We are on Control 12 in our Fireside chat with Matt Lee and are digging into a control with only one IG1 safeguard and only one IG3 safeguard. Network Infrastructure comes with some rabbit holes and tangents, but I think you will find that this control is essential to most MSPs.
[00:00:00] Welcome to MSP 1337, a show dedicated to cybersecurity challenges and solutions, a journey together, not alone. I'm your host, Chris Johnson.
[00:00:30] We had a particular episode, but in order to capture the fireside chat with Matt Lee, we had to run a little after hours. So, Matt, welcome to the show.
[00:00:39] Oh, thanks man. We do it. We do what we have to. Don't be brother.
[00:00:42] Yeah, we'll squeeze in the time when we can from one hotel to another.
[00:00:46] In fact, this is by the first time in a while that I've been the one in a hotel and you're the one in the office.
[00:00:51] And I'm not. Yeah, my studio. Yeah, exactly.
[00:00:53] Exactly. So I did pack the microphone for the listeners, the voice sounds somewhat similar to normal, but we are doing this from a hotspot.
[00:01:02] So bear with us as we could have some glitchiness. You know, I could end up in my techno voice.
[00:01:10] We are on CIS Top 18 Control 12, Network Infrastructure Management.
[00:01:18] We already started talking about network infrastructure today, before we even got to Control 12, with my challenges here at the Marriott.
[00:01:26] Sure.
[00:01:28] So Matt, talk to me a little bit. Give me the high level. I think this is one that, I would argue, most solution providers...
[00:01:37] This is a control that one would hope they are particularly keen on.
[00:01:43] This is an area where they've spent a lot of time and energy over the years helping their clients develop and build out appropriate network architecture so that they can be secure.
[00:01:53] In fact, I would argue that before it was an approach of a security-first mindset, it was "how do I ensure QoS for things like your VoIP phone and streaming a video?"
[00:02:04] Exactly. Exactly.
[00:02:07] What's interesting is I'd like to talk about Control 12 in the before, like a BC and an AD type model.
[00:02:15] And what I mean by that is, there was the old walled-garden mentality of supporting traditional infrastructure, which is: I have a network.
[00:02:24] It is defined in the RFC space for me to have private IP addresses, right?
[00:02:29] Private IPs, the varying degrees are segmented into multiple VLANs that I'll meet through firewalls and then ultimately leave this castle and go out the front gate past the moat. Like, that was the common infrastructure, and a lot of Control 12 is about that world, is living about that life.
[00:02:44] Like, it's talking about things you have control over.
[00:02:47] Whereas I'm really like, pre... like, these things come to you already in a box that's doing some of these things, and pre-COVID, right, and really pre-COVID and pre-modern companies, like,
[00:02:59] think about why we had that type of infrastructure. We built servers, we built VPNs, we built line-of-sight communication connections for crappy line-of-business software.
[00:03:11] Right, now I have to be able to see the head of line of sight, exactly. And so, but now we're in a world where I'm working at a Starbucks. Like, what am I going to do on Control 8?
[00:03:22] "Hey Starbucks, like, do you mind sending me the logs? My buddy Chris was over there working for about four hours, so I need the logs from three PM. Have you configured WPA2 to the adequate standards?"
[00:03:34] It was just impossible. "And I would like a latte, and I need to print six pages out of that latte, and your art dump," right? Like a latte, log file package, and your
[00:03:45] hard top, and no, with sprinkles, with sprinkles please. But the reality is, I like to just remind people that a lot of this conversation in 12 is speaking from the lens of a traditional infrastructure. When you start living in a world
[00:04:02] of ZTNA and SASE, right, zero trust network architecture or secure access service edge, or VPN-type extensibilities and cloud models, when you start living in that world, then some of these controls become less relevant, different, changed shared responsibility
[00:04:22] to the reality delineations, things that are really awkward in how this has to be looked at. So I just want to start with it.
[00:04:27] I'm just going to throw relevance out. Not throw it out, but I think, to your point about relevance, I think the lenses are different while trying to address some of the very... I don't
[00:04:38] want to say same, but what we're shifting in, what's... it's not as important, or there are things that now are just different. Different, yeah, it's different. It's a different paradigm. This is not an
[00:04:49] evolutionary delineation, this is a bit of a revolutionary delineation in my mind, and the things that are changing in our world. So that's what I would just kind of start with.
[00:04:58] Let's go through the controls, though, and talk about it. What is the purpose? Control 12, as a premise for its overall starting point, is: establish
[00:05:06] comma space implement comma space and actively manage, which then has further delineation, parenthetical: track comma space report comma space correct
[00:05:16] space network devices, in order to prevent attackers from exploring and exploiting vulnerable network services and access points.
[00:05:23] What's funny enough, I think of access points as kind of being a part of that. Like, somehow they've got their own delineation away from being part of that network infrastructure. Like, "all in, the exception here, we have an access point." Like, you should also treat that with some level of...
