How Does SAT Align with Compliance Frameworks | EP 43
Transcript
Connor Swarm
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swam, CEO of Phin Security. And welcome to Gone Phishing.
Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, CEO at Phin Security, and today, I'm joined by a friend of mine, the off-brand Jason Slagel who moonlights as the security director of Simplex it, Adam Evans. How are you?
Adam Evans
I'm good. I'm good. Connor, how are you?
Connor Swarm
Never a bad day in my life. And if there is one, it must have been a really bad day. So I guess we'll figure that out together.
Adam Evans
Yep, absolutely.
Connor Swarm
So I've known you for a little bit now, almost a year, I guess. And you have an incredible amount of awesome thoughts around security, much smarter than I am at those very specific things. So today we're going to talk about how SAT security awareness training aligns with compliance frameworks.
Is there any specific area you'd like to start when discussing this incredibly broad topic?
Adam Evans
Let's start at the top. So we know out there in the industry, in the MSP industry, that governance risk and compliance is something that's out there.
Our clients have their obligations, whether it be from their contracts with their clients they do business with, whether it's handed down from the government along the DoD contractor lines and whatnot. And there's also those more voluntary frameworks like the CIS controls, that we can always elect to adopt internally at our MSPs or help our clients in their journeys. But there's a common thread throughout all of them because I know all the compliance acronyms can really get lost in the shuffle.
And there's a half dozen of them, and we put them all together. It looks like someone spilled Alphabet soup all over the laptop. But the common trend is all these frameworks are requiring some degree of security awareness training. Whether it's HIPAA, PCI, CMMC, they all require it. So that's where it starts to fit in at that point.
Connor Swarm
Why do you think these frameworks require it? What's the thought process behind that?
Adam Evans
At the end of the day, your people are your main first line of defense. When we look at the threat landscape out there, end users get phishing emails all the time. They're patrolling and walking around their company facilities. They're interacting with their client base. They're the ones that see these threats start to occur, and they need to be empowered and educated to detect those threats, to ignore those threats. So they're not the ones falling for the phishing links and whatnot, but also when they see stuff that's out of the ordinary, to raise the flags internally with their appropriate staff to say something weird is going on. I don't know if it's a security incident or not, but someone needs to take a look at this.
Connor Swarm
Yeah, I've always viewed security awareness training as a piece of, it's not just teaching them the skills to recognize that something weird is happening or to, if a phishing, pedantic example, if a phishing email is in front of them for them to handle it properly, it's also to create this culture of almost like the TSA saying see something, say something, kind of deal. Weird things can happen in your business all the time and your people are the ones that are going to need to catch it.
Adam Evans
Yeah, absolutely. And if you look at the industry as a whole, and really any industry. there are so many different kinds of threats out there and depending on the company, it could be something if you're dealing with high security facility, knowing that you shouldn't be holding the door open for the person following you.
I love listening to darknet diaries and John Strand and all those physical social engineering exercises. And innately, people want to do good things and be good people to our friends or family, we want to be helpful. The attackers know this, so they want to exploit that however they can.
So hitting those points and training those people to recognize the stuff, even if it's just following the company policies, means a lot. And that helps build that defensibility for those companies. Keep them more secure, keep their secrets and just prevent bad things from happening.
Connor Swarm
Yeah, you mentioned something that I think a lot of people typically, I don't want to say glaze over, but move past without recognizing. It's that the organizations and the people who are taking advantage of your employees through social engineering or some other form of social engineering like thing, like walking in behind you at all, tailgating or there's words for all these.
I hate using the term smishing, so. If I ever say that you can hit me or something, but fishing, at some point it's like, or fishing, but. I hate, I hate that we're coming up with terms. It's like, next thing they'll make one up for sending spoke signals or carrier pigeons and interpreting that incorrectly or trying to fish you with definitely fishing. Birdfishing.
Yeah, birdfishing. And one thing is that social engineers and the malicious actors that are doing this, they recognize that people, like you said, when you're tailgating, you're just holding the door open for somebody who's carrying a large box, or you're letting somebody into the office and having them wait next to somebody else's office, as opposed to staying with them because it's more convenient just to let them pass than let them wait there. But social engineers and people who are willing to take advantage of you recognize all of that kindness is going to occur and they try to exploit it.
