Changes to the CIS Controls Version 8

Unsecurity Podcast

Episode 116 of the UNSECURITY Podcast can really be broken into two parts. First, Evan and Brad discuss the CIS Controls Version 8 Public Call (running through 2/8/2021) and the changes that are expected to be made. Second, Evan posed a question about the root of all problems in the infosec industry on LinkedIn and has gotten an overwhelming response. Brad and Evan also chat about some of the responses. Finally, the guys provide an update on their free CISSP training course.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and stay legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: Good morning. I’m like red dot, it took secondary for that to pop up. Great start for this morning. Uh, welcome. So, 116. Today is January 27th, 2021. And I’m your host right now. Joining me as usual is my good friend and coworker, Evan Francen. Good morning Evan.

[00:00:46] Evan Francen: Good morning Brad. Yeah, it’s one of those mornings, isn’t it?

[00:00:49] Brad Nigh: They have, we were, you know, we’re recording on Wednesday and usually recorded on Tuesdays and I forgot to change the alarm. So kind of flustered a little bit this morning running behind. But you know, we’ll get through it if we get this out.

[00:01:07] Evan Francen: Oh yeah, it is what it is. Yeah, I think both of you, both you and I probably got about 15, 20 minutes ago.

[00:01:14] Brad Nigh: It’s about right. Yeah. Yeah. I’m going off and wait. Oh no.

[00:01:20] Evan Francen: Yeah, same thing happened with me, my my wife and she, she got because normally I’m up a lot earlier but I sleep because sleeping on Wednesdays because you know, Tuesday is The first morning my first meeting of the day is at 4:30 AM.

[00:01:38] Brad Nigh: That’s very early.

[00:01:40] Evan Francen: Yeah, I was sleeping in and my wife reached over because she wasn’t sure I was still there And that’s what woke me up was like, what are you doing? Like I got a thing to do.

[00:01:51] Brad Nigh: Yeah. Well how was how was your week?

[00:01:58] Evan Francen: Good uh dizzy but really good conversations had speaking at a round table or somebody this week? Uh Yeah, you know, there’s a lot of things going on security studio or Sandbrook, new content revision. I started kind of documenting the process of how we’re going to update document, you know, kind of up the game there, you’re going to be taking the S and me piece of cl do C. I. S. Which is a topic for one of the things you want to talk about today. And then uh Yes. Yeah, we’ll get cola to do one or two and then we’ll try to pull in a couple people from the partner community.

[00:02:45] Brad Nigh: Yeah, that’ll be good. I’m looking forward to that. You know, it’s it’s fun that, you know, it is a constantly evolving thing, right? And Mhm. So

[00:02:59] Evan Francen: Yeah. Yeah. So that’s gonna be one of the things we’re gonna talk about today, right? We’re gonna talk about the CIS Controls version 8 draft, talk about as he asked questions. Yeah. Crazy. Ask question I asked on LinkedIn.

[00:03:16] Brad Nigh: Yeah. Yeah, it will be good.

[00:03:18] Evan Francen: What else do I have? What else was? Well, let let’s just recap if you want uh you know where we’re at with the CISSP Mentor Program. I think that’s

[00:03:29] Brad Nigh: come along together. Opened up What, two weeks ago roughly? Already? At 1500 people.

[00:03:38] Evan Francen: Yeah. That’s really cool. It’s nuts. 1500 people and they you know most of them will see are ugly mugs. Well actually you’re not I’ll see my ugly mug and you’re less ugly mug

[00:03:53] Brad Nigh: now. You were at the first time.

[00:03:56] Evan Francen: Yeah. Oh yes it will be good. What about you? What you been up to? You did something with the CMMC stuff and the tool for that?

[00:04:06] Brad Nigh: Yeah. Yeah. I did uh built out a spreadsheet for our internal use for doing gap assessments. And that turned out pretty well is pretty happy with it. Auto populates based on the domain level uh the the dashboard and the question. So you only see what is relevant for for that and changes the you know the answer is the status because we talked about level one is no documentation required. So you can’t have the same statuses for that as you would for the other levels where there is documentation. Right?

[00:04:48] Evan Francen: That’s cool. But I mean and then uh were you involved at all in the PCI work that’s going on with SecurityStudio?

[00:04:57] Brad Nigh: I haven’t been but I was involved with kind of revealing the spreadsheet that Charles put together. We did a good job with that. So I’m assuming that that was what that was that is worth based off of.

[00:05:13] Evan Francen: Okay. Very

[00:05:14] Brad Nigh: cool. And then the other thing is doing an updated uh NIST maturity assessment based on the Blue Cross Blue Shield Association. Put out new guidance and requirements for all of their member associations. So having to rebuild based on that. But it’s actually I like the the new requirements are the new guidance. I think it’s going to be a little bit better and more actually more consistent because before was pretty big. Yeah but we’ll be able to use that for you know, not just the Blues I think. You know, we have been asked for specific NIST maturity assessments. Uh huh. Even if we don’t feel like we’ve talked about it is it’s so objective. Uh A lot of times versus objective or I’m sorry. Yes it’s not objective, it’s subjective

[00:06:19] Evan Francen: conductive. But the and I. S. T. C. S. Have you?

[00:06:23] Brad Nigh: Yeah so it’s uh that’s good. It’s uh it’s fun to build those things out.

[00:06:32] Evan Francen: Yeah, for sure. Hey check this out man. So this morning I woke up and I actually just check my I got a text, look at this uh share my screen so you can see what the hell I’m talking about. So see this? Uh It’s like really important people on here. Mhm. Look at uh What?

[00:07:06] Brad Nigh: Right.

[00:07:09] Evan Francen: Yeah.

[00:07:11] Brad Nigh: It’s weird. How did our CPU

[00:07:15] Evan Francen: how did how

[00:07:17] Brad Nigh: did he get everyone ahead of you? Ryan roberts? R Ryan

[00:07:20] Evan Francen: Ryan. Alright well look at him. He’s much better looking than I am.

[00:07:23] Brad Nigh: Yeah

[00:07:24] Evan Francen: but you mentioned so yeah The 100 most influential people in cybersecurity. What the hell I’m doing on that list. There’s some really important, really smart people on this list. Yeah. He’s ulcer man. People that I really look up to. Uh yeah, try to make this so I don’t know what I don’t know. I’ve never heard of this list before, but he also Alperovitch, he’s a hell of a smart dude, of CrowdStrike. So yeah, somehow I made it onto listen, well this is the whole shirt short here Chris, Ryan and me.