[00:05:36] It's weird about this too, as you can show more. If you look at CIS 4, 4.1 says configure all this stuff but not network, and 4.2 says configure network, and so they've really focused on, you can tell, what used to be the most predominant ways of attacking an organization, and still maybe today for a lot of brownfield, old... I mean, the ball game, sure. Yeah, okay. So let's clarify something. I think there's something really interesting about this control
[00:06:05] that we don't see a lot of elsewhere. It creates sort of an exception here. It says, if you are a small SMB, here is a completely separate set of guidelines for you that you should go and explore before tackling these safeguards.
[00:06:22] How so? It literally says, for telework and small office guidance, you should refer to the CIS Controls Telework and Small Office Network Security Guide
[00:06:33] before you get into the safeguards, which, breaking that down from the enterprise piece, right. So yeah, I love the guidance. If you're not reading those components and actually getting into that, which, to your point, is right there in the bold before you get into safeguards, you should, because they give you some of that context awareness of what you're about to stumble into, right, if that makes sense. Yeah,
[00:06:53] it also feels like it's a bit of a tack-on as well, to this "oh crap, this is changing," and I'd be very interested to see what network security layers look like as recommendations in the kind of post-COVID era version 9 model. As we go, like, what is that SDP, or software-defined perimeter?
[00:07:10] Yeah, the rules change a little bit now that we're dealing with a more abstract... like, it's just not... it's not clear. There's no more black and white.
[00:07:20] But the best way to say it, Phyllis Lee said this best, and it's an oldie but a goodie, so I'll just go way back to like three years ago. Phyllis said, "your network ends where your users' fingertips land," right?
[00:07:34] And you start getting into this understanding that it's much more consumption-point oriented and much more identity oriented than what the former state would have been, which is "I can protect this castle because I got guards walking around with walls."
[00:07:47] And I ain't never... what's that horse doing in here, right? You have one castle that you needed to remote into to access data. Now you don't even know necessarily where the castle exists.
[00:07:57] On the castle sometimes, right? You're going to somebody else's castle, right, the guardhouse, like, "what, do you know this was here?" All right, we've burned enough of everybody's your balls for this, so let's get into the safeguards. 12.1, this is the only IG1, y'all. It's the only implementation group one.
[00:08:13] Update your stuff, I think that's how it says in paraphrase. Yeah, I think that's the... that's the message. Yeah, that's the distilled what. Ensure network
[00:08:23] infrastructure is up to date. "Ensure," that's a measurable, right? "Ensure" is, I need to show that you actually did do that. Your network
[00:08:30] infrastructure is kept up to date. Example implementations include running latest stable versions, duh, or using network-as-a-service offerings,
[00:08:38] like your Merakis and your other physical-layer-type network-as-a-service offerings, and review those offerings monthly or more frequently. You know how frequently? As often as there's a pure
[00:08:48] fricking 10.0 on my damn network equipment, right? That's the... that's the how often. Yeah, but, well, and you see this, you see this, you mentioned
[00:08:58] Meraki and some of the players that are in that space, a rackness, a few others. Sure. You know, I would, I
[00:09:05] would argue even Cisco's now really shifted that direction, of that, you know, with the
[00:09:10] Meraki model a little bit. I think what's interesting here is it used to be that someone that did do this level of depth in network
[00:09:18] management... we all remember the good old days of, like, you had to literally hook up a console cable to have the
[00:09:24] management interface for a switch. That is not for every, you know, solution provider today, but no, I don't have anybody that knows how to
[00:09:30] do... you can add online on Cisco Catalyst switches. Like, this isn't necessarily easy stuff, which I think is a good point to
[00:09:37] make out, like, that, hey, you may not have the resources internally to truly manage network infrastructure at the
[00:09:45] switch level, at the firewall level, on some of those things, and it's important that you have the right resources in place.
[00:09:50] But cloud services scaled it so much better, really. Absolutely. And that's where and why those type of players, and really even if you look
[00:09:57] at the macro environment, you have WatchGuard Cloud, you have FortiCloud, you have, right, you have all these players trying to do similar things:
[00:10:04] one config that I can push appropriately to multiple switches in different zones, and they overwrite configs,
[00:10:10] or maybe accidentally plug in an old switch to new with VTP on and maybe blow up an entire network for Sierra Nevada
[00:10:16] Corporation, let's say, or put a patch cable into two ports on the same switch, and I forgot about spanning tree.
[00:10:22] Yeah, yeah, no, never. It made the packets faster. That's right, it's right. Control 12.2 is... and really, y'all, if you're not doing patching on this,
[00:10:33] there's a reason they felt the need to go ahead and step out. Like, why is this different than 7, patch your
[00:10:38] stuff? Why is this different? And it comes down to because practitioners weren't doing it. Practitioners aren't
[00:10:44] doing it. Patch your switches and network equipment, because by land there probably have a home there forever.
[00:10:49] Okay, I know. To have a secure architecture, and what's interesting is when you go back and look at controls
[00:10:56] earlier that talk about architecture in general, 12.3 is saying have segmentation as a minimum,
[00:11:03] least privilege as a minimum, and availability as a minimum. We're coming back to 5, 6 right now. 5
[00:11:10] and 6? Yeah, 5 and 6 on some of that identity aspect, right. But really, when it comes to a secure network
[00:11:16] architecture, 12.2 is the first time you really get into this. Segment, really,
[00:11:23] list data, part have different segmentations. But if you look, 12.2 goes back to data access control
[00:11:30] list being a part of that conversation from 3.3. 3.8, documenting data flows,
[00:11:35] that architecture has to be part of that. 3.7, data classifications come from architectural
[00:11:41] decisions, or vice versa. Encrypt sensitive data in transit has to be part of an architectural
[00:11:46] decision, so 3.10, 4.2. I have an argument question. Yeah? I have an argument question.
