CIS & Senteon: Unlocking Network Security
The Senteon and CIS webinar series, a deep dive into the CIS Benchmarks. You are only having me today as your host, that's Zach Kowski over from Senteon. Our co-host Rich McGraw had other commitments this week, but we are still joined by our special guest, Chris Johnson of CompTIA.
How you doing, man? Hey, good, good to be here. Really excited for this conversation, because everyone knows the brand CompTIA, but who is CompTIA? So, excited to hear your point of view and what you're working on. But Chris, I know a little bit about your background. We've been building our relationship the last few months. You know, you were an MSP, an MSP owner. I'm still very close with the space and work hands-on with a lot of MSP friends and colleagues still today. But do you mind just introducing yourself a little bit, and maybe how you got into the security space?

I think, like many, I absolutely fell into the security space. I can say, you know, the career paths that we took: if you maybe went to school for IT or information systems or something in that vein, who knows where you landed. I landed at U-Haul, because back then everybody was graduating with degrees in information-systems-something, and everyone was like, I have no idea what we're going to do with you, because no one needs that today. So that was the early 2000s. I ended up working for a company doing prostate cancer research data aggregation. So that's a cool beginning. Yeah, so I got thrust into the compliance space on the privacy side almost on day one in the digital space, right? So I did that for a while. Like many that fell into it, you started learning new things and developing your skills, and so on and so forth. Like, you had the 800 number from Microsoft, those kinds of things. Like, I'm an expert on tech support, watch this, I'll call Microsoft and they'll answer the phone, because back then they did.

And it was part of their money, right? Yeah, it was included; you didn't have to pay, what, $33 an hour or whatever it is. No, it was $250 per incident. It wasn't necessarily a guarantee that they could solve your problem, but anyways. So, fast forward, I got the itch to start an MSP, and when I did that, I think most MSPs early on, you either have the opportunity with clients that you think you can serve that are in a specific vertical, or you just decide, like, I'm going to do it better than the company that I was at. And one of those is probably resonating with a lot of people, right? We found ourselves doing any IT for anybody, whether it was a web app that needed to be reconfigured and hosted in a better environment, or someone can't get Outlook to open on their Mac and that's where their entire livelihood lives, right? Everything, right? You started out, it wasn't just security. There was no... I mean, shoot, you could be a web application support person and you were considered a system admin, right? Like, there was no title. Yeah, there was no line, none, none. In fact, I remember at one point wanting to shame people that built websites that didn't understand how the hosting and DNS and all that stuff worked. Like, how dare you send me a two-gig image and say, yeah, it's not loading fast enough on the homepage, on my 56k modem connection. But I got thrust into the health care space kind of as a byproduct of wanting to provide IT services and realizing that we needed to focus on something, and at the time the majority, however much it might have been by a percentage or two, was health care. And so we decided to just focus on that. And then in doing so, 2013 came along with the Omnibus Rule, which then added all those security rules, and that's kind of how I got into cyber security: wanting to ensure that whatever we were building out wasn't just best practices, but we were confident in our ability to support it and educate our clients as to why we were building out configurations the way we did. So yeah, I might not sell you the $10,000 server, because everybody's selling $10,000 servers, and if you're getting money from the government, why not put the biggest server in. But we would not compromise on things like firewalls and VLAN segmentation, because we saw what the repercussions would be if they weren't configured properly.

So I want to pause right here, sorry to interrupt. No, you're fine. That's it, that's the point of this. So Senteon, you know, we do OS hardening, workstations, servers, all that. But I still run into conversations today with my MSP audience saying, you know, I don't want to harden my end users' devices, for disruption; I don't know how to sell this to them, because they're not going to know what hardening is, they're not asking for this. It sounds like even in the mid-2000s, or that time frame of your story, when you said configuring, were you talking about workstations and servers, or was that out of scope?

So I wouldn't say out of scope. I think, through an era of omission, we, like many, probably had some level of belief that the vendor who built the operating system for that server had some inkling of what it meant to build it out correctly. So while we weren't necessarily hardening OS images to the point that we could have, we were doing things like making sure that endpoint protection was on the machines, which at that time obviously is not what it is today, but fill in the blank, right? I would say the basics of network and OS security were definitely present. And I think, to your point about how do you sell the hardening side of this to your end users, I think it's less about selling the hardening and selling, like, hey, if you go and buy a computer at Best Buy, there you go. Your expectations of that machine aren't that, oh, I bet at night when the lights are off and no one's here, someone goes around and makes sure that they've all been patched, they're super secure, right? Like, there's no... isn't it? That's why they're there, they operate after hours too, that's why you never see anybody at the counter. I think that is absolutely 100% the world we live in today. And you go back five to ten years, and buying a computer at Best Buy was the only option really that you had, versus buying through a solution provider or some sort of distribution model that most consumers probably weren't that familiar with. Like, if I can't get it on Amazon and I can't get it at my local box store, then it probably doesn't exist, right? And so I think that today, one, the consumer space is far more educated than they've ever been, but they're also bombarded with so many more options that aren't necessarily any better than they were ten years ago. So, to your point about hardening, I think it's the conversation that says, hey, whatever it is that we have purchased to put in your environment, there are no warm fuzzies or baselines that have been put in place for this machine. We just have to accept that as a reality, and that's where I would start with the education component: it doesn't come ready to go, right?
Like, that's why you called me in the first place, right? You're not asking me, hey, I can't get on the internet. Yeah, no kidding, it's not patched, or it doesn't have this. Like, remember when we used to have to go download drivers onto flash drives, then plug them into the computer so we could get them on the internet? Thankfully those days are gone.

