Convocourses Podcast CCI on STIGs to RMF NIST 800 (2020 May)

Full video. May 2020 was crazy.

https://www.youtube.com/watch?v=WnB2rdxQpwI&t=3s

 

Imagine cyber security and all our career paths being expanded into space as the space industry begins to expand. Imagine us having more opportunities in that. Industry. That's what we talk about a little bit on this podcast. We also go into details about CCIS. STIGs which is security, technical implementation guides and how those. 

Interact with risk management framework, 800 and CIS controls. Now, this is an older podcast. Um, that I did in 2020, but a lot of it is still relevant. Hope you enjoy  Test test audio, test audio test. All right. This is gonna be a short one. I think, welcome to convo courses. My name is Bruce, and, um, wanna start off by, um, addressing, you know, what's going on right now, as far as the coronavirus and stuff. Uh, but we're gonna dive into, we're gonna keep it, uh, to combo courses and cybersecurity stuff.

I know there's a lot of stuff, negative stuff happening right now. As far as the protests and, um, coronavirus, we're looking at a hundred thousand people, um, reported it as having died from coronavirus. We're looking at around the world, 6 million people infected millions, uh, million, at least in the us and all this stuff's going.

And I want to, first of all, I'll send condolences to, to, uh, the people who have passed away from the coronavirus and people are suffering with it now. And if, and if you happen to be out there protesting or anything like that, I mean, just man, stay safe. Um, and, uh, That's all I'll say about that. You know, it's is a pretty heavy subject and, uh, I don't normally address that kind of stuff on this channel, but I just want to address it and make sure every everybody's being mindful, stay safe out there.

You know, this coronavirus, stuff's still going on, take it serious. Um, at the very least try to protect other people. You know what I mean? Um, the people who are most vulnerable to this, to this. So, and that goes for, uh, our justice system too. Like, let's try to protect those who are vulnerable to, to the injustices and stuff like that.

Listen, let's jump right into it. There is positive stuff happening right now. And I wanna, uh, talk about that stuff. That's that's occurring right now. Namely, I don't know if you've been watching it, but the recent. Astronauts coming from a commercial aircraft, uh, commercial space vehicle flying all the way up to the international space station and then linking up with it.

And then this right here is, is really awesome because it opens up the private industry to start doing things like going to the moon, uh, or without the government. So that that's incredible bull. Uh, the reason why it's incredible for us, for it people, information system security people, especially is because that really expands our industry, the better the techno the technological field, the industries and technology do the, be the more opportunities for people like us, who are it?

People, people who are are nerds, you know, people who are geeks, it people, uh, we get more job opportunities. Um, Um, an increase of salary and, and the whole nine yards. So this is a really positive thing. And just to give you an idea of how positive this is, is that of, of, since I've been outta the military and actually in the military, I did some, some stuff for, uh, operations that are, that had to do with space.

But when I got out of the military, most of my jobs had to do with aerospace. Most of my jobs were with aerospace companies. So. It's a huge industry. And, um, and it needs, especially, it needs, uh, security compliance. Like they have to follow a very strict methodology. Right. And that's exactly what I do. And, and, and that's the stuff that I teach mostly, you know, and I, and I'll branch out to other things like certifications or more technical in the weeds type stuff.

But I just wanted to address, like the reason why this is such a positive. Is that the more commercialized, the more accessible space and aerospace low or, or orbits, or even on the moon or Mars, the, the bigger and larger that industry gets. The more mark my words, don't take my word for it. Just watch history.

Watch what happens as that, that industry expands and we are on the moon or we're on Mars, or we are on the wherever low earth or. They're gonna there more and more of these organizations are gonna crop up and more of them are gonna have to hire people like you and I, it people and security compliance people.

So that's, it's a super positive thing. I know my, my daughter had been up all night watching all the news about the, the protests and the riots and how in some cities it's going pretty bad. Uh, and she says, why are you watching this live feed of NASA? You know,  instead of don't, you know, what's going on. I said, Hey, you know,  this might give us a way to get off earth  and she says, yeah, you know, you have a good point about that.

so, I mean, if you, if you wanna be pessimistic about it, then this is, this is an optimist spin. Is that this is a way eventually, well, just leave. Like you don't like it here. You can just go somewhere else.  so, yeah, I just want to bring that up. It's it's um, something positive and, and that's why I see any kind of.