[00:11:51] I think in 3, do we not have a space where it calls out needing to have a diagram
[00:11:58] that articulates data flow? It actually recommends having a data... the 3.8 is
[00:12:02] document data flows, and so thinking about that and realizing that we haven't got
[00:12:07] a diagram in this control yet, and yet those two, they, like, what good is my data flow
[00:12:14] diagram if I don't have a network diagram to go with it? That is why it is 3.8,
[00:12:20] and so we're later in the threes in the IG2, IG3 compendium. So at least you're hoping
[00:12:25] that this 12.2 falls before it, if it's IG3. But you're right, I haven't looked at that, but they do
[00:12:30] this a lot, where you'll have these things out of order, or called as something that you end up
[00:12:34] going to be really specifically called for later, that had to have existed before in order
[00:12:39] for you to do, let's say, 3.8 with a tennis. We're talking about, if we look at it
[00:12:43] through the lens of IGs, the implementation groups, that it would be fair to say that
[00:12:47] you may have gotten to this point and now we're going back to enhance. Yeah, because we're
[00:12:53] now saying you have to make sure that you address segmentation, least privilege, which might not
[00:12:58] have been part of just documenting the data flow the first time. Now it's, "oh wait a minute,
[00:13:03] from non-secure to secure, or secure to non-secure, that's a problem," right? Let me tell you
[00:13:07] how this will play out, right? Microsoft logged stuff from a secure area that included keys
[00:13:14] being used for their signing. They logged that into a non-secure area. A data flow diagram
[00:13:19] would have shown a crossover from a secure area to a non-secure area of data that needed
[00:13:24] a sanitization layer, right, or needed some segmentation of access, things of that nature. So
[00:13:29] you know, that was in the signing keys aspects, but anyways, 12.2 is make sure you build this
[00:13:34] with POLP, principle of least privilege, availability, and segmentation in mind if you're building
[00:13:39] architecture securely. So that's an architecting and designing. 12.3 then gets on to
[00:13:45] securely manage it. Like, don't use insecure crap. Don't use Telnet, right? No swear...
[00:13:51] you got... don't... no, I know, I know, I swear, I swear, it really matters. No, no, not getting...
[00:13:56] not... I know, I wasn't meaning... I didn't mean to be... I was... it's funny, not haha, I know it is, it
[00:14:03] is. But the point being, this is really getting into: use SSH, and if you're using
[00:14:08] SSH, maybe use keys with passwords, not passwords stored in credential files, right? Use
[00:14:13] HTTPS, don't use HTTP, and it really just gets into a lot of the things that say use
[00:14:20] secure, you know, infrastructure management, right? And so anyways, 12.3. It didn't always
[00:14:28] start out this way. Like, we're talking about security that has come as a result of
[00:14:34] the evolution of threat actors, right? Like, we didn't start out with "port 4443 is an
[00:14:38] option" when browsers first came out, right? Like, we didn't talk about, like, "oh man, you
[00:14:41] got to lock them at browser." So those weren't... like, we were happy to have a browser.
[00:14:45] So I think if you think about some of the things that are in place today, we're still
[00:14:50] dealing with the legacy of more than 20 years of layers upon layers of technology.
[00:14:56] Well, you and I just had this conversation. Here's a great example, which they are
[00:15:00] talking about the management of the infrastructure using HTTPS, but let's turn it
[00:15:04] on its head. You're at Marriott. You can't get on their Wi-Fi because they haven't
[00:15:08] updated their cert, right? HTTPS. And your organization has a stringent policy. It says
[00:15:14] we're only good with valid certificates, right, to prove the site is the site, and you
[00:15:19] can't then get on the Wi-Fi, right? My point is, like, you've been
[00:15:23] put in a position where someone has set up HTTPS but not managed it and
[00:15:27] maintained it to the extent that you're now not capable of, and you're either having
[00:15:31] to make a Sophie's choice of lowering your own capabilities and protections, which
[00:15:37] I've had to make that choice before as a professional, right. Or... well, been here, right?
[00:15:41] Yeah, you know, thinking about self-signed certs that we did for years, because, "hey, this
[00:15:45] is just my local stuff, I know it's me connecting to this firewall," you know, and
[00:15:49] now we're seeing where, like, even that is not a good security best practice.
[00:15:54] 100% not, and managing PKI extensibility, or doing Let's Encrypt type management
[00:15:58] and scalability, or, you know, scripting, you know, those are the type of solutions for
[00:16:02] those type of things, which really should be a part of this conversation in...