I think I actually really like the way you put that story, because a lot of the time I hear MSPs trying to educate on the importance of hardening and the security function of hardening itself. We're wanting to talk about direct settings. But yeah, exactly. But what you just said is almost taking a step back and saying, hey, when you buy this off the shelf, it doesn't have any of those extra warm fuzzies, it's not going to operate perfectly out of the box. So it's almost selling them, saying, hey, let me set this up properly for you and then let you run with it, and you never even have to use the word hardening. You don't buy cars that way. Think about buying a car.
If you went and bought a brand new car today, what else are they going to sell you before you leave that place? We're going to put a ceramic coating on it, we're going to put the... like, oh, how much extra did I spend? Oh, that was an extra $2,500, but today and only today we took half of that off; price goes up on Monday. We've all heard that line, right? Right, right. It's the same thing though, right? And no consumer of a car is questioning the integrity or the value of the vehicle that they're purchasing because they just added five other things. I can put on it... for hardening, yep.

So you said one other thing. You know, solutions maybe haven't changed that much in the last ten years, some of them, right? Obviously we have new technology and whatnot. But a big topic that I've talked to Matt Lee about, I've talked to you about, is how vendors are needing to mature and potentially start to integrate the CIS Controls, or mapping to a reg... not regulated, but mapping to a framework, to help MSPs and help business owners understand where that security solution fits. Sure. Do you want to talk towards this? Is this something you believe vendors should be doing?

Absolutely. So, without giving away too much, I can tell you that over the past year, past six months I'd say, Matt Lee does these workshops everywhere. I've been privileged enough to do some of the workshops with them, and basically what we do is we go in and sit with solution providers and talk through, you know, what is this safeguard asking of me, right? What's the intentionality behind the safeguard, and what would evidence look like if I was successful in satisfying the safeguard? And one of the things that happened at one of the workshops that we were doing, I think this was actually at Pax8 Momentum here just a few weeks back. And I heard that went really great. It was awesome, it was very cool, and I was privileged to be a part of that conversation. It was interesting, because someone asked this question after Matt and I had kind of emphasized, like, hey, this is not the tools, right? We're talking about the how and the what here. And someone piped up with, but can I use tools to help me get to the evidence? And I said, wow, I've never had anybody phrase it that way, but 100%, absolutely. In some cases there's no way to get to the evidence or the proof or outcome without using tools to get you there. And I think that's one of the biggest differences we have today versus ten-plus years ago: the sophistication of tools that we have in any number of categories that MSPs use to reduce overhead, to reduce the noise, those kinds of things that exist. So I think that's a big change. But I think, to your point about where vendors need help with these tools, marketing departments want to sell on all of the above, right? Like, my product helps solve for these many things. And to what you said before about hardening, I think there's two sides to this coin. One is a vendor being able to show solution providers how they've hardened internally their own environment. We don't want to talk about the shoe cobbler's children's shoes, right? Like, why are his kids barefoot, everybody else has shoes, right? That's not what we want with our vendors. But then the second part of that is to articulate where their product either helps solve for a safeguard, and to avoid saying we 100% solve this safeguard. I don't necessarily care if it does. I think at the end of the day solution providers don't need a vendor to say we solve 100% X, whether it does or not. I don't know that I'd ever want to say that, marketing or otherwise. But, like, show me how the proper implementation of your product or service helps me solve that problem.

I like that a lot, and we have a comment, if we can highlight that on the screen here. Felicia popped in, and I think she very much agrees with you, right? A lot of these vendor marketing teams, they want to be this end-all solution, right? But marketing people don't really have a say, right? They can't claim to map to the safeguard without some type of attestation process. Is this something you've considered, or what advice would you give vendors who want to do the right thing and say, yes, we do assist with this control, you know, it's not 100%? I agree with you 100% there, but how can they... what first steps could they take, maybe?

So, just getting into the specifics of how does my product help satisfy a safeguard, I think would be to look at, like, some of them we see all the time. Like, if your RMM tool collects asset information, right, we know that that is a tool that can help provide information around asset inventory. I don't think an RMM tool is the inventory destination itself. So if I was thinking about one that comes to mind that's open source, I think it's called Snipe-IT. If you remember, like, sending your friends out to go hunt for snipes, it's great, I love the naming convention, because it's like this imaginary thing and we're calling it where we store our inventory. But that product, for what it is as a destination to store inventory, if I was the vendor selling that product, I could arguably say this meets the requirement for storing your asset inventory. Now, does that meet the entire control? No. Does it meet all of the safeguards in that control? No. But if I were to say we meet Control 1 of CIS, use our product, I've misled the solution provider. At the very least, I've confused the solution provider. So I think it's showing not just, like, hey, we map to these safeguards, but how does a solution provider leverage that product or service in meeting the safeguard? Not, well, if you configured it correctly. What's correct?

Yep, absolutely. I think Felicia definitely agrees with the sentiment you shared there, right? There needs to be some type of process in place, especially with the topic we were talking about before here, with SolarWinds and FTC coming up. CISOs are taking a lot of this weight of responsibility when they attest to these certain things. So let's say they take a vendor at their word: hey, vendor X, I mapped these controls, this is how we do it; the CISO says, yeah, that's correct, signs off on it. Now they're liable for taking that vendor's word. I mean, have you been following the SolarWinds and new FTC...? Yeah, the whole, thanks CISO, and you're now being charged with committing fraud and for misleading on your security posture.

