
BSides Toronto 2019 Jason Murray

BSides Toronto 2019 · 32:21 · 60 views · Published 2019-10 · Watch on YouTube ↗
Speaker: Jason Murray
Category: Technical
Style: Talk
Transcript [en]

So, I'm sorry, I couldn't help myself. I didn't pitch it that way, because I'm actually going to present the same talk, with a lot of extra filler, at MISA, which is the municipal IT security conference. When is it? It's not next week, because that's SecTor; it's the week after. So this really is Toronto's version of security summer camp, right? But it's not summer, so what do we want to call it? Back-to-school camp or something like that. It's all security, all the time. So if we're all here, or at SecTor, or at MISA, or wherever, hopefully nothing really happens out there, because we're not there to fix it.

Anyway, I need to get some water. Let's get this show on the road. Come on, technology's letting me down. I changed the batteries, I swear. No, it's the remote control, that's all I did. Then I turned it back on. There we go. So that's me. As you can hear, I'm suffering; I've been recovering from a sore throat all week. You can follow me on Twitter; that's my work address there. I tend not to get too snarky on Twitter; I tend to like to be a little irreverent, if you will. I actually work for MNP. How many people have heard of MNP?

What do you know about us, other than sponsoring? I get to talk for ten minutes tomorrow, so I'll clue you in tomorrow on what we are and what we aren't. I'll give you a clue: we used to be NCI. So what are we trying to do in security? It's an interactive talk, come on, the coffee's kicking in. What are we actually trying to do here in security? Some of you are new, some of you have been around a long time, some of you have more grey hair than I do. What are we doing here? No, that's the law thing down the road. Okay, we're trying to support the business, right? Of course. We don't exist within these business entities just to do security for security's sake; we're trying to support the business. That's kind of a "duh" moment, but what does that really mean? And don't anyone try to stand up and talk about the CIA triangle. Have you ever tried to have that discussion with someone from the business? "The CIA properties of your information, and we're protecting that," and they're like, "What are you talking about, man?"

So let me give you some examples of security objectives from a business point of view. I cribbed these from some of the material that I pulled, so I'm not just making this up; this is from some other documents. Here are some examples of business objectives that we support: invoices are accessible, and only to accountants and the collections team; paid invoices are kept for three years and then destroyed after no more than four years. Now, in your head, what I want you to... oh, sorry, no. You guys ever seen "Death by PowerPoint"? I actually abide by that, so if you catch a bullet point, let me know, because that's a mistake; there should be no bullet points. So as I'm saying these objectives, I want you to think: what's with the C and the I and the A? What is that really affecting here, right? Another example would be: the system registers the user name, date and time every time an invoice is created. These are all kind of billing-related, right? Let me skip to some other ones: the license for the system is up to date; fewer than five errors per hundred invoices; the system hosted internally in the data centre is under controlled environmental conditions that provide reasonable safeguards against flood, fire, etc. Right? This is the language that the rest of the business sometimes talks in. They need to keep the business running; they want invoices paid on time. I could draw examples from payroll, because people want to be paid, and they want to be paid on time, and if you don't get paid on time people get very upset. How many get upset when their expenses don't get paid on time? Yeah. But does anybody really think about the availability of the expense system, except when they don't get their expenses on time?

So that's what we're trying to do, in my opinion. From the business perspective, we're trying to help the business keep doing what it does: both creating value for our customer base so we can make those fat stacks of cash, but also making sure that the other stuff that businesses have to do just keeps on working the way it should be working. Because what's the yarn about security? When we do our job well, nobody notices us, and then they cut our funding because obviously there are no problems, right?

But how do we do this? Traditionally, we implement controls. Now, by controls, in this talk I mean asset-level technical controls. We do the firewalls, we do the antivirus, we do the data leakage prevention. Who's doing any data leakage prevention? I keep trying to recommend it and people go, "That was 1999, nobody buys that any more," pardon my French. But that's what I'm talking about when I say controls. So if you start thinking, "Well, Jason, controls are policies and procedures and all this other stuff," yes, you're right, and we're going to get into that a little bit, but I mean more specifically that we like our fancy boxes that have blinky lights. We like to put them in, we like to buy technology and we like to deploy it, and then we like to think that that's all we need to do. Now, I mentioned before that some people might think policies are controls. Who thinks policies are controls? Good, I love you all, because I don't think policies are controls. Now, I have some accounting friends who do audits at MNP who would disagree with me. The reason I don't think policies are controls is that a policy is just a statement of intention. "We intend to do something." Okay, that's great. Did you? Show me.

