InSIGHT is a cybersecurity podcast from Arctic Wolf geared towards the cyber insurance, legal, and incident response communities.
Hosted by Joseph Perry, Director of Education and David Kruse, Director of Insurance Alliances, the pair draw upon their years of experience within their insurance, cybersecurity, and incident response worlds to share their perspective on the major issues, trends, and events impacting business leaders and practitioners in these industries.
In the second episode of InSIGHT, the duo discuss the importance of the Center for Internet Security’s (CIS) critical security controls and share thoughts on the impact ChatGPT will have on the cybersecurity landscape.
Joseph Perry 0:04
Hello, and welcome back to InSIGHT, the only cybersecurity podcast in the entire world. My name is Joseph Berry, Director of Education at Arctic Wolf, bringing you a new edition of our podcast under our new name, Arctic Wolf Incident Response.
David Kruse 0:17
And my name is David Kruse, Director of Insurance Alliances for the same. We’re here to talk about the topics most important for people making business decisions about security, dive into subjects you’ve probably heard mentioned, but never heard explained in general make the world of InfoSec a little bit more comprehensible. We’re still providing best in class security and making sure you stay informed. But now we howl during our meetings.
Joseph Perry 0:39
That’s right. And today, we’re going to be howling about a hugely important topic, the Center for Internet Security’s Critical Security Controls. These are, as you probably imagine, a set of controls published by the Center for Internet Security, generally called CIS. We’ll also be talking a little bit about one of the latest advances in publicly available AI and what that might mean for AI or for security in general.
David Kruse 0:59
Well, I, for one, welcome our robot overlords. But we’ll get into that a little bit later. Now there are a lot of organizations trying to standardize security, build frameworks, and generally make it all makes sense. We talked about some of them in the last episode, what makes CIS different from say, ISO what we talked about last time, Joseph?
Joseph Perry 1:15
That’s a great question. And as you say, in the last episode, we talked about a few different organizations and systems and the purposes of each of them. For CIS, the main thing to bear in mind is that CIS is a community driven rather than politically driven, like ISO it’s about standards and ensuring a minimum of minimum level of performance, whereas CIS is about these best practices that are captured by the community offering roadmaps and guidance.
David Kruse 1:38
So CIS is more about learning to do the thing, while ISO is more about validating that you actually did the thing correctly.
Okay. That makes sense. You know, there’s a lot of standards and a lot of competing solutions in cybersecurity. But the hardest part is often just knowing where to begin.
Joseph Perry 1:55
It absolutely is. And that’s precisely what the CIS controls came about to solve.
David Kruse 1:58
All right, well, hey, that’s enough preamble. Joseph, tell us about the CIS critical security controls.
What Are the CIS Critical Security Controls?
Joseph Perry 2:02
Sure. So the CIS critical security controls are currently in their eighth version, which is separated into 18 specific controls governing everything from asset management to penetration testing.
David Kruse 2:13
18 is certainly a decent list. But that honestly seems too short to cover every relevant topic. There are billions of dollars of damage inflicted every month and solving that problem with an 18 point program. It just doesn’t sound very realistic.
Joseph Perry 2:27
Yeah, that’s absolutely true. And that’s because the controls are not a paint by the numbers security program. And to be honest, there’s no such thing and anyone who says differently is selling something to you. Instead, the controls provide a starting point around which a healthy security program can grow. Each of these topics can be and very often is the focus of one person’s entire career.
David Kruse 2:45
No kidding. Well. So instead of a checklist, the CIS controls are a jumping off point?
Well, given that all these topics are so deep, how can we really know where to begin diving in? After all different organizations are going to have dramatically different needs. And those needs are going to change over time as their security programs get more mature, and as their organizations grow?
Joseph Perry 3:04
That is absolutely true. And say yes, took that factor into account when they were developing these controls. So instead of it just being a list without differentiation of just control, one, control two, etc. The controls are broken out into safeguards, which are then categorized based on the implementation groups IGS, one through three, and each of those implementation groups builds on the one that came before.
David Kruse 3:23
So when you say that each level builds on the last, what we mean is that people in implementation, group three or IG3, are still going to be doing all the things in groups one and two, right?
Joseph Perry 3:33
Exactly IG1 is describing controls for a small to medium organization with limited technical expertise. IG2 is for organizations with dedicated IP and cybersecurity staff, usually a department and then IG3 is for the folks with a significant cybersecurity program with specialized components. And so IG3 is going to be doing everything that IG1 and IG2 do, just usually at a much bigger scale.
David Kruse 3:54
So those categories are interesting because you sort of expect cybersecurity programs to be grouped based on maybe the size of the organization they protect or the budget or the industry. And while that all that obviously does matter. But that isn’t how this is structured. Why is that?
Joseph Perry 4:10
There are a couple of reasons. The first is that cybersecurity budgeting isn’t a problem with a one size fits all kind of solution. If an organization is really small, but has a very skilled technical staff, it can probably accomplish the same goals with a smaller overall budget than a major enterprise with no dedicated security practitioners.
David Kruse 4:26
So a company with a huge budget allocated could still be in that IG1 territory.