So I think there's two things there that are not the product, right? So one is, what are the internal security best practices as a company? Because I think at the end of the day, no matter how good a product is, let's just say hypothetically someone does release the perfect product: it's perfectly secure, it perfectly does the things we want it to, it completely satisfies the control. Well, who's putting that product in? Are they perfect too? And I think we're always going to have that problem: even if the product was created in a vacuum and it's perfect, it's going to leave the vacuum in order to be implemented, and then now all of those that are involved with implementing, we know, are already flawed, so something is very likely to not be done correctly. So I think the precursor to that is, yeah, that's the perfect question: to not take the vendors at their word, they need to start showing third-party validation that they have been checked by somebody or an organization that is recognized as knowing what to look for, and to ensure that it's properly being vetted.

So I don't want to overstep or ask anything I shouldn't, but, you know, we have CIS, we have CompTIA, and I think there's some rumors of stuff Matt's doing with Pax8. I mean, is there ever going to be a place where vendors could, you know, apply for attestation, and there's a body to approve or agree? Is that possible, or is that just impossible? I don't think that's impossible. I think that's a very realistic hypothetical at this point. I think that there are those out there that are recognizing that vendors want to prove where they help meet safeguards. I mean, if you think about it, the CIS framework, if I can call it that, and the safeguards therein: if you're a vendor today deciding what product to create next, and you could pick a safeguard on there that would be extremely valuable in security and hardening, like, I don't know, like maybe a Senteon, not to paint the elephant in the room here, but that's huge, right? Because now a solution provider that's aligning with a security set of safeguards can go through and say, wait, there's a vendor that can help me meet that safeguard, their product helps me solve for it, and oh by the way, this has been looked at by a third party to say, yeah, originally they had said we meet the safeguard completely, but after going to the third-party review it partially meets, and here's what else needs to be included in order for this safeguard to be fully satisfied.

Yeah, I think the coolest thing, and I can talk about the vendor point of view, and I agree with you: as an early-stage vendor, it was no longer, hey, Senteon says we need to set these settings to this state; it was, Senteon is telling you that CIS, who did the hard work of reading and documenting, is telling you to do this, not us, right? So having that. But expanding this as a future feature request, which would be really cool, is, as a vendor, to go there not only to attest, hey, I want to submit for these safeguards, but having someone on the other end say, hey, you're actually kind of close to helping out with this safeguard, this is how you could build out your solution to meet more. Almost having, like, a consultant with your road map to align to CIS or another framework.

Yeah, it's funny you say that. So, cart before the horse: the SaaS Advisory Council for CompTIA, at ChannelCon in August, released their Factors to Consider When Selecting a SaaS Vendor, and it's got, like, I forget, 20 or 25 questions. And they're not questions around, like, what safeguards do you help us solve for, right? Because, I mean, good grief, there are vendors out there that don't necessarily focus on the cyber security space, right? But it was questions that, you know, for the Trustmark that we have out today for solution providers, when they get into the CIS control for third-party service provider management, like, what's the questions that I should ask? And if I had a thousand Trustmark holders all satisfying that question, all asking Senteon, please answer the following 25 questions, at some point you're like, dude, I've already answered these questions and I'm not going to keep answering them anymore. So where can a solution provider go to see that? So I think that, to your statement about, in the future, going broader than that, is an absolute must. And quite honestly, any vendor out there listening, I hope you're selfish enough to recognize this is in your best interest to have that, so that we stop bombarding you with the same questions over and over again.

I think we need to elaborate on that one here in a second, but first I want to highlight this comment from Felicia. She was the guest last week, incredible guest, big champion of the importance of security configuration management. She goes here to say it is the key between success and failure of any technology. Do you agree with that? Like, how detrimental can it be, from a security point of view, for an end client to be using just a default, out-of-the-box Windows machine? Is that actually a risk we should take seriously, or is it just a computer, or a desktop by the wall?

I mean, this is what has plagued our industry for decades, and it's the: I didn't know I needed that until I saw it at the show, I bought it on the show special, I installed it, my client is mad at me because we didn't install it correctly and it's not working, and now I'm on the Reddit boards bashing on this vendor, who may or may not ever come back from this, because it was more important to get it sold and out there than it was to make sure that the people that were going to implement it knew what they were doing.

I can't echo that statement enough, especially with more premium solutions. For example, in our case, we're doing 900 of the CIS recommendations. It's a beast, right? If you don't have the right person managing our tool, it could break something, it could cause that disruption, and going to those Reddit boards, if you just have that one angry person who bought the shiny new widget and set it up without reading the documentation, without taking their time, it can leave a bad taste to that now-promising company's trajectory, right? That's a very real scenario. Well, one could argue today, in today's world, one does not have to be very technical to be a successful MSP. You don't necessarily have to have strong technical staff to be successful, because so many of these things, like, for example, to what Senteon does: if previously I did all of my Windows OS hardening by hand, and now I'm competing with the MSP who has incorporated Senteon into their environment, and they're not hiring, you know, a good ten-years-experienced engineer that's been working with GPOs and... [Laughter] So I think that's extremely valid today: there's a lot of illusional, maybe delusional is the right word, believing that you can do the level of depth from a security standpoint, or even just general technology infrastructure, because the tools have become so sophisticated that you can make even the worst tech look like a rock star, the tools configured correctly.

