The transcript of the video follows
Lee Neubecker: Hello, I’m here today with Gary Rimar he’s here to talk a little bit about one of the NIST frameworks that can be very helpful in helping you to keep your organization safe. Gary, Gary’s a CISSP, it’s great to have you on the show. Can you tell me a little bit about the framework your going to talk to us about today?
Gary Rimar: Well the framework I’m going to talk to you about today is NIST 800-53 and it is a security controlled catalog. So if there is a security control for whatever you’re going to need in an organization it’s going to be in there. In something, it’s where your government actually did earn there keep because this is your tax dollars hard at work and it’s available publicly. Most people, and this is one of the things that always bothers me Lee, is that most people go for these real exotic threats and they’re real, they’re real, but there’s so many people out there that don’t even do the basics and the reason they don’t do the basics is because the company doesn’t want to invest in security, they tell them that their IT guy, “Oh, you can do security, it’s okay, “you don’t have to worry about it, “you’ll get it good, I’ll except the risk “of you doing security.” when the IT guy barely knows how to do computers. And so what ends up happening is they don’t know anything about security which is very deep and important and technical. And so when it comes to things like how do you do access control? What can you do to do access control? Today at work one of the people, and I work with a security guy, we have something where for what ever reason they can’t do two-factor authentication. Two-factor authentication is definitely a better way to go, but they can’t. So they said, “What mitigating factors “are there that you can use to help us “be able to do a one-factor authentication “and be less in danger?” And so I looked through the catalog IA5 and there’s a bunch of different things you can do just to make it simple and safer. You know they’ve done all the imagination for us.
Lee Neubecker: What would you say are the more important, if you had to pick the top three parts of this? What would you advise companies to focus on first if they’re starting down the road of trying to implement this framework?
Gary Rimar: Well first is planning, because, and that’s the PL family, if you don’t do planning nothing works right because you have to have a basis for security. If the CEO and senior management aren’t on board then when security says, “You need to do X” and operations says, “We don’t feel like doing that. If the CEO doesn’t say, “No, I need “to be secure, you need to do X.” then your hosed. So that would be the planning family. Second would probably be access control, which is actually 20% of all of it. You know, you’ve got several hundred controls and access controls 20% of them.
Lee Neubecker: Do you feel sometimes that companies don’t really care about security and just want to ignore it and pretend it’s going to take care of itself.
Gary Rimar: Well I don’t know that that’s necess… that could be. I think it could be willful ignorance, what I don’t know won’t hurt me, but it’s not true. For example, the Sony hack. The Sony hack they said “You know, I’m not “going to spend $10 million fixing a $1 million problem.” and that in its self makes sense. Cause you don’t want step on a dollar to pick up a dime. However, it was a lot more than a million dollar threat that they were compromised on and had they done it correctly and had they taken security seriously things would have been a lot better for them.
Lee Neubecker: So Gary are there any portions that deal with some of the current vulnerabilities involving hardware and firmware that this could apply to?
Gary Rimar: You know, yeah. Cause hardware and firmware are definitely part of the information system. It would be in the SI family for sure. If I had to guess off the top of my head without looking I think it would probably be SI7, because that, if it’s the control I think it is it deals with hardware it deals with software it deals with firmware because if your firmware’s corrupted your done, your owned. If your hardware’s corrupted your done, your owned. In fact supply-chain management is even a factor in NIST 800-53. I don’t have it remembered exactly which control that one is. But it’s important, you have to have all of your system protected from the beginning to the end and monitored and audited in the middle.
Lee Neubecker: Yeah, but there was a notice last month from the NSA about Cisco routers being compromised in that there aren’t fixes yet out. So if that still accurate it’s a concern and one of the ways using this framework IT professionals might try to assess this would be to open up the routers, get inside and dump the firmware off the microchips and compare that against the manufactured supplied hash values, but the challenge I’m seeing with that is a lot of companies aren’t putting the hash values for their firmware. They might do it for their software, but if you have a home consumer router I’d be challenged to see how many home consumer routers have the manufacturers listing the firmware version with hash and really letting you get there to apply the software, because the ISPs are controlling that for the most part.
Gary Rimar: Yeah, but you also have to recognize that your definitely going down a very valid, but also very deep rabbit hole, just as an example, one time I was talking with this guy it was like 1999, I lived in the Detroit metropolitan area and I was at a coffee house and this guy, who looked like Boss Hog, but tall said, “Everybody’s stupid, they’re “buying windows, they should build “their own operating system, they can use Linux.” And I looked at him and I said, “Your an idiot.” He said, “Well, why would you think that?” I said, “We have people who can hardly “find the on/off switch. Your going to tell them they’re supposed to compile their own OS.” and so when your talking about no, I don’t know. The thing is when your talking about the level of inspection you probably need to have somebody do some appropriate, professional vetting. That’s over the skill level of a significant number of professionals that your going to meet in the market. Your right. Your totally right. But you probably need to get some people who eat and drink and breath this stuff and real experts to do this. I personally don’t choose to stick a thumb drive in a computer anymore. There’s no need to do it. Inside a USB chip, I’m thinking you know this, but not everybody knows this, is that there’s this own little operating system inside the USB. So if you have an 8 gig USB, you know a small one these days, that used to be huge, it’s small now, that there’s actually more chip behind it that’s its own operating system and if that operating system is compromised its firmware and if that firmware’s compromised then whatever you plug that in is potentially owned.
