 
Sickening
Jul 16, 2007

Black summer was the best summer.
Okay infosec, I need people to chime in. I NEED YOU (YES YOU)

My new CISO is saying things are required due to the CFR (Code of Federal Regulations). We are a hospital. She says things like "We need you to document this antivirus P&P due to CFR regulations."

This has taken me off guard as I didn't even know what the gently caress the CFR was. Now after doing my googling, I am failing to understand why in the world she keeps blindly referencing the CFR and a requirement for any info security documentation. Did she make this up in her head? Is there something out there that I missed how this stuff might apply outside of DOD or SEC stuff?


Defenestrategy
Oct 24, 2010

Sickening posted:

Did she make this up in her head? Is there something out there that I missed how this stuff might apply outside of DOD or SEC stuff?

The only thing I can think of is that your hospital is a federal institution of some sort or is some sort of federal contractor? Otherwise not sure.

Sickening
Jul 16, 2007

Black summer was the best summer.

Defenestrategy posted:

The only thing I can think of is that your hospital is a federal institution of some sort or is some sort of federal contractor? Otherwise not sure.

Nope

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
CFRs are US federal regulations set by federal agencies. Most laws don't prescribe specific rules. Instead, they grant authority to an existing agency to accomplish some end, and task the agency with making rules to that end.

Your CISO might be right, but saying "CFR" without any context is the equivalent of saying "federal law says so". Most laws and regulations define which entities they apply to ("Covered Entities"). It's important to know if a given CFR even applies to you before getting worked up about the rest of it.

spankmeister
Jun 15, 2008

They probably learned that in their CISSP certification or something and now they're using it everywhere.

Rust Martialis
May 8, 2007

by Fluffdaddy

spankmeister posted:

They probably learned that in their CISSP certification or something and now they're using it everywhere.

Lol "The CFR Triad"

Defenestrategy
Oct 24, 2010

Rust Martialis posted:

Lol "The CFR Triad"

Chips fries and a reuben? Sounds good to me.

Rust Martialis
May 8, 2007

by Fluffdaddy

Defenestrategy posted:

Chips fries and a reuben? Sounds good to me.

Confidentiality Fries Reuben

RichardA
Sep 1, 2006
Dinosaur Gum

Sickening posted:

Okay infosec, I need people to chime in. I NEED YOU (YES YOU)

My new CISO is saying things are required due to the CFR (Code of Federal Regulations). We are a hospital. She says things like "We need you to document this antivirus P&P due to CFR regulations."
Any reason not to ask for a copy of the regulations so you can judge compliance?

BonHair
Apr 28, 2007

As a compliance type guy: compliance has a few steps:

  • Figure out the requirements
  • Figure out how you will/have implement (ed) them
  • Make sure the implementation is actually complete and fulfills the requirement
  • Set up controls to make sure it's working
  • Evaluate if the implementation is still good and actually fulfills the requirement with regular intervals

It sounds like you/the ciso needs to work at the first two steps, especially the first. Just citing "regulations" is not useful

I'm phone posting at work, so I probably skipped some stuff. I guess remember to do audits too.

Thanks Ants
May 21, 2004

#essereFerrari


RichardA posted:

Any reason not to ask for a copy of the regulations so you can judge compliance?

Out of interest, would someone in a security role be expected to translate laws into company policy, or would they use a lawyer who specialised in that field to provide guidance?

geonetix
Mar 6, 2011


Typically your corporate security team either sources relevant compliance laws themselves or have the legal team feed them what's required; the latter is usually the better option given the complexity of the context. It gets really hard to understand what's actually necessary if the company operates in a diverse set of territories (countries, states, etc etc) with differing laws, and since security is still so immature they tend to err on the side of caution.

The security team's responsibility should be to convert that legal input, combined with other inputs (quality, industry requirements, business requirements, etc) into relevant and proportional policy.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

Thanks Ants posted:

Out of interest, would someone in a security role be expected to translate laws into company policy, or would they use a lawyer who specialised in that field to provide guidance?

In a small company or startup, maybe. For a hospital that has Real Actual Legal requirements for poo poo, no, not on your own: InfoSec should be party to the meeting and all that, but you want Actual Lawyers looking at the laws and legal requirements and then working with them to determine how to address them.

Another possible explanation for the CISO's comments is if your employer has some sort of cyber insurance policy which carries requirements that you meet certain specifications and due diligence, many of which stem from CISA guidance. CISA starts with a C like CFR does, and both are federal-space things, so they might be just confusing them in their heads.

But yeah, I'd agree with the others here and ask to sit down with the CISO and hash out what it is they think you need to be doing and why, and have them point to the documents they believe they need to comply with. That should provide a lot of information for you on where you need to take the conversation from there.

