nine dot
one dot two
nine dot three
there's you know
all of these subsidiary
controls underneath the
risk mitigation
nine dot two
but really that all
bundles up into
vendor management
vendor risk management
having a risk management
business continuity plan for yourself
making sure that you're doing those tabletop exercises
and make sure that you're creating tickets
or recording
when you do investigate an incident
and because
if you can't prove that you've done it
you're probably
gonna have a difficult time
succeeding with sock to
and the assessor
when they're doing a field work
one of the big things too
is that you see that a lot of people are reticent
to reach out to the awss and azures of the world
and ask for security questionnaires
you're not gonna get them back from them
you need to show that you've made the effort
that you've gone to their website
you've looked at their credentials
and validated that they're in fact
you know stock to compliant or what have you
um but um keep in mind those guys get bridge too
so you are responsible for
you're responsible for security
inside the systems as well so
yeah definitely
i think one of the
one of the major
things that we identify when we look at vendors
or do pin tests with cloud vendors is they
they have that
that assumption mike
that you know
amazon ewx or microsoft
azure is gonna take care of the security on my
my server and make the updates for me and all that
it's completely wrong right
they put it up there and it works
and then they completely forget about it
they're like a
amazon's taking care of it
it's just yeah
they're taking care of it
in the deprecated state you set it up in four years ago
which it still exists in
you know yeah
you need to
and then you know
i'm amazed at so many people that
don't know the bolt on security stuff that
that's available to them like cyber
cyber guard or cyber watch or whatever
you know their ids
ips iteration and things like that
i mean there's
there's tools out there that they
that both azure and naws and google to some extent
have to protect your systems
and you need to bolt those on
because anything in those containers
anything in those cloud environments is a target
so yeah that
they have it
but that just doesn't come with your
your cheap subscription that you're getting
just to get by with
so you know
you got right that
unfortunately
but right and
and regardless of who you are
cyber criminals are scanning those environments
and so if they find a vulnerability in
xyz widget company
and in matter that you sell widgets to two people
if you're exploitable
they're gonna try and exploit you
be it for bandwidth or what have you
crypto mining
the bot army
the ever growing bot army yeah bots
well and don't forget about your application pen test
too right i mean
this is not this control
but that's just piggybacking on that misconception
people forget about everything
they just put on top of that aws environment
at the application layer
so you know
make sure that you're testing
from a security standpoint and doing the right thing
so with that
do we have that's
i mean that's a wrap
unless you have anything else to say about nine dot two
i mean we are done with the security
trust services criteria
at least for purposes of this series
yeah it was a lot
you know and i think that
you know if you're
if if this is something that
you know you're having to
to be a part of it's
it's important that you
you get a hold of this and read it for yourselves
and reach out to us with any questions you know
or just somebody that's
you know knowledgeable on the questions about
how to achieve compliance in some of the areas here
because it's
it's difficult
and then you know
remember that it's
it's an annual
it's going to be an annual
reoccurrence
i know mike
some companies do it every other year
but that's frowned upon
if a new business asked you right for your sock to
and it's like over
it's like eighteen months old
yeah it's only good for twelve months
yeah you gotta give it up
you know you're just like
it's like having a pen test over
when you get asked for your
your last pen test and it's like three years old
right right
yeah no it's an annual thing
just like your hip assessment
just like your nest assessment
just like your pci assessment
once you start down this road
you know there's no turning back
it's like going down the road to the dark side
it doesn't but you know it's just
keep in mind
you know we've talked about this
this you know sock to audit all
you know for the last couple weeks
but keep in mind auditors can ask whatever they want
you know we're giving you an idea of what we would ask
and what we've seen ask before
but you know
some order may come out of left field and say
i want this
and you know
if it's your main to what they're doing
then what you're doing
then that's what it is
they may want to look over your shoulder and you know
look at the credentials live
so and then
but way back before covid
i don't know if anybody remembers that in twenty
twenty they used to do on site visits
i don't know if it's gonna start up again
but it might
so well keep in mind
tell me about the old times poppy
yeah they they
what if you get three onions for a nickel
mcdonald's had a dollar menu
you know what i mean like
they're there
one of the i think the cool tactics
i don't want to call it cool
it's probably wrong term to use in an audit
but one of the tactics that i saw an auditor
using recently
in a sock to audit that we were sitting on
is after they asked all these questions
through the framework
they went back and said
i'm just gonna ask you a series of question
i just need you to tell me yes or no okay
everybody has administrative access
to all their workstations right
and if i was like yeah
wait wait wait hold on
that's a question
no no no they don't
so they went back and asked about
thirty five or forty questions
that go over the controls
to see if they could get a different response
out of the team being assessed
so they are
you know because you know
you know we'll tell you like anybody else tell you
you know you only tell nader
the bare minimum of what they're asking for
and you don't try to divulge
a bunch of random stuff that's going on
unless you're somebody whose name starts with the knee
that we used to work with
mike then just tell the auditors anything they wanted
he was an open book
head on his chest
he just rip his shirt open and be like here
you can read every dirty thing we have about us
right now it's on my chest
um so but the auditors have clever tactics now
to go back and
determine if you were giving a scripted answer or
you actually know
so again this was kind of an interesting tactic
i witnessed occur
i was like oh
it's like the cops asking you like
so what time are you here
tell me again
what were you doing yesterday
you're eating a sandwich
what kind of sandwich was it
was it crust on
or did you cut it off
because before you
didn't you cut it
yeah so don't answer questions you're not asked
really don't volunteer anything
but you know i was be honest
but you know
and there's also
there are those auditors that you know
had a degree of in depth and you know integrity
and they were literally looking for
you know compliance
there are other auditors out there