[00:16:05] Absolutely, right, is how are you going to manage these more and more
[00:16:09] general certificates? Okay, so there are other, maybe other means, right? That's
[00:16:14] actually something down back a little further too, is I could do other things. Like, I
[00:16:18] could use other methods of PKI, other methods of proving my identity. I could use,
[00:16:24] like I said, SSH, yes, other things that are mine, that are possession-based, also in
[00:16:30] that way. So, okay, side tangent aside, 12.4, establish and maintain architecture
[00:16:35] diagram. So it goes back to the point you were making, which was 3.8 is already
[00:16:38] talking about data flows, right? And as we get into 12.1, 12.2, we're
[00:16:44] talking about needing to take configuration of my segmentation, all these design
[00:16:47] elements, right, things that would factor in. Yeah, now we're drawing it, boys.
[00:16:53] Now we're like, this is like, we're giving you the numbers, we're giving you the
[00:16:56] colors associated with those numbers, right? Here's what we have, a shape. Like, yeah,
[00:17:01] here's orange, yeah, exactly. Oh god. Okay, well, now here we are. We need to make a
[00:17:06] diagram, and then there's two things that are highlighted here: establish and
[00:17:09] maintain. And for your reference, Chris, I'm looking at the placemats we're about
[00:17:13] to release that you and I helped build for this. And establish and maintain are
[00:17:17] two things. One is, did I establish it? Do I actually have an architecture
[00:17:21] diagram? But then also, I look at this diagram, is it like Matt Lee's ugly five-year-
[00:17:26] old drawing of my mom, where she's like, "yeah honey, I look so pretty," and it looks nothing
[00:17:31] like her? Or is it actually a picture of my mom, right? You know, one and the same, as
[00:17:36] well. I think, well, I just think I want to add something there. You know, I think
[00:17:40] network diagrams are often one of the most overlooked things, as I've seen,
[00:17:45] and as people are going to the trust mark, like, "hey, yeah, it's important that
[00:17:49] you have one," and they're like, "well, we've never had one before because
[00:17:52] we all worked from home." I'm like, okay, so maybe your diagram isn't that complicated,
[00:17:57] but I'd love to see it. Like, you know, why it matters? I know why it matters.
[00:18:03] When you tell me, why do I care? Well, because it might be wrong. That's true, but
[00:18:08] why does that matter? Where, tactically and operationally, do I give a shit
[00:18:12] about an architecture diagram? Where does it matter? Where does it come up? Well, I
[00:18:16] think one of the places it comes up, and you see this a lot with things
[00:18:19] like PCI, so if you're dealing with, like, credit card point-of-sale type stuff, I
[00:18:24] think it's not always that obvious until you put together that diagram
[00:18:29] that you may have devices that are not going in the right place, right? Your
[00:18:34] VLAN might not be segmented. What, where else? There's a big one, a big one, and
[00:18:39] I'll share that. Won't make everybody wait in suspense anymore. Yeah, because obviously
[00:18:42] I'm not as smart as I used to be. Oh no, you're absolutely accurate in the
[00:18:46] visualization. There's an extensibility of it that matters even more. Okay. That's
[00:18:50] during an incident. Oh, sure. Trying to determine, how do I contain and
[00:18:56] eradicate this incident? How do I stop its damage? How do I determine how big the
[00:19:01] damage is? How do I determine who gets involved? How do I determine what my
[00:19:04] reportability, right, responsibilities are? How do I determine those things if I
[00:19:09] don't know what connects to what, and how it looks, and what it does, visually? It'd
[00:19:13] be like a general operating with no map, but only painting in their head where the
[00:19:17] enemy's positions are relative to mine. Well, this kind of gets into, like, flat,
[00:19:21] flat networks versus more of, like, the complex VLANs that are segmented by types
[00:19:26] of service. Study right then, we just asked for her, and we know that you'll see it's
[00:19:31] going to... flat network in an incident scenario, it's like too late, right? A flat
[00:19:36] network is like, it's just, you hit it all at once, right? The flip side, yeah, the
[00:19:42] flip side of that could be just as bad if you don't have a diagram that helps
[00:19:45] articulate where things go. 100%, and that's my argument. Having a detailed
[00:19:51] and accurate, up-to-date architecture diagram is the only way I would fight a
[00:19:57] battle as a general, is to know where the positions are, right, the obstacles
[00:20:01] between me, and know which segments I need to say... if I know that Sally's computer
[00:20:06] went off, and your point in a flat network, it's anywhere within line of sight,
[00:20:10] because guess what, flat network means everything's in line of sight. Yeah, up to
[00:20:13] make a controller or a data holder or something that was sensitive,
[00:20:16] to Starbucks. So that's true. I'm already seeing the line of sight. It fills
[00:20:20] computer, that's right. Being is that I have this line-of-sight aspect. In a segment
[00:20:26] of network, I may not, which means I'm playing a game with the threat actor,
[00:20:29] saying it went off on Sally's computer, I now believe something may have moved
[00:20:33] forward. We had this conversation off air, right, about your friend. Yeah, so
[00:20:37] the point being is, having a diagram helps you in the moment, in the battle, and
[00:20:42] it's really, really valuable, but it is only valuable once you know you need it.
[00:20:45] Uh, this next one helps to aid the battle, to say... kind of piggybacks a lot
[00:20:51] of 12 when it comes to the model of networking, which these same concepts, I joke
[00:20:56] about the network being different, these same concepts apply when you're in cloud.
