Cyber Security and NIST Frameworks: An Interview with Gary Rimar, CISSP

HAYSTACKID LLC’s CISO and resident cyber security expert Lee Neubecker, CISSP, MBA, recently sat down to chat with Gary Rimar, CISSP, about NIST Frameworks and how organizations can leverage existing materials to better protect themselves from threats. The transcript of this interview is below.

[Transcript]

Lee Neubecker: Hello, I’m here today with Gary Rimar, he’s here to talk a little bit about one of the NIST Frameworks, which can help you keep your organization safe. Gary is a CISSP, and it’s great to have you on the show. Can you tell me about the framework that you’re going to talk to us about today?

Gary Rimar: Well the framework I’m going to talk to you about today is NIST 800-53, and it is a security controls catalog. So if there’s a security control for whatever you’re going to need in an organization, it’s going to be in there. It’s something where your government actually did earn their keep because this is your tax dollars hard at work and it’s available publicly.

Most people, and this is one of the things that always bothers me, Lee, is that most people will go for these really exotic threats, and they’re real, they’re real. But there’s so many people out there who don’t even do the basics and the reason they don’t do the basics is because the company doesn’t want to invest in security. They tell their IT guy “okay you can do security, it’s okay, you don’t have to worry about it, I’ll accept the risk of you doing security” when the IT guy barely knows how to do computers.

What ends up happening is they don’t know anything about security, which is very deep and important and technical. When it comes to things like, how do you do access control, what can you do for access control – today at work one of the people – and I work with a security guy – we have something that, for whatever reason, they can’t do two-factor authentication, and two-factor authentication is definitely a better way to go, but they can’t.

So they said what mitigating factors are there that you can use to help us be able to do one-factor authentication and be less in danger. I looked through the catalog, and it’s I85, and there’s a bunch of different things you can do just to make it simpler and safer. They’ve done all of the imagination for us.

Neubecker: What would you say are the more important – if you had to pick the top three parts of this – what would you suggest companies start on first if they’re trying to implement this framework?

Rimar: Well first thing is planning, and that’s the ‘PL Family’ – if you don’t do planning, nothing works right because you have to have a basis for security. If the CEO and senior management are not on board, then when security says you need to do ‘x’ and operations says “we don’t feel like doing that,” if the CEO doesn’t say “no, I need to be secure, you need to do ‘x’” then you’re hosed. So that would be the planning family.

Second would probably be access control, which is actually 20 percent of all of it. You have several hundred controls, and access control is 20 percent of them.

Neubecker: Do you ever get the feeling that companies don’t really care about security, just want to ignore it and pretend like security is going to take care of itself?

Rimar: Well, I don’t know if that’s necessarily – that could be, I think it could be woeful ignorance, like what I don’t know is not going to hurt me, but obviously that’s not true. For example, with the Sony hack, with that one, they said I’m not going to spend $10 million to fix a $1 million problem, and that in itself makes sense because you don’t want to step on a dollar to pick up a dime.

However, it was a lot more than a $1 million threat that they were compromised on, and had they done it correctly, and had they taken security seriously, things would’ve been a lot better for them.

Neubecker: Gary, are there any portions that deal with some of the current vulnerabilities that deal with hardware and firmware that this could apply to?

Rimar: You know, yes. Because hardware and firmware are part of the information system. It would be in the SI family for sure. If I had to guess off the top of my head it would probably be SI-7, because if it’s the control I think it is, it deals with hardware, it deals with software and it deals with firmware, because if your firmware is corrupted, you’re done, you’re owned; if your hardware is corrupted, you’re done, you’re owned.

In fact, supply chain management is even a factor in NIST 800-53, I don’t have it exactly remembered which one it is, but it’s important. You have to have all of your systems protected from the beginning to the end and monitored and audited in the middle.

Neubecker: There was a notice last month from the NSA about Cisco routers being compromised and there aren’t fixes out yet. If that’s still accurate, it’s a concern, and one of the ways, using this framework, that IT professionals might use to fix this, would be to open up the routers, get inside, and dump the firmware off the microchips and compare that against the manufacturer-supplied hash values.
But, the problem I’m seeing with that is a lot of companies aren’t publishing the hash values for their firmware. They might do it for their software, but if you have a home consumer router, I’d be challenged to see how many home consumer routers have the manufacturer’s listing of the firmware version with hash, and really let you get in there and apply the software, because the ISPs are controlling that for the most part.

Rimar: Yeah, but you also have to recognize that you’re definitely going down a very valid but very deep rabbit hole. Just as an example, one time I was talking to this guy in 1999. I was living in the Detroit metropolitan area and I was at this coffee house and this guy who looked like Boss Hogg but tall said “everybody’s stupid, they’re buying Windows operating system and they should be building their own, they can use Linux!” And I looked at him and said “you’re an idiot.”