Of stuff about the, the expansion of us in the space humans and the space is a positive thing, cuz the industry is gonna grow and uh, the more the industry grows, the more opportunities there are for, for us, especially because it's, it's private, that's even more opportunities for us. All right. So somebody asking me a question and I wanna address that.

I don't wanna make this one too long, but one of the things I wanted to address.  and I'll get to questions after this. I got somebody who just jumped on Alice. How you doing? She says, uh, hi. Um, can I send you my resume and for you to look at, please, may I have your email? So here's my email address. Um, let me see if I can find my contact information.

Let's just, oh, I see what happened. All right. Gimme. There it is right there. There is my email address. That's the best way to contact me. Let, just move this down a little bit, move it, move it down. Boom. Best way to contact me is right here. If you happen to be, have, uh, purchased one of my courses, then, um, I will definitely help you directly.

That's one of the perks of Purchas purchasing it directly from combo courses.com is that I will help.  um, I don't have any kind of consulting or side things going on right now. I'm pretty new to this thing. So I, I haven't gotten into paid consulting or anything like that. So you have the benefit of catching me early when I'm doing it a lot, some stuff for free.

So yeah, you can send me your, your resume, particularly if you've bought one of my, uh, courses, uh, on combo courses.com. If you've done that, please send me your resume. I will check it. I sometimes I'll even rearrange it for you. I'll just make suggestions on the resume to say, here's what you should do. You know, here's some key words you should consider and things like that.

But if you're interested here, let me, let me just show you guys something real quick. I think this is a really good course, um, that I'm, that I made a while ago and I was super excited about it, cuz this concept is something that's really helped me out over the years. Here's my here's combo courses right here and I've, I've got many D.

stuff like how to get in from scratch from cybersecurity, um, and how to do risk management framework. I've got free stuff here. Uh, but the one that, that Alice is asking me about is this one right here, resume marketing. This one I'm excited about because this, the techniques that I use here is exactly what has made me, uh, be able to constantly.

Position, uh, positions and constantly get opportunities. And I still, even during the pandemic, even during an economic downturn, such as the one we're in now, and even in 2008, I was still continuously getting opportunities because of this, these techniques that I use here. So if you're considering getting into this and you want me to directly look at your resume, go ahead and check out the resume marketing for cyber security.

And it, I don't just talk about cyber security. And it can also apply to you if you're in, in different industry, really, it can apply to anyone cuz the techniques absolutely work. And if you want an idea of what I'm talking about, it's building a profile it's researching, it's finding key, creating the resume.

I walk you through all this stuff. And then I walk you through how, what tools I use online from career jet monster. And I also have something on interviewing and also. Uh, I will be adding more stuff to there that just like with all my courses, I add continuously add as, uh, as I find new things out or something comes up and I, and this is a, it is a really good thing for the course.

I'll add it to, to that course or, or, or any relevant course that I'm talking about. So go ahead and check that out. And, uh, let's get into control correlation identifier. Somebody's been asking me about. , this is the reason I have not talked about it because this is kind of, uh, this one is a bit of a, this one's very specific to D department of defense and dissa.

So, um, that's why it's kind of it's it's, it's it's out there. So, I mean, it's very specific, but what is it? Let's just talk about what this is real quick. Let me just get rid of this information here.  give me a second and now we'll be addressing questions after this, by the way. So just keep the questions coming in the, in the, um, chat and I will I'll get, get to that.

All right. So a CCI or a control correlation identifier provides a standard identifier and description for each of the singular actionable statements. That comprise and information assurance, IA control or IA practice. IA is just another word for security control. That's what the department of defense calls it.

CCI or control. Correlation identifier bridges the gap between high level policy expression and low level technical implementation. All right. I can explain this and there's, there's a lot more here that it talks about here, but I can explain it in clear terms of what it means, what the CCI does is a code that identifies specific tasks that you have to do on Lennox systems on windows systems on servers, on database.

Very specific things you do on each one of these operating systems and it links these specific actions that you have to do to a risk management framework control, uh, to a security control. So I'll give you a specific, I'm gonna show you first off. Let me tell you what it is. And then I'm gonna show you, uh, in greater detail what it is.