[00:08:07] Brad Nigh: That’s interesting. I wonder if it’s related to uh maybe social media.

[00:08:15] Evan Francen: I don’t know. I don’t even have that many followers. So I don’t know, Chris and right now is less than me. Yeah. Very cool. Yeah, Chris said that to me this morning Is I go, look, we made a lot of 100 most influential people in cybersecurity. It’s weird. But you know what I like about it is they mentioned, they didn’t mention me as much as they the very first sentence has got the S2Score. Yeah. And that’s the important that’s the part that’s really important to the man. It’s not my name. It’s like let’s get people just focusing on a number and then let’s make the number better, right? Because you can know it. There’s no perfect number, get a number and then we can tweak it like that’s what we’re doing with the new revision of the content. We’re going to make that number mean more.

[00:09:10] Brad Nigh: Yeah. No. Yeah, I agree. And and you know, we’ve we’ve been saying it for years. We’re at the point where, you know, the head in the sand, I didn’t know approach just doesn’t it’s not acceptable anymore. Right. There was a time when yeah, that was legitimate. You know, people didn’t know about this stuff or weren’t aware of it, but we’re so far past that at this point. So it starts somewhere. Mhm. Right. That that baseline.

[00:09:43] Evan Francen: Yeah. Well, and I don’t understand how people can operate and say that they’re managing information security. We don’t have any measurement for it or the measurement you’re using is so narrowly focused and myopic. You can’t represent the entire program, you know, so you might use vulnerability scanning or you might use, I don’t know, BitSight or SecurityScorecard or something like that to quantify the entire security program but you’re missing the entire human element. So I mean you have to do that kind of boring stuff. Well, I’m really excited for this next revision too because you can bring that CMMC flavor, which is much more prescriptive. Right? Yeah. Really any other standard kind of out there right now. Yeah, maybe HITRUST but that doesn’t count.

[00:10:34] Brad Nigh: No. Well the nice thing with with CMMC is it is based on 800-171. So it’s a known standard but I think they did a good job in writing the statements and providing clarification and examples and making it in a way that Mhm. Well it’s not going to be just checkbox compliance. Like people are going to actually have to be doing security and managing and maintaining it to get and keep their certification which you know you lose your certification, you can’t bid on DoD contracts. That’s kind of a big deal for a lot of these smaller companies or just anybody who’s working on them.

[00:11:22] Evan Francen: Right. Yeah totally man. The yeah. Yeah like you know there’s things are like well there’s things I like about everything, there’s things I don’t like about probably everything. Uh but I like the combination so that was you know when we and I wrote it’s funny how you kind of get these brain spurts. I don’t know if you ever get this like I’ll go a week where I can’t focus I just can’t you know everything seems chaotic. I’ve got too many damn emails, too many meetings. Too many everything. And then there’s weeks where it’s like click and things just click. Like when you were working on your CMMC you know workbook or when you know like yesterday actually the last couple of weeks been like that for me to people who can’t see inside your brain they think like you’re ADD is like on steroids today because I’m all over the place but like yesterday pumping out that you know the new methodology for updating our content which is the framework. There’s a lot of stuff we’re gonna have to put back and expand upon. But it dawned on me that the best way for us to approach going into the revision of the content for the S2 scoring is Tuareg is let’s start with the most prescriptive standards that are out there as a reference. Right? So, CMMC is, you know, I think really important to that uh CIS. You know, very good prescriptive guidance there and it’s not like you you have to follow the guidance but where there are gaps may be in the guidance should be following, then what’s vulnerability in that? And are there any applicable threats? If that’s true, then you have to put a risk or to it?

[00:13:19] Brad Nigh: Yeah. Well, that’s one of the things that I really like about the S2 assessment is it’s not yeah, it’s based off of, You know, really the CSF and ISO 27000, but it’s not it’s like by the book, right? It brings in parts of other standards, so it’s more uh holistic, more encompassing than any one particular standard. So, I know it’s like physical, we’ve talked we bring in parts of was it Homeland Security and and some of the government record their recommendations around physical security and, you know, it Yeah, if it brings in everything, it’s not just well, we’re doing well, we’re talking about, it’s not just a NIST maturity assessment, it’s looking at more and it’s not focused on like CMMC or HITRUST or a SOC 2 or a lot of these where you narrow the scope down, PCI where you narrow the scope as much as you can. It’s organizational wide. Because let’s be honest, do not, if you can’t do that on an organizational wide basis, how are you doing that on a, you know, this is like specific scope like. Right

[00:14:45] Evan Francen: well we had a great conversation yesterday, I think I had a meeting with uh therefore universities in the meeting and we were just talking about you know challenges that university CISOs face, you know and it’s not all that unlike you know sort of you know in other places, but he had asked about scope, you know what’s the scope of In like an S2Org assessment? And we built it and I think you’ll be excited about when you see the next revision which is due out in are the next version which is due out in February because it allows us to nest entities.

[00:15:27] Brad Nigh: Yeah. Oh yeah, I was uh talking with Caitlin about that.

[00:15:31] Evan Francen: Yeah and that was that was designed uh you know after a meeting with uh Jim O’Connor at Cargill, you know he was struggling with you know, how do you deal with distributed accountability? How do I hold, you know Johnny accountable for physical security at a plant in Mexico and at the same time, you know, hold Jane accountable for the network in Germany. Mhm. And so being able to nest those entities I think is uh the hardest challenge is going to be in really complex organizations to do the initial setup, like who’s actually responsible for this and that and everything else. But you have to do that anyway. Right. I mean, how the hell are you gonna how the hell are you gonna secure anything if you don’t have anybody responsible for that thing?

[00:16:29] Brad Nigh: Yeah. You know what size is your It’s already sort of their from, you know. But yeah, it’s going to be taking it to the next level.

[00:16:43] Evan Francen: Yeah. Yeah. So this content revision is going to be really important because also we’re going to expand upon some of the things that have changed the world changes, right? You can’t stick with a static set of controls, static set of guidance, right? It’s not this name anymore.

[00:17:00] Brad Nigh: You know, it’s been like About coming up on two years. That’s a I think that’s a fairly good cadence, right? Because you don’t want it to be changing so often that people, you know, you don’t you can’t trust it because it’s like, well, it changes every three months. How what is it valid that three months ago? This was the case and now it’s different. But yeah, the same time, you can’t let it go 10 years because or even, you know, five years because that things are changing so fast. Right?