He replied “why would you say that?” and I said to him that “you have people who barely know how to find the on/off switch and you’re going to tell them they’re supposed to compile their own OS?” When you’re talking about the level of inspection, you probably need to have somebody do some appropriate professional vetting and that’s over the skill level of a significant number of professionals that you’re going to meet in the market.

I mean, you’re right, you’re totally right, but you’d probably need to get some people who eat and drink and breathe this stuff and real experts to do this.

I personally don’t choose to stick a thumb drive in a computer anymore. There’s no need to do it, and inside a USB chip – I’m thinking you know this, but not everyone knows this – is that inside there’s its own little operating system inside the USB. So if you have an 8 GB USB, a small one, used to be huge but now it’s considered to be a small one, there’s actually more chip behind it, it’s its own operating system, that’s firmware.

And, if it’s compromised, then, whatever you plug that into is owned.

Neubecker: There’s no cryptographic process that checks and validates that software is authentic on many devices, so it’s easy for nation-state malware to get into the chips. When WannaCry wreaked havoc on many hospitals, I saw that there was one out east that they said they replaced all of the hard drives and all their systems.

Rimar: Did they replace them with ones that went through appropriate supply chain risk management?

Neubecker: But even if they did replace all of the hard drives, if malware injected into the mouse, CD-ROM, printer, then that was a waste of time because those computers are going to be compromised again.

Rimar: You’re right about that, but this goes back to supply chain risk management. If you don’t know where you’re getting your stuff, you don’t know what you’re getting. And, what I did read, is that China has actually started making their own chips, for themselves, they don’t market them outside of their country.

Now, one can say that maybe that’s their motivation, that they don’t want to be infiltrated by another country? Or do they want to infiltrate their country, because of their politics? I don’t know, I can’t know. However, it might be a good thing for countries, at least as big as us and with such a big target on our backs, to start creating our own chips and our own designs in our own country where we can control the entire process from picking up the sand off the beach to handing you a laptop.

And, you’re right, it’s not just the hard drives and the laptops, it’s all of the peripherals.

Neubecker: Well, that’s the struggle because we want cheap, affordable products. But quality, cheap, doesn’t work. Actually, it was interesting to see that they brought Broadcom, it’s coming back to the U.S., and we’re seeing some of these key moves that the President is making in trying to get key industries back to protect from some of these compromises. You know with Apple, some of their chips are going to be made outside of China.
There are other things happening there. It’s a real concern, it’s one that the framework identified here can hopefully give companies an outline to have and go through to evaluate, and decide things like where are we, what have we worked on, and what do we need to do more work on.

Rimar: Yes, you know, back to our original topic of NIST 800-53, it’s in there. Supply chain risk management. And, when I was first starting in IT back in 2000, I knew enough about security to know I didn’t know enough about security, and I hired it out. And had I been availed of this book I would’ve probably been able to do a much better job, and I probably would’ve gotten into this career a lot sooner because this stuff is cool, but I didn’t know it then, now I know it.

Neubecker: Do you have any advice that you’d like to give our viewers as it relates to keeping themselves secure?

Rimar: Well, I used to joke about always practicing safe hex, but the one thing I don’t think people are doing, and this is way off topic, is even with all the concerns we’re talking about, they’re still getting owned because they’re surfing in places that are not safe, and there are a couple companies out there, I don’t know if you want me to say their names on your podcast, but at least one comes to mind where you can actually go ahead and surf through a virtual browser, it’s like Browser-as-a-Service.

So you log into their site and then they fire up an Ubuntu instance, and then fire up a Firefox browser behind it and the only thing that touches your computer is pixels. There’s no risk of JavaScript or anything.

Neubecker: I think that kind of sandboxing makes a lot of sense and I can almost see a point when the end-user desktop is basically just a sandbox that you wipe clean and start fresh.

Rimar: I have a former computer client who does legitimate research – he’s a psychologist – and he does legitimate research into pornography, believe it or not there is such a thing. And his computer at home, he has one computer, and he had his HIPAA data on there, and he’s surfing these kinds of websites, and it scared the heck out of me.

I set him up a Linux virtual machine on his computer so he could surf there and I could rebuild that and nothing could ever touch it – the only thing he could swap out was pixels. And when I found out about one of these services, I called him and said “Hey Marty, you should use this.”

So now he can continue to do his research and not put his client records at risk.

Neubecker: Well thank you for being here, happy to have you for the interview Gary.

Rimar: Thank you very much, I’m happy to have been here.