I love that statement, and I think ease of use is critical for the vendors as well.
You know, we talked about the vendor point of view of needing to align to CIS. Let's kind of switch the tables a little bit. I think this is almost a topic that's growing too popular to talk about, but why should MSPs choose a framework to follow? Obviously we just talked about the vendor side, but what benefit does the MSP have to following CIS or another framework?

Well, I think it's kind of... I don't even want to use the words that are coming to my brain right now. I would say the number one reason is because if you have a set of standards, safeguards, that have been defined by an industry or an independent group in order to establish one end goal, which is to protect the data. And I think CIS is a great example of: all data has unique and potentially differing degrees of necessity depending on the lens that you're looking at it through, right? What's important to you might not be important to me. Versus the other frameworks that are out there that are very focused on, like, obviously PCI DSS, you know, that's very much credit card; HIPAA, obviously ePHI records, and so on and so forth, right? They have targeted a very specific data type, where CIS is saying, we're not going to decide what is or isn't important. Obviously that's why they map so well to so many of the other frameworks with their approach. And I think it's interesting, because if you have a conversation with any solution provider that suddenly says, oh no, we're going to do CMMC, or 800-171, or fill in the blank, not CIS, I'm not going to discourage that. But at the end of the day, one of the things I find interesting is in many cases they are picking a heavier lift to satisfy when they haven't really started on any program yet. And if they were to look more closely at CIS, and the way it provides some prescription and direction to getting these safeguards satisfied, they would actually be setting themselves up for success with those other frameworks, so that they're not trying to climb a mountain when they haven't gotten their legs underneath them yet, now that they're 15,000 feet above sea level.

So it sounds like the way you view CIS is as a strong foundation to make the requirements of HIPAA and PCI easier to meet. Absolutely. And I think it's one of those things where fill-in-the-blank framework provides linear and logical direction in the approach to getting that accomplished. And so, I mean, I'll tell you, that's why CompTIA, when we built the Cybersecurity Trustmark for MSPs, for solution providers, CIS was the foundation. I mean, I think everybody that was in that working group was like, this is the best-case scenario, because while it says for everyone, let's be honest, it looks like it was written to solution providers.

I like that a lot. And can you introduce that a little bit more? Again, this is high level, a lot of our audience may be hearing about CIS for the first time. But CompTIA, CIS: competitors, friends? Who's CompTIA to CIS? I would like to think that we're kind of a pretty big champion for CIS. So we have an agreement with CIS to leverage CIS safeguards inside the Trustmark. So almost two-thirds of the Trustmark is built around CIS. We don't quite use all 153 safeguards, but it is upwards of more than two-thirds. So I can definitively say, I think it's around 133 safeguards, so well over two-thirds. Yeah.
And so I'll just give you a couple of examples of a safeguard, like one of the safeguards we took out: 1.5, passive scanning. I don't want a solution provider to go out and spend somewhere between 10 and 30 grand on a solid passive scanning tool. I'm not saying that passive scanning is not important, I'm not saying any of those things, but I'm saying, like, for the Trustmark we wanted the barrier of entry to be as low as possible.

Okay, I like that a lot, that sounds really cool. And yeah, that was really the good stuff. Anything else you want to add before we start going into today's configuration topics? Man, I just want everybody to know that I'm soft and squishy, so if you have barbs to throw because my technical prowess isn't up to the level that Zach thinks it should be, just know that I can talk about these things at a high level. Your hands on keyboard, it's been a few years. That's right. All right, let's hop into some of these slides.
So today's topic is one of the more advanced ones. Chris thought he would challenge himself at the time of me asking him. So we do have a variety of topics in the network section of CIS, so we'll be doing network connection settings, TCP/IP settings, Windows Connect Now. So we have quite the array. But what we're looking at here is we did list out about six MITRE ATT&CK techniques that can be better mitigated by hardening the settings we're talking about today. So Chris, do you mind just kind of calling out a few of these and just introducing to the audience what these are and why they're bad, I guess?

Well, I mean, I got this one hands down: unauthorized or risky network connections. I know that one definitively is just, you should not do that. But man-in-the-middle attacks, that's a big one. And I think unauthorized network sharing and configuration. I mean, really, these all kind of... you need all six of them, right? Like, if I take any one of them by itself, it becomes less and less relevant in the understanding of what our goal is. If I start taking these away, it becomes a little bit less, well, why would I do that? But then you put these all together on the slide like you did, and you're like, oh yeah, I should definitely harden these things. And I think, if I were just thinking about this completely non-technically for a second, we were talking about this at the beginning: if I'm talking to the end user about hardening, oh my word, their eyes might glaze over at some of this. But if you were to explain why it's bad to connect to the wireless, you know, public Wi-Fi at the airport, it's bad. I think it's less bad today than it was years ago. But if I put all six of these together in the same presentation to that same end user, now the perspective on why I should consider seriously before I connect, what the potential repercussions are, changes that hygiene for that user.