[00:21:01] They just now are under ZTA or shared responsibility matrices or things of
[00:21:05] that nature, but they're still the same thing. So I'm beating it up, but they all
[00:21:08] still common. So let's look at 12.5. 12.5 is probably that,
[00:21:12] that one that is the most valuable during a moment, yeah, during an incident,
[00:21:18] and also in how I run my day-to-day operations of finding those incidents, which
[00:21:22] is centralizing triple A, authentication, authorization, and auditing, into the same
[00:21:27] identity framework and plane, which means I'm extending 5.6 as an
[00:21:33] identity of Matt to an identity of the authorization and authentication
[00:21:39] principles being applied at the network layer, meaning I'm now, before I get a
[00:21:43] network port, actually validating that I'm Matt. And we'll get into that
[00:21:47] in port control, but when it gets into, like, following where Matt's going, yes,
[00:21:51] and I know that's Matt, not some kind of no device that's on the network.
[00:21:56] And this is tough, and this is why this is so valuable, is if you centralize
[00:22:00] principally, you now are actually bringing the unified identity plane
[00:22:04] together with the unified device and asset plane from that authentication,
[00:22:08] authorization, and the most valuable is the freaking auditing, bringing it into
[00:22:15] one plane where I now have a common, normalized response of where Matt and
[00:22:20] Chris went in the nefarious adventures in this organization, which means
[00:22:24] that you can flag it when that doesn't look like it's the name of path that
[00:22:28] Matt or Chris would normally take. And it also extends, I draw in my drawing that
[00:22:33] I'm going to be releasing to everybody that's listening to this, three different
[00:22:37] type... number one, yeah, yeah, exactly, three different types of lines. There are
[00:22:42] dotted lines, dashed lines or dotted lines, straight lines, and then there's this blue
[00:22:46] line. It's bidirectional. This is a unique one because 6.7 is bidirectional.
[00:22:51] It feeds as a data source. When 6.7 says centralized access control, well,
[00:22:56] now we have a control in 12 specifically speaking towards access, or
[00:23:01] authorization, which is the byproduct of creation of access, right? And so 6.7
[00:23:06] being centralized, now we're saying all the way down to the network layer,
[00:23:10] authorized. Well, let's talk about how that correlates in a pure cloud world. Well,
[00:23:14] now if I'm on a SASE vendor, I'm principally signing into that VPN with my
[00:23:18] cloud identity, right? So I am bringing the centralization of that triple A
[00:23:23] layer out to that new definition of a network, that is this much more
[00:23:28] undefined network structure that we speak about, right, that private internet
[00:23:33] access and those type of movements and motions we're seeing going. So it also
[00:23:37] brings that auditing plane for the identity and the sign-in to that network
[00:23:40] device back to that same 6.7 and 5.6, right? So just kind
[00:23:46] of my paint that 12.5 is the 5.6 and 6.7
[00:23:49] compendium, in my opinion. Yeah, as is that last six, I mean,
[00:23:54] I think that to some extent, for those listening, we may have actually gone
[00:23:58] down a rabbit hole on level of nerdiness as it pertains to safeguards. That
[00:24:04] being said, you know, when we talk through the safeguards and you hear
[00:24:09] Chris and Matt banter on some of this stuff, largely what we're trying to get
[00:24:13] across to anybody that will listen is that there is a relationship not
[00:24:18] just between safeguards within a control, but within safeguards throughout the
[00:24:23] control mapping across all 18 domains. So when we refer to these other
[00:24:30] controls, it is an opportunity, if you're listening, to make a note and go, "hey, I
[00:24:35] should maybe go back and check my work. Maybe I should go make sure that I did
[00:24:39] capture what I thought I did," if you're in fact on Control 12. This is a continuous
[00:24:44] improvement process. It's not a one-and-done process. I like to say... we always say
[00:24:49] checkboxes are bad. I'm going to disagree for a second and say, if the
[00:24:53] checkbox is referencing an activity, that's probably good, because activities,
[00:24:57] they just keep coming, and I hope you can check off activities all day long,
[00:25:03] because I hope that your box goes back away when it's not... when it needs
[00:25:07] to be active. That's right, it comes back. Activity keeps coming back.
[00:25:11] Right, this is a little static, we are checking off. Well, you know what, you
[00:25:15] think about it, I joke, but have you ever seen post office people scan a box on the
[00:25:20] side of a wall and then drive off? Like, literally, that's all they're doing.
