
Well, you're in for a treat, because when you think of security, do you think of it as a family affair? So, I'm really excited about this talk called Cringe Corrected: Hot Takes Fixed by the CIS Controls, and let me just introduce the speakers of this father-daughter pair. So, Lawrence Cruciana is the founder and president of Corporate Information Technologies, also known as Corp InfoTech, and he actually runs one of the hottest cyber security managed services in the US. And let's introduce his daughter Amelia. Amelia is a cyber security and privacy student and researcher with a focus on practical privacy-preserving security. Her focus really applies the CIS controls in ways that non-traditional practitioners and early career security folks can actually understand. So, let's give them a hand. We'll have questions at the end.

>> Thank you, and welcome to Cringe Corrected: Hot Takes Fixed by the CIS Controls. My name is Lawrence Cruciana. As you heard, I'm the president of Corporate Information Technologies. I've had a little over two decades working in regulated, high consequence environments, and I've been aligned with the CIS controls since before it was the CIS controls and it was a SANS project. I've been fortunate enough to author hundreds of cyber security programs, and my organization was the first organization to complete the CIS accreditation. I'm very excited to introduce Amelia, who's going to be joining me on stage for the first time.
>> Hi, my name is Amelia. I am a cyber security intern doing some alert triage, and I'm also a student. A hot button for me is your data protection and privacy on the socials, and this is my first time presenting anywhere, much less B-Sides. So, thank you for having me. >> [applause] >> So, this session is intended to be a fun way to introduce the CIS controls. It's going to be a crash course. We only have 30 minutes and about 90 slides to get through. So, we're going to offer a couple of examples of mapping real world scenarios to the CIS controls and really try to help make some applications. All of this is intended to allow you to take away making practical cyber defense techniques a little bit more approachable, that you can use the controls to map and connect things so you don't have as much trial and error. The controls are, after all, quite effective, and we'll share some of that. Yeah, so today we're going to share some of the wisdom we learned on social media, introduce an on-ramp to the CIS controls, and hopefully make cyber defense a little bit easier, and let's have some fun along the way. So, let's get into it. So, this whole talk came about because I get really frustrated about false information that you find online that someone in their early career might actually believe to be true, because I'm sure there are times that we have all struggled knowing what cyber defense strategies are actually effective, because you will always continue to get false information online.

Now, it wouldn't be a cyber security conference in 2026 unless we had a legal slide here for the lawyers. This is all intended to be for educational purposes. So, please don't base your entire cyber defense strategy on a 30 minute session at B-Sides, even though we do have some really good guidance and advice in here. Do your own research, make your own applications. So, before we get started, I want to talk a little bit about the CIS controls. The CIS controls is a cyber security framework, and the controls are very unique, and I could talk for hours on this, but I promise that I wouldn't, and we'll actually get to some more fun things, but I think we need to set the stage. So, the controls are a set of 18 controls or families that are based around thematic taxonomies. Like, if we look at control one, control one is the inventory of enterprise assets: know what stuff you have. Or control 11, data inventory: know the information that you're actually trying to protect. The controls are a risk sized framework, meaning that they're adaptable to the specific situations and different risk scenarios. Yeah, so they are organized into 18 controls or families. Each control or family has multiple safeguards under it, which ask us to do just one thing. They also use real world information, like successful attacks, to inform their inclusion in the controls. It's all good.

Now, I want to talk for a second about bank robberies. In the United States, I think we can all agree it's probably a pretty bad idea to rob a bank. And in the US, one of the many jobs that the Secret Service has is to figure out how those robberies were successful. So, the Secret Service uses an offense informs defense strategy, where they take and understand how the bank robbery happened, and that goes into understanding everything, or influencing almost everything, from how bank lobbies are laid out to how information assets are flowed through a bank, identifying insider risk profiles, everything. But that example of an offense informs defense strategy is also core to the CIS controls. That offense informs defense strategy gets at one of the most effective things about the CIS controls, and that is that it's a risk sized framework. You're going to hear us say that over and over, but it's one of the most important parts of this. In the instance of the CIS controls, we use real world events. So, coming from law enforcement, like IC3, from VERIS, the Verizon DBIR, we use real world information about how successful attacks were propagated, what the victim taxonomy was, what their profile was, and then ultimately we can align the safeguards to stop the bad thing from happening with the risk size, the appropriate risk profile of who the victims were, who that threat actor targets. So, offense informs defense. So, the safeguards are organized into three implementation groups, IG1 through IG3, one being the most basic and as simple as brushing your hands and washing your teeth, all the way up to three, three being appropriate for organizations with higher risk and more valuable information assets. Absolutely. So, the organization of the safeguards is important to understand before we get into this.
Now, one of the ways that we have the dimension of adaptability in the safeguards is this use of implementation groups. So, as you can see in this graphic, we have the individual safeguards, like IG1, or sorry, safeguard 1.1 and 1.2, organized into implementation group one. Controls 1.3 and 1.4 then adapt into implementation group two. So, higher risk environments would be those that want to implement IG2 or eventually IG3. So, each of the safeguards is organized in this way. So, each control family has one or more safeguards aligned to it. Each of those safeguards is aligned into one or more implementation groups. Now, the controls are different than many other cyber security frameworks in the fact that they're very adaptable. They're very adaptable using the implementation groups, but they're also highly prescriptive. They ask us to do only one thing. It's not nebulous, it's not squishy, it's very specific, with very specific actions or metric based thresholds that need to be implemented. It's also important to say that, you know, in the cyber security world, I think we hear a lot about compliance, we hear a lot about legal risk. Now, I'm not a lawyer. I may have the opportunity to hang out with a potentially disturbing number of them. But when the legal profession identifies something as effective at mitigating risk, I think we in cyber security should pay attention. And the CIS controls are one really good example of that. There are five states today, and that number is growing, that have implemented cyber safe harbor laws, so that organizations that meaningfully implement and attempt to comply with frameworks like the CIS controls actually have a safe harbor against civil liability in the event that a bad thing happens, that there is some type of cyber incident. This is an incredible superpower that the CIS controls have, and it's something again that, if the legal profession understands this and they make the application of efficacy, it's something that we in cyber security should also pay attention to. Yeah, so with that background out
of the way, we can really have some fun now. So, we looked to the source where all power and knowledge is stored, the web, particularly on the socials, for some good advice. What we found was anything but that. These are real posts. We had high standards for the ones that we included, too. They had to be recent, have interaction, and had to have someone actually trying to respond to the post. >> Someone trying to actually answer the question. >> Yes. >> All right. The handles of the less than innocent have been obscured. Now, before we move on, let me set this up a little bit. Now, in each of the next couple of slides, we're going to share the post. This is the actual post with an actual highly upvoted, highly engaged response. So, someone early in their cyber career may or may not have difficulty in really understanding what's real and what's not. Now, I've been doing this for a couple of decades, and I can tell you that even the things that have a very clear deterministic statement, that sound legitimate, sometimes it's hard to cut through the noise. And that's what we hope you'll take away from this: that the controls give us something that we can use to cut through the noise, a filter by which we can determine, are the things that we're seeing online real? Can they hold water, or is this just someone's opinion that may or may not be real or applicable? So, as we do that, we're going to share each of the posts, and I'm going to give Amelia the opportunity to share what she took away from each of these in her application.

So, here's the first one we have. Stop worrying. So, I mean, they're going to disable password authentication. So, that seems to me like that's better, right? I mean, they're clearly moving to a token-based authentication with FIDO2, which is passwordless. So, it's going to be better, and they're implementing fail2ban. So, that seems to me like that's a good thing. All right, now when did you find this post? October. Of 2025. >> 2025. Come on. All right, 2025. So, this is not that old. Now, I want to understand, what was your takeaway from this when you started going through this? Yeah, so I mean, my takeaway from this is that this is best aligned with control four. This tells us to use secure configuration. So, not having a password seems like a great idea. We don't have to worry about password authentication, and we're reducing the attack surface by implementing other authentication methods instead of using a password. I mean, we're implementing fail2ban, which also is going to support what control four tells us to do. 4.3 tells us to use a, oh my goodness, secure protocol. Which SSH is. Yeah, and 4.6 tells us to securely manage enterprise assets and software. All right, so control four does implement all of those things, but the thing that stuck out to me, and I don't know if anyone else noticed this, was CentOS 6. Anyone else catch that? Right? 15 years old. I mean, that's almost as old as Google, right? So, CentOS 6 has massive vulnerabilities. This is a very old operating system. I mean, maybe they're implementing password on a passwordless technology, but I think they're probably implementing good old-fashioned SSH keys. But we still have a very old operating system that's directly connected to the internet, which, at least in my experience, is just a recipe for disaster. Now, >> [clears throat] >> the controls do give us some grounding for this, right? Like, in control four it does give us some grounding, but we still have these software vulnerabilities that at the end of the day allow an attacker to bypass all of this great stuff that we're implementing, even fail2ban. And it's probably an easier attack for them to get through with that CentOS 6 that has lots of unpatched vulnerabilities, to have an easier way to exploit the operating system and carry out their objectives. Yeah, so I mean, maybe they could just be authenticating locally, and control 5.1 tells us to maintain a centralized record of all accounts. All right, so by pulling the authentication back, it's a little bit more difficult for them. Yeah. All right. Yeah. Well, I think that the controls here really do cut to the chase, right? Control seven tells us that, well, we can't patch CentOS 6 anymore. Control seven tells us to patch our stuff. And at the end of the day, if we look at just boiling it all down, well, control seven tells us we can't meet its requirements. So, maybe we shouldn't do that to begin with. So, CentOS 6 is a very old operating system. It's end of life. We can't maintain it
anymore. Yeah, so you can tell that there is more to this than control four and fail2ban, and this is not a good idea. Yeah, pretty bad idea. Yeah.

So, here's our next one. VMware is bulletproof. All right, now this one's super special to me. I mean, 688 upvotes, lots of interaction. People really were engaged with this post. And the thing that got me was, when was this from? I think May. May of last year. Yep. Now, I mean, I know, right? It's not like anyone can pop over to Shodan and do a quick little search and see that there are hundreds, maybe thousands, possibly thousands of down level ESXi hosts that are directly attached to the internet that are vulnerable to a lot of really bad vulnerabilities. I mean, no one would ever possibly do that. So, with that aside, walk me through kind of your application of this. Well, a quick Google tells me that this bulletproof claim for VMware is totally untrue. VMware looks like a security nightmare. So, we have to train properly to understand what's going on. This seems like dropping VMware on the internet directly is a bad idea. So, I think they might want to look into control 14, implement a security awareness and skills training program. >> [laughter] >> Or the side of 17, security incident response, because they're probably going to need it. Man, all right. I absolutely love the fact that you landed on a security awareness training program. That's really solid. I mean, VMware absolutely is 100% critical infrastructure. No question about that. It has a long history of security vulnerabilities. Directly connecting critical infrastructure to the internet, probably a bad idea. Yeah, so we can also look to control 12 and control six, telling us how to properly manage infrastructure and access control management, because these can reduce attack surface and potentially identify better ways to administer this critical infrastructure. Yeah, I think the increased exposure here is really less than good. The controls do give us a solid path forward to reduce risk and control management of ESXi. I mean, clearly VMware is not more secure. It's not bulletproof. It does have very real exposure, and the controls give us a way to kind of frame that in a little bit. Like, it's been exploited for a long time. It's something that we as system administrators really should be evaluating very carefully, and very carefully control and guard. Yeah, so we can learn here that there is a lot wrong with placing this type of system directly on the internet without any other controls. Yeah, solid.

All right, so here is our last and final post. Just turn it off. So, not sure why a Chrome update would break an electronic medical record system, but here we are. So, I had never heard of CORS, but I
can confirm there are some old janky web apps that just don't work right in modern browsers. So, this seems more like a server-side issue, which led me to control 16, application software security. This seems like the software publisher did not do enough regression or end-user testing, and so this seems to me like the poster is right that the EMR just has to work, right? I mean, this seems like a bad thing in a clinical environment. >> [snorts] >> So, your takeaway was that this thing had to work, and maybe that disable web security. I don't know, did anyone else catch that? Right? Like, just disable web security, replace the Chrome icon with disable web security. I mean, you know, seems like a solid device, right? It's absolutely magic. Magical things seem to happen. For those that aren't familiar, CORS is cross-origin resource sharing. So, it is a way that our modern web browsers use to place a barrier between adversary in the middle attacks, amongst many other things, but it really prevents, and makes it more difficult for, eavesdropping or altering data in a session between a workstation and a server, which in a clinical or EMR environment might be pretty bad. You can have some pretty bad outcomes that could come from that. Yeah, so there are several controls that come into play here, starting with the application vendor themselves doing a better job in control 16, application software security and end-user testing, which flows into control nine, that tells us effective ways to... If they have to exclude the EMR from browser security controls, that should be pretty tightly scoped. And then finally, control 15, service provider management, also comes into focus here. So, we need to drive the EMR vendor selection process by requiring they maintain compliance with modern security standards like CORS. That's solid.

All right, so as we come to the end of our time today, let's do a CIS recap. So, the CIS controls are a cybersecurity framework that provides a risk-informed decision path, meets your organization
where you are. They are not a fixed checklist. They are highly effective even at IG1, which is just your basic controls and keeping it together. And then they give some context to the often humorous or blatantly wrong advice on the socials. So, I want to speak to both system administrators and cyber defenders. The controls reduce your level of effort to implement meaningful cyber defenses, less trial and error. They lower the barrier of entry for organizations and system administrators, even early career admins like me, to implement meaningful defense strategies. One of my big takeaways when putting together this talk was control 15. This deals with strengthening your supply chain. This levels up your awareness and position in a company as a young sys admin. Now, I want to talk to the software developers in the room. And control 16 specifically really applies here, especially those who are in early stage or startup companies. So, control 16 tells us how to implement secure software development life cycles. And control 16 gives us the ability to use the implementation groups to better risk inform our development, right? Like, if we build security in early, if we build it in as a default function, and we use the IGs to help guide that implementation, right? It gives us a progressive guide to implement that security and ultimately levels up the software development and really the overall defensibility and cyber defense capability of the product that you're building. Yeah. So, frameworks like the CIS Controls beat improvisation. And using an offense informs defense strategy yields a better and more advanced defense strategy overall. The controls are a set of 18 prioritized, real-world informed, risk-sized defensive strategies that provide better outcomes. The risk-sized approach is delivered through implementation groups, with IG1 taking care of largely 74% of common TTPs, the tools, techniques, and practices of attackers. That's a huge number. Thanks for joining us for Cringe Corrected, a CIS Controls take on some bad social media advice. Now, that's all the time that we really have for today. I did have one slide, and I know QR codes at security conferences are generally bad, but along the bottom is the link that it takes you out to. If you'd like some additional information on a white paper that we put together on the CIS Controls, you're absolutely able to get it there. And we do have a few minutes for questions. Thank you for coming.

Give me a hand. Okay, any questions? Wow, we did that great. You did it. It was perfect. Oh, fantastic. Oh. Yes, Heidi. >> My question has to do with, if you're in an organization that has a lot of the tools already put into the environment, what would be a good strategy of actually
implementing the CIS Controls into that environment? Because you have so many different things going on. How would you prioritize actually implementing that to get your network in a better place? >> Oh, that's an amazing question. I mean, I think that it's easy to spend money, right? Like, it's easy to spend money. It's easy to buy blinking lights or tools and implement them. It's difficult to change human behavior, and it's difficult to change strategy at an executive level down. So, my guidance for that would be really to start with executive buy-in. And like I mentioned with the CIS Controls, even at IG1, there's incredible data that has been put together on the efficacy of the controls at IG1: 74% mitigation of common commodity attack TTPs. I don't know about anyone else, but in cybersecurity, if we can mitigate 74% of commodity attacks with just some simple things, like really the effective, like washing your hands and brushing your teeth, I would start there. That's a data-driven approach to get executive buy-in, to change the culture of the company to do this thing, because it really is the right thing for the organization. So, starting with that conversation at the executive level and driving a data-driven buy-in to then move into the implementation of turning the proverbial screws. I mean, most organizations have, out of the gate, most of the tooling required to implement IG1. It really is very basic. And that's it. Any other questions? Fantastic.

>> Do you have any opinions on... So, there's a lot of compliance and government regulations out there for cybersecurity. Do you have any opinions on them? >> I'm a lead CMMC assessor, so I have lots of opinions on those things. Yeah. So, I'll say this. I think that mandatory compliance, it really is unfortunate that it's required. I think there are many organizations that wish to do the right thing. They wish to implement the right thing, but my experience in the CMMC world, which is DoD adjacent, has told me that even a circa 2017 rule that has been required across the entire Defense Department for, well, almost 10 years now, it's really a struggle to implement it even today. There are a lot of organizations that either don't understand what those requirements are, or they want to find an easy path to do that, and they really don't implement those things. So, I think it's necessary that we have mandatory compliance. I don't think mandatory compliance necessarily enforces meaningful cybersecurity all the time, because I think those that wish to do the right thing are still going to do the right thing and exceed the minimum compliance standards. Cool. Thank you. Any other questions? Anything from up front? All right, let's give them a hand. Thank you, Lawrence. Thank you, Amelia. >> Thank you for having us. [applause and cheering]
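One takeaway from the CORS discussion in the talk is that if the EMR has to be excluded from browser security controls, the exclusion should be tightly scoped. The following is an added example, not from the talk or from either speaker, showing what a tightly scoped server-side CORS policy looks like and modelling the check a browser performs before it hands a cross-origin response to page script (the check that a disable-web-security switch turns off). The origins https://emr.clinic.example and https://other-site.example, the allowlist and the request samples are all constructed for illustration.

```python
"""Tightly scoped CORS for a legacy browser-facing app (an EMR front end, say).

Added example, not from the talk. Every origin, allowlist entry and request
below is constructed for illustration; the *.clinic.example names are hypothetical.
"""
from typing import Optional

# Constructed allowlist: the only origin that may call this API from a browser.
ALLOWED_ORIGINS = frozenset({"https://emr.clinic.example"})
ALLOWED_METHODS = frozenset({"GET", "POST"})
ALLOWED_HEADERS = frozenset({"content-type", "authorization"})


def cors_headers(origin: Optional[str], method: str,
                 requested_headers: Optional[list] = None,
                 preflight: bool = False) -> dict:
    """CORS response headers the server should emit for one request.

    - No Origin header, or an origin not on the allowlist: emit nothing, so the
      browser refuses to expose the response to cross-origin script.
    - Allowlisted origin: echo exactly that origin (never "*") and add
      "Vary: Origin" so a shared cache never replays one origin's grant to another.
    - Preflight (OPTIONS): also reject methods or headers outside the allowlist,
      otherwise advertise what is permitted.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    if preflight:
        if method.upper() not in ALLOWED_METHODS:
            return {}
        wanted = {h.strip().lower() for h in (requested_headers or [])}
        if not wanted <= ALLOWED_HEADERS:
            return {}
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        headers["Access-Control-Max-Age"] = "600"
    return headers


def browser_allows_read(page_origin: str, response_headers: dict,
                        with_credentials: bool = True) -> bool:
    """Model of the browser-side check that gates cross-origin response reads.

    The Allow-Origin header must name the page's origin exactly; "*" is honoured
    only for requests sent without credentials (no cookies, no Authorization),
    and a credentialed request additionally needs Allow-Credentials: true.
    """
    allow = response_headers.get("Access-Control-Allow-Origin")
    if allow is None:
        return False
    if allow == "*":
        return not with_credentials
    if allow != page_origin:
        return False
    if with_credentials:
        return response_headers.get("Access-Control-Allow-Credentials") == "true"
    return True


def wildcard_policy(origin: Optional[str], method: str) -> dict:
    """The lazy vendor 'fix': open the API to every origin on the internet."""
    return {"Access-Control-Allow-Origin": "*"}


def evaluate(page_origin: str, server_policy) -> bool:
    """End to end: the server emits its headers, the browser decides."""
    return browser_allows_read(page_origin, server_policy(page_origin, "GET"))


if __name__ == "__main__":
    emr = "https://emr.clinic.example"
    other = "https://other-site.example"  # constructed unrelated origin
    print("EMR page, scoped policy:", evaluate(emr, cors_headers))
    print("Other page, scoped policy:", evaluate(other, cors_headers))
    print("EMR page with cookies, wildcard policy:", evaluate(emr, wildcard_policy))
```

The scoped policy admits only the EMR origin and nothing else; the wildcard policy is rejected by the browser for any request that carries cookies or an Authorization header, which is precisely the failure that tempts a site into switching the browser's check off altogether. Fixing the allowlist on the server keeps the protection for every other site the workstation visits.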