HAYSTACKID LLC’s CISO and resident cyber security expert Lee Neubecker, CISSP, MBA, recently sat down to chat with Gary Rimar, CISSP, about NIST Frameworks and how organizations can leverage existing materials to better protect themselves from threats. The transcript of this interview is below.
Gary Rimar: Well the framework I’m going to talk to you about today is NIST 800-53, and it is a security controls catalog. So if there’s a security control for whatever you’re going to need in an organization, it’s going to be in there. It’s something where your government actually did earn their keep because this is your tax dollars hard at work and it’s available publicly.
Most people, and this is one of the things that always bothers me, Lee, is that most people will go for these really exotic threats, and they’re real, they’re real. But there are so many people out there who don’t even do the basics, and the reason they don’t do the basics is because the company doesn’t want to invest in security. They tell their IT guy “okay you can do security, it’s okay, you don’t have to worry about it, I’ll accept the risk of you doing security” when the IT guy barely knows how to do computers.
What ends up happening is they don’t know anything about security, which is very deep and important and technical. When it comes to things like, how do you do access control, what can you do for access control – today at work one of the people – and I work with a security guy – we have something that, for whatever reason, they can’t do two-factor authentication, and two-factor authentication is definitely a better way to go, but they can’t.
So they said what mitigating factors are there that you can use to help us be able to do one-factor authentication and be less in danger. I looked through the catalog, and it’s I85, and there’s a bunch of different things you can do just to make it simpler and safer. They’ve done all of the imagination for us.
Rimar: Well first thing is planning, and that’s the ‘PL Family’ – if you don’t do planning, nothing works right because you have to have a basis for security. If the CEO and senior management are not on board, then when security says you need to do ‘x’ and operations says “we don’t feel like doing that,” if the CEO doesn’t say “no, I need to be secure, you need to do ‘x’” then you’re hosed. So that would be the planning family.
Second would probably be access control, which is actually 20 percent of all of it. You have several hundred controls, and access control is 20 percent of them.
Rimar: Well, I don’t know if that’s necessarily – that could be, I think it could be woeful ignorance, like what I don’t know is not going to hurt me, but obviously that’s not true. For example, with the Sony hack, with that one, they said I’m not going to spend $10 million to fix a $1 million problem, and that in itself makes sense because you don’t want to step on a dollar to pick up a dime.
However, it was a lot more than a $1 million threat that they were compromised on, and had they done it correctly, and had they taken security seriously, things would’ve been a lot better for them.
Rimar: You know, yes. Because hardware and firmware are part of the information system. It would be in the SI family for sure. If I had to guess off the top of my head it would probably be SI-7, because if it’s the control I think it is, it deals with hardware, it deals with software and it deals with firmware, because if your firmware is corrupted, you’re done, you’re owned; if your hardware is corrupted, you’re done, you’re owned.
In fact, supply chain management is even a factor in NIST 800-53. I don’t remember exactly which one it is, but it’s important. You have to have all of your systems protected from the beginning to the end and monitored and audited in the middle.
Rimar: Yeah, but you also have to recognize that you’re definitely going down a very valid but very deep rabbit hole. Just as an example, one time I was talking to this guy in 1999. I was living in the Detroit metropolitan area and I was at this coffee house and this guy who looked like Boss Hogg but tall said “everybody’s stupid, they’re buying Windows operating system and they should be building their own, they can use Linux!” And I looked at him and said “you’re an idiot.”
He replied “why would you say that?” and I said to him that “you have people who barely know how to find the on/off switch and you’re going to tell them they’re supposed to compile their own OS?” When you’re talking about the level of inspection, you probably need to have somebody do some appropriate professional vetting and that’s over the skill level of a significant number of professionals that you’re going to meet in the market.
I mean, you’re right, you’re totally right, but you’d probably need to get some people who eat and drink and breathe this stuff and real experts to do this.
I personally don’t choose to stick a thumb drive in a computer anymore. There’s no need to do it, and inside a USB chip – I’m thinking you know this, but not everyone knows this – there’s its own little operating system inside the USB. So if you have an 8 GB USB, a small one, it used to be huge but now it’s considered to be a small one, there’s actually more chip behind it, it’s its own operating system, that’s firmware.
And, if it’s compromised, then, whatever you plug that into is owned.
Rimar: Did they replace them with ones that went through appropriate supply chain risk management?
Rimar: You’re right about that, but this goes back to supply chain risk management. If you don’t know where you’re getting your stuff, you don’t know what you’re getting. And, what I did read, is that China has actually started making their own chips, for themselves, they don’t market them outside of their country.
Now, one can say that maybe that’s their motivation, that they don’t want to be infiltrated by another country? Or do they want to infiltrate their country, because of their politics? I don’t know, I can’t know. However, it might be a good thing for countries, at least as big as us and with such a big target on our backs, to start creating our own chips and our own designs in our own country where we can control the entire process from picking up the sand off the beach to handing you a laptop.
And, you’re right, it’s not just the hard drives and the laptops, it’s all of the peripherals.
Rimar: Yes, you know, back to our original topic of NIST 800-53, it’s in there. Supply chain risk management. And, when I was first starting in IT back in 2000, I knew enough about security to know I didn’t know enough about security, and I hired it out. And had I been availed of this book I would’ve probably been able to do a much better job, and I probably would’ve gotten into this career a lot sooner because this stuff is cool, but I didn’t know it then, now I know it.
Rimar: Well, I used to joke about always practicing safe hex, but the one thing I don’t think people are doing, and this is way off topic, is even though all the concerns we’re talking about, they’re still getting owned because they’re surfing in places that are not safe, and there are a couple companies out there, I don’t know if you want me to say their names on your podcast, but at least one in mind where you can actually go ahead and surf through a virtual browser, it’s like Browser-as-a-Service.
Rimar: I have a former computer client who does legitimate research – he’s a psychologist – and he does legitimate research into pornography, believe it or not there is such a thing. And his computer at home, he has one computer, and he had his HIPAA data on there, and he’s surfing these kinds of websites, and it scared the heck out of me.
I set him up a Linux virtual machine on his computer so he could surf there and I could rebuild that and nothing could ever touch it – the only thing he could swap out was pixels. And when I found out about one of these services, I called him and said “Hey Marty, you should use this.”
So now he can continue to do his research and not put his client records at risk.
Rimar: Thank you very much, I’m happy to have been here.