And, uh, I don't know how deep we'll go, but it'll, it should be very. What a CCI is when we're done. All right. So first off a specific example would be audit controls, like let's say on you're on a windows 2010 workstation, and you have been tasked to turn, turn on auditing on that system. Meaning event logs.

It's gonna collect event logs for whenever somebody MIS authenticates, they, they type in their password wrong and it pops up as a Nope. This is not your. It will send an event, it'll record an event on the system and that's the control that we have to turn on. Right? Well, CCI would be assigned a specific number, like say CCI 0, 0 6 dash 5 53 or whatever that specific tag.

Uh, we'll be identifying a, a re a specific action, which is turning on audit logs and that specific action ties to AU control one and AU control dash two. So now that might not make any sense if you've never done this before, but I'm going to show you, uh, a more specific example, couple examples.  um, let me, let me see if I can bring something up here.

Got a couple of examples that I was just looking at. So bear with me. So this is stuff I downloaded from the site. If you wanna learn more, I just, I am on cyber dot mill slash STIGs slash CCI. That's where I'm at right here. So if you wanna just Google it, you can just Google. CCI STS. And you'll, you'll find this, right?

So this is I'm on the dis is one of diss sites. That's why I'm I am. And I downloaded some of the stuff from here, which is, is not very helpful, to be honest with you. It's not very helpful. Um, uh, right now I'm looking for some examples that I actually had prepped. So just bear with me, give me a second and I will show you what I am talking about.

Okay. Here's one of them. So this is, this is.  um, this is

a system that, uh, had a STIG viewer ran on it. And what I wanna show you here, the relevant portion is this right here. This is a CCI. This right here. Can you, can you guys see that? Let me make sure you can see that. Okay. Yeah, you can see it. I made it bigger. CCI 0 0 1 8 1 2. And what is that? Right? What's the re the reference tells us here, it's referring to a specific event that the STIG viewer and okay.

Context, a STIG is a security, technical implementation guide. What it does is it walks you through all the individual things that you have to do to secure a system. The department of defense, along with some other departments within the federal government and even some state organizations, they have this breakdown of everything that you need for best practice to secure a system, whether it's turn on audit logs, making sure you have multifactor authentication, making sure it's in a secure area and physical has certain physical security making sure it has a policy making sure, uh, you have GPOs turned on and you.

You have control over your shared files, networking file protocols, making sure you have certain encryption turned on and or updated though. Each one of those things and there's that mil, thousands and thousands of others, maybe millions of others that are individual tasks on windows, on red hat, on every operating system.

You can think. It has security controls. Right? And so what this department of defense does is they create these STIGs security, technical implementation guides that breaks down all the task and they made it so that it's, they made it easier for you to make like a, you can make a script that automatically goes through and fixes all that stuff for you.

And they actually have some scripts that you can use to actually fix that stuff automatically. But this is a you're looking. Some stuff from an actual STIG. And it's the rule title. The thing that it's trying to fix is on a windows, 10 guy, uh, system, and it's for a windows installer will always install with elevated privileges.

This must be disabled. So by default, a window system will automatically elevate privilege.  to, uh, to, they're trying to make it easier, more user friendly whenever you, uh, install something. So it just automatically gives elevated privileges. But the problem is that's an that's something that can be exploited.

So the rule that the stick came up with best practice is to turn this off. So when you turn, when you turn the system on you installing it, it, you gotta go in there and turn it off. Okay. So discussion standard user accounts must not be granted elevated privileges. Because, and the reason for that is you want least privilege that what that means is, um, AC I'm not gonna remember C five.

I think it is it's either AC five or C six. And I don't, I don't remember which one it is, but it's the standard of least privilege. Meaning you, you only give users. Standard users, privileged users, operational users. You only give users what they need to do their job. You don't give them anymore. So windows by default and even Lennox does this will give extra privileges that you don't necessarily need for this specific environment.

Now, there may be instances where you, you can give more privileges. It just depends on the environment, but let's dive back into this. It says the standard user. Must not be granted elevated privileges, enable windows installer to elevate privileges. When installing applications can allow malicious persons or threat actors and applications to gain full control of the system.