Joseph Perry 4:32
Exactly. If they’re just starting out their cybersecurity journey, it doesn’t really matter how much money they have agreed to spend or plan to spend.
What really matters is understanding what the most important actions they can take are, as you want safeguards are going to focus on protecting business operations and employee data, things basically any organization needs IG2 begins to address issues that are going to come up and regulation and compliance and things that are going to need more of a specialized staff to manage.
And then IG3 is all about handling sophisticated attacks mitigating impact from unforeseen events and dealing with security automation, all of which can require significant technical skill on the part of your staff.
The Security Journey
David Kruse 5:06
So if an organization is just starting their security journey, but they also have regulatory obligations, that means they need to be pretty quick about moving through IG1 and IG2, hiring, training infrastructure. All those things take pretty significant amounts of time and money. How do they pull that off?
Joseph Perry 5:23
Well, as we mentioned, at the top of our show, we’re not just two buds making a podcast in our spare time, we are that but we’re also here on behalf of Arctic Wolf Networks on a mission to end cyber risk, which gives us the support and the resources we use to make the show in much the same way that it helps people answer the question you just asked, finding their way through this first steps of the security journey.
Everything from understanding your current security posture and vulnerabilities through building your program up to finding and neutralizing threats both before and after they materialize, all the while working with cyber insurance and privacy law to make sure everyone is protected.
David Kruse 5:53
That was a pretty slick ad break you managed to work in there, Joseph.
Joseph Perry 5:56
Thanks. It only took me four tries to write it.
David Kruse 6:00
Well, all right, leaving that aside, we’ve talked a bit today about the Center for Internet Security Critical Security Controls. In our next episode, we’ll dive into the first CIS control: inventory and control of enterprise assets. We’ll talk about the associated safeguards and break down how each implementation group should approach those safeguards. But for today, it’s time to get on to the news.
Joseph Perry 6:21
Oh, and what news it is. Those of you who follow AI news are probably aware that open AI fairly recently made their chat GPT model available to the public. This is the most sophisticated chatbot ever released for popular consumption. And it’s basically all the internet has been talking about in the weeks since it came out now
David Kruse 6:37
Now, as excited as I am to have a conversation with Skynet before we all get sent to work in the lithium mines. Why is this relevant to a security podcast?
Joseph Perry 6:46
Well, unlike a lot of chat bots, chat GPT has access to a truly massive amount of data. Open AI train the model using human feedback, a process known as RL HF, which allows us to better imitate human responses and produce more useful information. This is plugged into their proprietary training pipelines, which aren’t public knowledge, the details of them.
So as a result of that, GPT is able to do things like write and debug code, provide technical guidance and answer complex questions. It can even write stories and a lot of cases. So it’s not always right. Sometimes it’s even a little bit nonsensical, but it’s a tremendously powerful tool.
David Kruse 7:21
So if chat GPT can write a debug code, and we know that malware is computer code can chat GBT write malware?
Joseph Perry 7:29
There are some security measures in place that are designed to prevent that from happening. But the answer is just yes. In fact, Dr. Seyfried Rastoffer a German security researcher posted screenshots to LinkedIn a little while back, a week ago, I think now displaying basically how he had manipulated chat GPT into writing ransomware, despite that being a specifically disallowed task.
David Kruse 7:50
So if it’s not allowed, how did he do it?
Joseph Perry 7:54
Yeah, so the thing to remember about these massive models is these AI models are just black boxes, very few people understand the technology and a tiny fraction of those people can actually follow the math. So as a result of that, it’s not really possible to say that any given model is definitely safe, or any given action is definitely not allowed.
So while the actual word ransomware was flagged, but that doctor Rastoffer did was just asked GPT to do each of the individual ransomware tasks, find all the files on a directory, exfiltrate all the files on a directory, and encrypt all the files on a directory. Without the greater context. This was ransomware? The bot was very happy to oblige.
David Kruse 8:29
So this is kind of simultaneously a problem with AI being too smart. It can write functional malicious code, and also not smart enough, it can’t recognize when a request is trying to bypass its internal restrictions.
Joseph Perry 8:41
Yeah, and so attackers might be able to use chat GPT or models like it, to scan large code bases for vulnerabilities to productize those vulnerabilities and then to publish exploits all without any real technical knowledge of their own.
Well, that sounds pretty apocalyptic.
It is and it isn’t at the moment the model is proprietary, so it’s it’s also tremendously expensive. And so it’s probably too expensive for most cyber criminals to try and build their own. And as security researchers keep issuing reports about the problems that they’re finding like Dr. Rastoffer did, as long as that’s being ethically disclosed, open AI has the opportunity to build better safeguards. But yeah, it is only a matter of time before AI vulnerability discovery bots are just the norm in cybersecurity and cybercrime.
David Kruse 9:22
Well on that not at all terrifying note, Joseph, we’ve reached the end of today’s episode. Next time we’ll dive into the first CIS control set and learn about asset inventory. So until then, I’ve been David Kruse,
And I’ve been Joseph Perry.
And this has been Insight from Arctic Wolf.