I think I could completely revamp the order of my presentation: just say, take one of these attacks and then list out the configs to talk about when relating to this. Right, right. I mean, that's what CIS is ultimately getting to, to everyone tuning in for the first time, right? These are proactive steps that we can take to mitigate the risk of possible low-hanging attack chains, or attack techniques, which is what we're looking at here. Well, so, unauthorized network sharing, sure. So obviously this is something we do all the time with our cell phones as hotspots, right? So do you see this being a significant challenge within users sharing the Wi-Fi, say, of their laptop?
I've come across it one time where they had a proper use case, built out the exception for the individual machine, and moved on. But you don't normally see them doing this out of intent, right? It's the fact that it's there and it could be exploited because it hasn't been hardened. And I think that's the part that is missing in a lot of the conversations we have with our clients: it's not that it's going to happen with you, like that you are going to go do this, because you didn't know anything about it before I started telling you that it was possible, right? So then it raises the question, like, why do we need to tell them about this versus just harden the machine?

I think that's one of the challenges, because you've put it in great perspective, right? It's not selling hardening directly, it's selling the risk mitigation, the amount of risk that is lessened by doing hardening, right, the output of hardening. A lot of my conversations is wanting to sell the technical aspect, and Felicia talked about last week the technical control aspect of hardening, because we in the IT space find it interesting, we want to learn about it, but our clients don't care. No, I'd be worried if they did. Yeah, they probably wouldn't need the MSP. I say, why did they hire us again? So that's really cool. And I guess when you're talking about hardening to your end clients, who do you think would listen? Is this like an executive conversation, is this a conversation with a specific department or person? Who do you need to talk to as an MSP?

Well, so I'm not an MSP anymore, so at CompTIA this is not part of my daily vocabulary. But when I was an MSP, I think this is an interesting area. So MSPs largely serve the SMB space, right? Like, the larger the company that's being served, the higher the probability that they have resources internally to solve for, if not all things that are, say, in these six, then some of them, right? So I think that if I'm talking about this with SMB-level, it's just the decision maker, to say that these are things that need to happen within your organization to mitigate, to your point, reduce the risk, reduce the probability of things being exploited, that actually at the end of the day bear little to no impact on their day-to-day, right? Like, if you remove the ability for me to do network sharing from my laptop, I would have no idea that you did that. I mean, if I went and looked, I might, and if I knew where... assume I know where to look, why would I go look, right? But if you're getting into the bigger clients, which I know MSPs out there that have them, it really requires a buy-in from the internal IT department. If you don't have buy-in with them, I don't care what you get from the leadership team, you still have to get the implementation to happen, and that's going to be that IT department, and if they don't agree with you or they don't want to do it, they'll make it pretty stinking difficult for that to happen.