[00:17:38] Evan Francen: Right. And I think it’s okay to change, you know, back in metrics because those are very fluid like threats.

[00:17:45] Brad Nigh: Yes.

[00:17:46] Evan Francen: Yeah. No, no. Yeah. And I know you’re saying the same thing. I am. Yeah. You know, it’s more listeners like the content, the, you know, this thing you should have in place. Those are fairly, it’s like if one is like one of the other ones like mud, right? In terms of its viscosity, like how much it changes, it changes just not nearly as quickly. Right?

[00:18:13] Brad Nigh: Or is the reason that, you know, all the standards are crosswalk to each other fairly easily, right? Like the basics are there. They’re not going to change. But the risks and the threats. I’m sorry, the threats towards those can change.

[00:18:32] Evan Francen: Yeah, yeah. They’re very fluid. Well, this is our first, this is another effort to push the content also out of an eagle sort of, you know, authority. It was in a single sort of perspective, you know, now that we formally define what the core, the core elements of an assessment of this assessment must be and then getting different perspectives. And you know, that’s I get really jazzed because for a long time it’s been, You know, one or two people maybe maybe three that in the input into the content. Yeah. Which is why I like the way CIS does it, you know, Yeah, they’re good. They set a good precedent for some of

[00:19:23] Brad Nigh: Yeah. No, it’s funny. This will be, you know, I know with the current R2 version, you know there’s a lot of input uh that you got that was put in from you know the physical security and changing some of that and the technical controls and you know updating some of that stuff and updating the algorithm around how we’re doing vulnerability scanning and scoring some of that. So it’s good the more like you said the CIS and maybe a good transition. But the way they’re doing it with having an open community uh session are working group to make comments or recommendations, the more input you can get, the better it will be totally you don’t have to accept all of it but take it into consideration.

[00:20:22] Evan Francen: Right? And the cool thing too about working with CIS is you know, we’ve had multiple meetings with uh and they are really good people lately, we’ve been working with uh Tony Sager um and Curtis Dukes uh who are both, you know in executive leadership just talking about where their hearts at, you know why where is the CIS, CIS is a non-profit? Where are they going? Because you want to associate with like minded people, you know in their industry, they’re in this to truly make the industry better and they’ve made tremendous progress so why not team up a little bit, you know I mean it’s not like we formally do stuff together but we have maybe a meeting every month or so and just talk through things. I think we have a tremendous amount of respect for each other. Tony’s Tony is awesome. If you ever get a chance to talk to Tony Sager he’s their I guess SVP and Evangelist if you have a chance to talk to him or listen to them. Yeah we got hi mom. It’s good stuff but you too right. It’s like we think the same way on a lot of security things.

[00:21:38] Brad Nigh: Very cool. You know I haven’t had the opportunity to talk with him.

[00:21:44] Evan Francen: You will eventually at some point. Yeah. Well if you want to I mean you don’t sometimes I don’t want to talk. Yeah

[00:21:54] Brad Nigh: definitely too. Yeah.

[00:21:57] Evan Francen: Yeah. Like I don’t want to talk to you not because I don’t like you. I just don’t like you.

[00:22:04] Brad Nigh: So yeah let’s talk about the CIS v8 and what how they’re doing this and maybe I don’t know some your high level thoughts about it. Uh I do like it’s open for you know the v8 draft is open for public comment. Um You go to the CIS WorkBench and a lot to create an account if you don’t have one free and you can see it and make comments about it. Um Yeah It’s interesting. It’s always been you know the CIS 20 or the SANS 20 before and now it looks like 18. Mhm. Which is not quite as catchy. Uh huh.

[00:22:48] Evan Francen: Yeah so I think they’re just going to refer to it now, you know, they’ve made the transition out and just CIS Controls. There’s no top 20 no top nothing and it’s just uh you know CIS Controls and like that man anybody can go and participate and get a sneak peek, you just go to cisecurity.org and then down on the bottom you’ll see programs and memberships. Uh There’s CIS Communities there. Uh Those are places in the middle, you see the CIS WorkBench at the bottom and that that’s where you can go ahead and sign up and get your sneak peek in version 8.

[00:23:28] Brad Nigh: Well it’s cool because you can see like you know the discussions and you know people are yeah you can respond and go through those and it’s really kind of it’s a I like it. I think it’s a good model for uh that’s two agreement forward to die.

[00:23:48] Evan Francen: Yeah. It needs to be, it certainly needs to be one of those years, right? Just like CMMC. Uh Do you remember which are the ones I chose for the core which we can always change too. Uh CIS v8, CMMC, I chose uh Cloud Security Alliance Cloud Controls Matrix, the

[00:24:09] Brad Nigh: F. F. I. C. C. C. M.

[00:24:12] Evan Francen: Yep. And then Health Industry Cybersecurity Practices just and I chose that one because that that sort of takes HIPAA and its in its Department of Health and Human Services folks who like here’s HIPAA here’s how you can do it kind of thing. I like their guidance. Yeah.

[00:24:35] Brad Nigh: Yeah. You know I think with that you still obviously would keep you know the foundation being still with that uh CSF and ISO 27000 but really being able to integrate some of these more our industry specific. Yes. Uh huh. Yeah. Uh controls

[00:25:02] Evan Francen: right? Yeah totally. Yeah. It’s funny you mentioned that because you know, I remember the very first version the history behind S2 it was actually an assessment that I was using myself, you know as a CISO for the big pharmaceutical company the I had so much struggle trying to communicate to my executive management where we were at with information security. It was difficult to get budget Just under you know, so many misunderstandings about what security was. So this fundamental kind of assessment started with BS 7799 as its base. And then that became ISO 27001 and then they provide that a couple of times and it’s cool to see kind of how we’ve arrived to where we’re at and how it’s matured. So now it’s it’s really it’s not a single standard. Your spain is a core set of standards. And then as you develop that core set then you branch out, do some of the ancillary standard E. Things right? Like SOC 2 for instance guidance in the SOC 2 will map to the assessment but you can’t make that accord because it’s too, you know nebulous I guess.

