The last control domain discussed on the Fireside Chat is Physical and Environmental Security. This domain was taken directly from the CompTIA Cybersecurity Trustmark, and while it wasn't covered in sequence like the majority of the domains, that is not because it was overlooked. Many MSPs, however, fail to give it much attention. Join Matt Lee and me as we walk through the 16 safeguards.
[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson. This is a show dedicated to cybersecurity challenges and solutions, a journey together, not alone.
[00:00:20] Yeah. Okay. Welcome everybody to another episode of MSP 1337. It's that time. It is Fireside Chat with the infamous Matt Lee. Matt, welcome to the show.
[00:00:30] What's up brother. It's great to be here. It's been a lot of these episodes and I think we're nearing the end of covering this yearbook end to end, aren't we?
[00:00:37] This is the 18th of the 18 domains.
[00:00:43] Let me count. Yep.
[00:00:45] We've been doing this for a year and a half. Like this, I think started not long after you and I met, which would have been at CCF in Chicago.
[00:00:54] Yeah. And we sat at the bar for umpteen hours talking about stuff like this.
[00:01:00] Yeah. And then it turned into hundreds and hundreds of hours of talking about it since.
[00:01:05] And yes, hundreds of hours. Um, yes. Wow. So we are, we did a couple of these out of order, I think, more largely because we knew that those following along mostly would have a familiarity with the CIS top 18 sequential logic.
[00:01:21] Uh, with the Trustmark, we added governance and physical security. So governance comes at the beginning.
[00:01:26] I would like to put that in front of everything because it's kind of important in your journey.
[00:01:31] Well, and I was just talking about this, Chris, you, you trigger me just real quick. We'll take a little sweet.
[00:01:35] Uh, I was trying to order my discussions for, um, uh, a thing I'm doing next week at security bootcamp.
[00:01:43] And the first order was governance and the governance has to be, and I love saying it this way.
[00:01:50] And we talked about it the other day, but governance has to be first. Um, because if you say we're going to do these controls and then you're not inspecting whether they're being done or the proper things in business or functioning, make it happen.
[00:02:00] Then you're not providing governance and it's not going to happen. Like you have to expect what you expect.
[00:02:06] Yeah. It's, uh, you know, it's the three key components for cybersecurity governance, strategy, culture.
[00:02:12] And if those three don't have an operational maturity to them, cybersecurity becomes a line card or SKU.
[00:02:18] And somebody might try to take you off on a tangent and go, what about funding? Funding comes with governance, num, num.
[00:02:23] Right. Yeah. Yeah. And, and, and, you know, and there's, and there's, and there's several scenarios where it's like, well, are you saying that?
[00:02:30] That we can't sell cybersecurity if we don't have those other things in place.
[00:02:33] No, that's not what I'm saying. I'm saying that that's all you will be doing.
[00:02:36] You will just be selling it. And I think what's great about the fireside chat and what we've stepped through is these are building blocks for a strategy for, for governance and for your culture to have an alignment.
[00:02:50] So that as cybersecurity becomes embedded into your business, into your MSP, it's not some random snowflake.
[00:03:00] It's an actual, um, measurable, you know, picture that others can look at and go, I respect that.
[00:03:07] I have confidence in what you're doing.
[00:03:10] Yeah. Well, and even if we take all that away, like I talked to somebody the other day, I think it was with Wayne, but either way, it was around this concept of compliance versus security.
[00:03:21] When we come to these things as a constant conversation. And when we talk about what is compliance, compliance is meeting a standard within a definition enough to prove to somebody else that you can move forward.
[00:03:32] And I'd like to make that like karate, right? In karate, I can do this kata. I can accomplish this. I get my yellow belt.
[00:03:40] Right. Now that's compliance. Now, if you can take those skills and when the bully comes to whoop your butt, not get your butt whipped, you have now reached security.
[00:03:50] Sure.
[00:03:51] Those are very different statements. Right. And you might take all the way to a black belt, not ever be really secure. If that makes sense. Right.
[00:03:59] Or afraid to use what you've learned. Right.
[00:04:02] Very secure and have no black belt. And those points may play out right to the other side, too. So anyways.
[00:04:09] So there's 16 safeguards in this category. It's actually one of the largest ones that has been built out in the Trustmark. And I want to preface a couple of things.
[00:04:20] One, you may find yourself thinking like, well, that safeguard doesn't apply to my company because we work from home or, you know, we're not responsible for the building that we're in and any number of reasons why this doesn't fall on you.
[00:04:33] And well, I'll give you some yeses to that. That may be true.
[00:04:38] Well, what I will say. Yeah, good.
[00:04:40] I was going to say, I think it's important to go. But what if so at least being aware and having an understanding of allows you to make decisions in the event that something goes sideways.
[00:04:50] And I think that's really important more than any of the other pieces around where you may not have full responsibility, like, say, the elevator or the physical building is to go, OK, well, what happens if your physical building has no power?
[00:05:03] You know, what's the game plan? Do you have a strategy? Do you know what the options are in the building that you're working out of?
[00:05:08] So as we go through this, think about, like, could this be something that you should be thinking about, even though it seems maybe a little bit outlandish that it would apply to you?
[00:05:19] Well, let's start easy. OK, first one, which is ES1: control visitors at all facilities, including sign-in sheets, monitoring activities.