Adam Evans
Yeah, absolutely. So then that presents the challenge for us security professionals. What do we do about this? And under the lens of those compliance frameworks, how do we do this?
Connor Swarm
Yeah. I always make the comparison. Compliance is an approximation for security in the same way that the law is an approximation for morality. It's a great place to start, but it doesn't mean it's where you should end. What are your thoughts on that you hear in the security profession all the time?
Adam Evans
Compliance does not equal security, but security, good security, doesn't always equal compliance.
So when thinking about that, as a security practitioner, I know there's plenty of people in the industry that love to say that compliance is the referee, but it's not only the referee saying how the game is played, but it's also that baseline.
When we're dealing with HIPAA, for instance, we know that the security requirements around HIPAA are a little outdated and there's some room for improvement. Does that mean that we need to stop at just implementing those safeguards as required by HIPAA? No, we can certainly go above and beyond that. We have to hit that minimum level.
We see the same thing with the CIS controls or Nift CSF. I love frameworks with maturity levels to them because it always gives us that nice place to start and our areas to improve and keep growing that over and over.
And as we do that, if we even hit those most mature levels, we can still do more. But at that point, it's understanding the risks of the organization and what the organization's goals are so that we as security practitioners can help those organizations achieve their goals safely.
Connor Swarm
Yeah, I think that's something that Jason Slagel had told me is your job is to build the solution that's the best for the organization, and that sometimes it's not fitting completely into a compliance framework. Sometimes it's going way above and beyond what's stipulated, because again, it comes down to what is this individual client, what are these companies exposed to and how can we prevent that from in most cases? Because it's a when, not if mentality on breaches these days, but just fitting it to your clients needs and making them as best protected as possible.
Adam Evans
Yeah. And when we look at the compliance frameworks out there and how this really fits in, just about every framework says provide phishing awareness training. That's fine and dandy and that's a great starting point because if you look at the FBI's IC three report, business email compromise has been the largest growth sector for threat actors over the last calendar year.
Yeah, I can tell you looking at our own data, I see more instances of attempted business email compromise and whatnot than I do attempted ransomware.
Connor Swarm
It's probably easier to find an employee that's willing to trust you than it is to exploit a zero today.
Adam Evans
Yeah, there's that. And also to the credit of the vendors in the industry. There's great solutions out there from EDR, MdR, et cetera that's looking for those concrete indicators of compromise for ransomware that are really good at doing their job. But the human aspect of stuff is where it gets weird because are you dealing with that?
Click the link and enter your credentials? Or is your employee getting the text message saying, hey, I'm the owner of the company and I really need some gift cards right now, can you help me out?
Connor Swarm
Yeah, it's actually funny, I always thought that that was a scam, that nobody would fall for the gift card scam. And then I started talking to the owners of some of the MSPs that we work with and their clients deal with that all the time. And then our employees, when they would start at Phin, people would start to text them, impersonating me and saying, hey. I'm in with a client, I need you to go get a skip cards. And we found this out because it happened.
We were on an all hands call. Like, we meet once a week as a team and we report to each other and somebody unmutes and goes, Connor. Why are you texting me? I’m right here.
I’m like, what the heck are you talking about? So it happens to everybody.
Adam Evans
I love the one that I got. And for anyone that knows Simplex It and MSP out of Stowe and whatnot, our CEO is Bob Coppage, who's an absolute great guy, love working for him and everything, but he's also a bit of a character himself.
So I get the message from him saying, “Are you available at the moment? I'm in a meeting and not good with text that works. Let me know if your availability at the moment need you to handle a task” Thanks, Bob Coppich.
That's more words than Bob will ever use asking me for something. I'm more likely to get that text message saying “Hey, do you got a sec?” Versus again, more words, more syllables in the words than I'll get from Bob. And also he's just going to use team. So right away I looked at that had a chuckle and moved on about my day.
Connor Swarm
Why many word when few work?
Adam Evans
Yes.
Connor Swarm
If you've ever watched The Office.
Adam Evans
Yes, all the time we're saving we will see world.
Connor Swarm
Exactly. So one thing that I got a question for you on is you mentioned a ton of compliance frameworks. Let me see if I can remember some of them. The CIS controls, that's the center for Internet Security, CMMC, the Cybersecurity Maturity model Certification, HIPAA, PCI, GDPR, NIST, CSF, the National Institute for Standards and Technology. Are there better or worse compliance frameworks?
