Data Security Podcast
In a recent interview with Cybercrime Magazine's Editor-in-Chief, Steve Morgan, Robert E. Johnson III, Cimcor CEO/President, discusses the best practices and frameworks.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is Cimcor's President and CEO, Robert E. Johnson III. Robert has been a pioneer in the development of next-gen system integrity monitoring, self-healing systems, and cybersecurity software. Rob, great to have you back with us again.
A: Great to be back, Steve.
Q: So I want to jump right in today and talk to you about best practices and frameworks, since you're one of the top people in the industry on this topic. You have to tell me, with so many best practices and security frameworks, we read about them, you know, in so many different places. CSOs are asking themselves, "Where should I start, and why does one provide a better structure than another?"
A: Right, well you know, I get that question a lot and the real answer, Steve, is that there isn't a silver bullet. There's not one framework that kind of fits the needs of everyone. Every organization is unique and they all have their own set of regulatory and compliance requirements. So really, the right answer is dependent on the industry that you're in so you really have to assess what's out there and then select that framework that makes the most sense for your organization.
Now, am I biased towards things? Yes, I have some biases. I am more biased toward frameworks that are more specific. Frameworks that provide security professionals with little guidance on exactly what we need to do, so that you know you aren't forgetting steps. A good example of a framework that provides that level of specificity is the CIS Controls framework, especially when you combine it with CIS Benchmarks. I mean, that provides security professionals with a lot of strong, actionable information and guidance in this framework. And I think it makes it easier for folks to understand exactly what they need to do, and also audit where they are in this compliance and framework implementation continuum. But, ultimately, you have to pick the framework that works for you.
I would say, regardless of the framework that you select, you need to find a way to measure where you stand from a level of compliance with that framework, and you need to identify the frequency at which you're going to measure yourself. And you also want to look for trends, you know? Are you compliant today, and if you check again in a week, are you at the same level of compliance? Or has that dropped over time, or this past week? Or increased? So, you need to measure that over time and continuously measure where you stand in terms of the implementation of that framework. We're working on creating tools to help you do that with our product, CimTrak, but there are a variety of methods that you can implement. A lot of them are manual, to assess where you stand, and I recommend doing it as frequently as you can.
Q: So, Robert, for our listeners who don't have a lot of experience with this, or maybe you know, for the first time they're thinking seriously about CIS. Can you give us one example of a CIS benchmark?
A: Sure, sure. So, you have CIS Controls, and that's a framework, and you have CIS Benchmarks, so I'll describe both. So, CIS Controls is the security framework, and they define 20 key controls that, when implemented, improve the security posture of your organization. So those controls are broken into three core areas: basic, foundational, and organizational. So, for those basic controls, they include items such as inventory of your hardware assets, inventory of what software is running on those assets, performing continuous vulnerability management, and ensuring that you have a handle on administrator privileges. So those are the kind of items that are listed in CIS Controls. And they go on to even things like ensuring that you have an incident response system or ensuring that you're performing security training. It's that general framework.
Now, what's interesting about CIS Controls is, they also have their sister product, CIS Benchmarks. Now what that does, those CIS Benchmarks, are a bunch of recommendations for how systems should be configured in order to ensure that they're in a hardened state. So CIS Controls is generic and applies to everything. CIS Benchmarks are very specific, and they apply to a particular operating system. For instance, you may say, let's assess this particular system, this Windows 10 system, against the Windows 10 CIS Benchmark. And in that scenario, there are perhaps 300, 400 configuration items that will be checked to make sure that that Windows 10 system is configured in a hardened state, and really the CIS Benchmarks recommend the best practices from a hardening perspective. And those benchmarks are for Windows and Linux and CentOS and Red Hat, databases, different network devices. So, it's a really great way for security professionals to really drill in, go deep, and, without having to understand every single little parameter or configuration item, actually configure those systems in a secure state and harden them. So, I think that this is a shortcut to make sure that you are actually in the best security posture that you can be, based upon a consensus and good practices.
Q: Well, that was great, Robert. I'm glad I asked, and you shared that for anyone listening. You can go off and learn more at Cimcor.com/CimTrak; they've got a lot of great information published, specifically on CIS Controls and Benchmarks. Robert, great having you today.
A: Love being on with you, Steve. Can't wait to catch up with you next time.
March 31, 2022