[00:05:29] Now, I do not mean put handcuffs on them. It doesn't mean that kind of control.
[00:05:33] It really just means make sure someone's guiding where they're going, that sensitive areas are not accessible.
[00:05:39] Does it mean hold their hand? You know, if you need to hold hands, you don't land here, bro.
[00:05:43] Like, I'm not I'm not opposed to it. But monitoring activities and limiting access to sensitive areas.
[00:05:49] This is really the visitor log as a minimum required documentation.
[00:05:52] But the spirit of it goes much further.
[00:05:54] You can have a visitor log when I show up with my AT&T shirt and say, I'm here to look at our T1 endpoint.
[00:06:01] And they're like, we don't have a T1. No, but you actually do have an easement that we have from a former tenant that had this here.
[00:06:06] If you don't mind, just take me back to where your network terminates.
[00:06:09] I'll make sure that thing's not here anymore. I'll document it. My records will get done.
[00:06:12] If you don't guide me back there, I'm doing bad things when I get back there.
[00:06:18] You might still be doing bad things when you're guided back there.
[00:06:22] This is certainly this is one of those easy social engineering stories that we hear so much about.
[00:06:27] Like, it's not hard to get your hands on an AT&T polo.
[00:06:30] No, not at all, man. It may smell like somebody's worn it and slept in the streets.
[00:06:34] All right. So that's the first one. But really, you all have a visitor's log.
[00:06:38] I think it does get more interesting as we get into physical access as we go into this.
[00:06:42] So maybe let's not burn that bullet here, Chris.
[00:06:44] Right.
[00:06:44] So anything to add on this one other than make sure you're controlling visitors when they're in your building and make sure that you have a log.
[00:06:51] And control does mean usually one to one body or very, very sound plans of physical access limitation that allow for the access to happen.
[00:06:59] For example, to a mall that's open 24-7, but every store is locked and the bathrooms are locked and everything's checked and you have to walk around.
[00:07:08] You basically get your steps in and walk laps.
[00:07:10] That's it. Yeah, I've been there. It's a very interesting affair.
[00:07:13] I will throw this out there. I think, you know, the point that it says to also include, you know, monitoring activities.
[00:07:19] Yeah.
[00:07:20] Like, you know, it's when, be aware of when visitors are in your space, right?
[00:07:25] Like thinking through things like, okay, if someone's their client or otherwise are there for a meeting, okay, well, what's the meeting timeline?
[00:07:32] Do you know about it? Like, is it on the calendar?
[00:07:34] Is the staff aware that there are people there?
[00:07:37] If they go to the restroom, you do not need to hold their hand.
[00:07:38] Correct.
[00:07:39] But you might just have a certain timeline of which they come back and have ease of vision where they're at.
[00:07:43] Right.
[00:07:44] It's kind of a thing. You may not need to go in with them.
[00:07:46] This isn't like in the movies where they're like, yeah, we need to use the restroom.
[00:07:50] Climbing up the ceiling, tile in the bathroom, off the back of the toilet seat. No, we're good.
[00:07:54] It's third door on the right. What's after that?
[00:07:56] ES2 says, and this goes tangential, right? These are all physical and business continuity discussions.
[00:08:03] So this one says, have alternate worksite security.
[00:08:07] That means if you go work somewhere else, protect sensitive information at alternate worksites.
[00:08:12] And guess what, Chris?
[00:08:13] That does mean when you go to the freaking airport lounge and that is your alternate worksite.
[00:08:18] And I just let a little country come out of me by saying alternate worksite.
[00:08:23] Right. That's your alternate worksite.
[00:08:25] Then you need to lock your freaking laptop when you go get food from the fat boy and girl line.
[00:08:30] Like you have to do that.
[00:08:32] Like that is the reality of it.
[00:08:34] When you go to the bathroom, lock your laptop.
[00:08:36] We talk about this.
[00:08:37] This is where I see this every day, Chris.
[00:08:39] You know, I do.
[00:08:40] Yeah, we lock it up.
[00:08:42] And we have hundreds of these pictures of open laptops.
[00:08:45] We keep it OPSEC, but they don't keep it OPSEC.
[00:08:48] I've seen financials of giant companies like Boeing.
[00:08:50] I've seen all kinds of stuff that people just leave open.
[00:08:54] And this is the spirit of this safeguard, in my opinion.
[00:08:58] I had one the other day that was the guy's literally texting on his cell phone.
[00:09:02] He sets his phone down and leaves to go get food.
[00:09:05] Oh, I've seen the trifecta, right?
[00:09:06] The phone, the FIDO token, and the laptop.
[00:09:09] Like I've actually seen a Homeland Security office where he had left his, I don't think it's a CAC, but whatever the replacement card is for CAC.
[00:09:18] Yeah.
[00:09:19] But he left his identity card plugged in, a CJIS screen up with active searches.
[00:09:23] And he had walked out of a little tiny closed room where, to see the screen, you'd have to be, you know, 10 feet from the door.
[00:09:29] You can see it.
[00:09:30] But once you go in, it's very hard to see me.
[00:09:32] And, you know, I sat there and filmed it for 40 seconds.
[00:09:35] And they had left that screen open.
[00:09:37] I walked over to talk to the guy.
