DATA SECURITY PODCAST
In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, Robert E. Johnson III, Cimcor CEO/President, discusses the latest views on verifying "Trust", and why "Trust But Verify" is important in today's cybersecurity climate. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Robert great to speak with you again on the show, welcome back!
A: Hillarie, great to be back on your show.
Q: So, Robert, we are all hearing "Trust, But Verify," and I think people are wondering what the idea behind this is. What on earth does this actually mean?
A: Yes, I know more and more folks have asked me that. I've been using that term quite a bit in terms of cybersecurity, and here's why. Back during the Cold War, the US and Russia entered into this agreement that banned land-based, short-range, and intermediate-range missiles that could carry nuclear weapons. And, at the time, that was a major step toward nuclear disarmament. Ronald Reagan was once asked about this treaty and his relationship with Mikhail Gorbachev, how this treaty was being monitored, and what his thoughts were about its effectiveness.
And at the time, Ronald Reagan responded, "Well, we're going to trust, but verify." And he said that over and over again. In fact, one time Gorbachev told him, "Why do you keep saying the same thing over and over again?", referring to "Trust, But Verify."
I think the same philosophy applies to our IT infrastructure, our networks, and all of our IT assets. You know, they run our businesses, they manage our transactions, they hold our critical information, and we depend on these systems nowadays. We don't really have optional systems; you don't have an optional accounting system, or human resource system, or e-commerce system. These are the heart of our businesses. We depend on them.
So I believe that we all need to move toward the approach of, you know, yes, trusting these systems, but verifying them. The real question is how do we verify these systems, how do we do both, how do we trust, but verify? I think that we can accomplish it in two ways. The first is monitoring those systems to ensure that they are in a state of integrity, which also means ensuring that executable files and config files haven't been altered in any way. The second way of verifying is ensuring that all of those systems that run our business are in a hardened state, and verifying that on a continuous basis.
Q: Okay, so, things being in a hardened state, I guess. Can you elaborate more on system hardening and what that truly means?
A: Sure. So, system hardening is the process of configuring a system or IT asset in a manner that reduces the overall threat profile of that system or set of systems. This process usually involves using a set of guidelines, and there are a couple of common hardening standards or guidelines: CIS Benchmarks, and another is DISA STIGs. Security professionals will use these hardening guidelines as guidance to make the configuration changes and other changes to the systems to ensure they're configured with a strong security posture and a strongly secured configuration state, based on best practices.
Q: And so, why is it important to continuously monitor your hardened systems?
A: Well, I think because that's one of the biggest steps that folks forget. You know, once you have all of your systems configured into a hardened state, it's really important that they stay that way. For instance, say a system was hardened about a month ago into a strong, securely configured baseline, and a month later it is altered in some way, say in a way that allows unsafe passwords to be used or that opens up additional ports. That system would no longer be in a hardened state and would be vulnerable to new potential risks.
So if you didn't know about that, that's a real problem. So it's important, and critical actually, to monitor all of your hardened systems to ensure that there has not been any drift from that hardened and trusted state.
So yes, what I'm saying is that you must trust, but verify. And it doesn't have to be a very difficult process. For instance, our tool, the CimTrak Integrity Suite, can automate much of the process. It can help ensure that your systems are in a state of integrity, and it can help ensure that you continuously monitor these systems and monitor whether they're in a hardened state. And if there is any type of unexpected deviation from the state of integrity or from the hardened state, our software can automatically notify your security engineer. So we make it easy for any enterprise to trust but verify all the important assets on their network.
Q: Excellent. Well, as always, Robert, thank you for coming on the show, thank you for a really important history lesson, or a refresher for anyone who may have forgotten, and for such great solutions.
A: Great being with you, and I appreciate always being invited on the show.
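As an added illustration of the two checks Johnson describes above (integrity of executables and config files, and drift from a hardened baseline), here is a small Python example. It is not code from Cimcor or CimTrak, and it is not a full benchmark: the file layout, the binary contents and the three sshd_config settings it treats as "hardened" are constructed, illustrative assumptions. It records a SHA-256 baseline over a directory tree, parses an sshd_config-style file (honouring the first occurrence of a keyword, as sshd does), and then reports both kinds of drift after a simulated tampering.

```python
"""Minimal 'trust, but verify' check: a SHA-256 integrity baseline over
executables/config files plus a hardened-configuration check that flags drift.

Added example; not CimTrak code. File names, contents and the hardening
rules below are illustrative assumptions, not a real benchmark.
"""
import hashlib
import tempfile
from pathlib import Path

# Hardened settings we expect to hold. Illustrative, modelled on common
# sshd recommendations; a real check would load a full CIS/STIG profile.
HARDENED_SSHD = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record a hash for every regular file under root: the trusted state."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def integrity_drift(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree to the baseline; report modified, added, removed files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective keyword/value pairs of an sshd_config-style file.

    sshd uses the first value it sees for a keyword, so later duplicates
    (a common way to sneak in a weaker setting) are deliberately ignored here.
    """
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings


def hardening_drift(text: str, expected: dict[str, str] = HARDENED_SSHD) -> list[str]:
    """List every hardened setting that no longer matches the expectation."""
    actual = parse_sshd_config(text)
    return [f"{k}: expected {v!r}, found {actual.get(k, '<unset>')!r}"
            for k, v in expected.items() if actual.get(k) != v]


def demo() -> dict:
    """Build a hardened tree, baseline it, then introduce drift. Constructed data."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        sshd = root / "etc" / "sshd_config"
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\n")
        (root / "bin" / "app").write_bytes(b"\x7fELF original binary\n")

        baseline = build_baseline(root)            # trusted, hardened state
        assert hardening_drift(sshd.read_text()) == []

        # Drift: password auth re-enabled, the binary swapped, a new file dropped.
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication yes\nX11Forwarding no\n")
        (root / "bin" / "app").write_bytes(b"\x7fELF tampered binary\n")
        (root / "bin" / "dropper").write_bytes(b"new unexpected file")

        return {"integrity": integrity_drift(root, baseline),
                "hardening": hardening_drift(sshd.read_text())}


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be signed and stored off the monitored host, and the two checks would run on a schedule or on file-change events rather than once; the point here is only that "verify" means comparing the live state to a recorded trusted state, for both content hashes and configuration values.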
May 18, 2021