How should someone go about thinking what they should actually attempt to deploy or comply with in their own business or their clients?
Adam Evans
So when I look at that, it all comes down to my scoping and how applicable it is. First off, I look to see if I'm a governed entity in any way, shape or form. So if a medical is HIPAA applying, am I taking payment cards, figuring out which one is actually appropriate? Because that's going to influence a lot of different things. So if I've got those requirements from my industry being regulated, I can't ignore that. It's the law, I have to follow that.
So when I'm working in the defense industrial base and they say that I have to agree to these DFARs clauses and numbers and letters and stuff, and that says that CMMC is applicable, I can't just ignore that requirement. Same with PCI and HIPaa and all that. But moving past that, there are contractual obligations that will flow down as well. So if an MSP is working with a defense industrial contractor, that contractor may say we're required to be CMMC level two. So therefore you as the MSP are also required to be CMMC level two as it applies to our data that you work with. So that can influence things. And if we're lucky enough to be in that random spot where no one's telling us what to do and we get to figure it out ourselves.
That's where the fun begins, right? Because that opens up that big can of worms of what does apply, when does it apply? And which approach makes the most sense? And that's where you get that big debate between Cis and Nist CSF and is one better than the other?
It depends on the business. To me, NIST is a risk based approach which is great for managing organizational risk with clear action items. This is what you do to reduce that risk. But it's a little bit more abstract, it's a little bit more vague. It'll reference those other frameworks.
It's in NIST language. So you've got those hurdles to challenge or to cross, but then you have the CIS controls, which are those focused, prescriptive controls that are designed to have a concrete impact on the company's security. So looking at a business and how it works, if you're great at having risk conversations with your clients and working through those processes, maybe the NIST CSF is going to be a better fit for you. But if you're like me and you're a nerd and you want to, having those business conversations isn't always your strong suit.
Perhaps the CIS controls are those better approaches, because you can look right at those controls and say, look, it's not me saying it's a third party telling you this and we do this as technicians. We're great technical people. We can implement these things. We can automate your asset inventories, we can implement your EDR, and we can handle that as technicians a little bit better. It's a little easier for us to point those controls and say, the people said to do this, so we're going to do this.
Connor Swarm
That makes sense. So CIS is a set of controls that are aimed to, if you actually follow what, it doesn't prescribe anything, it's just like a set of rules that you could decide to follow and create additional security. CIs Control 14 is the one that centers around security awareness training.
And I want to ask you, I would wonder, what do you think it would look like for a security awareness training program to go above and beyond compliance? Let's say just in the scope of CIS Control 14 here, what would it look like to go above and beyond? What's the end goal of an awareness training program? And what, in some nebulous point in the future, in some world that doesn't exist, would it look like to have a perfect awareness training program?
Adam Evans
So to me, a perfect security awareness training program is focused on the company, its operations and what it does, and making sure that all key players in that organization are empowered and educated to make sure they're doing their job safely. I feel like that's a very good bureaucratic answer.
So what does that actually look like?
Connor Swarm
You've been talking with Bob a lot to figure out how to talk with clients, haven't you?
Adam Evans
A little bit. Plus, focusing on GRC, we love to give our big vague answers of, well, it depends, and maybe you should. At the end of the day, people want those tangible action items and what they can do now. So looking at those common threats out there, phishing is a big one. Smishing, fishing, bishop, whatever variant of fishing you want to go with. Those attack surfaces, those aren't going away anytime soon. The threat actors will keep doing their scams, modernizing that a little bit.
We've got the whole conversation around artificial intelligence and deep fakes and whatnot. At the end of the day, it's still a phishing exercise. They're just better at doing it. But the kicker on top of that too is a lot of these companies are building out their organization policies above and beyond just a policy saying don't click the link.
So what's out there saying, here's our company policy and are the employees educated and aware of those policies to make sure they're following them? Those policies are designed to reduce risk. But then take that a step further. Look at the people who are important and relevant and what their roles are and focus on that role based training you're dealing with.
In this instance, we're dealing with me, a security professional who's been doing this a while. I can spot those phishing emails pretty quick. But am I working through making sure when I configure a 365 tenant for a client, am I doing this securely with all those security considerations in mind? Or am I just rolling the default saying, yeah, it's default, it's secure, right?