So if this thing is turned on, somebody with mal with malicious intent might exploit it by, by granting, elevating their own privilege. Right. So we have to disable this thing. That's what they're telling us. And then they tell us specifically how to do it, where to go in the actual system to disable, always install elevated privileges.

And it's telling us to go to computer configuration, administrative F uh, template, windows, component, windows, installer, and then disable, always install with elevated privileges. And I hope that makes sense this right here, what everything I just read is a CCI. All right now, let's talk about how CCIS this specific task on a specific system links to N um, N uh, 800, uh, security compliance controls.

All right, here it is right here. This reference explains it. So at first of all, it has a, it's a, has a, a unique identifier. Every single CCI has a unique identifier. In this case, a CCI 0 0 1 8 1. And what is it telling like in one sentences explains what it is. The information system, prohibits user installation of software without explicit privileges, uh, privileged status.

That's what it does. And it links to, and the references, it tells you it links to this nest 853 rev four is going to rev five soon, cm, 11.  so cm is, is dealing with configuration management. Configuration management is dealing with, does our organization control? Does the security posture of our, of our or environment in layman's terms, in layman's terms?

What I'm saying is a cm control is having a inventory of everything that's on your network. Like for example, in your own.  you know, you already know you got three computers, right? Your kid has a computer. Everybody has a cell phone and you have a router down in the basement. That's it? Right. If you suddenly were doing a scan on your network and you saw 15 other systems on your network, that would give you grounds to freak the hell out.

Right.  cause that you don't know what's going on. So in the same way, an organization needs to know everything that's going on on their environment. They need to know what networking devices are on their network, all the nodes, what their IPS are, what systems they have, what vulnerabilities they have. They need to know all the software that's in their environment.

Right. They need to know if there's wireless, if there's other connections coming into their. They need to know everything that's going on with their network. And that's where a cm control comes in. So cm is controlling your environment. That's all it is configuration management, managing my configuration of my organization's systems because we have very important stuff going on.

That's that's cm. And so they're saying that this CCI links to this cm 11. So if we go down the. Let me see if there's anything I else I can show. Okay. Here's here's what I'm gonna do. I'm gonna actually bring up a STIG. This is a STIG viewer right here. This is an application you can download for free. Go to DISA a DISA dot mail, uh, or just Google a St.

Viewer. And this is a automated it, it's basically a little app that will grab all of the security, uh, CCI. Everything you're supposed to do on a window system or on a Linnux system or a red hat, whatever system and says, okay, have you done these things? Right? So that's what we're looking at here. So I've already taken Liberty to downloading a windows 10, uh, security St.

And one of these days I'm gonna make a whole course outta how to, how to do this. This is something I've been doing a long time, so I know, I definitely know how to do it. So here we. Um, and I can explain, break all this stuff down. It's it's pretty involved, um, special if you're going through all these. So this right here, what you're looking at is windows.

Um, okay. This is not showing me, us everything. So I'm gonna make this a little smaller so you can see everything going on here. There you go. Hopefully that's clear to you. That's okay. There we go. Right there. So right here, we're looking at window. The last one I showed to you was an, was a screenshot. This is an actual STIG that I pulled down.

Um, not from a client of mine or anything like that.  would not show that. So here's, so we're clear. This is just a random STIG that I downloaded from this dot mail. And then that's what we're looking at. This is generic. So, uh, what I wanna show you is. This first CCI, this is CCI 0 0 0. Here's where I'm getting the number from right here.

If you could see my cursor where my curse was pointing, right, right there.  is CCI 0 0 0 360 6. Organization implements the security configuration. And what is it linked to? There's a few of them cm, six cm, uh, six do one, uh, and, uh, cm, six B what are we doing? What we're doing is looking at the domain. Joined systems.

Must use windows 10, uh, enterprise edition, 64 version.  and it goes in a deeper discussion on what, what they're wanting want, what they're wanting as far as how to meet this particular, uh, STIG control and each one of these, the way they break it down. So, okay. Let's, let's do a little bit of a tour here.

There's a couple of numbers here that, that I think you should know. So let's look at this one right here. This vulnerability, I. Vulnerability ID identifies each individual potential weakness of a system. It's saying that specifically the weakness, uh, on this system is this is X, right? And, and the rule name is attached to a w N windows 10 dash.

right. And each, each one of these vulnerability IDs attached to a specific weakness that has been detect that, um, that needs to be addressed. Right. And so you can manually go through each one of these. So one of the things that you can do as an information system, security officer, one great tool you can use better than nothing is to run this stool, this run, this STIG viewer and have your system.

