Common Mistakes And Getting The Basics Right - Nic Miller

BSides Bristol, 39:19, published 2019-07
Transcript [en]:

So, hi everyone. So I've got a talk today, and this is essentially a talk about what I think is probably a key thing for a lot of organizations to get right. My focus now in my work is actually working with small organizations. I am a virtual CISO, which is a thing; it's a nicer way of saying part-time. I work with organizations maybe a day a month, maybe two days a month, maybe as a one-off project, and then I go back in three or six months and see how things are going. But the point is that a lot of these organizations come to me, and they might be anywhere from five through to 300

people in headcount. Turnover can vary massively, from being a charity to being up towards £100 million or more, so you get a whole range of different people under that banner. But their initial assumption is that they can't do security, because they either don't have the budget, or they don't have the people, or, you know, anything. I think we've managed to somehow kind of upturn security and focus on completely the wrong things. OK, so what's my background? I was at GCHQ; I did that for about six years. I left and went to the City about five years ago, worked in financial firms, and got a bit bored of that about two years ago, so

I went and set up by myself and started doing this virtual CISO business, so that's kind of where I've been. So I want to start with something that I think needs to be an honest assessment of where we're at as an industry, which is that the majority of breaches that you read about today are preventable. One thing I should highlight: this isn't really going to touch application security so much. This is much more focused on generic infrastructure security and just the wider issues that companies face. Application security is a part of that, but I'm not focusing specifically on that; this is kind of a wider topic. But the majority of breaches are preventable. That's kind of where

we're starting from today. So that then leads to the question of why. Why is this happening? Where are we at? I'm going to go through a few different layers of where I think we're at, and start from a strategic level: how organizations think about security, their approach to security, the strategic barriers. Then there's a set about implementation: how do we actually attempt to get secure? What's the path that a lot of companies actually take to implement security, and where are some of the issues there? The third is going to be buy-in: how to actually bring people on board, can I actually get the buy-in to make it work? And then the

fourth is, assuming that you've done all of that, how do you actually check that you've done it correctly, and how do you maintain it going forward? And some of the issues around pentesting, which are not in any way issues with pentesters; it's how companies employ and use pentesters. So I think the first thing is: what's the approach that a lot of people take when it comes to security? You see a culture that's very much driven by trying to do quick wins, and why is that? Because it's really hard to make a long-term commitment to change. Where's a great example where this is evident? Legacy technology. If you've got an organization that is still heavily

reliant on legacy technology, like legacy operating systems, there are good reasons that those may still be in place in some instances, but the question is always: what's the plan? And it's a topic that no one ever wants to talk about. Why? Because it's really, really difficult. But you still have to come back and ask, what's the plan? You cannot forever keep using operating systems that are no longer supported; you can't use hardware that's no longer supported; there has to be a plan. And so I think this is where you see this sort of approach and where you see this clash. It can come at different levels, right? You might get on the board a sort of senior exec who says,

honestly, this is a problem I don't understand but I'm somehow responsible for; I just want this problem to go away as quickly as possible. From some of these people's perspective, if you've been a board member for the last 20 years, cybersecurity is a relatively new topic; it's come out of nowhere, and so your perspective might be: this has been a problem for the last five years, and in five more years it might have gone away and the next thing has come around. So some people still haven't acknowledged that this is a long-term problem that's here to stay. From a CEO-type perspective, what you might get is: I actually want to solve this problem, but I'm really not

willing to commit the time or the resource to actually do it. I just kind of want to do as much as I have to do, but I really don't want to do anything more on top of that. You might get a CTO's approach, which is: I want to just solve this with technology, and that's the only approach that I'm willing to take. And you might even get a CEO whose approach to solving security is: I expect to be here for two to three years tops; I'm not interested. It's a lot of effort to put in place long-term organizational change; I can do some quick wins, make it look good on my

CV and get out. These are all reasons that you have for long-term change not being present in organizations, but you have to acknowledge that that is one of the things that is holding us back. So one of the analogies that I'm going to use, which I really like and I think works quite well, is that I compare the security of an organization to weight loss, right? There is a general sort of area where you would say, right, for most people a healthy weight is somewhere in this band. There's not one specific place that everyone needs to get to, but it's the same rough area. How easy is it to do that? Some people, you're already there;

some people, you are already where you need to be, there's nothing else you need to do. Some people, you're a little bit further away. Some people, you're a long way away, right? Take two people, one of whom is relatively physically active and eats quite well. They might say, OK, I need to lose a couple of pounds and I'll actually be in that range. You've got someone who's 28 stone and eats four pizzas a day; they cannot get to where they need to be tomorrow. That's just not going to happen. That is a long-term commitment that they need to make. Now the other problem you've got with this is, I sometimes go into clients and they're the equivalent of the incredibly

unhealthy person eating four pizzas a day: I want to be healthy, but I still need to eat four pizzas a day. That's a challenge that you can't really overcome, and I think that's where you need to have realistic expectations and goals, right? If you are sitting there with legacy technology all across your estate and the management of the organization believe themselves to be secure from a sophisticated cyberattack, no. If you believe yourself to be secure from sophisticated cyberattacks and you're still getting hit by EternalBlue across your network, you're not. So where can you be, based off a realistic expectation of: this is where we are, this is where we can get to, these are the

resources that we have? And this is the challenge that I've got with small organizations: they will never have huge amounts of resources to throw at this problem, so it's all about trying to find where it is that they need to prioritize, what it is that they can realistically expect to get to. Another real bugbear of mine is this: if you ask most people what their security strategy is, they give you a list of tools. A list of tools is not a security strategy, right? It is perfectly acceptable to use security technologies as long as you actually know why you're using them, what it is that they're actually doing for you, and, if you didn't have that, what you could

do instead. Patching is a great example: application patching for end-user devices, operating system patching. It's a fairly straightforward process, but actually the more complex your estate, the larger it is, the more applications that your end users use, the harder this problem becomes, and at some point it may be a better idea to go to a third party and buy their off-the-shelf application and OS patching tool and deploy it across your environment. That's fine, because you know why you have that product and you know what it's delivering. What I see is a whole bunch of, and CISOs are sometimes the worst for this, they basically say, I want this product, and you ask them, what's that actually delivering for you?

Tell me how that reduces your risk. What you get back sounds suspiciously like the marketing material for the product. I mean, it might be on the back of that slide, but we don't... I've used it, and actually I would have good things to say about it, but I'd have very bad things to say about their marketing team. But where you get to is this: what we are looking for is, I can solve your problems, you don't need to commit to that long-term change, you don't really need to struggle, just buy this and your problem goes away, everyone's going to love you, the clouds will part, it will be fine, right? And we are just ignoring the real

problem here. So this is what to me is the crux. Now again, I can say all of this because I like to work with small vendors, small organizations. You can't really walk into an organization of 250 people that is so broken it's not fixable. Go up to an organization of tens or hundreds of thousands of people, and if it's a dumpster fire of an IT estate, I would just walk back out the other door, because some of these things are really, really hard problems, and I recognize that. I am sort of saying that I don't work with big businesses because they can be too hard to solve; I sometimes wonder if they can even be

secure at the scale they're at. But I like to work with small businesses because you can get them to a good place fairly easily. And that's one good thing to talk about here, which is, when we talk about back to basics, let's not assume that basics are easy. Basics might be simple; there might be fairly simple kinds of philosophies or fairly simple principles to stick to, but scale is what makes them complicated. Installing a patch on a server: easy. Installing patches across ten servers: that's still fairly straightforward. Ten thousand servers: that's a monster task, and good luck trying to do that in any reasonable timeframe with a whole set of businesses

that are going to have competing demands on those server types, right? So it's not easy to do the basics well, but that is not a reason to skip over them and not do them. Yes, they're hard, but they are still the critical things that you need to do. So with that in mind, what we're actually talking about with basic controls, I've got three lists: the NCSC 10 Steps, reducing the impact, that's probably the highest level of all of them; the CIS Critical Controls is one of the others; my favourite by far remains the ASD's. Essentially that's rebranded, I think, now to the ACSC, because the ASD is the Australian equivalent of GCHQ; they've stood up their Australian

Cyber Security Centre. Anyone who hasn't seen this list: they have been publishing this since about 2010, and it is fantastic, and it is the best prioritized cybersecurity guidance you will see. They have a top 35 controls, and as of a few years ago what they do is they've scored all of those as to whether they're essential, helpful, useful. There were eight that get marked as essential, and they cover the full range. There's still quite an external threat focus there, like stopping intrusions into systems, but they run the full gauntlet of the spread of controls that you need. They are also very clearly prioritized by how much it costs, how

much user resistance you'll meet, and how effective they are, so you can really actually start to see how useful these things are. And again, this is a critical thing in my view: this all comes before you've got any detection. The Essential Eight has no detection controls. It also doesn't have antivirus; I think they were making more of a point with that than anything else, but antivirus is not in the Essential Eight, right, because it's not actually that critical anymore. There's a lot of stuff that it is quite useful for, but there is a lot of other stuff you should be looking at doing. And detection, I'll come onto this a little bit later, but a lot of companies will

jump straight to having good detection, and all that does is mean you are then fighting fires, right, and you never actually get the time to then implement the rest of the controls. Detection is only useful when you've actually got a set of controls to slow down your attacker. If you think of a cyberattack as a race, the detection is the starter gun for you, but the attacker may have already started a long time before, right? So the starter pistol goes and the attacker is already halfway down the track. Preventative controls, the stuff that's in the Essential Eight, so OS patching, end-user application patching, privilege control, multi-factor

authentication, application whitelisting: these are the sorts of things that act as debris in the way of the attacker, and it slows them down, right? Without that you've got no chance of actually responding to an incident; all you can do is recover. Responding to an incident is catching one in process, stopping it, and then undoing the damage. You have no hope of doing that; that incident will complete before you have the chance to actually get in front of the attacker, so all you're going to be doing is recovery. So detection doesn't really buy you that much; it just lets you do your recovery potentially a little bit sooner. And what else does basic mean? Well, they're free. They're not

free, but they're kind of free. They look free: you don't actually spend any money on them, but you're going to spend more time and effort and resource. So are they free? Well, I don't know. But also, like we said earlier, at some point when you scale you might want to spend some money on them, because actually spending a bit of money saves three people's time, because one technology product can manage that system more effectively. Here's my view: in an SME you shouldn't have a cyber budget. It's unnecessary; it distracts from the goal of what you're trying to achieve, which is that somehow cyber is a separate thing that you need to spend money on. Fully agreed, in

larger organizations this is not practical and you need to have that money assigned, but in a smaller organization there is no need, because actually the critical things that you need to do, when you go and look down that list of the Essential Eight, are all things that will probably be done by whoever controls your IT estate. And so actually, from my perspective, when I was an in-house CISO and people would ask me if I needed more budget, I said, if you're going to do that by downsizing the Windows server team by a person, no, because I'll lose patching, I'll lose privilege control, I'll lose all these other things, just to buy an extra analyst to partially cover that risk

that you've created. Managed service providers won't do all of these by default. Think about a managed service provider who manages an IT estate. If your organization doesn't have internal IT, here's what they're going to do: they're going to say, we're going to go out to someone else and we're going to pay that company to manage our IT network, and their whole contract value is going to be based on them delivering us a working IT estate. What incentive do they have to put in place potentially disruptive security controls, like application whitelisting to any level? They're not going to get thanks for it; all they're going to get is, if it goes wrong, they're going to get in trouble. So again, some of this stuff is

not in an IT team's incentive to actually do naturally, so you have to request it, or you have to say, look, this is the standard that we expect you to meet. And the other thing about these controls is they're not binary. They are not on or off; they're dials, not switches, right? So actually the question isn't, do we have this control? Application whitelisting is a classic for this. If I say application whitelisting, probably a lot of you have just clenched up because you're thinking full hash-based application whitelisting, which requires a team of 20 people to manage. I would argue the very first step in application whitelisting might be something as simple as using a block

to not allow unsigned applications to run. That is a form of application whitelisting. How far is that going to get you? It's going to get you a little way along; it's not going to get you very far, but it's going to get you a good chunk. That's a good chunk of just crap that is not going to work anymore. Office restrictions on things like macros, is that application whitelisting? Sort of. It's about not allowing unknown code to run, and macros are unknown code, Office macros, right? I work across financial organizations; finance organizations use Excel macros to turn over probably trillions of dollars of the UK, or global, economy, because it's across the

US and UK. Excel macros run most of the world's finance, and that should scare you as much as it scares me. But they don't need Word and they don't do PowerPoint, so you can turn those off really quickly. Yes, you can't do much about Excel macros, so then you have to look at how well you can solve that risk. But again, these are not just full on or full off; there are bits that you can do, and it's what level you implement them to. And that's where I want to come on to now, which is realistic goals and realistic expectations. What are you actually talking about when it comes to cyber

threat? The majority of what we're talking about is untargeted. They don't know who you are, they don't care, they've never even heard of you as an organization, as an individual, whatever. It is just mass-market spray and pray: wherever I land, I'll land, right? That is the bulk of what you're talking about, and that is all handled by doing things like the basics well. There is a level on top of that which I would call the basic targeted. They know who you are: I am an attacker, I want to deploy ransomware, I'm going to look through a list of quite well-off companies that might be quite small but have quite high turnover, and I'm going to try to put ransomware

in them, because if it gets in I can get maybe a few hundred thousand in a ransom. If it bounces off or it doesn't work, I'm not coming back; I'm just going to move to the next one on my list. So it's a little bit targeted, but it's not; they don't really care. Then there's the OK, they want you, or your information, or actually you're part of a wider supply chain that they're trying to infiltrate. They will come back. You may remember Takeshi's Castle, or I think it was called It's a Knockout, but this is my idea of the types of attackers, right? If your security setup is like a sort of Total Wipeout run,

an attacker who gets to run it once will probably get knocked in the water fairly early on, right? The chances that someone, given one of these things to run without any prep, can get through all of those stages are very, very low. But these guys at the top, they're going to come back, and so they get knocked in the water, but then they redo it, and given infinite numbers of tries to run this course, if you never change those controls, they will eventually learn them all and they'll be able to complete the whole course, right? So the danger with these is not their sophistication; it's their targeting, it's their ability to come back and learn from their previous mistakes. That's what

makes these guys so dangerous, right? It's not a zero-day; it's the fact that this didn't work, so they're going to refocus it and send it back in, and they've got this far and they're just going to slowly edge further and further. And then at the very top, the people that get by far the most coverage, the APT groups, right? What defines the difference between that tier and the APTs, I don't know, because a lot of the e-crime groups look better than China. China keeps getting the most coverage, while North Korea's better than China. NSO Group suddenly pops up and, you know, they get an exploit, and all of a sudden that's what everyone's talking about

again. If you're at that level, where that is a sophisticated thing that you need to worry about, you need to acknowledge that that's the level you need to be at everywhere. But this is the other argument, which is, you need to figure out where you are on this pyramid, what level of security you are actually aiming to achieve, because for the companies who are aiming for that top and have legacy technology, you've got no hope. So what do we actually map onto this? This is my view of where the basics cover you, right? I'm using the five NIST pillars here: identification, protection, detection, response and recovery, right? So identification, protection and recovery are the basics: know your assets, do basic IT hygiene and

have a recovery process in place. Not a response process, a recovery process. You're not going to intercept any attack in progress; you're just going to recover from it when it happens: restore from backups, wipe machines, whatever you need to do. You just recover and move on. That gets you even into some of the targeted ones; if you're doing this well, that will slow down even a targeted attack. But remember, the targeted attack, if they get to come back, will learn this course, and even the basic targeted maybe will be a little bit smarter to jump through some of those hoops. So this is where SecOps then sort of kicks in, and that's your other two main

pillars of detection and response, right? But it layers on top of your preventative controls, because your preventative controls are what slow down the attacker within your environment enough for you to actually be able to detect and respond to them. Without those actually slowing them down, you could have all the fancy detection technology that you want; all you're going to get is, by the time the alerts actually come in from the tool or the third-party provider that you use, they've already got domain admin, got the credentials and they're out the door, because actually responding to one of these incidents still takes enough time. And finally, red team, threat hunting, those sorts of more advanced features: yeah, if

you are after a sophisticated attacker who's going to run your gauntlet repeatedly, you need to prep for that and train for it. But you only need to do it if that's the level you go to; if that's the level you're trying to keep out, that's what you should test against. If you're not, do you really need to hire some red teamers? I know it sounds cool and sounds great, but in reality, what are they going to tell you? More comments on that in a minute. So here's the other thing, very quickly, about implementation that I think companies get wrong. If you think of these as the strands, so identify, protect, detect, respond, recover, then what they do is this: they go

straight into detect: I'm going to put in place the most amazing detection technology in the world. What does that start doing? Detecting loads of security events, because you've got no preventative controls. Oh crap, what do we need to do? Well, let's get a really good response and recovery process in place. Fine, you're probably using third-party incident response, and at this point any hope of budget that you had has been blown out the door, because it turns out hiring Mandiant ain't cheap. So where are you left? Well, maybe we should do some identify; we should put in some policies and things like this. OK, we've done the identification etc. Fine,

but you still haven't done the stuff that is the protection, and actually, well before now, your budget's run out, so you never get time to do that. So where you end up, most companies end up maybe there, maybe there. Right, instead, a basic set of controls will do a lot more. Build it up if you need to go to that level: if you're worried about more targeted stuff, yes; if you're worried about highly sophisticated, then you need to go to this level, but it's still about doing it in those layers. This is going to make really no sense; there is another version of this that I'll show you on the next slide. But this is also the

argument of, when you're talking about security operations and you're talking about detection, there's all sorts of clichés floating around, like perimeter security is dead, blah blah blah. But as long as you think about attack paths: a cybersecurity breach is not one incident, it is not one thing that happened, it is a whole chain of events that got put together, and every single one of those events was your opportunity to block or detect that that activity was occurring, right? So the idea out there, that is somehow sold by a lot of vendors and that people have, is that someone in HR clicks on the wrong email and a production SQL database walks

out the door. It's like, no, no, no, no, no, there were many, many steps between those two things that happened. And this is one attempt for me, when I was in-house, to try to show people: here's where we spend our money, here's why we have these different security tools in place, here's what our security detection framework is around. Some of these are processes that we run, some of them are technology tools. It's more simple than it looks; it's a layering of basic controls and detection. But again, what you find is a lot of companies will get to installation and there's no further controls, right? So if you actually were to try to map yours out,

you've got, OK, you've got great perimeter security because you've got an IDS, you've got email filtering, you've got, you know, an advanced next-gen AV detection on your desktop. Great, very great, but the macro that just got through managed to bypass all of those; what is there to stop it? Nothing. OK, so actually it's very much that, past a certain point, your attacker's free and easy, and that's not what you want. You want them to face resistance the whole way through that attack path. The idea here is very much around spreading your controls out and not clustering. Here is another way that I then presented it later, where I had different colours to

represent different types of things, but again it's the idea that actually you have to start all the way on the left and you have to go all the way to the right. And again, this is a thing that I want to come on to later, but if you're going to pentest and you're saying to the pentesters, come on site, acknowledge that what you're starting to test is that middle onwards; you're not testing those first two, so you have to put those results in context as well. Anyway, in summary: one big heap of controls is no good; what you really want is to spread them out. Fine, so implementation, this is great, right? How are you going

to get buy-in? If you haven't seen Chernobyl, these next few slides are really going to make no level of sense whatsoever, but the message still comes through clear. So some people don't take bad news well, and if you haven't seen Chernobyl, spoiler: the power plant explodes. But it's really about decision-making in the Soviet Union, which I love; I think that, to me, was the crux of the show: people do not accept bad news when it is told to them, no matter how obvious, and you need to think about this when you're selling something, right? So you've done a review inside your company, you've said,

look, actually, our privilege management is terrible. What you need to think about is who you are presenting this to, right, because who you may be presenting to is the person who is responsible for that privilege management, and all you're saying is, you're pretty terrible at your job and it's a huge risk to the firm. That may not go down the best way, right? So you have to think about what the message is that you're actually presenting, who you are presenting it to, and what they are going to hear. So some of this is about tailoring your message so that you can say, look, here are some risks, here are some options, etc. But the key thing

is that just because you've found something that's particularly worrying, not everyone else is going to be happy to hear that news, right? You are identifying problems; that is going to cause other people work to have to fix it. I say you just need to take that into account; it's something I've really found. The second is this: you obviously need to be honest, right? Honesty is the key thing, but context matters more than anything else. So again, in the show they keep quoting how much radiation there is, 3.6 roentgen, because the meters that they had capped out at 3.6, so the true level was way, way higher. This is technically a true number, but the context is, we don't

know; this is not really a valid test, right? This is another thing I see in security, right? There is an issue with something, a critical server, like a production server has a critical vulnerability. That sounds bad, right? But actually, what are the compensating controls? Does that server face the internet? No. OK, well, so internally, who's got access to it? It's a vulnerability that's present on RDP but not the web ports. OK, but it's actually in a VLAN where RDP is restricted to one jump box. OK, it's not actually suddenly sounding that bad anymore. And if you go in sort of alarmist, which again, this will tell you, alarmism is not a good thing in the

Soviet Union, but go in with your alarmist view and people just won't listen to you, right? You have to provide context: how big a deal is this? You don't get that many occasions to sort of set your hair on fire and say, you really need to focus on this, so use them when it matters and don't waste them. It really is a case of, well, I think this is key, helping people to understand risk, right? They're not going to take a piece of technology or a theoretical vulnerability and necessarily be able to contextualize that. Talk about a possible attack. A great example of this for me is privileged account management, right,

where you see that, especially, privileged users have that access on their primary account. So the email that they're checking, they're browsing the web, and they're doing domain admin tasks, all using one account, right? You see that quite a lot because people don't think about why it's a risk, and you can sit down with even a CEO and you say, right, OK, someone clicks on an email, and that email has a malicious attachment; that attachment executes as that user. So this user has privileged access to every single computer in your organization. That means that, whilst they think they're really security conscious because they're a domain administrator and understand technology, if they actually make a mistake and click on the

wrong email, that attachment, that malicious software, has suddenly inherited rights over your entire computer estate, and you've got no ability to stop that. End to end, it can then just start stealing credentials, jumping to other computers; it can work its way across your entire organization, right? And that's an attack path they can understand. And you say, versus that, a person has two accounts, and they check their email on this account, and then when they need to go and do server tasks they have to right-click and run as, or RDP to a different machine, but there is a firebreak, and at that point, if this account clicks on the wrong email or the wrong attachment, there is no automated

hop. There is sometimes, you know, obviously, yes, you could have some vulnerability that's a privilege escalation etc., but your principle is, it provides a firebreak. There are always going to be workarounds etc., but that's a really good example of: if you want to bring someone on board for doing a change like that, you have to be able to explain to them how this can actually be used to hurt you, in a way that they can understand. Finally, this is the key thing: even if you're the CISO, how secure your organization is is not your decision, right? It is not your decision; someone else should be making it. If the business is saying it's your decision, it's not your

decision and they are not paying you enough to make that choice right it's security is not an isolated thing it's all a balance right so if you want to do you know you've got we've got on-premise email we're moving to the cloud we're moving to the cloud and it's going to save us X thousand pounds every year it's gonna save us eighty thousand pounds a year business decides it wants to do it great just one note you are changing our email infrastructure from being accessible only through this like limited window through to being accessible to anywhere in the world because you've decided to go office 365 so if we've got weak passwords they're going to be far more exposed than they

were previously that's not your decision as to which way the business goes as long as they understand both sides of that so my job isn't to it's to give people the information to make that decision it's not to tell them what decision to make now if they say we're going to go office 365 we're not gonna deploy multi-factor we don't think that's a risk at all I will obviously strongly advocate that I don't believe that to be accurate but the key thing is it is someone else's decision and all you need to do is provide them the information to help them make that now finally okay you've got some buying you're going to do some implementation

you've got a set of critical controls, you think you've done it. What about testing? Here's the very first thing about pen testing: companies use it to define their security strategy. So many people I know will say "well, we're going to find out what we need to do: we're going to do a pen test." The ASD Essential Eight is online and it's free. Pen testers are, like, £1,250 a day, maybe a bit less in some areas, but London rates are pushing £1,250 a day now. You don't patch; you're going to pay for two people to come in for three days, and the main part of their report is "you don't patch". Yeah, I could have probably saved you the ten grand: I'd just have told you that, I'd have done that for five. Even a lot of your controls are paper-based and you can self-assess against them, because you should know, and if you don't know, that's probably a bigger problem than where you're at. If you don't know any of the level of security controls that are embedded in your organization, getting a pen test to tell you where you are now is a point in time, but you need to have the process in place to actually understand how those positions are changing over time.

What are you actually looking to learn from this test? This comes back to my previous point: if your whole business strategy, if your whole cybersecurity strategy is "we want to be protected from that internet background noise, those untargeted attacks; we don't see sophisticated targeted attacks on our radar", why are you paying fifty grand for a red team engagement for the next two weeks? Because I'm going to give you a hint: they're going to get in. And quite often you see companies that don't do privilege management and don't do patching, and they're getting red teaming, and again, they're going to get in, and they're going to get in because you don't do patching and privilege management. It's a fairly simple answer, but yeah, this is repeated; I still don't quite understand why. And this isn't a dig at pen testing. Like, I come from financial services, where pen testing is also known as, you know, "how expensive is it to really just take a box?", and it turns out the answer can be very expensive. But there are people who just want a pen test, and they don't even know what that means, and they don't care what it means.

And it's a critical part of: you've implemented some basic controls, you've implemented patching, privilege management, multi-factor authentication, you've even done a little bit of application whitelisting by blocking some macros and a few other bits and pieces, right? So go to a pen testing company and let them sell you a scope to do X, Y, Zed of, like, two weeks' internal testing? No: all we want you to do is come in and verify that these things that we think we've implemented are implemented correctly, right? There are some other systems that are coming onto the market that are more automated. If you're running some of this stuff manually, you might run an internal Nessus or Qualys system that can help you with some of this as well. And again, if you have a bigger estate and you do your own vulnerability scanning, like, again: okay, we've got four hundred and fifty external systems and we scan them every day with Nessus; let's pay pen testers for a week to go and scan them all with Nessus? Why not just get them to check that your Nessus config is right, and maybe pick three and do a spot test, and if the answers come back the same, you're probably okay. Again, it's like the amount of money you can burn compared to what you actually learn from that testing is incredibly low.

And also I would say this: testing should be independent. The amount of times I go to a company and they're like "right, our managed service provider for IT is X", or, when they also sell security monitoring, okay, and they're our pen tester, right? So that contract may be worth, like, low six figures to them. If a junior pen tester comes in and discovers a critical vulnerability that is the result of their IT services screwing up and their managed security never detecting it, do you really trust that that company is going to be honest enough to front that up, and not just say to that junior tester "no, you're going to wait 24 hours, we're going to fix it, you're going to test it again", and that report will be clean? Because, like, don't trust pen testers with your life; they need to be checks and balances, right? If you outsource your IT, an outsourced SOC can be a check on your actual outsourced IT users, right? Because they are your domain admins, your desktop [inaudible]; they are the privileged accounts that you need to worry about. So your SOC can test those; your pen testers can test that your IT standards, your IT hygiene, is high, but they can also test that your SOC can actually detect the things that they claim. Because, surprise surprise, if your pen tester and your SOC are the same company, yeah, their SOC can detect their pen test tools; that is not surprising. Like, if they can't, you've got some questions to answer. They claim that they have all this internal competition, but think about this, right: you're a SOC and you have a hundred customers, sixty of which use that company for pen testing. They get so much exposure to those pen testers, of course they're going to detect them, even if there is no internal, like, walk-across collusion; they just have so much exposure to them, it is not a valid test. So really, having independence in your testing of various sorts is critical, I think, here.

And I think we are done. So if anyone has any questions...

[Audience question not captured]

I would like to take ISO 27001 and burn it. I think it's good in theory, but the way I see it implemented annoys me. The amount of times I've gone into companies where there is a literal dumpster fire of an IT estate and they proudly show me their ISO 27001 certification, because, for example, the critical data is all held on this server, and the scope is like a skinny jeans of ISO 27001 that hugs that server and nothing else. It's like, okay, but that server is administered by all these desktops over here that all have domain admin privileges on them. "Yep, but they're out of scope." How are they out of... like, an attacker does not respect the boundaries that ISO 27001 artificially carved your environment into. And I understand in a large organization you can't test them all, like, it's just too big. But if it's too big to understand and test, is it too big to secure? That's where I kind of come down. My worry is that certifications are good, but they have to be applied essentially along, at the very least, the most likely sort of attack paths, all the way through. Yeah.

[Audience question, partly inaudible: how do you go about a company that... knowingly... redacts this?]

I mean, this is not something that I really do. I mean, like, I will typically avoid all of ISO 27000. Like, they can tell me they're ISO compliant and I'll read through their documentation; I then pretty much ignore it for the purposes of any work I'm doing with them, because if it matches up, great, and if it doesn't, that's kind of the point of it. There are some where I would question how you can be ISO 27001 compliant and, in 2019, not do server patching, claim to do monthly desktop patching but be six months behind, because the latest Microsoft RDP patch broke all your RDP to your servers, because they're not being patched and you're still running Server 2003 in a lot of places. I mean, again, let's come back to the root cause of that: it's an incredibly poor technology management process for the last 20 years, where they just don't care about IT; they see IT as something that sits alongside the business and not something that fundamentally is a support for everything they do. But yeah, that is a question, and again, I work with small organizations, so they sometimes come to me and say "should we do ISO here?" [inaudible], and I say don't bother. Cool, we are done, but I think people are probably wandering over, so if you have any further questions I'll be around the corner in the bar. So thank you very much.
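As an added example (not part of the talk, and not Nic Miller's code): the separate-accounts "firebreak" point above is one of the controls you can self-assess against rather than pay a pen tester to find. The script below enumerates the members of the privileged Active Directory groups and flags accounts that look like someone's day-to-day identity, i.e. a privileged account that also has a mailbox, or that does not follow a dedicated-admin naming convention, so a phished attachment would run with domain admin rights. Everything here is an assumption for illustration: the RSAT ActiveDirectory module being installed, the group names checked, the `-adm` suffix as the admin naming convention, and the output file name.

```powershell
# Added example, not from the talk: find privileged AD accounts that are also
# used as "primary" accounts (mailbox, daily-use name), so there is no firebreak
# between a phished attachment and domain admin rights.
# Assumptions (not from the talk): RSAT ActiveDirectory module installed, the
# caller can read AD, and dedicated admin accounts end in "-adm" (made-up convention).
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$AdminSuffix      = '-adm'   # assumed naming convention for dedicated admin accounts

# Collect (group, DN) pairs for every user reachable through nested membership.
$members = foreach ($group in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Group = $group; DN = $_.distinguishedName } }
    } catch {
        Write-Warning "Could not enumerate ${group}: $_"
    }
}

$report = $members | Sort-Object -Property DN -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_.DN -Properties mail, proxyAddresses, LastLogonDate, Enabled, MemberOf

    # Signals that this privileged account is also a day-to-day identity.
    $hasMailbox   = (-not [string]::IsNullOrEmpty($u.mail)) -or
                    (($u.proxyAddresses | Measure-Object).Count -gt 0)
    $notAdminName = $u.SamAccountName -notlike "*$AdminSuffix"
    $inProtected  = ($u.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' } | Measure-Object).Count -gt 0

    # An enabled privileged account with a mailbox or a non-admin name has no firebreak.
    $risk = if ($u.Enabled -and ($hasMailbox -or $notAdminName)) { 'NO FIREBREAK' } else { 'ok' }

    $groups = $members | Where-Object { $_.DN -eq $u.DistinguishedName } |
              Select-Object -ExpandProperty Group

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        HasMailbox     = $hasMailbox
        NonAdminNaming = $notAdminName
        ProtectedUsers = $inProtected
        LastLogon      = $u.LastLogonDate
        Groups         = ($groups -join ';')
        Risk           = $risk
    }
}

# Worst findings first; keep a CSV so the review can be repeated and diffed over time.
$report | Sort-Object -Property Risk -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\privileged-account-review.csv -NoTypeInformation
```

Run it as a normal (non-privileged) domain user from a workstation with RSAT; it only reads directory attributes. The `ProtectedUsers` column is there because the talk's point is the firebreak, and membership of Protected Users is the cheap way to stop a dedicated admin account from having its credentials cached on the workstation where the mail is read. Re-running the export monthly and diffing the CSV gives the "how is this changing over time" view the talk asks for, without buying a pen test to learn it.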