[00:25:24] They're checking in on their route. They're checking into set time
[00:25:27] stamps to show that they made the route, to do the things that you've done. Like,
[00:25:31] there's some element in those tickets that's valuable in that check,
[00:25:34] and I think it's the exercise, or the activity, is definitely
[00:25:40] merited. It's that it's not the end goal, right? The end goal is "how can I
[00:25:45] make this go away?" That's not the validation we want. It's that I get
[00:25:50] the element of work complete, or as complete as I can at this moment, this
[00:25:55] juncture, and I think that's what's important. Like, I don't want to discourage
[00:25:58] people from thinking that checkboxes are entirely bad, especially if you,
[00:26:01] you know, you suffer from it like I do, where, like, I will write a checkbox. Got
[00:26:05] to you, didn't they? Yeah. I saw. No, no, I'm gonna tell you right now. Yeah, no,
[00:26:10] no, I'll tell you right now. You said, "hey Chris, I need you to do something,"
[00:26:14] and I go, "oh yeah, I already did that, but you know what, I should write that
[00:26:17] down so I can check it off, man." Very fair. All right, back to the controls. Yes,
[00:26:23] well, 5 said centralized triple A. Now 12.6 says two things in one, which
[00:26:29] we said we're not going to do. Yeah, we really don't like this one. Yeah, because
[00:26:33] it's got an "e.g." in there, which "e.g." does not mean "ergo," right, if I remember
[00:26:38] correctly. "E.g." actually... what was it? What does it actually stand for? I can't do this because
[00:26:42] I got, I got corrected. If you remember correctly, quite well, "e.g." is, in
[00:26:46] this particular case, I think it's referring to... it's simply "exempli
[00:26:49] gratia," which means "for example." And so it's meant to be exemplary in that
[00:26:54] discussion, not "this is exactly what it is," right? And it's giving two very
[00:26:58] distinct, two specific, different, different things. One is
[00:27:04] 802.1X, one's WPA2. Just basically stating wireless or
[00:27:09] wired protected, or does WP... oh man, that's personal. No, got to get it now.
[00:27:15] Now I know wireless by an access was wired equivalent protection,
[00:27:21] but what's WPA? That is privacy... works... no, that's not it. Wi-
[00:27:32] Fi Protected Access. It's self-described in the acronym. I hate you so
[00:27:37] much. Okay, fine. Wi-Fi Protected Access 2, which now WPA3 is out as
[00:27:42] a standard. So WPA2 was called for, and in eight dot one, that's
[00:27:46] talking about the type of standard chosen for the encryption algorithm,
[00:27:50] basically for me and my access point protected session, right, so
[00:27:54] people cannot spy on me. But what's interesting is 802.1X is a different type
[00:27:58] of protocol. It's speaking towards authentication and validation
[00:28:02] of centralization of AAA. So this is a little bit of a muddy control.
[00:28:06] One is only going to be for wireless, right? Like, one is only related to
[00:28:10] wireless. The other one, .1X, could apply to a port, a physical switch,
[00:28:14] yes, and other usages. So the point is, they've kind of muddled a couple
[00:28:20] things together with examples, but the core control says use secure network
[00:28:24] management and communication protocols, and what they're really saying is, if
[00:28:28] there's a more relevant and up-to-date standard, you should use that one,
[00:28:33] as WPA2 is probably not the standard I'd go to now. It'd be WPA3,
[00:28:37] and so you start getting into that difference. So anyways, just wanted to call
[00:28:42] on this one: use... I like it. Use that. Take the spirit of this one, not the example
[00:28:46] used. Exactly. 12.7, require users to authenticate to an enterprise VPN
[00:28:52] and authentication services prior to accessing enterprise resources,
[00:28:58] and they're saying to use your AAA infrastructure, which means using solarwinds
[00:29:01] 123 probably isn't what they're talking about here.
[00:29:06] But this does go back to, I believe it is 6.3, 6.4,
[00:29:12] 6.5, the different... if multifactor authentication
[00:29:16] kind of gets into the same thing, right, where it talks about using MFA
[00:29:20] with your remote access to infrastructure via VPN.
[00:29:24] It's six, they go hand in hand. Yeah, 100%. But the point is, even then,
[00:29:30] I could use MFA and my VPN and not meet the spirit of this control.
[00:29:38] Exactly. The spirit of this control is actually to tie it in to my central
[00:29:43] AAA infrastructure, which means my central identity source,
[00:29:47] and it does not mean some third-party MFA jank app that I use with solarwinds
[00:29:52] 123 and a shared username to get to the VPN infrastructure.
[00:29:56] They're really saying the same thing of, I don't care where you're coming
[00:29:59] from, make sure I know it's Chris. That's it. It's not just plug in and get electricity;
[00:30:04] it's I want you to run an extension cord from the office to wherever you are,
[00:30:08] so that I know you're getting power from our office
[00:30:11] and I know that it's you and I know that I can attribute it to you.
[00:30:14] Right, and the extension cord doesn't really solve that, because I have to know
[00:30:17] that you're plugged in next to Chris's desk, and Chris's desk was where
[00:30:21] we're tracking power. I guess I was trying to create the mapping physically
[00:30:25] to say, like, you know, we don't want you to just... this isn't just about getting connected
[00:30:29] to the office, it's about knowing who you are. Right, that's why it says use
[00:30:34] authentication and then authentication services. That's twice on there in
[00:30:38] that safeguard. So, and we see this, right, this is common in the VPN
[00:30:42] space, where you have a device that you have keys that allow you to VPN
[00:30:47] to get authentication into the network, but if you don't then add the check, that
[00:30:51] validation to check in with your central managed identity server,
[00:30:56] then all I am is a device that's connected to the network.