[00:26:26] Brad Nigh: Yeah. I mean they have some high level like hey you should be doing this. But then you as the person being assessed to fight how you’re doing it and then you get assessed against. Yeah. Hey we’re doing it this way and and you have accounting firms doing security auditing right? Like we know we work with a bunch of them and they lean on us too. Make sure that you know is this good security? Because they don’t know some of that stuff.

[00:27:01] Evan Francen: I think you do have to boil it down to binary binary things. Right? Because yeah, there’s really no room for interpretation. So it almost seems sort of oddity. Oddity. Not oddity. That’s me. I’m the oddity but that’s oddity. The uh what? Yeah I’ve been true false. Either you’re doing this or you’re not doing this the in between because you get that a lot of people will make excuses why it’s not that. But it’s not that it’s in between. But if you look at the the true, if you look at the question it’s all or nothing on this particular point. And then but then people well but you know if you boil it down into enough minutia. Then you can do truth also this in binary things and then build out the entire bigger thing, right? Where there is a bunch of gray. Yeah, it really all gray is it’s just a bunch of white and black dots.

[00:28:05] Brad Nigh: Right. Well, I’ve absolutely had, you know, done assessments and delivered it and you know, there’s a, you know, control or a subcategory that in the sdu where they’re like, You know, it’s like no, you scored a 400 here And they’re like, what? We’re doing it at 90% of the place. Yeah, You’re doing it. What about the other 10? You can’t say you’re doing it and not have it everywhere. And you know, for the most part they’re like, OK, yeah, fair good point. You know, and they get it once you explain it. But so many people I think I don’t consider that. They’re like, well, yeah, but we’ve got it at all. But one site. Okay. So what happens when that site is compromised? And now they’re inside the network.

[00:28:56] Evan Francen: Great. Oh.

[00:28:57] Brad Nigh: Oh yeah. Okay.

[00:28:59] Evan Francen: Right. Or are you talking about configuration control or something bad? They’ve got some of it, but then you’ve got, you know, five admins who can make changes outside of that that do regularly. It’s like, well, okay, you know, it’s great to have a change control, but maybe you want to bring all that stuff sort of

[00:29:17] Brad Nigh: Yes, yep. You know. Yeah.

[00:29:20] Evan Francen: So yes. Yeah. Yes. I I think that uh these these controls and I caught wind of this, you know, I think most people did that version 7.1 was going to be replaced with version 8. They’ve been working on it for a while. Uh And it’s truly no coincidence that, you know us with the S2 were waiting. I mean we just weren’t in a big rush to get our content updated knowing that CIS was going to be coming out really soon. We don’t offer any things that have already changed. And also the CMMC. Right. CMMC it was nice to have you go through the official training because I don’t know anybody else who knows CMMC better than you do. So it’s like perfect. Let’s build this now.

[00:30:09] Brad Nigh: Yeah, it was interesting as the training was oh my God, it was so dry but it was really really good from a understanding what they’re looking for, what they are expecting. So it changed my understanding of that, which is always good.

[00:30:30] Evan Francen: Right? It is always good. So the CIS. You know, if you go and read it if you don’t want to if you’re not into that stuff, that’s fine. But uh it really gives the at the beginning of this public call in the introduction and they give you their logic and reasoning for how they arrive where at No, I never I don’t like to skip those things because it gives me context. So it may you may not you may just want to get right to the meat of you know, the specific controls. But I’d advise against that. I would advise you to read the logic on how they arrived at these controls because it helps you put it makes it makes sense, not just controls for the sense of controls. These are there’s real logic behind it. Mhm. Uh So I like all that stuff. Uh they did a great job of of sort of telling us why they got to where they are. Yeah. Uh They have their implementation groups like they always have that remains, you know uh IG1 through IG3 uh I did like you said, they went from 20 to 18.

[00:31:44] Brad Nigh: Well and that it’s in there in the beginning that community defense model to I’ll be honest, I hadn’t heard of that, you know, I looked in and saw that so.

[00:31:57] Evan Francen: Mhm. That’s it’s cool. And it also lines for some of the other things that we don’t line with right, it’s like this glue, it’s like a big jigsaw puzzle. Where does the where the pieces go to make your own picture, You can’t just go with anyone standards. Say that’s the standard that I’m gonna use. I’m gonna adopt it verbatim that’s gonna be our security program. So if you if that’s your approach it’s wrong, you’re totally missing the point and what information security is your costing your company organization a lot more money and being probably a lot less effective. So that’s why I caution against any one particular standard because it’s like a square peg sometimes in some people in some places.

[00:32:48] Brad Nigh: So well I mean you’ve got it on the screen there, the controls ecosystem, they thought about the list like there’s so many things in reading through this uh you know, and I have just got access yesterday morning, which is why we didn’t record yesterday and I didn’t have if you can come through in time, but looking through it, there’s so many things in there where I can see the alignment that you were talking about, right? It’s it’s not a check box, it’s a a catalyst, right? Like they said right there, you know, this should be the starting point and you know, even I was looking at clicked on, you know, number one the inventory and control of hardware and the first thing it says is enterprise can’t control what they don’t know,

[00:33:36] Evan Francen: right? How can you?

[00:33:38] Brad Nigh: Yeah, I can’t defend what they don’t know. They have. How many times have we said exactly that.

[00:33:45] Evan Francen: So I’m telling you man, when I, when I first had my discussion, when I had my first discussion with Tony Sager, I was like, okay, I can use so you know, it’s not for selfish reasons, but I always look at like can I use this to further our mission or not, right? There are a lot of relationships that I mean we can all create all sorts of relationships, but some of them are distracting. Some of them are unhealthy, you know? But when I spoke with Tony, I’m like, yes, someone like Chris Roberts, you know, I I don’t hang out with Chris Roberts because he’s Chris Roberts. It’s because the dude speaks the same language as I do. I can use him to get the word out to more people, right? And I don’t need credit. I don’t I could give two about credit. But yeah, Tony was really good when he when he said those things, I was like, yeah, I want to I want to just do stuff with you.

[00:34:42] Brad Nigh: Yeah, I can I can see that with, you know, kind of reading through this stuff, but there’s some good discussion points in their in here as well. So I think, you know, this will be something that it will be good to to follow and participate in.