[00:09:38] And I'm like, hey, somebody left their identity in this machine.
[00:09:40] They've got stuff up.
[00:09:41] Like, you should go lock it.
[00:09:42] I'm a security researcher.
[00:09:44] And the guy's like, it was me.
[00:09:45] Like, he was the guy in charge.
[00:09:47] And he was like all upbeat and someone would say something.
[00:09:49] Anyways.
[00:09:49] I have a badge.
[00:09:52] The other thing I would add to that that I think is kind of important is, like, you don't have to take your entire office with you when you go to an alt worksite.
[00:10:00] Yeah.
[00:10:01] And sometimes you see that, too.
[00:10:03] Like, I had to look in the airport.
[00:10:04] Oh, like, the whole app.
[00:10:04] Like, everybody's got the spread out sheets next to them and all the data folders sitting there.
[00:10:09] Right.
[00:10:10] I actually saw that on the airplane the other day.
[00:10:12] Like, they flipped out their binder and they had it sitting there.
[00:10:15] And I'm like, oh, my word.
[00:10:16] These guys are doing the accounting on the airplane.
[00:10:18] What would you want to see?
[00:10:19] So you need to see a business continuity plan, a physical security plan.
[00:10:22] And really what it needs to be is something that says people understand how to protect sensitive information when they're traveling.
[00:10:27] Do they do it?
[00:10:28] No.
[00:10:28] Quite evidently, they don't.
[00:10:29] I actually rarely find one where someone does.
[00:10:32] In fact, if I see a glowing laptop screen in an airport, I know I'm about to find an unlocked laptop.
[00:10:36] I would also say, though, in the number of times I've polled a group around having a business continuity plan or a physical security plan,
[00:10:43] I have never had someone say yes to a physical security plan.
[00:10:46] Agreed.
[00:10:47] So even if you write out something and start where you are, they need to cover these items.
[00:10:51] What do we need in a physical security plan?
[00:10:53] These items.
[00:10:54] These are the education content we're missing.
[00:10:57] We're quick to do, you know, like how a phishing simulation and make sure you don't click on the link.
[00:11:02] But we don't do this.
[00:11:03] So in your plan, you would need to address the following things.
[00:11:06] The first thing we've talked about is protecting sensitive information at alternate work sites.
[00:11:10] In your physical security plan, you would need the next one, which is ES3 that says restrict physical access to authorized personnel.
[00:11:17] Well, we have two concepts that have to play out here.
[00:11:20] Right, Chris?
[00:11:21] Yeah.
[00:11:21] We have them authorized personnel.
[00:11:23] We need to define who is authorized.
[00:11:24] And then we need to provide physical restrictions.
[00:11:27] Most people do this with what, Chris?
[00:11:28] How do people do physical restrictions in most companies, mine included?
[00:11:32] I mean, usually it's going to be a key.
[00:11:34] Yeah, key or a badge.
[00:11:35] Yeah.
[00:11:36] Right?
[00:11:36] Usually a badging system, you know, some type of a HID badge of some sort.
[00:11:43] But there's at least some sort of gated access.
[00:11:47] It's not just a, you know.
[00:11:49] And it could be a key, to your point, right?
[00:11:50] You could give employees a key.
[00:11:52] That is the most common method of you saying that.
[00:11:54] Here, you are now a supervisor at this organization.
[00:11:56] You have a key to access this.
[00:11:58] Or, Matt, you have no key to the cage because you keep taking equipment and not putting it on tickets and forgetting customers.
[00:12:04] That may have happened.
[00:12:05] Allegedly may have happened.
[00:12:06] Right.
[00:12:06] Allegedly.
[00:12:07] Unauthorized personnel for that cage at my organization.
[00:12:11] And I think that lends itself to the next one.
[00:12:14] So ES4 is design and apply physical security to prevent unauthorized access.
[00:12:20] Yeah, those are twins, right?
[00:12:22] Yeah, very much so.
[00:12:23] You can't restrict unless you have designed physical security to prevent.
[00:12:27] No, no, no.
[00:12:28] Not that this works.
[00:12:29] It'll work on the patio.
[00:12:30] It has a three and a half foot fence.
[00:12:32] No one's going to get in there.
[00:12:33] Matt promised he wouldn't go in the cage.
[00:12:34] Yeah, until he had that one mad customer who was just looking for that laptop.
[00:12:38] Yeah.
[00:12:39] And you don't realize that that laptop's not the one we ordered for that customer.
[00:12:42] Anyways, yeah.
[00:12:43] All right.
[00:12:43] So continuing on the same vein, ES5, design and apply physical protection against disasters and disruptions.
[00:12:51] So this is where we shift a little bit and say, hey, this is more than about protecting just from people.
[00:12:56] Yeah.
[00:12:59] It's weird, right?
[00:13:00] Because they talk about physical protection.
[00:13:04] Design and apply physical protection against disasters and disruptions.
[00:13:08] So in this case, you're in a tornado alley.
[00:13:10] That would be your tornado shelter.
[00:13:12] But when you talk about disruptions.
[00:13:14] Make it way easier.
[00:13:16] Man, we're making this way complicated.
[00:13:18] So yeah, tornado got it.
[00:13:19] But let's think about the janitor's closet is also the server room.