and i do not recommend them
but they're fly by night they'll
they'll write the documents for you
sign it off for it
you know you got companies out there that
just prepping this stuff and and
and have it all canned and
and their advertising on facebook or craigslist
for this type of stuff you probably shouldn't
probably shouldn't yeah
so they're getting right
you know random cpas that sign off on things for a fee
that's all there is to it
i mean it's not like there's other real firms
you have to be careful out there
as well i mean if you're looking for
just check the box and that's
that's the guy for you
he's looking for a check in box
i don't know that we'd want to work with you
so yeah well
you're gonna be liable in a court for negligence anyway
so right that's
certainly don't want to work with you
but yeah if you're
if your sock to auditor got
you know had his resume on
on craigslist and you picked him up off
looking for jobs to
right you know what i mean right
you probably
probably think this like
you know again
you get what you pay for
and you know
unfortunately the cost of sock to
to play that game is gonna
you're gonna have to just
add it to your operational budgets
and get with the firm that you are comfortable with
that is not trying to be combative
or you know
is answering you
and make sure they're answering your questions
they're educational
that you have a good relationship
it's a relationship
so it's like dating somebody
so make sure that they meet the parts of your business
and the culture
because you're gonna have to pay them year after
year after year
so make sure that you like them
and they're good
so and and and
and again you know pick your
pick your assessor
not based on what they're gonna charge you
but what that relationship is gonna look like and
and that should tell you what the future
in the next ten or fifteen years
of soft to compliance
for you and your company's gonna look like
yeah you're better off getting a strict auditor
for your first audit
and taking that first year of pain
or eighteen months of pain
and getting it done
and being right
and that'll make your life much easier for years to
through whenever
so till they come out with some other
latest and greatest audit that needs to be done
in steps out
instead of sock to
yeah take your lashes
and just do the work
take the blisters
dig the hole
and once it's done
then you know
it's easy to fill it with concrete water
and enjoy a swimming pool
yeah so and then
you know don't let
don't let your sales guys drive your
that drive hours
drive your timelines
because you know
they're promising a customer oh yeah
well we suck
to comply in six months
when you have an absolute mess with no documentation
yeah that's not doing anybody any favors
you just gonna look bad
so you're one of those technology leaders
you have to be able to see and put your foot in
the ground so
you don't know
ain't possible
so yeah sales guys need calm down
you need to take it back
you take it down a couple notches
quit promising things that i am calm
pushing numbers over here
i know you're
i know you care what you eat and everything
but you know we still got up
we got to make good on the promises
that you're promising
and some of those things are taking longer than you
you're you're telling people they might
so just get back seat for a second
just as you read about it in flight magazine
coming back from cabo doesn't mean it's that easy
that's probably
zach's probably like okay
well that's not what i really meant when i asked you
i mean i stayed at a holiday inn express last night so
exactly well yeah
i mean on that
brand reputation is everything right
and we talk about this a lot right
the first layer
when a company is evaluating your organization
especially large enterprise
or looking at all the marketing stuff
all the sales stuff
does your solution meet their needs
and if so the very next step is
well what risk do we bring on by working with you
so they're looking at this stuff
so if you have
you could have all your marketing
sales stuff wired tight
and putting hundreds of thousands or millions into that
and then you go by jim bob's
you know ten thousand dollar
sock to audit
and then they see that that their
your credibility just went in the toilet
i mean that's
that's just how it goes
versus you spend a little bit more
and they say
wow these guys
it actually builds more trust right
rather than reducing it
and and sophisticated companies with
security professionals internally
are going to look at those audits
and so if they see something and say well
what is this that's
that's gonna put you at more risk
and it's gonna make your life harder
because they're gonna probe more
so there you have it
chat gt chat gpt
or any of the gpts can um
they can create your marketing paperwork for use
to make your company look awesome
but they cannot make you stop to type two compliant
they can't make you do risk management
so they can create a bunch of cool pictures
and marketing materials for you to sell your product
but if it's not secure
and you're not doing the right things on the back end
it doesn't matter how cool it looks
but next week they'll be able to do that though right
they'll be able to secure the organization
so we're starting to develop chat gpt policies
that we're gonna be providing to our customers
based on some
conversations i've had with clients this week
it's like we need to lock this thing down
because there's some
i think it's an education piece around chat gbt
that people
don't quite understand that
once it goes in
it's not coming out it's not
you have no control over the data
that's stored in there
once i'm giving it stuff yeah
yes it can help you
but make sure that the data you're giving it
is a test data and not anything real
for writing sakes
yeah feed it with some junk too
and just see what happens
so that yeah
so lots of that going on
well great hey
you know this has been good
i think this
this podcast series has been tremendously valuable
for those of you listening
we hope it helps you in your sock to journey again
if you have questions
if you need support in any of these areas reach out
we've got a great team
and this is the stuff that we do every single day
day in and day out
to help our clients really succeed and thrive
and soc too
can certainly be an asset to help
win those larger contracts
go after more business
establish more credibility
when it's done the right way
so thank you for listening
be sure to share the podcast rate it
let us know at cyberranz podcast
what you want to hear about on future episodes
or any questions you have
cyberands podcast com
also you'll see in the show notes
mike's art news articles that he shared with you
and maybe some
even some additional links and such
you'll see those in the show
notes for all the episodes
so with that said
thanks a lot
have a great rest your day
and we will see you on the next episode
which we'll be on a topic other than sock to woohoo
mystery episode
i don't know
well we'll find out on the next episode
so thanks for listening
we'll see you soon
pick up your copy of the cyber ants
book on amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at
silentsector com
join us next time
for another edition of the cyber rants podcast