[00:31:00] Exactly, and that is how you would distinguish devices and identity,
[00:31:05] and when you really start getting into zero trust and ZTNA,
[00:31:09] that's almost a premise of that: I have to know who you are in that SPA,
[00:31:12] or single packet authorization, before I ever give you access to anything.
[00:31:16] In fact, even then I don't show you what you have access to,
[00:31:19] right; I may only let you access it if you know of it.
[00:31:23] So this last one, this last one is... it's a grow... so, hold on,
[00:31:28] I want to set it up a little bit. Yeah, you do it. There's eight safeguards
[00:31:32] in 12; this is the only IG3. Is the only IG3.
[00:31:37] It's also almost unattainable. That's where I was going to go next.
[00:31:41] My thunder... away. I was going to say, I knew... what, I can do this. Well,
[00:31:44] nobody does, nobody does. Let's talk about why, and maybe
[00:31:50] talk about the spirit of this control, because I think, in the spirit,
[00:31:54] I think there's a lot better chance of achieving something close,
[00:31:58] but if you just try to verbatim take it for what it says
[00:32:01] and do exactly what it says... Yeah, well, let's talk about what it is.
[00:32:05] Yes. So have you ever seen that movie where they lock this
[00:32:08] book or blocks in a basement, they have this weird dude that comes on the
[00:32:12] PA and tells them to do horrible things until they get out?
[00:32:15] Saw. Anyways, that's what we're talking about here: not the movie,
[00:32:19] but a secure administrative workstation, right. We're talking about
[00:32:22] a SAW, like that little whole journey we just... don't know.
[00:32:25] That was nice. I'm not sure I'll ever watch TV again, but thank you.
[00:32:29] Thanks. So we're talking about a secure administrative workstation,
[00:32:33] and what the control specifically says, or safeguard specifically
[00:32:36] says, is establish and maintain dedicated computing resources for all
[00:32:41] administrative work. Yeah, keep saying it, because I think that's kind of
[00:32:46] important here. How many of us do administrative things?
[00:32:49] Uh-huh, all the time. And so you think about this and it says now...
[00:32:54] that would mean there's already an immediate paradox when it comes
[00:32:58] to locally administering machines, because now I have to be an
[00:33:02] admin on a machine I'm administering. Let's just touch that one first.
[00:33:06] It's like looking in the mirror on Zoom. Yeah. Notwithstanding,
[00:33:10] there is the other challenge of what they're really wanting you to do
[00:33:14] is make it to where what I do administratively not only lives on a
[00:33:18] separate account but on a completely separate device that I can treat
[00:33:21] differently, that I can put higher restrictions on, that I can restrict
[00:33:24] higher, I can remove internet access from, and in fact this says
[00:33:28] physically or logically separated. Yeah, for all tasks requiring
[00:33:32] admin access, the computing resources should be segmented from
[00:33:36] the primary network, back to that initial definition of...
[00:33:39] and not be allowed internet access. All right, so you're getting
[00:33:44] into some things where you're saying I need a box that I can
[00:33:48] get on to that I do admin functions from, so that when admin
[00:33:52] functions are done, they're done from a non-anomalous location,
[00:33:55] where something is not exposed to the normal attack surface.
[00:33:59] If I hit it with a malware, it can't reach out to C2, C-
[00:34:03] squared; it has no internet. You're giving yourself constraints to
[00:34:06] limit the function in the moment of the action, where I use
[00:34:09] the weapon to one place and one time, one space, right. And I'm
[00:34:13] going to throw this out there, because I obviously am realizing that
[00:34:16] this is near impossible, and in many cases, especially
[00:34:19] from a financial standpoint, they were talking about an expense,
[00:34:22] that's just have hardware dedicated to one job and one job only.
[00:34:26] But that gets me thinking about things like, if you can do that,
[00:34:29] whether it's virtually, like it talks about, or physically
[00:34:32] or logically... So virtually, yes. So, but like, along those lines,
[00:34:38] I would think of, like, my starting point would be, like, this is
[00:34:40] not attached to my domain controller, this is not part of...
[00:34:44] like, I've added some segmentation right there by not having
[00:34:47] it be able to just talk to, you know... The layers that you can
[00:34:52] remove would help, but do we get... and documented. Yeah, but do
[00:34:56] we get far enough? Because here's the thing: if we talk about
[00:34:58] removing internet and my entire infrastructure lives in the
[00:35:01] cloud, then what problems have I introduced? Because I'm saying,
[00:35:05] well, but really, define internet, right? What they really mean is this
[00:35:10] untrusted space not needed for administrative functions. Got
[00:35:14] it. Okay, I would have access to the things specifically needed.
[00:35:17] But let's also... I will tell you, I've solved this. I solved
[00:35:20] this at the Belker to the 85. Here's how I solved it.
[00:35:24] We're all going to ease an apps until Matt puts the grade
[00:35:27] on the Belker. Fair, it's fair. So here's how we did this in
[00:35:32] Iconic: we bought a separate workstation that we put at
[00:35:37] every single client site that lived on its own VLAN.
[00:35:41] It had access to whatever internal crap it needed to access,
[00:35:44] and it had access to whatever external crap it needed to access,
[00:35:48] but it was otherwise locked down, with very limited internet
[00:35:50] capabilities. Sure, it was locked down, and I then had the
[00:35:54] ability to say I'm on my machine at Matt Lee's work, I'm now
[00:35:58] promoting into the machine in which I'm doing admin stuff.