[00:13:23] Yeah.
[00:13:23] You know, my Dell, ES, PowerEdge, whatever it is.
[00:13:26] It sits right underneath the mop bucket.
[00:13:28] Oh, you're 100% right.
[00:13:29] So let's say we're talking about a server, an infrastructure or something that you're keeping, right, that needs to be on on-prem.
[00:13:35] And let's just say you maybe put that in a room where there's this standing pipe that you don't know why it's there.
[00:13:41] Right.
[00:13:42] Let's just say allegedly this might have happened in a career, a friend of mine named Matt, let's call him.
[00:13:47] And let's just say one day we went to a Chinese restaurant and my buddy, our service director, still service director for a massive now organization,
[00:13:56] may have had an inadvertent clogging of the toilet next to this room.
[00:14:01] And we learned what that stand pipe was actually made of and for.
[00:14:06] It was a pump pipe to raise the pressure up above to get it out to where the sewage was.
[00:14:12] It ruptured.
[00:14:15] That was a bad design.
[00:14:16] We were in there carrying with gloves, carrying servers out, running, trying to carry them out running.
[00:14:22] Without vomiting.
[00:14:23] It was so bad, bro.
[00:14:24] It was so bad.
[00:14:25] But that's exactly your point, right?
[00:14:27] When you're thinking about where I put sensitive or critical things, make sure that you're looking at the way they're designed.
[00:14:34] And we see this all the time, right?
[00:14:35] Another great example is an air conditioner that the servers are right underneath and it starts dripping, right?
[00:14:40] Like maybe one shouldn't have placed it underneath that.
[00:14:43] Like that's probably the discussion here.
[00:14:46] But it had the best airflow.
[00:14:48] Yeah.
[00:14:48] And I will say some of these controls change a lot depending on how much infrastructure you have, depending on how much sensitive information you have.
[00:14:58] The criticality of these safeguards for sure.
[00:15:01] Yeah.
[00:15:02] Yeah.
[00:15:02] And even the way they would be implemented would be the useful.
[00:15:06] Like if I don't have a room full of CUI, then I don't have a problem of restricting physical access to that room full of CUI.
[00:15:12] If I don't give network equipment access, I don't have network equipment.
[00:15:16] I'm doing, let's say, let's say you were in some world where I'm living maybe remotely and everybody works from, where are you sitting there, Chris?
[00:15:23] Where am I sitting?
[00:15:23] I'm at home office.
[00:15:26] Now imagine you start working on that.
[00:15:27] Like the way this functions and the level of things you're going to have there that you have to deal with in that physical site would be delineable.
[00:15:35] And that goes back to that alternate worksite conversation.
[00:15:37] As long as you're dealing with how that – anyways, getting off on a tangent.
[00:15:41] No, you're fine.
[00:15:42] I think this is important though.
[00:15:43] I think it's that reminder of like what is there.
[00:15:46] And I think to your point about CUI or not, remember now they've also added in the assets that are used to secure.
[00:15:53] And SPD, all those.
[00:15:54] Yeah, so like you can run into things like, well, that's where our ManageEngine box sits.
[00:15:59] Well, that ManageEngine box may not be the CUI.
[00:16:01] You're back to the infrastructure point that I mean.
[00:16:03] Exactly.
[00:16:04] That's where I'm getting at is I believe there is a direct correlation to the level of infrastructure one hosts as to the level of these physical security plans criticality other than the endpoint.
[00:16:14] That accesses those things.
[00:16:16] Well, and that lends us right again to the next one, which one could say they may be out of order.
[00:16:21] This is a physical design secure – or physical design safeguard ES6.
[00:16:25] Yeah.
[00:16:25] Design and apply procedures for working in secure areas.
[00:16:28] I see all this stupid way.
[00:16:29] Like I know there's ways you can interpret this of secure areas.
[00:16:32] Here's my secure area.
[00:16:33] But I'll give you a simple one.
[00:16:34] Don't turn your monitors towards the street in a building that's public next to a sidewalk.
[00:16:39] What?
[00:16:40] I swear, Chris, I know you might be blown away.
[00:16:42] This exists.
[00:16:43] I know this might blow your mind.
[00:16:44] But I took a picture in Boston, I think, the other day.
[00:16:48] I don't remember where it was, but it was somewhere.
[00:16:50] I've had somewhere.
[00:16:51] But what was funny is when I took the picture, the reflection of the glass, the camera picture wouldn't work.
[00:16:55] But my eyes looking through the glass could see everything on screen.
[00:16:58] Oh, no, I had a perfect one.
[00:16:59] It was so good.
[00:17:00] In fact, it was got hundreds of comments.
[00:17:02] People were teasing like, Matt, creeping in your bushes.
[00:17:04] Anyways, I was like, no, I was on the sidewalk.
[00:17:06] I was on the sidewalk.
[00:17:07] This was readily available.
[00:17:08] I was leaning up against the window to cool off of the shade.
[00:17:12] I was not.
[00:17:14] All right.
[00:17:15] But the point is, again, you have to have procedures as well for working in securities.
[00:17:20] And this does come to mind if you are handling stuff like ITAR or CUI or SPD, protecting those people, or anything that comes into secure or sensitive stuff that needs to be secured as secure areas.
[00:17:31] And it would be simply like, I don't know.