[00:35:01] Evan Francen: Yeah, I agree. Uh We’re and we’re sort of taking, you know, it dawned on me yesterday that SecurityStudio’s like the Swiss of security, like the neutral, like pull this in, pull that in. Because yesterday we also had a really good discussion with SecurityScorecard. I think we’ll be interviewing some things with BitSight. Uh Yeah, with just so I guess we should get to keep preaching about stuff we’re doing. But mr

[00:35:32] Brad Nigh: I don’t know, we can do what we want,

[00:35:36] Evan Francen: right? So the controls are Number one Inventory and Control of Hardware. So we spent one before Inventory and Control of Software Assets. Really what happened there is that they just sort of updated things rushed something’s added. But you’ll see that there’s really common to what they were. Three is secure configuration of assets that were interfaces and then uh I can’t read it because I can never scroll with this web thing. Maybe if I made it’s more don’t let them help but you can see it on the screen, Secure Configuration of Assets, Network Interfaces, Account Management, Access Control Management, Data Protection, Continuous Vulnerability Management, Audit Log Management, Email and Web Browser Protections, Malware Defenses, Data Recovery, Network Infrastructure Management, Network Monitoring and Defense, Security Awareness and Skills Training, Service Provider Management, uh Application Software Security, Incident Response Management and Penetration Testing.

[00:36:44] Brad Nigh: What’s interesting is dessert. Yeah. Well, those are those are the standard I guess uh things you would see, but it’s like ah practical. Yeah. You know it you know, you don’t usually you don’t see them written out like this. And but I like it.

[00:37:08] Evan Francen: Yeah, I did too. It’s prescriptive where because the more they’re being prescriptive, that’s a double edged sword. Right on the one side, it takes away a lot of the gray area. It makes it much more binary do this and you know, because our guidance thing or whatever. That’s the part where it becomes a double edged sword because you don’t do this just for the sense of doing this so you may be doing a bunch of kind of disruptive stuff they you’re not doing for the right reasons or maybe you don’t even need it. Yeah but for for a core of something when you’ve got all these binary things on the outside we can start to interpret, do you actually need this or not? You know those kinds of more ancillary stuff? Yeah but you know anybody’s security and gonna be referencing CIS definitely go check this out. Start to get yourself prepared for it and or participate in this development.

[00:38:14] Brad Nigh: Yeah, I can totally plan on being, and just, you know, be involved in this.

[00:38:24] Evan Francen: Yeah. That's cool, man, I like that, because there's some good discussions too about, you know, if you look at that community activity, you know, why is this so far down on the list? Sub-control or safeguard. Just good clarification-type things. And by the way, Phyllis Lee, the one who leads this, she's freaking awesome too. She was on at NSA preaching, uh, you know, some of the stuff that CIS is doing.

[00:38:52] Brad Nigh: Yeah. Yeah, it's very cool. Till February.

[00:38:55] Evan Francen: Sorry man.

[00:38:56] Brad Nigh: Oh no. Yeah, I was gonna say, uh, the only thing, I wish it was open a little bit longer. Just because I've already got a bunch of stuff on my calendar, so it's already, it's gonna be a little difficult, but we'll make it happen.

[00:39:09] Evan Francen: Yeah. Well, yeah, and even if you didn't, like, I don't have much time either to put too much input into it, but I can follow along at least and be like, yeah, all right. Because whatever ends up being in the final standard, or the final controls anyway, I would never recommend that everybody adopted these controls anyway. You know what I mean? So even if there's stuff in there I don't agree with, it's like, all right.

[00:39:37] Brad Nigh: Yeah, good point. Well, and that's what, to me, is so much fun about what we do, is everybody has to, you know, everybody should be doing and customizing it for their organization, right? Like, you can't, it's not one size fits all. And, mhm, just, it is what it is. You got to, you know, make it work and make it fit within your situation.

[00:40:13] Evan Francen: Yeah. Yeah. 100%. And I'm showing that community defense model too. I think you just wrapped up inside, didn't you? Yeah. Yeah, there's that piece.

[00:40:23] Brad Nigh: Yeah, sorry, my dog is barking.

[00:40:25] Evan Francen: No, mine too, my dog was.

[00:40:28] Brad Nigh: Yeah, your, your dog is like a little yippy. Mine is... well, the other

[00:40:35] Evan Francen: the other one, Violet, we thought, we thought Violet was a, a

[00:40:40] Brad Nigh: Turkey

[00:40:43] Evan Francen: and no, in hella dogs in Turkey, the dog is... and she's like 20 pounds now, so,

[00:40:48] Brad Nigh: wow. Yeah. We

[00:40:51] Evan Francen: thought we had

[00:40:53] Brad Nigh: one of them hardly ever barks, and the other one is a shepherd mix, and shepherds like to talk, and he will absolutely come up to you and, and, uh, kind of vocalize with you. Not necessarily bark, but kind of, come on, shut up.

[00:41:13] Evan Francen: Yeah, when they talk to you. Oh. Oh,

[00:41:16] Brad Nigh: he totally does, he comes up and does that all the time. It's cute, it's funny. But yeah.

[00:41:26] Evan Francen: Anyway, what if there's, what if there's an ETA for when? So the version eight draft is open, it's open for public content, or comments or whatever, until February 8th. So we've only got a couple of weeks, and then I don't... the final timeline, it might be in here somewhere, when they expect it to be.

[00:41:50] Brad Nigh: Yeah, I looked for that, I didn't see it. I'm not saying that it's not in there, I just didn't see it.

[00:42:02] Evan Francen: Hell, but a good, I think it's a good, a good set of controls to align with. Not necessarily to, again, I caution anybody against implementing controls for the sense of controls if they don't apply. If there's no threat associated with that control, then why the hell would you implement it? So it is gonna take a lot of interpretation and guidance, potentially, to, to implement these things in the best way possible, but even there I think CIS has some good tips and guidance. They're not, they certainly understand, you know, you don't implement controls for the sense of controls. Mhm,

[00:42:38] Brad Nigh: Yep, represent,

[00:42:42] Evan Francen: so we'll keep an eye on it. I think as things progress, you know, we'll share more here on the show and we'll share more at both of the companies we represent, FRSecure and SecurityStudio. Sure, I

[00:42:59] Brad Nigh: say. Yeah. The other thing we wanted to talk about was the LinkedIn question here,

[00:43:04] Evan Francen: right? Yeah,

[00:43:08] Brad Nigh: Yeah, comments. It’s uh not too bad,

[00:43:14] Evan Francen: No, no. What I put, I thought about, you know, you do this too, man. I know that many of us are sort of thinkers, you know, sometimes really deep thinkers and sometimes, you know, maybe call it insanity. But I was thinking, uh, at the core of, actually where this all started was Kevin asked me, what's our unfair advantage? Okay. The whole question is that

[00:43:48] Brad Nigh: just me? That's, that's deep.

