
Thank you. So there should be a captain; it should be a captain effect with the pirate stick. Absolutely. Stacy, thank you, everybody, for choosing to come spend a little bit of Saturday with me, and seriously, feel free to laugh. I do make my presentations funny on purpose, okay? So I will not bore you with Death by PowerPoint or any of that typical stuff. It's fun for you, in this section at least. So I've covered the traditional high points. I've got all the typical notifications that you've got to have for this thing, and for the social: I am your captain now. I also do fun stuff such as endurance sports, GORUCK, Ironman. That is why I am the Iron Pirate: when I crossed that finish line, I got announced as the Iron Pirate. And yes, the captain went down with her ship this past fall, getting out my gigantic lawn ornament, which is a pirate ship complete with a skeleton pirate captain. It fell on me and tore my ACL. Got that repaired right before Thanksgiving, but yeah, the captain went down with her ship, and I'm back to walking like six miles a day.

So this is one of my favorite things, and I love it because NIST actually said this. This is NIST Special Publication 800-53 Revision 4: compliance is not security. I use this in every single compliance presentation that I do, and this is where we start. It will be available to you guys, and you know where to find it. Now, NIST sets this as our baseline. This is what we use, this is our commonality, so we know that we are on similar wavelengths. We're not using this as "we are all secure," because we're not. If we were, we wouldn't keep having all these data breaches. And why is that?

Okay, let's be bad guys, because this is another thing I also like to support: as defenders, we need to think like our adversary. We need adversarial thinking for our defenders. Work with your red team, get that purple team going, so you've got that offensive unit set. You can't really protect your systems unless you're looking at it from the point of view of who's going to come in here and really play with all this. Okay, I still got TLS 1.0 running; can they physically get in and do something with this? These are things to consider. That's at the end, y'all, but first, here's where I get a little bit scary.

So in this survey there were 5,600 IT professionals surveyed, and 66% of the healthcare organizations that these professionals are at experienced ransomware in 2021. That's a pretty hefty lift, right? It's pretty widespread. It's very popular because it's easy. And the thing is, there have been about 5,150 data breaches between 2009 and 2022 reported to HHS, Health and Human Services. So that's quite a considerable amount, and that actually resulted in 382 million records that were breached. Now, that does include Anthem. Anthem is still the biggest overall single loss, and that's quite considerable, but we have a lot of stuff that's out there that keeps adding up.

Aside from that, credential theft is also continuing to rise. 55% of the respondents were highly concerned about credential theft, more so external than internal. Obviously this is a concern, because when you have data breaches at other programs, people are reusing passwords. It's very easy to go take Bob's password and see if it works, and where it works, because we can find out from LinkedIn. Sensitive data and employee data: not everything is encrypted, unfortunately, so you might have your health information, Social Security numbers, which you shouldn't be sending over email. Doesn't mean people don't do it. PII, PHI. I've even had clearance information get out there.

These top two are out of IBM's X-Force and their surveys. So out of their respondents and what they saw, they had 41 percent of phishing attempts as the top method of initial entry into the networks, and then they were easily in the networks and going around. One thing is so easy: all you've got to do is just click on a little link. Are we doing phishing exercises? Show of hands. Okay. Even the university I teach at for fun, I got a report, and still, with all of this, people still fall prey to phishing exercises, because it's just easy. We don't take the time, and it's like, oh, I might have won something, or your electric bill's not getting paid. "But this isn't my electric company." They're still going to click it, Shannon. But it still works.

So 26% of known vulnerabilities are still being used as an entry point. So while this has been a decrease in terms of entryway, and it had been higher in previous years, it's still showing that we're not keeping up with patching. Now, this could be for various reasons, such as having legacy systems, or a patch not working due to other underlying issues. We've all had those: you roll it out, it breaks something, you roll it back. Sometimes it doesn't get addressed, but then it doesn't get blocked at the firewall because it's forgotten, or there's too much of a hassle and you're not getting audited on it. But security misconfiguration continues to still be a top issue, and this is things such as: simply, you haven't configured your user access correctly; you're not removing people when they've moved on to different jobs, so they have elevated privileges that they shouldn't; or you haven't taken away ports and protocols that shouldn't be there. Someone just stood up a new server; why is there FTP on it? Well, some of us did not follow the configuration plan. Yes, I can actually see these, or when you're walking around and you're doing the physical audit, and it's like, why is there Bluetooth on the system? There shouldn't be Bluetooth allowed. What's this? It's real life.

So why am I failing? Well, there are multiple things that we need, and this is stuff that you will see. It doesn't matter what people are supporting. So what metrics you want to use, that's up to you. This is going to be what actually matters: what is measurable to you, what is the maturity model that you are focusing on? Are you looking simply at vulnerabilities closed? Do you want to focus on how you're doing on your... are you aiming to get to where you're going to pass CMMC 2.0? Do you have to get through PCI? Are you upgrading to PCI 4.0? Yeah, that's coming up really fast.