[00:17:35] Forget security, Matt.
[00:17:36] Forget security for a second.
[00:17:37] On what planet do you want the sun shining on your computer screens?
[00:17:41] Oh, we're back to that.
[00:17:42] Okay, we had to rewind.
[00:17:43] Okay.
[00:17:44] Yeah, you're not wrong.
[00:17:46] But maybe they have great E-levels or whatever it is.
[00:17:48] Maybe they have no sun coming through as much.
[00:17:51] That's right.
[00:17:52] I'm sure that's what it is.
[00:17:53] That's what it is.
[00:17:54] Spending so much money on the glass that they don't care about the data.
[00:17:57] That's right.
[00:17:57] They're like, long hair don't care, man.
[00:17:59] That's right.
[00:18:00] No.
[00:18:01] Okay.
[00:18:02] But the point is, if you have secure areas, and I had this example.
[00:18:05] We had a client that was an ITAR client.
[00:18:08] They basically did certifications for airplane parts, essentially was what it was.
[00:18:14] And so they were considered an ITAR client.
[00:18:16] And so they very much were, they had to put up signs that said ITAR area.
[00:18:23] Any person who worked on ITAR stuff, they had to define that.
[00:18:26] If you were in there, you had to have a certain badge on.
[00:18:28] If you did not, you were, right?
[00:18:29] They had process and procedure.
[00:18:31] It can be that simple.
[00:18:32] It's kind of like the no-fly zone, right?
[00:18:35] Yeah.
[00:18:35] If you cross this into the security.
[00:18:37] People get stuck in the engines in this line.
[00:18:39] This is what will happen to you.
[00:18:41] It's not spinning slow.
[00:18:43] That's just how fast it's going.
[00:18:44] It looks slow, right?
[00:18:46] Exactly.
[00:18:46] Right, right.
[00:18:47] All right.
[00:18:47] I think we've got some here that now start to see the shift.
[00:18:50] So ES8 is equipment, saying protect equipment against hazard and unauthorized access.
[00:18:56] This is kind of similar to what we just saw with ES7.
[00:19:00] Or sorry, ES6.
[00:19:02] We skipped one because there's out of order.
[00:19:06] But protecting equipment against hazard and unauthorized access.
[00:19:10] So anything, any people that aren't supposed to be there would be that unauthorized access.
[00:19:17] And then your hazards.
[00:19:18] We talked about that before.
[00:19:20] We've talked about that quite a bit.
[00:19:21] Like it's just kind of a reminder with a little bit different phrasing.
[00:19:26] That some of the safeguards that are in here are really rephrasing just to emphasize the importance of what it is that you're being asked to do.
[00:19:34] Well, it's the addition of the unauthorized access to the equipment.
[00:19:40] And that goes back to that story I told earlier of like prove to me you have an easement for this and show me what you're going to touch.
[00:19:46] I'm going to come look at it and we're going to make decisions whether you can touch that.
[00:19:49] I mean like it would be very much like protect against equipment, unauthorized access.
[00:19:55] Right now you think of that as that locked door with a five-digit code or something in front of the room.
[00:20:00] And that would be part of how one would say that.
[00:20:02] Hey, we have our to your point.
[00:20:03] We have this infrastructure box.
[00:20:05] We're hosting one site.
[00:20:06] This is the one place one could access that directly and physically.
[00:20:09] I need to protect that.
[00:20:10] I'm going to lock the door.
[00:20:11] I'm going to have a plan for how people access it.
[00:20:13] And from a hazards perspective, I'm going to make sure it's not underneath the air conditioning.
[00:20:16] I'm going to make sure that we have back to the earlier one disaster resilience.
[00:20:19] I have batteries.
[00:20:20] I have other things to that.
[00:20:21] So those are the things we get into.
[00:20:23] Again, back to my statement of if I didn't have that box.
[00:20:26] And it also comes down to somewhat pets and cattle too to some extent.
[00:20:29] But if I didn't have that box, I wouldn't care as much about the battery resilience for that because I'd pick my laptop up and go somewhere else.
[00:20:36] Sure.
[00:20:37] My point is there is a real correlation to the physical aspects of this shifting quite drastically if one does not have a traditional castle and moat mentality of things.
[00:20:46] So I think the next few safeguards that we're getting into, these are the ones that I think a lot of people sort of, well, it's not my responsibility.
[00:20:56] And maybe that's true, but I think it's still needed to have an understanding.
[00:20:59] And this one for me, ES7, delivery and loading zones, control and isolate if possible access points such as delivery and loading areas, entrance lobbies, and other points where unauthorized persons could enter the premises to avoid unauthorized access.
[00:21:14] Yeah.
[00:21:15] I like this one.
[00:21:16] If you don't have a loading dock and if you don't have a loading area of things to that neighbor, then all the rest of this, entrance lobbies, loading areas would be when the UPS guy opens your front door.
[00:21:28] Other points where unauthorized persons could enter the premise.
[00:21:30] Basically, they're saying it's a continuation of the earlier discussion that said control physical access.
[00:21:36] That's what this is.
[00:21:37] This is an extra statement of going, hey, do you ever think about that place where you can let UPS in?
[00:21:42] Like we had a place and a key fob that would let UPS in 24/7 to our building, into a tiny antechamber that was all they could drop it off in.