[00:36:01] Sure. Red second box. It gave you a jump box. And that's my
[00:36:05] argument: that is my method. I'm restricting the beginnings
[00:36:09] of this from an admin function. It might have to be AD-
[00:36:12] joined, I might need... That's first. But I can define
[00:36:16] how I segment it, how I separate my identities, and that's
[00:36:20] just getting to that point. You could also do things like
[00:36:23] virtual desktops, WVD, in that identity, signed in under
[00:36:27] that identity at that identity plane. There are ways to solve
[00:36:30] this that can be met. Not to judge this control, but it gets me
[00:36:34] to do some things like that in a way that is not a
[00:36:38] good idea of how I'm making this, and I'm making this...
[00:36:42] like, just how, you know, 6.3, 6.4, 6.5 break out
[00:36:46] different MFAs tied to different access types, I can see
[00:36:50] taking this control and doing something very similar, where
[00:36:53] you say external SaaS-based applications, you know, making sure
[00:36:56] that you're not giving, you know, Matt Lee and the normal
[00:37:00] user profile admin rights to log into SAP, right. This is very
[00:37:03] good for 5.3, right. Right, right. So I think
[00:37:07] that very much we can see that the evolution of this control
[00:37:10] is going to change. It has to, because, like you said,
[00:37:13] it is borderline near impossible to achieve. It can be
[00:37:17] done, but at what cost to a much smaller organization
[00:37:20] that not following what you've just described as a way
[00:37:23] to do it would be potentially financially expensive.
[00:37:27] Yeah, I think that it comes down to, to what degree am I
[00:37:31] natively in the cloud, right? That's one way this helps
[00:37:35] get easier, and if you are in that situation, me buying a
[00:37:39] $20 license for Matt Lee admin, a $50 monthly SKU
[00:37:43] from my cloud VM, and I would sign in from my same
[00:37:47] physical asset to that third-party cloud resource to then do
[00:37:51] Matt Lee admin-y, admin-y things, right. So you get your point
[00:37:54] where that's 70 bucks a month per person just to have those
[00:37:57] admin capabilities if they're needed. And there's also,
[00:38:00] you know, when you think about the MSPs listening to this,
[00:38:03] there's the Matt Lee at my company admin,
[00:38:07] and then there's the Matt Lee as a representative of some
[00:38:10] extensibility to your company that might be in the form
[00:38:13] of some crappy admin password I've saved in ITU,
[00:38:16] that might be an extensibility of the Matt Lee real identity
[00:38:19] through GDAP or other things. But the point is...
[00:38:23] On what's harder... hold on, it's even weirder
[00:38:26] when everything you do in that role of Matt Lee as an
[00:38:29] admin to your company is Matt Lee, whose internet-
[00:38:33] facing account for Matt Lee's company is the attack
[00:38:36] surface. And now you just... you just described where I was
[00:38:39] going to go: the user that gets popped now pops
[00:38:42] all. Right, that's the real challenge, and you and I've
[00:38:45] discussed this in Trustmark, which is, what's the most
[00:38:48] valuable asset an MSP has? It's their access to their clients,
[00:38:52] which means it is the summation of all of their clients'
[00:38:54] risk that they have placed themselves in the line of,
[00:38:57] to varying degrees, based on their access to their
[00:39:00] client networks. Well, and that's the example of that.
[00:39:03] We didn't have the technology for this for a long
[00:39:05] time, but, like, go change the local admin password
[00:39:08] on every endpoint in every client environment, and then
[00:39:11] also have it not be the same password as each other
[00:39:14] machine in that environment, and reasonably manage that.
[00:39:17] Well, today we have lots of technologies that help
[00:39:20] solve for that that we didn't have five, six years ago,
[00:39:23] and all those techs have done is help make people feel
[00:39:27] more comfortable they're doing something they don't
[00:39:29] fully understand. Truth, at all, if I'm honest. So
[00:39:33] they're good and bad in that, with that same... Right, well,
[00:39:35] there you have it. We just, you know, went through perhaps
[00:39:38] one of the more controversial... Yeah, like, you know,
[00:39:43] the words that come to mind are almost "legacy" when
[00:39:46] you think about post-COVID, like, we don't live
[00:39:50] in four walls with a firewall box anymore.
[00:39:53] Star box, I need to step up that segmentation.
[00:39:57] Yeah, it's really disappointed right now. Also,
[00:39:59] do you care where I put my printer?
[00:40:01] It needs to be...
[00:40:05] So good, the printer with the WAN port.
[00:40:08] That's awesome. Yeah, like, I don't understand why my
[00:40:10] printer just keeps spitting out random documents
[00:40:12] from these different companies.
[00:40:14] For those of you listening, and you want to print
[00:40:16] to my printer, you just need to go to
[00:40:18] Chris dot print somewhere dot com and it'll just
[00:40:22] kick it. No. That's not... As always, I appreciate your time.
[00:40:26] For those of you listening, this has been an
[00:40:28] episode of MSP 1337. Thanks, and have a great week.