[00:43:51] Evan Francen: Okay. Right. But the answer sort of came fairly quickly, and I think I might even be able to find what I wrote, or what I wrote back to him, but essentially it was: we focus on the core, the root of all information security problems, where I think others may not be. I mean, we've been so focused on that for so long. Uh, yeah, it's a

[00:44:23] Brad Nigh: it's a fundamental, to keep it simple.

[00:44:27] Evan Francen: Yeah, yeah. As we said, uh, we're working on the solution to the root of all information security problems, and instead of, like, challenging me on that, he just gave me a thumbs up.

[00:44:39] Brad Nigh: Yeah,

[00:44:40] Evan Francen: that's like, that's like, oh shit, what is the root? So that led to the question, you know, on LinkedIn: what is at the root of all information security industry problems?

[00:44:53] Brad Nigh: Yeah, I think, uh, that first comment there is probably pretty... I would agree with a lot of what he says. I would have said it's a lack of communication, or understanding of security professionals of how businesses work, and not being able to communicate.

[00:45:13] Evan Francen: Well, that's what I found out. So in the 109 comments of people that are participating and just kind of giving their own two cents, I think just about every comment I read was valid, and I think I agree with, but didn't answer the question, you know, what is at the root? So as you read through them, like, you know, carbon hardy gives, you know, "we've met the enemy and he is us." You know, Ken Bechtel, who we had on the show one time, you know, uh, kind of a pioneer in a lot of different ways. Not really well known necessarily. Well, I mean, sort of well known, but, uh, he says programmers, developers, they're the bane of all our existence. And I was like, all right. And you can kind of know where his bias is coming from, because he's a malware guy, right? So he's like, you know, every piece of malware is the result of a developer, and I'm like, well, there's that, and then anything beyond hello world has

[00:46:16] Brad Nigh: vulnerabilities,

[00:46:19] Evan Francen: wow. Jack, you have a lack of communication. Ron Craig, convenience being more important than everything else.

[00:46:30] Brad Nigh: Oh yeah. I mean, how many times do you see, why is this running as admin? Well, because the vendor couldn't figure it out and said we had to. Right, right. It works, right?

[00:46:46] Evan Francen: And yeah, well, that's, that's what drives so many technology investments, right? Alexa. And it's convenient, right? All I gotta do is say, Alexa, turn on whatever. I don't know. I mean, at some point it's probably better just to get off your butt and do it. You know, I mean, it's just, it's more secure, probably. I like this one, you know, chair, which is a trick question, since, and I don't think I've ever been called since, go forward, but she makes this good point about race conditions, and then, mhm, three conditions have a single source, though, or her. Yeah, I mean the single or same source. So even that, you know, what's the root? What's that source? Uh huh. Chris gives history.

[00:47:37] Brad Nigh: Yeah.

[00:47:39] Evan Francen: People, people was a very common answer. So what's at the root of all industry problems? All information security industry problems.

[00:47:49] Brad Nigh: But I'm gonna go back on that one and say you can't blame the end user if, as a security professional, you're not communicating and doing a good job of educating them, right? So it's not just, when you say people, it's not just those end users. You got to look in the mirror.

[00:48:07] Evan Francen: Exactly. Yeah, 100%, we, we, well, contribute to where we're at. And then, you know, as I was thinking through and reading people, I was like, you know, I said, what's at the root of all information security industry problems, assuming then that there are problems. And I mean that, so nobody really challenged on that front, because that would have been, I think, a good philosophical discussion. Holly, hesitant to disclose. And I was like, you know, help us out, out of fear or intimidation, and then she, you know, sort of opened up. Yeah,

[00:48:47] Brad Nigh: that's, that's a good point. That is valid too.

[00:48:52] Evan Francen: Right? Yeah. Hesitance to disclose for time. Electricity, Kate, suffer tooth electricity, I think, yeah, there's some validity to that. Uh, ambiguous questions. And so I think a lot of times there's nothing within the biggest question, and the biggest question means that there's multiple interpretations to the question. Yeah, I like ambiguous questions in some cases because it gets you thinking,

[00:49:25] Brad Nigh: yeah, I would say exactly, right. There's a use case for them, right? In this case, you're looking for a lot of input and perspective. So yeah, you want to write it ambiguous and see what people say. I wouldn't use that as an assessment question. Right? So, but like you said, words have meaning and you're doing this in a specific way,

[00:49:52] Evan Francen: right? Yeah. We don't know. Uh, yeah. So this is kind of a people angle too. Dan Brown, we don't need security because, insert excuse. Yeah,

[00:50:02] Brad Nigh: a lot of times that one is, uh, we don't need it because it won't happen to us, or we don't have anything they want. And then, exactly, we got hacked.

[00:50:13] Evan Francen: Yeah. And you find yourself sitting across the table from one of our incident handlers

[00:50:20] Brad Nigh: on a friday afternoon because you’ve waited all week trying to fix it yourself.

[00:50:24] Evan Francen: Right. Ron Worker, love his, uh, those, love his input: assumptions. Joe Marino, uh, yeah, getting philosophical, which I agree with. Mhm. The majority of his opinion is the majority of the post can be summed up in one word: ignorance.

[00:50:48] Brad Nigh: Well, I think that goes back to what I was saying, a failure to educate and communicate from us, right? You can't blame the, the end users for being in here if we're not providing them usable guidance.

[00:51:04] Evan Francen: Exactly. Matt Goodacre, active management of your information assets. And then every one of these comments, because I tried to comment back on every one of them, just to validate that what they're saying is true, and I think it's valid. What I don't want, you know, in these ambiguous questions, is people feeling judged, people feeling inferior or stupid for their answer. Every input is really important to consider. It may not be the input I'm looking for, that we end up with, but it's got to be a consideration,

[00:51:40] Brad Nigh: right? Well, it's like we were just talking about, the more perspective you can get, the better it's gonna be, right? So, you know, and I think that that's probably part of the problem we have, is people don't want to get that input, or don't ask the questions, and then judge if they do ask them. Mhm. How are you going to understand what people, or your end users, are thinking or concerned about if you judge them for asking a question and, you know, belittle them? And that absolutely happens. I think we've both seen it, where somebody will just, you know, talk down to a user, and, well, guess what? That user is never going to ask you a question again, because you just embarrassed them. You can't do that.