BonHair
Apr 28, 2007

One problem is that if you get lawyers to write policies/rules/whatever for technical things, they'll be out of their depth pretty fast (unless you have an actual tech savvy lawyer in which case you should bend over backwards to keep them). That leads to them writing nonsense, vague useless crap and/or ridiculously strict requirements that are completely unproportional. So you somehow need to work with them to get something that actually makes sense for both tech guys and legal. Otherwise you get a policy requiring logging every time anyone views anything in any system, which "IT" has to implement.

It's a fun area. We have a lot of finance backend customers who are under pretty strict government regulation, and trying to implement the regulations in a meaningful way is an ongoing process with a lot of head scratching and workshopping. And that's in businesses where it's their main thing to provide secure data processing, not in a hospital where infosec is secondary at best.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Sickening posted:

Okay infosec, I need people to chime in. I NEED YOU (YES YOU)

My new CISO is saying things are required due to the CFR (Code of Federal Regulations). We are a hospital. She says things like "We need you to document this antivirus P&P due to CFR regulations."

This has taken me off guard as I didn't even know what the gently caress the CFR was. Now after doing my googling, I am failing to understand why in the world she keeps blindly referencing the CFR and a requirement for any info security documentation. Did she make this up in her head? Is there something out there that I missed how this stuff might apply outside of DOD or SEC stuff?

Do you have a Governance and Policy office attached to Security or the Hospital? They may be able to help you with the compliance stuff. Are they just seeking technical compliance?

some kinda jackal
Feb 25, 2003

It's possible that they're just trying to pull any lever they can to get documentation done. I've definitely been in organizations where nobody gives a gently caress what I said about documenting process but as soon as a contractor said it would be necessary for compliance it was an all-hands-on-deck emergency deliverable. Though I don't know much about regulatory requirements in healthcare because I would have guessed that was already some kind of requirement a hospital would need to hold to.

Definitely a governance question though.

Internet Explorer
Jun 1, 2005


This seems pretty drat bad. At least it got patched quickly and before it was disclosed?

https://twitter.com/0xdabbad00/status/1481655942303281154

Fart Amplifier
Apr 12, 2003

Internet Explorer posted:

This seems pretty drat bad. At least it got patched quickly and before it was disclosed?

https://twitter.com/0xdabbad00/status/1481655942303281154

"at least" is cold comfort. All major vendors have had major vulnerabilities like this. ChaosDB, GSuite allowing random people to add themselves as superadmins on any enterprise, and now AWS with something similar. It's only a matter of time before one of these gets discovered by Russian or Chinese actors first.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
I can't wait for some sort of security issue with the backend of the AWS/Azure/GCP hosting itself that gets heavily exploited. It's going to happen.

BlankSystemDaemon
Mar 13, 2009


Fart Amplifier posted:

"at least" is cold comfort. All major vendors have had major vulnerabilities like this. ChaosDB, GSuite allowing random people to add themselves as superadmins on any enterprise, and now AWS with something similar. It's only a matter of time before one of these gets discovered by Russian or Chinese actors first.
Bold of you to assume that hasn't already happened.

BaseballPCHiker
Jan 16, 2006

CommieGIR posted:

I can't wait for some sort of security issue with the backend of the AWS/Azure/GCP hosting itself that gets heavily exploited. It's going to happen.

It's only a matter of time, and it will suck so very much.

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug

Sickening posted:

Okay infosec, I need people to chime in. I NEED YOU (YES YOU)

My new CISO is saying things are required due to the CFR (Code of Federal Regulations). We are a hospital. She says things like "We need you to document this antivirus P&P due to CFR regulations."

This has taken me off guard as I didn't even know what the gently caress the CFR was. Now after doing my googling, I am failing to understand why in the world she keeps blindly referencing the CFR and a requirement for any info security documentation. Did she make this up in her head? Is there something out there that I missed how this stuff might apply outside of DOD or SEC stuff?

When I worked for a pharma company there was a bunch of stuff I had to do mandated by CFR, but for every requirement given there was a number attached (21 CFR Part 11 is the one that I specifically remember, this was over a decade ago so I forgot the others). Just saying "it's in CFR" is kind of pointless since there is no way for you to actually establish what you're required to do.

KillHour
Oct 28, 2007


Fart Amplifier posted:

"at least" is cold comfort. All major vendors have had major vulnerabilities like this. ChaosDB, GSuite allowing random people to add themselves as superadmins on any enterprise, and now AWS with something similar. It's only a matter of time before one of these gets discovered by Russian or Chinese actors first.

They definitely have at least once, but state actors are going to show some restraint in actually using it, so it's unlikely we would know.

Ensign Expendable posted:

When I worked for a pharma company there was a bunch of stuff I had to do mandated by CFR, but for every requirement given there was a number attached (21 CFR Part 11 is the one that I specifically remember, this was over a decade ago so I forgot the others). Just saying "it's in CFR" is kind of pointless since there is no way for you to actually establish what you're required to do.

This is the point. The CISO wants people to do whatever she says without question.