So that's how we do these things, all right: we implement these controls, and we pick a framework, or maybe a framework has been chosen for us, and then we go and we implement all the controls in that framework. So who's got a favourite framework here? Come on, call it out. What's your favourite framework? ISO? Which one? Okay, not 18, not 05, 2 in particular. Okay. Anyone else? Anyone who loves PCI? Oh, John loves it; he works for the Council, so of course he loves PCI, they pay his paycheque. Anyone like the Cybersecurity Framework? Anyone digging that? Yes, yes. HITRUST, which is really just the Cybersecurity Framework. Anyone like... what's the Canadian one? There's a Canadian one, ITSG-33, is that the one? You can tell I'm not very familiar with the Government of Canada and Ontario regulations, which are really just NIST 800-53 with some maple syrup poured on top.

So we implement all these controls and off we go, but... oh, there's a bullet, missed it. Breaches just keep happening, right? They just keep happening. What's the latest breach? I'm fatigued, I don't even pay attention any more. I listen to Risky Biz and I kind of go, "Oh, another breach, another breach, another breach." What is it this week? What's the one that just happened? Someone tell me. What? Okay, the ransomware, hospitals, I remember. What was the one you were saying? Jordache? I don't know that one. No, food? Really? Okay. I heard one about Zynga games. So there's a guy at MNP who likes to keep track of this and send it out to the rest of the senior managers in the firm, to go, "Look, we're here, we're cyber, we can help you, because look at all the bad stuff that's happening." But, you know, controls: how's that working out for us? So in the first six months of 2019 (which, I realize, we have another three months under our belt now, but I got this from this report here; the slides will be available at some point, so don't try to copy that if you don't want to), in the first six months that's how many disclosures. That's just the ones we know about, of course, because there are some that don't bother to report; they still try to sneak away and get under the radar. It's 4.1 billion records. That's 55% of the population of the Earth, so half the Earth has free credit reporting now, and all you have to do is wait a little bit more. If your credit reporting has expired, wait a little bit and you'll get some more free credit reporting.

So it's not getting better. Is it getting worse? I don't know. There was a paper a couple of years ago at WEIS, which is economics as applied to information security, and they published a paper. They did some research where they basically said it doesn't look like the situation is getting worse per se; it's just that we get better reporting, and we're more aware of it, and it's in the news. But my feeling, from when I talk to people who aren't here at BSides, is that it is getting worse. And what are we going to do about it? Well, the business... don't get me started on that, I only have 25 minutes.

Okay, so we've got a lot of controls, but let's pick some controls. Oh, that one came up too fast. So we've noticed some control frameworks out there, right? We've got PCI, we've got ISO, we've got... how many are familiar with the Critical Security Controls, from what used to be SANS and is now CIS? MNP really likes them, because they're pretty basic but they're also very implementable. They're very "do this, do this, do this and you should be good," well, baseline, anyway. So what if we combine them? Which you can do, because of this lovely company here, the Unified Compliance Common Controls Hub, which, if you're an (ISC)² member, apparently you get a free membership to log in to. It's a free basic membership, because there's some really advanced stuff that they do. But I bring these up because there is a way, other than Excel, that you can take these frameworks and combine them together and actually see what it would look like if I created a Frankenframework and said, "Well, I need to do ISO and I like NIST; put them all together." Okay, so we can do that, and now we can comply with not just all the controls but all the frameworks. But that's just kicking the can down the road, right? So there are my two lovely pictures of kicking the can down the road.

Let's stop kicking the can down the road, but I'll get to how we stop doing that in a minute. Let's run a little... this is the dashboard, this is one part of the screen from the Common Controls Hub. So this is PCI. There are a lot of numbers here; I'm not going to go into them. The one that's really important here is... is it that one there? Yes, that's the mandated controls. So look at this number here: mandated. Now, if someone wants to ask me a question, I'll explain more about what the other numbers are, but let's just stick to the point here. So there are 365 mandated PCI controls. That's one for every day of the year. It's a convenient number; did you do that on purpose, you guys? It just happened that way. But hey, 4.0 is coming, and it's going to get shorter, isn't it? Yeah, yeah. Everyone keeps asking me what's happening in 4.0, and I say probably not good things. Are you having challenges with 3.2? Yes? Well then, 4.0 is not going to be your friend. So that's PCI.

Well, let's take a look at the CIS. This is the Critical Security Controls. Oh, wow, that's not so bad: 223 mandated ones. But if you've ever looked at them, some of those controls are just batshit insane, like, do you turn your servers off when you don't use them? Well, I'm sure if you're the DoD maybe you do, but the rest of the businesses are like, "What are you talking about?" Right? Or do you keep your... what's the control? I'm paraphrasing now, but if you have templates for your virtual machines, do you keep them stored offline, with file integrity monitoring, disconnected and air-gapped? Seriously, that's what the control says, and that's one of those, right? So some of them are a bit out there; most of them are pretty good. But that's the CSC.