[00:21:51] And if somebody else piggybacked in, then they'd be stuck in a warm antechamber.
[00:21:56] Huzzah.
[00:21:56] Right.
[00:21:56] They might be able to steal my stuff, but only that stuff.
[00:21:59] And you just gave a great example of how to solve for the don't have a loading zone because I think about how many if you're having stuff delivered via Amazon, UPS, whatever it is, it's coming to your house, office, wherever it is.
[00:22:12] What controls do you have in place to ensure that it doesn't leave with the, you know, you know, porch bandits?
[00:22:20] I just get Mark Rober to build me one every now and again.
[00:22:24] Nice.
[00:22:24] Yes.
[00:22:26] For those of you that don't know, he's talking about the boom, you just got glittered.
[00:22:31] The glitter bomb.
[00:22:33] Okay.
[00:22:33] So, but really though, level one, we're just adding in ES7, we're just adding data to ES2, I believe it is.
[00:22:39] Correct.
[00:22:40] So next one is...
[00:22:42] ES9, protect equipment from power, communication, and gas disruptions.
[00:22:44] Power.
[00:22:45] We have basically, again, back to the sensitivity of what you're hosting.
[00:22:49] If you are hosting something here...
[00:22:51] Oh, I forgot the Zoom got my thumbs up.
[00:22:53] That's so funny.
[00:22:54] If you are hosting...
[00:22:55] What if I just do one finger?
[00:22:56] Are they going to give me a thumbs up here?
[00:22:57] I think that's called pointing.
[00:22:59] Does it detect this one?
[00:23:00] It doesn't seem...
[00:23:01] Oh, it does.
[00:23:01] It takes it down.
[00:23:02] It does.
[00:23:03] Yeah.
[00:23:03] Okay.
[00:23:03] Fair.
[00:23:04] So if I do that one...
[00:23:05] Okay.
[00:23:06] Protect equipment from power disruptions.
[00:23:09] Okay.
[00:23:09] So let's just take this sentence.
[00:23:10] Power disruptions.
[00:23:11] That's why you have battery backup.
[00:23:12] Right.
[00:23:13] That's why you might have redundant utility.
[00:23:14] That's why you might have a generator.
[00:23:16] Those are the things we're talking about here.
[00:23:17] Again, if you don't have a server you're hosting needs to be up, I don't know that I care.
[00:23:20] I just move alternate work sites.
[00:23:22] Right.
[00:23:22] The ES1 and ES2.
[00:23:23] Communications one is interesting.
[00:23:25] This gets into more than just like ISP type stuff.
[00:23:29] Okay.
[00:23:29] Go.
[00:23:30] Well, I would just think about like from a communication standpoint, if I have a utility
[00:23:34] disruption like this, how do I ensure that I have in place in my plan that you can get
[00:23:40] a hold of me?
[00:23:41] Yeah.
[00:23:41] Or I can get a hold of others.
[00:23:42] Right.
[00:23:43] Like I think that's something that we often overshadow with...
[00:23:46] Yeah.
[00:23:47] Well, I think a lot of that gets missed, right?
[00:23:48] Especially if you think about, let's say we were going to have what Russia's joking threat
[00:23:52] of cutting undersea cables, right?
[00:23:54] Sure.
[00:23:55] Let's say joking threat.
[00:23:56] I just said that to make myself feel better about it.
[00:23:58] But let's say that the undersea cables caused a global disruption in routing tables or something
[00:24:02] to that nature.
[00:24:03] And you had no internet communications and no cell phone communications.
[00:24:07] Like how are you going to communicate?
[00:24:09] Is it a cell?
[00:24:10] Do you have some kind of backup radio?
[00:24:12] Is it just hope and pray?
[00:24:13] Do we meet at a certain location?
[00:24:15] Like what is it coming?
[00:24:16] What comes out of that?
[00:24:17] But that's an extreme.
[00:24:18] It is, but it's not hard to come up with a solution for.
[00:24:22] Yeah.
[00:24:22] Yeah.
[00:24:23] Well, we actually had ham radios for ours.
[00:24:25] Yeah.
[00:24:26] We've done some fun stuff.
[00:24:28] In the audience now.
[00:24:28] The ham radios with the links and routers where you could actually call using Asterisk.
[00:24:33] All we have was...
[00:24:33] Oh, nice.
[00:24:34] All we had was a ham radio operator in each city.
[00:24:40] It just so happened we did.
[00:24:41] So we added it to our physical security plan of saying, hey, if this...
[00:24:45] And we didn't call it that at the time.
[00:24:46] But we just basically said if we were to lose in our DR and COOP, continuity of operations
[00:24:50] plan, it came after we lost our primary IDP.
[00:24:54] Gotcha.
[00:24:55] Microsoft was down.
[00:24:56] We were sitting there thinking as an organization, we couldn't use Zoom because Zoom was tied
[00:25:00] to our SSO.
[00:25:01] We came up with how we'd do our break glass out of that conversation.
[00:25:04] But we also realized like, what if it was just all down?
[00:25:08] Like what would we do to serve our customers, to serve our families, to serve our team members?
[00:25:13] And the answer was if we had a disaster or hurricane in Florida, then we would use a ham
[00:25:17] operator afterwards if we needed to, to communicate with that human and just confirm
[00:25:20] where they were.