With this, we need to have validation before you go ahead and you add your new technologies. Got to have your security integrated into that full system life cycle, and it's not just when you're doing your software development, it's the full system. So if you're going to be doing some upgrades, maybe at least ask security: is this going to introduce some new vulnerability if we're moving over to it? It's a major difference, because it might not be something that seems obvious, but it could trigger another issue if there's a disconnect, especially when you do have someone like me coming through: hey, you didn't have this last year. Guess what? Where's your documentation? Where's your change management? What about your records? Did this get signed off? It didn't? Okay, what did we do about that? Oh, the food here has a third-party credit card... yeah, it needs work. She didn't want me to raise my hand again.

So with third parties we do have issues, because we are reliant on them. Look at this with the Anthem breach: they had all the health information, because you had a whole lot of Social Security numbers and other related information, along with all the information associated with the individual. But after that, organizations started having third-party vetting, especially requiring Anthem to provide cybersecurity insurance proof. I worked for a company that required them to show that they had a ton of cybersecurity insurance. And they also had levels of requirements based on how other companies would answer, how they performed, as far as did they have SOC reports, or were they PCI compliant, depending on what services or software they were purchasing from these other third parties. So it was basically: go through the list, weighing the risks, because the other thing is, if they have a breach, how's that going to impact you and your client base? Are you going to end up having your customers exposed because of their data breach? It's never-ending.

And configuration management, sanitizing, with that validation. But yeah, there isn't always a configuration management process in place for this. You know, we want to have: put in your change request, get it reviewed, get it approved before it goes through. Pretty simple, but sometimes it just gets done.

Basically, what you said for the third parties: we use them because we'll outsource business functions, but the thing to remember is you can never outsource your reputational risk.

Oh, that's true.

And say, oh, it wasn't my fault, it's my third party who screwed it up. Yeah, no, it's your customer and it's your loss, so recognize that, please.

Absolutely. Well, and that's fine, you want to vet your third parties, because if they mess up, it's still you, because you're going to lose.

Well, it's not all just the data breach aspect of it; there's just the continuing business functionality. Where I'm at, we had a recent issue with our mail house. It's ransomware, and that literally stopped us from being able to send invoices for about a week and a half, which turned into a cash flow issue. It's kind of important to ask them what their RTO is. If it doesn't match with our business needs, then they're not a good match, period, as a partner.

Absolutely, you have to consider what is that service level, because if they have an issue and they can't get back up and running, that's going to impact what they can deliver to you, and how weird if your RTO is four hours and theirs is three days. Yeah.

Inventory. Oh yeah, so you have a massive worldwide organization; how do you track this stuff? Hey, we all got barcodes everywhere, but you go around and you scan, scan, scan. Well, let me explain this part of what I do as a QSA: I'm going out and taking pictures of various things, and then I'm going back and I'm comparing it to my list. Is this barcode on my inventory list? This is part of my spot check. I'm looking at the payment devices, I'm looking at computer systems, and I'm doing spot checks everywhere. And yeah, sometimes you end up with, hey, this doesn't match. What's the last time you really fully double-checked this stuff? It happens, and sometimes it's just because they're not updating the barcode fully, or they've switched it, they changed their systems, but that still leaves holes. Someone can come in, they could take something, they could physically take a system, but you've got to know. Or, you know, the whole story of the system that got walled off behind drywall and no one knew where that server went. That doesn't sound so sad. Yeah, but it did happen somewhere in place and time. But knowing what assets you have and where they are prevents having things such as people taking assets home that they're not supposed to, having things grow legs and wander off.

Also, legacy systems are continually an issue. It's the pain of everybody, but it also introduces security issues, particularly when you have an end of life cycle for software support, and when you have PCI coming through and that's not supported anymore. What do you have from Microsoft for your contract? You're going to get off of that next year, right? This is going away, right? So you have a lot of pushing. Yeah, not hurting. Everyone's heard of cyber hygiene at this point, yeah? Do your antivirus, do your patches, be good, try to be good. Doesn't always work. I want to say these last two are really important, and I don't just say that because I'm biased.

Improve your audit support functions. There's a lot of offense when it comes to audit; not all of us are the bad guys. I mean, hey, I'm pretty personable. People usually like me when they get me for their audits, because I try to make everyone laugh. But yeah, I try to make it easy. Give me your documentation, we're good to go. I'll get what I can get, and then I ask you the follow-up questions. I do the mandatory interviews, that's part of what it is, but it's a back-and-forth support. Whether you're internal or external audit, it's all about a give and take. You've got to have documentation; it is just how it is. But also, it's not a battle. We can actually help you guys, because we can help you get more budget. It's not a bad thing; you just got to know how to word it so you can get your budget increase, because, oh hey, we're not going to pass audit if we don't have this. And also, "it's too difficult": this one really gets used a whole lot. Bring it up in chunks; it's not that bad. I know the verbiage is a pain in the butt, but as someone like me that's read this stuff for 20 years, I'll put it into basic terms.