Well, here's ISO 27002. See, I anticipated it. I didn't know, I just figured enough of you knew this. ISO is like the granddaddy of the security frameworks, right? It's been around forever. Who remembers what it was born as? Yes? Wrong. No, 7799. That shows how long I've been at this; I look younger than I am. So it's got 163, but for anyone who's actually read it, it's so objective-based. It's like, "You should have a risk management program," and that's all they say. It's not quite that stark, but it's kind of like that, right? Like, "You should do third-party supply chain management," and then they don't really give you a lot of guidance. That's why you have to go back to ISO and buy the 18s and the 19s and the 35s or higher, and MNP will come and help you out. So the NIST CSF: a framework that really just reorganizes all the other frameworks so we can talk about it a little bit better. I like the NIST CSF, but I get customers who say, "I want to be audited and comply with the NIST CSF," and I'm like, "That's not actually how the NIST CSF works, Mr. Customer, but sure, we'll accommodate you." See, we can do 132 mandated requirements.

All right, now if we mush these together, let me come up with our Frankenframework. There's some overlap. How many total requirements do you think you're going to get? Anybody? You want to take a betting pool? 380? 450? I honestly can't remember; it's been a hell of a week for me. That's okay. So I combined just these two first. If you combine PCI and CSC there are 537 total controls, because there's only... where is it? Where's the overlap? I didn't see it. There's only about 40% overlap between those two control frameworks. So if you were completely PCI compliant and you said, "Well, how do I do against the CSC?" you're only going to hit about 40% of the CSCs, and the reverse is the same: if you were completely CSC compliant, including the crazy ones, how well do I do on PCI? About forty percent. Okay, so I combined CSF and ISO together as well to see what that was like, and that was about two hundred and seventy-one. Well, the reason I did it that way is that these are very technical frameworks and these are more governance, high-level frameworks, right? But let's mush them both together and see: 480... there was a 300-something... 760. Good luck with that. Are you ever going to get there? How many are close to retirement age? They hope. Some of those guys in school, you might get there, but of course we'll have new frameworks to go for, right? Because who announced... the Department of Defense in the States recently announced their capability maturity... CMMC is the acronym, and basically they're going to attach some stuff to NIST 800-171. So there's another framework you've got to learn.

Anyway, I'm trying to illustrate a point here: that we implement controls and we implement frameworks, and this is just kicking the can down the road, because it's not helping. It's yet another control, yet another control, yet another control. Now, it seemed like a good idea back in the early days, right? How many have read The Cuckoo's Egg? Okay, good. Apparently Cliff Stoll was at BSides St. John's or something like that; one of my co-workers actually got his book autographed and shook his hand. I'm a bit jealous. Then who's got a copy of the firewalls book, Bellovin and somebody else? You? Yes, I looked, I'm like, I have a copy of this somewhere. First edition or second edition, or both? First? Yeah, well, the first is about this thick and the second doubled it, right? So it seemed like a good idea. I'm going back in time, because it seemed like a good idea at the time: bad guys get in this way, well, let's implement a control to keep them out. Bad guys get in this way? Let's implement another control to keep them out, right? So we start with firewalls and we start with antivirus, because back in the day those were the two main ways to do it. Well, that worked. How do we know it worked? Because the bad guys found another way to get in, and then we implement a control for that. Now they're stealing data; let's implement data leakage prevention. And on we go, and we just keep kicking this can down the road, but they just keep doing it, right?

Now, that's why I'm highlighting here that the controls that these frameworks deploy suggest a certain risk profile. They suggest a certain threat actor is going to do a certain thing, so let's deploy controls and that should help us manage our risk. Except, if we're doing it implicitly, we're not taking the bull by the horns and doing it in an explicit way. Now, I am not going to veer off into a risk management talk. I have one of those, maybe next year. For those who want a little sneak peek at what I think about risk management, go look up Open FAIR and everything around that, or if someone doesn't show up later I can just do that talk if you want; I've got it on my laptop.