[00:52:32] Evan Francen: We say people, we need to have people, and that's our problem, and then you exacerbate your problem by being a jerk,

[00:52:41] Brad Nigh: right? You become the combatant. You need to be working for them. They're, they're gonna, they're also, yeah, they might be a big part of the problem, but they're also going to be one of the biggest assets in fixing the problem, if you can communicate and educate them and get them understanding

[00:53:00] Evan Francen: and see, I don't understand, there is, there, it's not just in our industry, it's a human condition, where, I, uh, you know, in our industry we speak our language, so we have a tendency to look at people who don't speak our language as being inferior in some way, less, uh, intelligent, less educated, because you've seen those comments all throughout. And so there's this kind of undercurrent of that thought, when really, when you think about it, it's kind of the other way around: how intelligent are we, before trying to communicate with people, were not speaking their language, or we're not translating our language into theirs? Because truly it's a language problem. It's like saying, do people who speak French, are they more intelligent than people who speak German? Right. Yeah, there's no correlation on that.

[00:53:55] Brad Nigh: Exactly. I'm with you 100% on that.

[00:54:01] Evan Francen: I got to keep that. I mean, I think I got over that, actually. I don't think I do that as much, and if I do, I certainly want people to call it out on me, because I don't want to be like that. But I think, uh, some of that kind of erodes away with age too. For me, because I, I think there were times when I was like that, it was very much "stupid users," you know, I mean, "just stop clicking on links," but I don't do that,

[00:54:29] Brad Nigh: but I think that there is, I mean, I'll be honest with you, I've done that with some of the incidents, but never to the user, right? Like, you have to vent at some point, right? It's frustrating at times, because you just, because you didn't communicate well. But, and you're like, oh my gosh, why are they continuing to do this? Or, I can't believe they did this? But then I would never actually say that to a user. But you also have to take a minute and say, why am I so frustrated?

[00:55:02] Evan Francen: Like, oh, that’s true.

[00:55:04] Brad Nigh: You know, you, "I can't believe they did that." Oh, hang on. Maybe I should have done a better job of helping

[00:55:14] Evan Francen: one, sometimes two. When we're working with people, you know, not people in our tribe, you know, you see some behavior that is so counter to what we, what, you know, I do or what we do, that sometimes I need to reach out to somebody else who's in my tribe and say, dude, am I crazy? Yeah, I

[00:55:36] Brad Nigh: mean, that's a big

[00:55:38] Evan Francen: part of it. Am I so far off here? Please tell me I'm not crazy. Or if I am crazy, please tell me I am, so I can change. Because you see some things, just like, how in the hell did you think that was a good idea? Yeah. Well, because maybe they didn't, you know

[00:55:55] Brad Nigh: the one that, that I don't, I'm not okay with, is like MSPs that are doing the fundamentals wrong, right? An MSP that hasn't any role for a customer, or, you know, has some of these fundamentals wrong. That I don't have patience for, right? The end users, that's a

[00:56:15] Evan Francen: Mhm. Well, truly, you're a hypocrite and an impostor if you're insulting people on information security and you don't know what the hell you're doing, right? That'd be like, you know, there's a reason why, you know, not everybody performs surgery. There's a reason why not everybody works on your car, right? I wouldn't... yeah, I don't have any patience for that either. If you're taking money for services that you suck at performing, you shouldn't be doing that. Uh, up your, up your game, learn the basics, learn the things.

[00:56:52] Brad Nigh: Yeah. Or even IT professionals, like, I can't tell you how many of these incidents we've had where it's like, why is 3389 open to the Internet? Or why is held up, you know, like, yeah. But the end users themselves, and I have a lot of, give them a lot of the way.

[00:57:16] Evan Francen: Yeah. I have a ton of empathy for them too. Because my job is information security. You know, whoever's job, you know, somebody else's job might be in accounting, right? And so you're kicking ass on accounting. You're an expert on accounting. I'm an expert on information security. If you ask me to balance the books, or if you ask me to, I don't know, whatever, I'm an idiot, right? That, you know. So I wonder how much of us, you know, we just don't empathize enough. We don't see their perspective enough. We don't ask enough questions and actually listen, because we do need their participation. You won't ever be able to have the human element. The only way you'll ever be able to remove the human element is to end humanity,

[00:58:09] Brad Nigh: right? It's like, you say, how do you reduce all... don't want to go there. Right. Well, yeah. People ask, how do I reduce, eliminate risk? Close. Well, let's not, that's not conducive with the business succeeding, right?

[00:58:26] Evan Francen: Yeah. Because we keep pursuing this, and I understand, we're trying to, what we do in our industry lives, we try to limit, skin, manage the risk around humans, which is good, right? There are good products that do that, and, you know, but you can't do that at the expense of ignoring the human. The thing is about the humans too, man, is that they're the ones who suffer. Yeah. And sometimes the suffering, and, and it will get worse, right? In time? The suffering will result in death. That's just where the path goes, right? Yeah. We don't want that, man. We don't want people to die. I don't know. Some people, some people in our industry probably. Oh, I'm here. Yeah. All right. So anyway, that's the question. Uh, and you can go anywhere and go read it. If you're not connected with me on LinkedIn, you know, I'm easy to find. The question is, again, put your own thoughts in. I love all these thoughts. There is no bad thought other than a disrespectful one. If you answer with some kind of jerk answer,

[00:59:35] Brad Nigh: You're gonna get, you're going to get an appropriate response.

[00:59:40] Evan Francen: Yeah. So the question is, what is at the root of all information security industry problems? And yeah, it's, it's very interesting. I'll do a write-up on that. Yeah, I think, you know, also in our book, Brad, you know, we're writing in the book, we got a meeting on

[00:59:56] Brad Nigh: friday,

[00:59:58] Evan Francen: uh, really excited that ball continues to push forward, but these directives will be really important somehow to incorporate and weave into the book, because it makes you more effective.

[01:00:09] Brad Nigh: Oh yeah, absolutely. It's good. And it's good to see, you know, kind of, I would say, validation of our perspective, because a lot of what we've said, people are, are saying in that. So

[01:00:21] Evan Francen: yeah, that's always encouraging. Yeah. And it's, it's cool too, because I do have, I went into this question with an answer already. Already had my own formulated answer, and it's really interesting to see that nobody else has the same answer. Mm. Sounds like, damn it, I'm a fringe dude right now. Uh, but people, I think, is, if you look at the number one theme throughout all the comments, it would be people. I can't disagree with that. But that's, I don't know if that's the formula. If I want to stick to my answer, if I want to dig in on what my answer is, I'll have to push it and equate it somewhere too. That would be cool.