But going back to that whole "compliance is not security": yeah, a lot of it is checkbox, the way people usually do it. Please don't do checklists. Thank you. Honestly, it doesn't take a lot to meet compliance requirements, and when you're looking at a lot of them, it's mostly straightforward. Not always, but it's not the be-all end-all of security, so it doesn't take too much to meet it. Basically, it's just do it. As I said, work together, we could secure your network. Listen, it's a team effort; there's no point in us beating each other up. For those auditors that aren't great, go ahead, but for those of them like me, all I can do is do the best I can based on the information that you provide me. So the more documentation that you can have together beforehand, the better your audit is going to go. I don't say this to be condescending; I say this with all seriousness. Clients that have their documentation all ready, except for the stuff that they have to get me, like screenshots as we go through it in interviews, they're the best people ever, because they're like, yep, here's my four quarterly scans, here's all my policies, here's my procedures, I'm good to go, I remember what we did last year. And it's like, great, I love those people. It's going to be you when I'm bugging you every week: where's my documentation? You've got those policies? Super cool. Did you update the table that says someone actually reviewed it? That's the important thing.

Yeah, there are a lot of cybersecurity frameworks, and this isn't all of them; this is just stuff I've worked with. There's more out there and there's more coming. Just a little bit about some of the stuff, because we are running... I'm surprised I didn't talk faster, so let's go. This will make your life way better when you do audits, particularly if you're doing CMMC or PCI: if you can manage to segment and scope, it will dramatically reduce what you're responsible for. So do you want to have anything that has your CMMC-related stuff for your government work, your PCI, anything that actually has cardholder data, related? You can crunch it down. You have so much less stuff that has to get tested and has to be documented. It saves time and money, and it's less time with me. This is a good thing.

Risk assessments. Yeah, risk assessment is on you guys. You should be doing an annual in-house risk assessment to ensure that you are prepared for someone like me to come through. Think of it as your dry run. Are you prepared for your external auditor? Do you have your documentation? Have you had your pen test? Are you prepared for your pen test? Do you need a pen test? Not everything requires a pen test; it depends on what level you're at. So think about it, and also, did you have a major system change? Because that requires more documentation.

Are you guys getting tired of this documentation? How do my audits go? Depending on the size of the network, I'm going to spend one or even two weeks doing interviews with staff, and there's going to be security testing; some other team's going to do penetration testing, separation of duties, and I'm going to get to do a physical walkthrough. So yeah, I'm still going to be looking for guards, guns, gates, CCTV, and also check in and make sure, for PCI, that there are no skimmers.

If you're having a PCI audit and you fail, you will end up with a prioritized approach, or I will lay out for you what you need to do based on the Council's recommendations. They have an order for your failures. I say that in general as far as the controls that were noted as failures, because they're very black and white: you pass or you fail, if you don't have a compensating control. And then there will be a prioritized list for what you have to fix. Now, if you have compensating controls, because you changed vendors and you weren't able to have all four quarters of passing results, we might be able to work with it. It depends on your brand; some are nicer than others. It also depends on how much of an issue it is. And of course, a POA&M is more of a federal thing, but you should always look at your vulnerabilities and have a plan of action for remediating those, and you should be closing them out, preferably in 30 days, because that should be your patch cycle too.

Now, we want to improve your process. My recommendations are: make it repeatable. You're going to be seeing someone like me every year, so just like you do as far as having an incident response playbook, this is totally repeatable. Structure your team, make your timeline. Work a little bit backwards: you come up every year, that's your time frame for redoing your audit, so know when you've got to have stuff. Plan out having your policies updated and reviewed. Plan for gathering reports. Oh, and make sure that you actually download those from your ASV if you're doing PCI. I have had a case where they didn't, and then they weren't able to get them, so that caused an issue. Make sure you have them on your own server. And once again, improve your communication with your audit team, because you don't want to have lack of communication be an issue that holds you up. Communicate. There's no dumb question, there's no wrong question; we'll answer it. The only wrong question is one that doesn't get asked.

So a little bit more on solving the problem: the only real problem is how we think about it. Keep up with your internal risk assessments. If you have a major change, you might need to do an additional small risk assessment just to make sure it's not going to have a bigger impact. Make sure that your vulnerability management is actually working, that people are actually managing that and following through. Just because you have the program doesn't mean that someone is following up with the groups, that they're doing their patches and that it's getting corrected. If they're just collecting the scan reports, that's not a vulnerability management program. So I think: always validate. Validate scans, validate inventory, please document. And with that, questions?

I have a question. It'd be a long one here. So what's the DSS for small to medium businesses, businesses that aren't level one or level two? Is testing required? Is 11.3 anywhere... I'm having a little problem