[00:25:21] Anyways, way, way, way too deep in the weeds.
[00:25:23] Yes, 10.
[00:25:25] And then gas disruptions.
[00:25:27] We're at gas disruptions.
[00:25:28] You can tell me this was written for an enterprise running data centers without telling me this
[00:25:33] was written for an enterprise running data centers.
[00:25:35] Right, right.
[00:25:35] I digress.
[00:25:36] At least the beginning controls we came from.
[00:25:38] Yes.
[00:25:38] Protect power-wise and telecommunications cable.
[00:25:41] This comes into play, too, for you in that when you think about, well, what am I responsible
[00:25:46] for?
[00:25:47] You said before the show, Chris, that a lot of people say, well, I'm not responsible for
[00:25:49] that.
[00:25:50] What am I responsible for?
[00:25:51] The way they're hung, how they're structured.
[00:25:54] Do you have redundancy?
[00:25:55] Are they put in stupid places?
[00:25:57] Did you put them down where they might get tripped over or cut or in the way of stuff?
[00:26:01] Are you having to, like, it's protect, right?
[00:26:03] Like do the things you have to do to protect.
[00:26:05] It could be in your office.
[00:26:06] If you were a data center runner, it would be how they come into the building, the way
[00:26:09] they're dealt with, like those kind of things, right?
[00:26:11] Yeah, I've read someone trip on a data cable and snap that endpoint off in that switch port.
[00:26:16] Happens.
[00:26:17] It does.
[00:26:17] I mean, allegedly.
[00:26:18] I mean, those GBIC modules.
[00:26:21] Maintain equipment to make sure it's available and integritous.
[00:26:25] If you've ever had a client ask you, why do you need to blow out this computer or why
[00:26:28] are you taking the server down to do this physical maintenance and looking at this, that's
[00:26:31] one part of this in my mind.
[00:26:33] Right.
[00:26:33] But the other part of this is why would you inspect a physical host for something?
[00:26:37] Maybe because somebody would plug in something between the keyboard and the machine and steal
[00:26:41] all the keystrokes.
[00:26:42] Or maybe someone has put in some malicious tool in between that and the network cable.
[00:26:46] Like, just look at your stuff.
[00:26:47] Come on.
[00:26:48] We've all watched Hackers.
[00:26:50] When he puts the little modem underneath the desk.
[00:26:52] Done.
[00:26:53] Boom.
[00:26:53] Done.
[00:26:53] That's how it happens, actually.
[00:26:55] That's right.
[00:26:55] It's in verbatim.
[00:26:57] In fact, I have the same work belt.
[00:26:59] Yeah, it's the same.
[00:27:02] All right.
[00:27:02] 12.
[00:27:03] Prevent equipment, information, or software from being removed without prior authorization.
[00:27:07] This is a slam dunk, but it comes down to that means you have to ask what people are
[00:27:12] carrying.
[00:27:12] You have to look at what's carried.
[00:27:13] A great example is Deviant Ollam did one where they were talking about having to steal laptops.
[00:27:18] Instead of just stealing one laptop, they realized that would be inspected potentially
[00:27:22] if I came in and left with something as a guest.
[00:27:24] So instead, he put on a work uniform yet again, came in with a dolly, and took every laptop
[00:27:30] over lunch, and then walked out with it because it was so hyperbolic to say, hey, we're replacing
[00:27:34] all the laptops.
[00:27:34] New ones will be coming in from corporate this week.
[00:27:36] We'll get them back to you today.
[00:27:38] Promise.
[00:27:38] Okay.
[00:27:39] Thank you.
[00:27:40] That was it.
[00:27:40] Took all the laptops.
[00:27:42] That's awesome.
[00:27:43] This is so delicious.
[00:27:44] But this point is prevent equipment, information, or software being removed without prior authorization.
[00:27:49] You can get really broad and deep on how you might accomplish this, but really start simple
[00:27:53] of, we don't let employees keep equipment.
[00:27:55] We don't let people take equipment out of the building without it being documented and tied
[00:27:59] to a ticket.
[00:28:00] We double check to that.
[00:28:01] And then what physical controls do you have in place?
[00:28:03] Is your receptionist empowered to deal with that?
[00:28:05] Right.
[00:28:05] Is that something you're doing with cameras?
[00:28:07] Like, how are you doing that?
[00:28:08] If you see something, say something.
[00:28:10] Surprisingly, it's exactly what you just said.
[00:28:12] Yeah.
[00:28:13] Well, it goes back to your culture point.
[00:28:14] Okay.
[00:28:15] Okay.
[00:28:15] So secure assets taken off site, which means if you are going to take it off site, secure
[00:28:19] it.
[00:28:19] And there are a lot of safeguards we've already done to give you this data that you can
[00:28:22] track to, especially at the technical controls level.
[00:28:25] Like mine is encrypted.
[00:28:27] I have, right?
[00:28:28] From CIS.
[00:28:29] And that's why this is control 16.
[00:28:30] This is long past.
[00:28:32] Totally.
[00:28:32] Yeah.
[00:28:33] You would just need to codify those things into how one does so, how one tracks these
[00:28:38] things.
[00:28:38] That's what needs to happen in this case.