Yep. Oh, spot on, I like that. So with that, let's go into some of these CIS recommendations. So, as we talked about, these are all preventative, proactive things; they may not apply to everyone. But this first setting here: prohibit installation and configuration of Network Bridge on your DNS domain network. So, you know, I imagine these bridges could be used by attackers to move traffic or do whatever they need to. Could you talk a little bit more about this at a high level? Yeah, a little bit at a high level. So this made me think about things like when you might run a virtual machine on your laptop: how is it getting to the internet? So I think what's interesting about this is you're often allowing for a device, if this type of sharing is happening, that they don't have the security protocols installed on them. So now you're introducing all of the... it's like a raw connection to the internet, because it's not being seen by the infrastructure that you put in place to protect it. Is that pretty close? I think that's a good explanation. And it's just always important to note that this stuff is not enabled by default, right? This is something that needs to be explicitly set so that the attackers can't change it. Felicia mentioned this in the comments: you need to make sure these are monitored, reviewed, staying hardened after it, because, you know, you go do a PowerShell script... I mean, Chris, you were an MSP at one point, I mean, before technology caught up like Senteon and the
Other providers in the space how how did you harden these settings was it just a script a little bit of InTune can you can you elaborate I mean I’ll be honest I think at the endpoint level we focused heavily on is the Windows machine you know current on patches and and you know
Application that was what you needed to get done that was pretty much the main thing and then I mean we’ve talked about this before I care who you are and listening to this right now how many did a good job of of managing securing and protecting on the browser side like no
You can’t install that extension that’s a proxy it’s doing exactly what you’re talking about right here um the other one that comes to mind too that you know you said going back in time how about today when I can choose the flavor of Linux that I have running as my
Subsystem in Windows 11 or Windows 10 even like whoops I think that’s one of the interesting things because when when you do get into it the if you do have a Linux subsystem installed or IIs or FTP whatever that is I loaded C Linux by the way on my
Subsystem so depending what is on that workstation right by default none of it is but if it is there it’s not inherently bad but it should be documented and if it is there without approval there’s a different CIS recommendation on how to harden it if it is already present versus absent well
That also goes to it’s not inherently good either so if it’s if it’s left to its own devices it will become it will likely become bad and you would never know that it was bad I like that have to cut that one out for the commercials
Right all right let’s get to this next setting so prohibit use of network connection sharing on your don’t um DNS domain Network so you talked about this a little bit with connection sharing I mean sharing anything always gives gives me um a little chills can’t imagine it’s
Typically a good thing but can you talk a little bit why this is explicitly called out well you mean specifically internet sharing well so I think one example and and we I think I said this earlier this is the this is the example of hot spotting with my cell phone right but
I’ve suddenly changed all of the potential protections because now I’m going through what is likely an added security layer that’s not security for me and my company but more of the traffic has just become encrypted so being able to manage Monitor and maintain where I’m going has
Been lost as it’s gone through that second layer of encryption so if you are doing this and the attacker does get a foothold right they can use this to then get into that domain level and cause even more damage um another favorite terminology I like to mention on this as
Much as possible is is that blast radius right right one compromised machine is bad but a hundred machines a thousand machines right it it’s about eliminating that initial foothold and if they grasp it mitigating the damage keeping them there well and you see this with insurance Zach right so like they now
Actually ask questions around VPN and the question may say something to the effect of do you allow split tunneling so One path to the internet and one this came up on an insurance questionnaire like whoa who wrote this questionnaire they must have been on this show at some point in time they
Know what they’re talking I’ll have to um plug a webinar coming up in December um I will be talking with Will from fifth wall about cyber insurance and Os configs so stay tuned for that have to bring up that form probably soting talks about it are you seeing
Anything else on Cyber insurance forms I know personally I’ve seen do you have a hardened Baseline yes or no but it doesn’t ask for the extent of right because a hardened Baseline could be 20 settings while senan’s offering 500 100 I don’t think they have enough actuary
Data yet in the insurance space to really ask those questions at at high at a well at a more granular level I think one example of where we’re going to start seeing better questions was The Travelers Insurance where they didn’t pay out because the uh MFA was not on
All systems and the question was written in such a way that answering yes was implying that it was on all systems even though the question didn’t say is it on all systems so I think that’s a and I and I don’t know that that’s necessarily a good question in the first place
Because if if the data that is to be protected is not valued uh do I really need to have MFA in place in getting to that destination so I think we’re going to see more questions that are more accurate in the ask that don’t necessarily group answer safe guards in
CCIS that’ll be fun to see how this all plays out man msps are in for it you’re at the forfront yeah so all right let’s let’s hop into this next one so require domain users to elevate when setting a Network’s location so th this makes this makes
Sense intuitively to me right if you’re sharing um um if you’re sharing a Network’s location you’re going to want to make sure you’re an admin you’re you have the proper authority to do this um but talk to us a little bit about this setting
Well I I can talk about what I think is problematic with this is the flip side which is removing networks afterwards so uh you see a lot of yes they should require elevation to connect but what I see a lot of is they don’t require that but in
Order to remove a network that you’ve connected to I have to have elevated privileges so to this one it’s this kind of goes hand in hand with like allowing me to connect to say public Wi-Fi uh you know if if it’s if it’s requires authentication obviously that creates a
Pause even if I have the credentials to do it right it it’s an added step of is this the right Network that I should be connecting to what potential harm I we’ve already talked about it all the way up to this point basically solving for the same thing um networks
Location’s a big deal too right so if I’m remote connecting in the office and my location is now now y say questionable or the timetable since the last time I connected to now has there’s no humanly possible way I could have uh you know you know light speeded to that
Part of the world um you know California seconds right things will get really complicated once that type travel is feasible yeah then then we would suddenly say that the technology that we use today is way behind what it needs to be y i I think that’s a good explanation
On that one um anything else to add or should we hop over to the next setting I I would just say to this one I think this is really interesting when we look at SAS applications when we’re connecting you know when we’re we’re you know being very careful of what
Applications you we hear this all the time so like if you’re in the hotel don’t decide to do Banking and reconcile your books while you’re there like right like be smart about those things and I think this is an area where it’s really hard we talk about hardening of the
System this is a good example of having conversations with the client around what do you allow the device to be used for and where based on sensitive information and I would say most probably have no idea and don’t discourage any of it and I think that’s a good conversation just to approach the