So this is my contention here: that the control focus that our industry has taken for 15 or more years has proven ineffective, right? Not that we have to throw away controls; controls are necessary, but they're not sufficient. We need the controls, they help us do the job that we're doing, but we can't just take that control-focused approach. Let's take a different approach. So, I don't know who said that, so I don't attribute it to anyone; some people say it was Keynes, the economist, you know, famous dead guy. Here's another quote for you. There's another man I would like to meet. He said that nineteen years ago, and we still haven't really absorbed what he was trying to say. I encourage you to actually go back and read that article and some of the other stuff from back then; that was back when he was publishing Crypto-Gram, or whatever it was, and he had a lot of good material back then. Since then he's written a number of books. I've stopped reading his books, because he's starting to repeat himself, because there are only so many times you can say the same thing in different ways, right? He's basically saying this over and over and over and over again, and not enough of us, and not enough of the business, are paying attention.

So let's take a different approach, and the approach that I would suggest to us, and that I've started to try to get my customers to take, is a process maturity approach. Now, who's bumped into business process optimization, lean IT, or on the manufacturing side, lean approaches? That's where this kind of emerges from. Now, if you go back to 27... oh, okay, yeah, I'd better hurry up. If you go back to 27001 and 27002, the expectation, if you read between the lines, was that you were going to build process maturity around those controls. You weren't just going to do them; you were going to do something else, right? So here are some poor attempts to do that. Well, let's take NIST CSF, or ISO 27001, and we'll bolt on the Capability Maturity Model. Who knows the Capability Maturity Model? It's the five levels, or six if you want to include not doing anything, from not doing anything all the way up to optimized. It's like Maslow's hierarchy of needs for software process. So that's what we do, and if you read the NIST, they have implementation tiers, right, and everyone's, "Oh, wow, that's maturity," except right in the NIST CSF document it says this is not maturity, don't use it that way. But everyone that I've seen who tries to implement it uses it that way, so let's not do that. And I've seen it applied to ISO 27002, right: deployed, partially deployed, mostly deployed, fully deployed. Okay, but it's talking about "I took a control and I deployed it," not "I took a control and put a process around it." So there are a few suggestions out there for how to do this.

Now I want to ask the audience, and you only have 30 seconds to give me this type of stuff: what kind of processes do you guys see in information security on a recurring basis? It could be annual, could be monthly, could be daily, could be weekly. Yes? Okay, yeah, hey, backups. I saw... how come patching wasn't the first one you guys said? Vulnerability scanning, patching, those kinds of things, yeah, exactly. Now, we need to do these quicker, so that we can get into an OODA loop, or if you prefer, a plan-do-check-act loop. That's the way we're going to learn. So when we get into a process and we're able to implement it, recur, and implement it again, with the feedback on that process we're able to learn. Hopefully we can learn faster than the bad guys, but we must learn how we're doing it. Now, I'm going to skip over this slide, because this is the one I want to talk about, right? Because you're like, "Jason, what the heck are you talking about, process maturity and all that stuff?" You can read as well as I can, so I'll shut up for ten seconds and you guys read that. Okay, you got it? Good, good. It makes sense. It's kind of jargony, but kind of not; I tried to cut that out, right?

So here are the five levels that we're used to seeing. Some people call the different levels different things, but basically it's five levels, and just so you know, there's an ISO standard for this. It's 15504, something like that; I had to look it up, I had no idea. I wasn't surprised. If you can think of it, there's an ISO standard for it; there's probably an ISO standard for how to put avocado on toast by now. So what's available out there? Broadly, there are really only two that are really good. There's one that just came out, the CMMC from the Department of Defense, but to me that sounds like NIST 800-171 with CMMI bolted on. Time will tell; they only really just released a bunch of press releases, so none of the details are out there. But the two that I like that I've seen... see, there's that one, right? So this is why I'm not encouraged by some of the stuff they say, because they go, "Look, we're just going to combine these and we're going to put some maturity levels on there." They want to do it for their supply chain management. So time will tell on that one, whether it's true maturity and capability or whether it's just "you've got to do it, because if you want to sell to the Department of Defense that's what you have to do."

So this is one that I found: the O-ISM3, the Open Information Security Management Maturity Model. Now, that's a mouthful. "Open" meaning the Open Group oversees this, right? The Open Group, the guys who hold the copyrights for Unix, those guys, TOGAF, that kind of stuff. It's a process-based approach. They break down information security, as a system within the organization, into 45 total processes, 16 of which are considered essential. And what I think is important, because I love risk management stuff, what I think was interesting is that it explicitly says in the standard it doesn't lead with risk management. Risk management is a big part of it; there are a handful of those processes that speak directly to risk management, but it's not the be-all and end-all. Now, the motivating thought behind the O-ISM3 is that every security control that you might think of, technical asset controls, needs some kind of process around it to manage and improve it and maintain it, and that's where they get to. Now, here's kind of a breakdown. They break it into four levels: G for general, that's the top level, kind of governance type stuff; strategic, where you're trying to align the needs of the business and the strategy of the business to the security strategy. How many have heard this: if your security strategy doesn't line up with your business, you're kind of doing it wrong? Then we go into the tactical security things, which would be kind of at the level of the leadership of the information security operations, and then the operational practices, right? Now, this is just the essentials. There's a whole bunch of other ones; this is some of the other ones and where they might map, right? So you can do some of these and you'll get a high benefit, but it costs a lot of money. And what do you call it if it's not essential? If you label it "not essential" then people aren't going to do it, right? So I put this in a report and I had to come up with a creative name that meant "not essential" but didn't actually stop them from trying to do it. Okay, so that's one.