[00:28:40] So moving along.
[00:28:41] Oh, media to be reused or disposed should be sanitized.
[00:28:43] What do you mean?
[00:28:44] You have to have a way to dispose of securely data as called out earlier in CIS.
[00:28:49] Again, this is already kind of dealt with for you.
[00:28:51] It is.
[00:28:52] The cycle of when is it considered retired?
[00:28:56] When that sensitivity has lost the context of the user, it needs to be wiped and managed
[00:29:01] so that you can really use it if you are in the right way.
[00:29:03] I think this is interesting because we have a whole section on media disposal and media
[00:29:08] protection before you get to this control.
[00:29:10] However, this gets into really specifically stating the retirement of assets more than it's talking
[00:29:18] about portable media.
[00:29:20] Yeah.
[00:29:21] Yeah.
[00:29:21] Oh, yeah.
[00:29:21] This is a laptop, right?
[00:29:23] That's what this is.
[00:29:24] We're talking about a laptop that is about to be reused with Bill who does not have access
[00:29:29] to sensitive data or is about to be reused in the community who should not have access to
[00:29:33] sensitive data.
[00:29:34] Not your SanDisk flash drive.
[00:29:36] Well, and even that, if it were to be in that context.
[00:29:40] It's fair.
[00:29:40] It's fair.
[00:29:41] But we do address that, though, prior to this.
[00:29:44] I think this is more of like the retirement piece.
[00:29:49] Yeah.
[00:29:49] But it says reused or disposed of should be sanitized.
[00:29:54] And so it does recover that point.
[00:29:55] A lot of these are in, you know, like I say, sisters and controls, right?
[00:29:59] They're the same in some ways.
[00:30:01] Okay.
[00:30:02] Implement a clean desk policy.
[00:30:04] No, we're on the one.
[00:30:05] No, we're not that far yet.
[00:30:07] We need to do ensure that unattended equipment is protected.
[00:30:11] Funny enough, this one kind of irks me because, you know, I don't know if you noticed, but
[00:30:16] the Apple laptop device space no longer has the place to put the security chain on it.
[00:30:23] Like the bike lock.
[00:30:24] Like it's gone.
[00:30:26] Like, hey, no one wants to steal these.
[00:30:28] Was it called the Kensington lock?
[00:30:29] I think it was.
[00:30:29] Kensington lock.
[00:30:30] Yep.
[00:30:31] But that's kind of what this is talking about, right?
[00:30:34] Ensuring that the equipment can't just be removed because you're not present to say,
[00:30:37] hey, I don't know if you should be able to take this.
[00:30:39] You'll think like kiosks, right?
[00:30:40] Kiosks are things that come to mind for this.
[00:30:42] So have some way to show that.
[00:30:43] That could just be the way you physically enclosed it.
[00:30:45] Could be.
[00:30:46] Okay.
[00:30:47] All right.
[00:30:47] Now you can have your clean desk.
[00:30:48] Implement a clean desk.
[00:30:49] Like, come on, y'all.
[00:30:50] Number one, don't just leave sensitive crap laying around.
[00:30:53] You wouldn't do it at home.
[00:30:55] Like, imagine you're about to get caught for something you did that you shouldn't have
[00:30:58] done.
[00:30:59] That's how I want you to treat data when you have it.
[00:31:01] Don't just leave it in the trash can by your desk.
[00:31:04] Man, I left those bloody gloves right there on my desk.
[00:31:06] That'll be all right.
[00:31:07] Nobody will care.
[00:31:07] No.
[00:31:07] Them sumbitches getting hidden in a plastic bag.
[00:31:10] You put it in a backpack, right?
[00:31:11] Like, treat your data like that.
[00:31:13] That's all.
[00:31:13] And that's why you keep the backpack on or do you get rid of the backpack too?
[00:31:16] You try to get rid of the backpack very quickly.
[00:31:18] Okay.
[00:31:19] That's the way I would state this.
[00:31:20] Well, that took a very dark turn.
[00:31:23] I'm worried about you.
[00:31:28] I digress.
[00:31:31] But the point is, lock your laptop, lock your screens and keep data sensitive.
[00:31:35] And really, I mean, Chris, you were there and we'll wrap this up.
[00:31:38] But we were on a call.
[00:31:40] It was George.
[00:31:41] And George was showing his whole financials of all of his employees accidentally to try
[00:31:45] to show something on a screen.
[00:31:46] And I was so dumb.
[00:31:47] I just put my hands up to like cover my camera as if that would somehow help.
[00:31:50] But the point is, keep OPSEC.
[00:31:53] It's burning my eyes.
[00:31:55] Remember that you have sensitive data.
[00:31:57] And when you do, make sure you keep that OPSEC and don't show it.
[00:32:00] And sensitive data doesn't have to be sensitive in the context of financials or operations.
[00:32:05] Maybe it's a Slack message.
[00:32:07] And it's telling you.
[00:32:08] It could be like, so free.
[00:32:09] It could be data to users.
[00:32:10] Yeah.
[00:32:11] Yeah.
[00:32:11] Sorry.
[00:32:11] Yeah.
[00:32:12] Any number of things.
[00:32:13] All right.
[00:32:13] With that, this has been an episode of MSP 1337.
[00:32:16] Thanks and have a great week.