SMT007 Magazine

SMT007-June2020

Issue link: https://iconnect007.uberflip.com/i/1253723


Dan Feinberg: Let's say your internal security is secure. I had a situation with a client where their internal security was totally locked down, and they talked to me about a patent that they were going to apply for. They said, "We have a nondisclosure agreement with you, so this is under that." But I thought, "How do they know that my setup is secure?" because we were talking through Zoom.

Landeck: That's a great question. That's where the SOC audits come in. There's a concept in security called third-vendor risk management. Nowadays, no one company is alone. Companies depend on other companies for supply chains, maintenance, or staff augmentation—even janitorial. The question you're raising is, "How do I know that?" For the most part, it's your SOC audit. If you were to come to my company and say, "We want to do business with you," part of your contract may very well be that we're required to give you a SOC audit report each year. That's very common.

There's a concept called a zero-day vulnerability. What that means is that it's a weakness in a device or piece of software that can be exploited that no one knows about yet. You can secure it in every way you know how, and the industry will come in and say, "You've done everything possible." There's still the concept of the zero-day that's exploited all the time; it's essentially a backdoor that can be hacked through. You may have passed your SOC audit. However, they may disclose to you on Zoom something that you're not comfortable knowing because it's so valuable, and your computer may have a zero-day.

Feinberg: You mentioned VPNs. One of the big weaknesses of a VPN that I've seen over the years is that they're slow. I understand that some companies have come out with a new VPN that's supposed to give about 95% of your normal speed. Have you heard anything about them, or do you have any information on what they've done that's different?

Landeck: What you're talking about is a chokepoint. With your network, there are two things. There's a number we call "hops away," which refers to distance. Nowadays, that's almost not an issue. Then, there's the bandwidth, which go back to my analogy, if I'm in your network as Mike Landeck, you know I live in Sacramento and am in the Pacific Time zone. I work Monday through Friday during regular business hours. If someone using Mike Landeck's account logs in from Eastern Europe on a Friday at 3:00 a.m. and accesses source code that I shouldn't see, that should trigger an event somewhere in your network. There's lots of logging going on, and in a solid program, there will be some kind of alert that says, "This looks suspicious and needs to be looked into." Now, you may look into it and find out I was in Eastern Europe on vacation, and the login event was legitimate because the CEO called me with an emergency. But the important thing is to have someone see it and respond. The last part of that cycle is if you have someone in your network who's not Mike Landeck, how do you cut them off? How do you block me from being there? How do you see what I did to know what happened, and how do you make sure it doesn't happen again? How do you learn from it?

Johnson: Is there an audit process that a company should go through to make sure that they don't have any gaps?

Landeck: Yes. Most companies are regulated by different organizations or different bodies. For example, if I'm processing credit cards, the payment card industry (PCI) requires a very specific type of audit to happen once a year. The people that do that audit are certified in that area. If you work in healthcare, for example, you have your certain various HIPAA audits. In the manufacturing world, I'm not sure what that would be, but typically, you'd have what's called an SOC audit—a verifiable auditing report which is performed by a certified public accountant. Most publicly traded companies that do business with the government are required to do the SOC audit. The SOC audit will cover everything I mentioned.