When we know that's not reality and how we do things. So it gives us a lot of those flexibilities to make sure that the people in their roles are trained to carry out their duties within those roles appropriately.
Connor Swarm
And I think that's where we as an industry have a lot of opportunity. That kind of reminds me of like, so if you're taking a person who's in a nontechnical role, they need security awareness training in the sense of something.
You mentioned, where it's like, hey, this is what an insider threat's going to look like.
And you should tell your manager, this is what tailgating is and you shouldn't let people into your building.
But for somebody like you, Adam Evans, who is a security practitioner and an expert in the field, you still need some form of security awareness, but it's probably not how to make sure you're clicking on a link that's not going to be a phishing email. It's things like configuring an azure tenant to be completely secure for a very specific use case or making sure that you can communicate to your clients what effective security should look and feel like.
It's like education, but at your level. It's a different level of awareness.
Adam Evans
Yeah. To be clear on that too. I'm not saying that someone like myself needs to never don't training because we're still human. We still make mistakes, and as things evolve it's still important to keep that reinforcement there. But to the point there, it's still the bigger picture stuff of are we configuring appropriately, are we executing our duties?
And as security professionals are we trained to support the staff behind us when the end user does report that Fitch. Are we doing that empathetically to make sure that they feel heard and supported and educated?
Or are we being the person going well, you doofus, you shouldn't have clicked that link. Like, don't do that next time because that's going to have a negative result in that program.
So we've got to handle that appropriately as well and be trained to do so.
Connor Swarm
Yeah. To anyone listening that the quickest way to get somebody to hate you is to tell them that they're stupid for not understanding something that comes easily to you. It's not what we should be doing and at the end of the day I'm a security professional. I can do all the fancy security stuff. But if you tell me to run your company financials out of Quickbooks, I'm going to be asking for a lot of help.
Yeah, that's not my job. I defer you to somebody else, please. Yes, I always say a point you mentioned that bad behavior can resurface. So it's like in my mind, the goal of your security awareness culture and your security awareness training program, it should be to consistently measure for not only the remission of bad behaviors, but to make sure there is no resurgence of bad behaviors. Because like you said, everyone always needs refreshers for these things. Threats consistently show up. The one thing you can guarantee is people are going to try to keep stealing your money, access information. They're just going to try it a little differently every time.
Adam Evans
Yeah. And it's that validation of our programs too. I love to think the program that I've built internally is the best thing in the world, but ignorance is bliss. I need to have that constant feedback from the team saying, is this effective? Is this working? Are there areas for improvement?
Connor Swarm
Stress tested? If you had one piece of advice to give to somebody listening where they could begin to learn about compliance frameworks or try to understand it through the lens of their own company, where would you recommend they start?
Adam Evans
So governance stuff is a huge can of worms, and reading into all the frameworks is a full time job by itself, and there's a huge amount of risk and liability in going through that and doing it wrong. The simplest thing I would recommend, find good trusted advisors and peer groups to learn from the experience of other people to make that a little bit easier for you, but also just to build that support network. There's great companies out there. There's great people out there. There's great groups out there on LinkedIn. And other where I applies and they're sharing the love. So I would definitely start off looking for those people, looking for those groups and organizations and having those conversations.
It's too much to do it alone.
Connor Swarm
Awesome.
So it was find a community, find people that are willing to help you out, ask great questions, and find some advisors that you can trust. I think that is some great advice.
Now, we talked a ton about security, but you're also in the deep end of the MSP industry. So I'd love to have you back on to talk a little bit more about the best practices in the MSP industry and where you think things are working and where you think things are not working. So if you're listening to the show right now, we're actually going to have Adam back on to talk about all that here real shortly.
So you're going to have to listen to the next episode, but thank you for joining us today, Adam. This was a blast.
Adam Evans
Yep. Thanks for having me. Love sharing the knowledge.
Connor Swarm
Awesome. Once again, I'm your host, Connor, CEO at Phin, and we will see you guys on the next episode. Bye.
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out Phin Security at phinsec.io. That's p h i n s e c i o or click all of the wonderful links in our show notes. Thanks for fishing with me today and we'll see you next time.