Topic of hardening even right just bringing up he what is this used for okay if I can make this more secure while allowing that function would you be interested in that I mean who who who would say no in that situation like I want fishing simulation and actual um
Bad mail to show up in my inbox and and have it be like I I know that’s bad because these environmental variables have been violated not because the email itself is or isn’t bad I like that awesome all right let’s go to this next setting and it literally has hardened in
The name so hardened UNC paths so know a little bit about this setting um but this has to do with the network paths and making sure you protect the net log on and cisv shares um kind of prevents that man in the middle um type of attack
Anything additional to add on this so I’m terrible with this one in fact if if my uh my former senior engineer was on here he’d be like Chris says stuff and he obviously understands what he’s talking about but the person he’s talking to may have no idea what he’s
Trying to articulate because he’s used words that are definitely not meant for this space um the thing that I would say that comes to mind for this one though is and it was available in in Windows 10 and I think it started I don’t remember what server Edition it started with um
Where it was natively off but the uh SMB path being just available so you could just start typing and all of a sudden it’s like autocomplete showing you whatever is available across the network I think this is a good example of that and why UNCC paths are so
Important that’s a great example good good cross reference there so makes sense um definitely want to mitigate that and we have about four four or five more settings here so we’re making pretty good time we’ll go a little bit faster through these but let’s look at
The next one um talking about IPv6 um this is something I hear about all the time could you kind of just tell us at a high level you know IPv6 and and why we’d want to make sure um this is followed well I mean to reduce
Complexity for one I mean that would be where I would start y I think this is a it’s funny it’s 2023 and I would argue that there’s not very many uh organizations actually taking advantage of IPv6 so so disabling IPv6 is interesting because it feels like we’re going in the opposite direction
Like I don’t know this again this is one that I I’m not more technical to it possibly one of the L2 configurations here um sure yeah there’s there’s definitely some complexity here um you know if you don’t use it I believe there’s you know just it’s more refined
There’s less to to add Clarity and I think this is where I I might show that I might know a little bit is that don’t don’t enable protocols that you’re not using I mean that’s let’s just make it that that would be to sum up this whole
Conversation is if it’s not being used why is it on I we might want to do FTP we might want to have our own mail relay on our our host server so like yeah let’s go ahead and leave that open I think we had a a guest a few weeks ago
Marty um who said he really likes Linux CU they come locked down and you have to proactively enable things as you can’t do them um you know that would be a different me mentality for Microsoft to ever Implement that and it would eliminate businesses in my space but it
Would probably get a lot more hardened machines and and someone just posted there’s no use case for IPv6 in private networks for the vast majority of organizations I couldn’t agree with you more because for the number of networks I’ve configured over the years I still to this day like it’s just not being
Used nice oh you can highlight that it’s all good all right let’s hop over to this next setting um appreciate the comments in today this is awesome so looking at this next one here um configuration of wireless settings using Windows connect now um you know Windows
Connect Now isn’t this it’s one of the innate um settings so Microsoft can remote in is that is that right do I that was my understanding but I have not not ever found a good reason to have this enabled so I think that’s fair disabled by default there’s no reason to give
Microsoft more access um than they need and to take this one a little bit further and it’s not just windows and maybe not so much in the in the configs but like turn off on your phone Auto join networks when like if it’s an open network don’t Auto join that Network
Turn that stuff off I like it all right we got another Windows connect now um setting so again it’s just prohibit access of the windows Connect Now wizard so same type of mentality anything else you want to add on this no and I think this is kind of part for the course we
Saw this back in the day in the consumer world where you know you have the W what is it WCS like you get the modem little button on the front like to make it easy to connect just push the button and Magic I think the icon on this slide uh
Does well yeah yes absolutely the Wizardry I think that’s perfect um all right this next setting here um is one of um the fan favorites um whenever we do on board um minimize the number of simultaneous connections so what this is saying here um making sure you can’t use
Wi-Fi while you’re already plugged into the ethernet um is there ever a use case where you would need both or is that just a risk not needing to approach so I’m not going to say that there’s not a SC area where that would make sense security space man everything depends
Right and well so I would say this like if you’re if you’re doing Network management type stuff and your wireless connection is on one VLAN to get out to the internet like whether you’re downloading firmware that kind of thing and then the other one is you plugged in
So that you could update configs on switches those kind of things I could see that but we’re talking about a very unique specific use case not the general like and I think it’s the the person doing that would be very intentional I think this goes hand inhand with the uh
Say VPN like why would you want to split tunnel I don’t get the protections that I get when I go through that VPN nor do I get the logging or the ability to do any sort of you know log correlation so yeah this goes hand in hand with that
You don’t get this I mean how much log correlation do you want to do with traffic if I have I’m split tunneling you’ve just made the person who’s got to solve the problem that much more difficult yep AB absolutely and and that’s one thing I also want to
Highlight here with CIS right by hardening these settings you’re you’re reducing the amount of noise you’re you’re making those logs or post breach um morms easier to sift through easier to find that um breach Source or or however you want um it’s like you said
It’s not just WR a boom this is about reducing the blast radius yep yep oops sorry little cool so let’s see what this um next setting oh we got a comment um yep not for end users I I think I think that’s spot on right love that and that’s the conversation we
Should be having with with clients I mean obviously don’t tell them stuff that they really don’t need to know which was kind ofir yeah like if they wouldn’t know that they were split tunneling why does it matter right Y and and and I’m curious and and maybe
Felicia has a comment on this one too but but Chris one of the coolest things I’ve noticed since onboarding senson is you know we’re doing 500 configuration changes it’s it’s it’s no small feat right it’s quite a bit but what I’m noticing is the majority of msps who are
Using cian out there in their Fleet is they don’t have that many exceptions and from what I’ve understood they don’t even tell the end client it’s going on because there’s such limited I know so we do log on warning text make sure they have to type in the
Username maybe control out Delete so they let them know of the few things like five different things but then the other 450 they don’t they don’t know they don’t need to know right why why educate to that extent is it worth the msp’s time to go that in depth I mean I
Quite honestly would argue that most msps leveraging cinon aren’t necessarily educating their own staff on all 455 plus scarios yep I love that um all right let’s get into um the next couple here two more so prohibit connection to non-domain networks when connected to domain authenticated Network that one