By your side, right? You have your system right here. You have your system here and you're looking at each individual item manually going through one by one by one to fix everything on your system. Another thing you can do is, is run a, a script that fixes all these things automatically. Right. And, and I believe there's tools.

I, I wanna say that there's, there's something called, um, uh, SCC or. Checker software that, that, uh, you can get from department of defense, that, that has something that will fix it. It'll scan your system. You, you load it on your, the affected system. Uh, and then you scan it'll scan and, and see what STS, what individual CCIS, what vulnerability IDs are not being met on your system.

And then you would go through manually and fix every, all those items. Now. There's a couple of different things here. How does this help you? Um, as an information system, security officer, if you don't happen to be actually installing these things, how it helps you is that if you have the report from this thing, you'll be able to know, okay.

When they did a scan, they found, let me just find that whole different CCI here, that we can talk about something that.

So let's say you're only doing documentation. You can take something like this, this scan, and you could, uh, this would be like an artifact or a bit of evidence stating that this rule has been met. And how's the rule been met, you could say, right, right in here. It says, uh, that first of all, it is a windows ink workspace.

Consider. Uh, uh, sorry. Uh, workstation ink works, windows, ink, workspace configured, but disallowed access, uh, above the lock. And it tells us how to secure it. Securing windows ink with, uh, which contains application and features oriented towards, uh, the pin towards pin comput. I, I have no idea what this is.  I have no idea.

I have no idea what this is. This is some oh, pin, like the pin you E enter into the system. Okay. Okay. Okay. I'm just making more sense to me. So this is showing us how the scan, how, where it would be scanned at, like, what value is would you be looking for? So it's saying that you would go into the registry back into the system and then.

If this was turned on, and if you're doing a scan, it would check for this item in the registry keys. That's what it's saying. That's how I'm understanding it. And it's saying the fix action is disable the convenience pin, uh, sign in. So we don't want you to be able to sign in with a pin because that's too easy to exploit.

So here's how we fix that. That's that's what they're saying here. And it breaks it down exactly how you actually fix it. So. If you were doing the documentation for this, there's a couple things you could do. You could use this to explain what the weakness is. Let's say your organization didn't do it. You could use this to break down where we are not meeting specifically how, uh, what's going on.

Or if you wanted to prove that it, that it's been fixed, you could go through and do a screenshot of what, of, of this feature, or if you were doing a.  you could run a scan and say, look, here it is right here. The windows 10 CC 0 0 0 3, 8 85 has been met. And that covers, uh, cm seven right there, CCM seven. So, and you could do that on many of these different items here that we have here and.

go from, they run the gamut from going this one, C, C uh, S I 16, you got some AC IA controls, you got different controls. So it's telling you here in the CC, uh, in this reference where these map to each one of the security controls, and that's why super helpful you as an information security officer. If you happen to be one you're looking for, how can I.

These security controls. How can, how does our organization meet this particular security control? So this is just one way. If you happen to have a window system or a Linux or whatever it is, right? Cause they have, they have these for every kind of system. All the main systems are, are, are covered by the STS.

You can use this information to figure out if you guys are meeting this particular control or if you're not meeting control and how to. So I hope that that makes sense. Um, I kind of, I feel like we, we kind of went overboard with it, but at, at some point, what I would like to do is actually take a system and secure the system, using the STIGs using the SCC tools and everything, but that'll be a whole course cuz that, that all that stuff takes a bit of time and set up and all that kind of stuff.

I'm actually setting up some stuff on the back end here, but um, it's gonna take me a while to set all that stuff up.  if there's any questions we can address those, but while you guys are coming up with questions, I would like to show you something else real quick. Uh, another very useful thing with ma with having a matrix or having these individual vulnerability IDs and CC eyes and all these things, or how they all come together is beautiful because there's something else where these same control.

Map to, um, a more commercialized version of controls, which is CIS benchmark controls. These controls are used by a lot of private industry stuff, private industries, some banks, and some other industries actually use these controls rather than the nest controls.