The other one that I really like out there is the Cybersecurity Capability Maturity Model, another mouthful, C2M2. It comes from the Department of Energy, and they're kind of pushing on this one. So, oh man, no more bullets, sorry about that, guys. The focus is on IT and OT. OT is just computers, not doing other stuff, right? We all know what OT is, and people are like, "Oh, OT, it's so different." It's a general-purpose computer that happens to be plugged into your waste processing plant instead of your projector. Ten domains, and there are the domains that they break them down into, right? So the way they did it was they structured it more like a traditional security framework, where they took processes and the maturity levels of those processes and mapped them into ten kind of bigger-level buckets. So that's how it breaks out: MIL 1, MIL 2. MIL is maturity index level; don't get too worried about it being military-focused, it's just an unfortunate side effect. So here's kind of some of the stuff you would do for the different MIL levels, right? MIL 0, nothing. MIL 1, you have ad hoc processes; quality might be variable, but at least you have processes that you're doing, right? Then you start to document them, and adequate resources: the business needs to provide adequate resources to these. The adequate resources aren't necessarily trained yet; we just have enough people down here. And MIL 3 is not only providing them with the skills and the knowledge, right, but anyway, you can break it down, and now you can start to progress from "we don't have anything" to "do we have this?" and on we go. Now, a wall of text, sorry. Get the presentation, take a look at this, go get the documentation if you want. Look at this: every single one of those domains has this for every sub-process that they're going to suggest.

All right, so I sped up there near the end. So what the heck just happened? "I came to BSides and I wanted some fancy hacking stuff, and this guy's talking about process, what the heck?" So two things happened, at least I hope two things happened. I hope I convinced you that controls are beside the point; they're necessary, but they're not sufficient for what we need to do. And to try to start thinking about the process: be consistent and persistent in that process, and keep moving towards higher maturity levels. Yeah, take your controls, implement them into the process, and hopefully we'll get there. I'm hoping this is the first step down a road of a shift in the way people talk. I'm here all day if anyone wants to bounce ideas off me, but this is what I am starting to sell to my customers at MNP, and that's that. I finished with one minute to spare. Any questions? Do we have time for questions? Nope? No, it's up to... I'm not the organizer. Well, let's have any questions. There might not be any. No? That was either a really good talk or it was really boring.

Audience question: So all the cloud audit reporting frameworks are heavily controls-based, like extremely controls-based, like FedRAMP: do you have passwords, how long are they, all the old-school stuff. And some of the process stuff that you had up tends to be somewhat utterly opaque to the customer. Do you see process maturity coming into the cloud audit reporting space, and what would that look like if it did go that way?

Jason Murray: That's an excellent question. I don't know. I would like to see it, because you're absolutely right: when you go to Azure, you go to Amazon, what do you get to download? You get to download their attestation of compliance, or their SOC 2 report. But so what? What if you fall down? Are you getting better? Are you getting more capable? Because has anyone been through a SOC 2 assessment? Yeah. Do the bad guys care about your SOC 2 assessment? Really, it comes down to: you implemented what you said you were going to implement, and it's functioning the way you said it was going to function. So what, right? Sorry, are there any CPAs in the audience that I'm offending? Is that one of the -isms that I get kicked out for? Okay, okay, I'm safe. I know that the CPAs and the SOC 2s and this assurance part are trying hard to help, but I would say that we, through technology, came up and implemented controls, and they implemented a different set of controls organized a different way, and it's still not working, right? I'd like to see it change, but the way I see it changing is that it's not going to change unless we start asking the cloud providers, "Well, that's great, but what about... can you show me an assessment against C2M2?" And the Department of Energy, who's behind that, can actually push that and say, "You want to sell us stuff? You want us to use yours? Can you demonstrate that to us?" Right? And while I think the DoD one, the CMMC, might be a little bit of a lame duck, time will tell, at least it's moving in the right direction, which is: don't tell me you have a control or don't have a control; tell me how well it's implemented. Right? So that's the best answer I've got for you. Well, thank you for your time. Have a good rest of the conference. Thank you. [Applause]