KillHour fucked around with this message at 18:42 on Jan 13, 2022

Achmed Jones
Oct 16, 2004



BlankSystemDaemon posted:

Bold of you to assume that hasn't already happened.

KillHour posted:

They definitely have at least once, but state actors are going to show some restraint in actually using it, so it's unlikely we would know.

Potato Salad
Oct 23, 2014

nobody cares


Sickening posted:

Okay infosec, I need people to chime in. I NEED YOU (YES YOU)

My new CISO is saying things are required due to the CFR (Code of Federal Regulations). We are a hospital. She says things like "We need you to document this antivirus P&P due to CFR regulations."

This has taken me off guard as I didn't even know what the gently caress the CFR was. Now after doing my googling, I am failing to understand why in the world she keeps blindly referencing the CFR and a requirement for any info security documentation. Did she make this up in her head? Is there something out there that I missed how this stuff might apply outside of DOD or SEC stuff?

CFRs are vehicles by which various security frameworks may become contractually necessary for your org to adopt.

Your ciso needs to ask the business unit that brought this need up for the specific contractual clause that was signed that created this need.

If I had to guess based on this "can u document our AV lol" your latest MTA/DUA renewal with any one of various federal health and research agencies is requiring CUI Basic Safeguarding for some health info or Federal Contact Info, possibly intersecting with new vehicles encompassing the hodgepodge of HIPAA at a higher level, based on my experience with one of my clients.

You may also just be meeting new requirements through your continuity insurer, interestingly.

Potato Salad
Oct 23, 2014

nobody cares


You are going to increasingly see entry-level requirements that generally only applied to the defense industrial base apply to you between now and 2025

my first piece of advice would be to depart healthcare IT

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD

Potato Salad posted:

my first piece of advice would be to depart healthcare IT

Defenestrategy
Oct 24, 2010

Potato Salad posted:

You are going to increasingly see entry-level requirements that generally only applied to the defense industrial base apply to you between now and 2025

my first piece of advice would be to depart healthcare IT

Honestly the worst part of defense requirements is that you have to be constantly looking ahead to the next set of requirements being developed so you can basically be in compliance once all that stuff gets written into your new set of contracts.

And then weep quietly when two years of working towards a set of requirements gets tossed down the drain because the military can't get its brand new infosec framework together and decides to nix it for a while. *crys in cmmc*

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
This Week in AWS may have to eat some crow if it's accurate, given the latest blog was him dishing on Azure for control plane vulnerabilities.

KillHour
Oct 28, 2007



Friendly reminder that NSO Group made their own operating system that runs inside a loving image decoder.

Rufus Ping
Dec 27, 2006


I'm a Friend of Rodney Nano
Elaborate as that exploit was, that is a pretty misleading way to describe it

KillHour
Oct 28, 2007


It really isn't though. They used the fact that the image decoding instructions are Turing complete to build enough of an instruction set to load and run the exploit.

Potato Salad
Oct 23, 2014

nobody cares


Defenestrategy posted:

*crys in cmmc*

CFR 32 and 48 are still going to contain CMMC 2.0 by rule changes to be implemented by late 2023. Did you fall out of scope or something?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

typically people distinguish the operating system from the processor. what they constructed was a virtual CPU much more than an OS, which latter would typically manage resources and provide services to programs

BlankSystemDaemon
Mar 13, 2009

They made the equivalent of a limited service processor ISA using the primitives that're employed for image decoding - which is an impressive feat, but has little to nothing to do with an OS or general compute processors that most of us use day-to-day.

We've yet to see how they managed to escape the sandbox that all of this runs in, which itself is likely to be just as - if not more - interesting.

astral
Apr 26, 2004

If anyone uses DoorDash, I'd recommend not saving any payment methods, at least for now; it seems to be showing (if not fully making available) saved payment methods to people they do not belong to.

edit: If you've got one of those CC-promo dashpass subscriptions, I'm not sure how removing that works w.r.t. the promo; you might want to check that before removing it, if that matters to you.

Sickening
Jul 16, 2007

Black summer was the best summer.

astral posted:

If anyone uses DoorDash, I'd recommend not saving any payment methods, at least for now; it seems to be showing (if not fully making available) saved payment methods to people they do not belong to.

Any other details?

CLAM DOWN
Feb 13, 2007

astral posted:

If anyone uses DoorDash, I'd recommend not saving any payment methods, at least for now; it seems to be showing (if not fully making available) saved payment methods to people they do not belong to.

Well poo poo lol

CLAM DOWN
Feb 13, 2007

The app literally prevents you from deleting your saved default payment method. You must have 1 credit card saved on it. Massive lol and lmao


Garrand
Dec 28, 2012

Rhino, you did this to me!

CLAM DOWN posted:

The app literally prevents you from deleting your saved default payment method. You must have 1 credit card saved on it. Massive lol and lmao

I don't know about the app, but I just went to the actual site and deleted my only card attached (it was expired anyway).