Lee Neubecker: There’s no cryptic graphic process that checks and validates that software’s authentic on many devices. So it’s easy for nation-state malware to get into the chips and you know when WannaCry wreaked havoc on many hospitals. I saw there was one out east that they said that they replaced all the hard drives and all their systems and it’s like well that’s great.
Gary Rimar: Did they replace them with ones that went through appropriate supply-chain risk management?
Lee Neubecker: But even if they did replace all the hard drives if malware injected into the chips of the mouse, the CD-ROM, the printer then that was a waste of time because those computers are going to quickly become compromised.
Gary Rimar: You’re right about that, but again, this goes back to supply-chain risk management. If you don’t know where you’re getting your stuff you don’t know what you’re getting and what I did read is that China has actually started making their own chips for themselves. They don’t market them out of their country. Now one can determine is that their motivation that they don’t want to be infiltrated by another country or do they want to infiltrate their country because of their politics. I don’t know. I can’t know. However, it might be a good thing for countries, at least as big as us, with such a big target on our backs, to start creating our own chips and our own designs in our own country. Where we can control the entire process from picking up the sand off the beach to handing you a laptop.
Lee Neubecker: Yeah.
Gary Rimar: And your right, it’s not just the laptops or the hard drives it’s all the peripherals,
Lee Neubecker: Yeah, you know that’s the struggle because we want cheap, affordable products, but your…
Gary Rimar: Mm-hmm, well you can…
Lee Neubecker: Quality, cheap, fast.
Gary Rimar: You have good, fast, cheap pick which two. Yeah, I understand.
Lee Neubecker: Actually it was interesting to see that they brought Broadcom is coming back into the US and we’re seeing some of these moves of the President trying to get key industries back in to protect from some of these compromises and you know Apple some chips are going to be made outside of China now and other things happening there, but it’s a real concern and it’s one that the frame work identified here can hopefully help companies just have an outline to go through to evaluate where are we? What have we worked on? What do we need to do more work on?
Gary Rimar: Yeah, you know. And back to our original topic of NIST 800-53 it’s in there, that’s it’s in there supply-chain risk management, you know. If you know, when I was first starting in IT in like 2000 I knew enough about security to know I didn’t know enough about security. That I hired it out. And had I been availed of this book I would have probably been able to do a much better job and I would have probably gotten into this career sooner cause this stuff is cool.
Lee Neubecker: Okay.
Gary Rimar: But I didn’t know it then. Know I know it.
Lee Neubecker: That’s interesting stuff.
Gary Rimar: Yeah.
Lee Neubecker: So do you have any other advise you’d like to give to our viewers as it relates to helping to keep themselves secure?
Gary Rimar: Well, I used to joke about always practicing safe hacks, but really, the one thing that I think that people aren’t doing, and this is totally off topic, is even though all the concerns we talked about there are still people who are getting owned because they’re surfing in places that are unsafe. And there are a couple companies out there I don’t know if you want me to say their names on your podcast, but at least one in mind where you can actually go ahead and surf through a virtual browser. Like browsers a service, so you log into their site and then they fire up an ubuntu instance and then put a Firefox browser behind it and the only thing that touches your computer is pixels.
Lee Neubecker: So your not having any risk of Java Script
Gary Rimar: Not having any risk of anything.
Lee Neubecker: Well I think that kind of sandboxing makes a lot of sense and I could almost see a point where the end user desktop is basically just a sandbox that you wipe clean and start fresh every time booting.
Gary Rimar: Yeah, I have a former computer client who does legitimate research, he’s a psychologist, and he does legitimate research into pornography.
Lee Neubecker: Mm-hm.
Gary Rimar: I mean believe it or not, there is such a thing and his computer at home is, is his one computer, he’s computer stupid and so he had his HIPPA data on there and he’s surfing these kinds of websites and it scared the heck out of me. So I set him up a Linux virtual machine on his computer so he could surf there and I could rebuild that and I set it up so nothing could ever touch anything and the only thing he could swap is pixels and when I found out about one of these services I called him. You know he hasn’t been my client for years now cause I moved, but I called them up and says, “Hey Marty, you should use this.”
Lee Neubecker: Yeah.
Gary Rimar: And so now he can continue to do his research and not put his client records at risk.
Lee Neubecker: Well thanks for being on the show today. It’s been a great interview, I appreciate you being on Gary.
Gary Rimar: Thank you very much. I’m happy to have been here.