Makes sense as I’m reading it but anything else you want to add to it no I mean do it have this enabled so so one that comes to mind and you see this a lot um you see this a lot in environments where they’re trying to
Save money um remember log 4J oh so so we all do right like so I remember thinking like sonology Q app the different ways in which we’d create non-domain joint storage uh this would be would be a perfect example of what we see in environments where allowing my device to
Connect to that which now is connecting to something that I I pretty confident is not being managed right because it’s not on the domain it’s not even likely visible with my rmm tools so identifying you know vulnerability scanning those kind of things I mean hopefully it’s on
A different VLAN if you do have one but but like it’s probably not even being in many cases all of the potential risk is so high when you connect to a non-domain network yeah I like that all right and we got the last setting of the day and
We are making time beautifully so allow Windows to automatically connect to suggested I did thiss we’ve talked about this one a little bit over as you can tell these are categorized by CIS for us sure but it is worth noting so many of these coincide right there’s not just
One setting about hotspot there’s three there’s four right so making sure you go through all these settings to make sure it’s actually disabled right you might have three of the four disabled but what about that fourth well so it’s interesting that we talk about this
Again because one of the things I I had said before was like you know the the privilege Network you got to raise privileges to authenticate to a new new wireless network or you know whatever network but what about removing them so so let’s use the the example here of you
Know connecting to an open network so your Starbucks your uh Boingo your airports your hotels so if I’ve ever stayed at a Marriot let’s just say I’ve stayed at it 10 times or two times right like I’m gonna go back to a Marat Hotel potentially a different hotel that has
The same SSID and my computer is already gonna have that stored it is not privileged for me to remove it and now I’m going and connecting doing exactly what this says but because it’s already been AU authenticated it’s allowing me in y don’t need that you can type in the
Credentials the next time you’re there that’s right now that’s perfect and I’m looking at my interactive Q&A questions um that I had preempt um you actually answered a lot of them throughout so if there are any questions from the audience please drop them into the comments otherwise
Chris I’m gonna let you just kind of talk towards a little bit more um feel free to talk more about the topic but also if you’re noticing any Trends just with conf configuration management or msps you want to highlight while we have the time I think that one of the biggest
Things whether it’s you know ction or other products that help you reduce the amount of FTE to solve some of this I mean you and I talked about this before uh there’s examples out there trying to meet the you know CIS security uh baselines and you know I I remember I
Think I shared with you one project where I think it was tied to an exchange server it took him 11 months to get it completely to meet that criteria and it’s like one time that one server that’s not a whole Fleet yeah and can you imagine
All the other things that we should be focused on like I really think we’re at a at a place in the threat landscape where it’s unfortunate the amount of energy that msps spend at the actual device level when there are so many tools and resources out there to help
You automate that so you can focus on really is out there trying to attack so one thing um me and you have talked offline about but this concept of browsers needing to be hardened and there’s not enough hardening going on today at the browser it’s becoming the
Container of all your SAS apps have you noticed any any Trends um on the browser level and then we’ll get to this question here yeah so I think this is a perfect example of a browser is an application is almost an operating system right everybody knows of Chrome OS the Chrome browser
Running a Chromebook right like it’s basically just a browser right or is it uh so I’d say the the biggest challenge we have in the browser space aside from making sure that it maintains patching and and all of that is is ensuring that you’re not just having a wide openen uh
Extensions store so like I mean we even seen now that there’s extensions there’s widgets and there’s apps that all live inside the browser ecosystem and I think if you’re not managing that it is which is way more difficult I think than managing operating system absolutely um
Is is that’s where I think we’re going to see the energy Focus come I mean like I I mean I don’t know if we’ve talked about this but like for each browser it ranges between 150 and 200 plus pages and fortunately it’s Illustrated or it would be even worse right but but it’s
It’s 200 Pages get to a secure Baseline configuration for One browser yep and that that’s exactly from CIS is what he’s referencing I can drop the download link in the comments but and that that’s that’s that’s one of the trends senon C’s as well right that’s where we want
To build our solution to map more to CIS and that is one of the things cention will be offering here soon um we actually had a question in the comments I want to highlight for you Chris um yeah any any thoughts on this one or is this beyond your your your disconnect
From technical World little yes and no so I think that nonam non-domain join is not the same as hybrid ad so if you’re truly running uh hybrid ad then then the the rules apply right so uh if it’s functioning properly hybrid ad for sure would be in fact I think it’s brilliant
When anybody’s moved stuff in the cloud would still have on Prem you should Implement hybrid ad because then you benefit from a lot of the security controls that doesn’t live locally on a domain controller but it’s only available through the through the Microsoft offerings out there but it
Does get then trickled down to on Prime environment but the aad I assume they’re talking about Azure ad um so that would get into a couple things one are you using a machine that is not authenticated to that Azure ad environment um or are we talking about a
Device just connecting to a like an Azure Server Like A you know a VM that lives inside an Azure ad ecosystem um that’s a little bit different because of the way in which you’re connecting so I don’t get too far down in the Weeds on this but I I would argue that we’re
We’re talking about more what we’re referring to more specifically is on your local network with this particular config we’re talking about non-domain devices that are accessible and preventing that from happening like that and and on those Azure boxes or anything um whether it’s ad domain joined you still need bias but
You should still be hardening those local policies because that’s the only way to assure they’re actually implemented successfully didn’t drift after you deployed that script after you deployed that change making sure it stays in place um the only way to do it is at the local level but for clarity
This I think that was the control safeguard that we were talking about was tied to local network got it all right awesome um Chris we’re right at the hour any other closing remarks um I think you did a really good wrap up there with the last couple minutes cool yeah all right
Well very cool everyone thank you for joining us today thanks for the Q&A um since Chris answered all of my preempt questions throughout the webinar but we are here every single week we aim for every Wednesday and you’re GNA notice a couple tbds on there might have Felicia back to talk about
Printers next week but um printers is not the hottest Topic in the MSP space no one was jumping at the opportunity um and we do have Rody coming back on for um part two he’s gonna go into some of the next gen um configuration recommendations through CIS those are
Super highly impact but good for security if you can handle it um I do have the CIS unlocked um Benchmark series newsletter we do dive into these um benchmarks every single week in a more documented format um and as always um in this last slide we do offer cion
As a free um NFR for NF msps do a risk assessment see where you sit with CIS I’m inclined to think everyone here um will likely be at the default state so it’s what we usually see it’s not inherently bad but get after it awesome thank thank you everyone for the time um
Appreciate you being here Chris thanks guys