[01:01:10] Brad Nigh: Well, and I think, like I said earlier, when we say people, it's not, you have to look in the mirror too as a security professional. It's not everyone else and not you, it's, you're part of the problem too.

[01:01:24] Evan Francen: Well, right. And I think the best security people start there. Mm. The best CISOs I've ever met aren't great technologists. They're great leaders. And I think great leaders look in the mirror first before pushing blame onto somebody else. They take responsibility.

[01:01:47] Brad Nigh: Yeah, I mean, yeah. Yeah. Well, that's, is that, like, part of being, like, that just makes sense to me, like this. Uh, anyway,

[01:01:58] Evan Francen: you'd think so, man. But you see a lot of leaders that don't lead like that,

[01:02:03] Brad Nigh: you're not going to build a lot of faith and following by constantly throwing people under the bus, right? Ultimately the buck stops with you.

[01:02:13] Evan Francen: Yes. No, totally

[01:02:15] Brad Nigh: true. Anyway, alright, some news,

[01:02:19] Evan Francen: It's just news, man.

[01:02:21] Brad Nigh: And so, shout out to, uh, my shout out of the week, Victoria, for the, for doing this. I'm totally, uh, booted off of her work and the consultants that provided feedback. Excuse me. A couple of big ones. ZDNet: Cisco says it won't patch 74 security bugs in older RV routers that have reached end of life. So, uh, if you are using an end-of-life Cisco device, uh, stop. You support it yourself, the hardware. Um, that's a, but, you know, I can see that being a big problem.

[01:03:00] Evan Francen: Uh, yeah, that stuff always... it's me. I don't know how to approach that, you know. It's something that you made, you put out into the world. People paid you for it, and I understand that you can't support it forever. Yeah, that's, yeah, that's a tough one because the

[01:03:21] Brad Nigh: let's see, uh, pull it up. You know, the big thing for me is how old are these? Right? Like, is it something that's, you know, 10 years old? Yeah. Uh, let's see. They're all the RV, so small business routers. They reached end of life in '17 and '18, and the maintenance window, part of page for contracts, in December of 2020. So, you know, honestly, you know, if, if you've had three years to know that this is going to happen, you probably should have fixed it by then. Yeah, and I have to look and see how long this has been out. But, uh, another good one, I like this one, is, uh, it's from Threatpost: Microsoft implements Windows Zerologon enforcement mode. So by default it'll block vulnerable, vulnerable connections, man, I can't talk, on devices that could be used to exploit the flaw. Starting February 9th. So that's a good, good proactive step. Uh, well, I guess reactive step, but proactive for the people that haven't been compromised by it.

[01:04:38] Evan Francen: Proactively reactive. Yes.

[01:04:42] Brad Nigh: Um, yeah, but I mean, that's, it's the right thing to do, right? Like, how many times do we see, yeah, there's this massive flaw and you should do this? Well, why don't you enforce it? Like, do, do security. Right. So yeah, and then the last one I wanted to talk about was, uh, was around the SolarWinds breach, and, you know, FireEye has released a couple of really good tools. They have, uh, the Azure AD Investigator that you can use to help determine if the SolarWinds hackers used those techniques, and then a, um, a tool for auditing networks looking for those indicators of compromise specific to this. So really good work by FireEye, and continuing to release some open source tools, and, and really, I mean, it's been their work, from a responder's perspective, has been amazingly helpful.

[01:05:48] Evan Francen: Yeah. Mhm. Yeah, this has been a good, they definitely came out looking better than they did at the beginning, right? At the beginning, people were like, what the hell, you know, some people, not many, but yeah, it's nice to see how they worked through this, you know. From a PR perspective, from a business perspective, they look great. Uh, they helped people, they actually, you know, they provided a lot of value to the community, so I think all those things are good. The, the problem is still there. Oh yeah, you know what, yeah

[01:06:31] Brad Nigh: they, they're doing a lot of really good stuff. I've been really impressed, so

[01:06:36] Evan Francen: yeah, me too, and our team, and our team, uh, you know, Oscar's team has been doing some bang-up work. Are you still helping them on things?

[01:06:45] Brad Nigh: Just keeping an eye on it. Uh, the one we were worried about, it looks like it was just the beginning, but not actually ever exploited. So that was a huge relief.

[01:06:55] Evan Francen: That was the city, that city one you're talking about?

[01:06:57] Brad Nigh: Yep. Yeah, so that's been, that was very good.

[01:07:04] Evan Francen: Yeah, that’s good.

[01:07:08] Brad Nigh: But yeah, so just monitoring that

[01:07:11] Evan Francen: Good, good stuff. Notice of things we're working on, is there?

[01:07:16] Brad Nigh: No, you broke up a little bit there.

[01:07:20] Evan Francen: Yeah, I'm always, I'm always breaking up. Bob bob bob bob bob bob.

[01:07:25] Brad Nigh: Uh, so any, any shout outs for you this week?

[01:07:29] Evan Francen: I'm going to give a shout out to, what can I do? Uh, yell at Penrod, so you may not know who that is, but yell at is, uh, a really good advocate in our industry. She lives in Israel, a company called Sai, Sai influencer, but she, uh, preached out, preached, you know, our CISSP Mentor Program to her followers, uh, and also the daily insanity check-ins. She's just a really good ethical ally in our fight. So channel I tele

[01:08:16] Brad Nigh: Yeah. Um, and I'll keep mine from the news, shout out to Victoria for all the work she does every week putting that stuff together, and then everybody that helps give her some feedback and puts together these notes that, that we use. So thank you for that.

[01:08:32] Evan Francen: All right. It’s

[01:08:33] Brad Nigh: Well, that is it for episode 116. I think we said it's been a long time. Uh, you can reach out to us, uh, email, uh, uh, I'm at @BradNigh and Evan is @EvanFrancen. Follow our companies @FRSecure and @StudioSecurity. Uh, they keep, keep you up to date on all the latest, greatest things that are going on. So, dad, you'll see all hockey next week.

[01:09:09] Evan Francen: Awesome. Thanks man.