WEBVTT

00:00:00.892 --> 00:00:02.892
So that's personal firewalls.

00:00:02.892 --> 00:00:04.226
In my view,

00:00:04.226 --> 00:00:07.892
personal firewalls are in requirement 1 because it has the word firewall in it,

00:00:07.892 --> 00:00:11.178
because it feels to me like it's actually something about operating system

00:00:11.178 --> 00:00:15.892
configuration and would sit better in requirement 2.

00:00:15.892 --> 00:00:16.892
But look, gosh,

00:00:16.892 --> 00:00:20.892
they also strike me as a throwback to when if you plugged

00:00:20.892 --> 00:00:23.892
something into like even your home network,

00:00:23.892 --> 00:00:24.892
there was no firewall.

00:00:24.892 --> 00:00:27.226
Remember the days when we plugged everything straight into the internet,

00:00:27.226 --> 00:00:30.892
and we all got worms, which is why this requirement really came out,

00:00:30.892 --> 00:00:32.892
because of worming type of behaviors.

00:00:32.892 --> 00:00:36.892
So is this something I worry about,

00:00:36.892 --> 00:00:38.892
or can I just use what's in my operating system?

00:00:38.892 --> 00:00:43.074
You can use what's in the operating system or at the Windows

00:00:43.074 --> 00:00:46.892
or the macOS sort of provided firewall.

00:00:46.892 --> 00:00:50.892
The place I typically see this applied are for the administrators,

00:00:50.892 --> 00:00:54.892
the IT people that are remoting into the in-scope environment to do their jobs,

00:00:54.892 --> 00:00:56.892
the managing environment.

00:00:56.892 --> 00:01:00.226
And so this is protecting the environment from those

00:01:00.226 --> 00:01:04.892
workstations as maybe an attack entry point.

00:01:04.892 --> 00:01:08.892
And the particulars of the requirement say,

00:01:08.892 --> 00:01:09.178
one,

00:01:09.178 --> 00:01:12.092
that you configure the firewall rules according to some

00:01:12.092 --> 00:01:15.559
company-defined standards and that the employee is not able to

00:01:15.559 --> 00:01:17.892
alter or disable the functionality.

00:01:17.892 --> 00:01:21.792
And so if you can do that with the Windows firewall or with the

00:01:21.792 --> 00:01:24.267
macOS firewall or whatever the operating system is,

00:01:24.267 --> 00:01:26.892
then sure, you can absolutely use that.

00:01:26.892 --> 00:01:28.892
I just think we hit a non sequitur there.

00:01:28.892 --> 00:01:31.620
So if one of the real targets is the system

00:01:31.620 --> 00:01:33.892
administrator who might be remoting in,

00:01:33.892 --> 00:01:35.464
the system administrator is usually the person who could

00:01:35.464 --> 00:01:36.892
change the personal firewall settings.

00:01:36.892 --> 00:01:37.892
There is that.

00:01:37.892 --> 00:01:39.892
I'm glad you brought that up.

00:01:39.892 --> 00:01:46.392
What I've seen in that case is that sometimes you have these kind of

00:01:46.392 --> 00:01:47.892
non-overlapping administrative responsibilities.

00:01:47.892 --> 00:01:48.892
Yeah.

00:01:48.892 --> 00:01:49.892
But sometimes you don't,

00:01:49.892 --> 00:01:52.892
and the administrator is the administrator for everything,

00:01:52.892 --> 00:01:56.892
particularly in smaller organizations with fewer IT people.

00:01:56.892 --> 00:02:04.292
What we go for there is some sort of written policy saying as the

00:02:04.292 --> 00:02:07.892
administrator using your workstation to access this environment,

00:02:07.892 --> 00:02:10.892
you will insert these controls here.

00:02:10.892 --> 00:02:12.692
You will not monkey with them.

00:02:12.692 --> 00:02:13.892
Keep them in place.

00:02:13.892 --> 00:02:14.142
Obviously,

00:02:14.142 --> 00:02:18.892
you have the rights to do that because that's part of your job function,

00:02:18.892 --> 00:02:21.178
but don't kind of undo that while you're protecting your

00:02:21.178 --> 00:02:22.892
workstation in the course of this.

00:02:22.892 --> 00:02:25.892
And when you're assessing this, is this a sample control?

00:02:25.892 --> 00:02:29.892
Do you just pick random workstations and walk up to them?

00:02:29.892 --> 00:02:34.892
We pick workstations that are relevant,

00:02:34.892 --> 00:02:37.892
that have remote access into the environment.

00:02:37.892 --> 00:02:41.892
Or if there are workstations that are in the environment,

00:02:41.892 --> 00:02:43.892
like in a contact center or something like that,

00:02:43.892 --> 00:02:46.892
then we might grab those workstations.

00:02:46.892 --> 00:02:49.892
And yeah, we will sample them.

00:02:49.892 --> 00:02:51.892
Rather than kind of physically walking up to them,

00:02:51.892 --> 00:02:56.607
at least in most cases, we're looking at some sort of tool that,

00:02:56.607 --> 00:03:03.292
like the Active Directory domain policy application to individual

00:03:03.292 --> 00:03:06.892
computers house as a means of gathering that sample.

00:03:06.892 --> 00:03:07.892
But yes, we do sample it.

00:03:07.892 --> 00:03:08.292
So architecturally,

00:03:08.292 --> 00:03:12.392
I mean one of my questions always is, architecturally, is there something an

00:03:12.392 --> 00:03:14.892
organization can do to make this requirement easier to fulfill?

00:03:14.892 --> 00:03:15.892
Right.

00:03:15.892 --> 00:03:17.892
So some sort of central management over this.

00:03:17.892 --> 00:03:18.559
Yes, absolutely.

00:03:18.559 --> 00:03:18.892
Right.

00:03:18.892 --> 00:03:20.892
I think without the central management,

00:03:20.892 --> 00:03:24.892
you have a much harder time where the employee cannot

00:03:24.892 --> 00:03:25.892
disable or modify the function.

00:03:25.892 --> 00:03:29.892
So I suppose it's possible to do it without it,

00:03:29.892 --> 00:03:31.892
but it's much, much more challenging.

00:03:31.892 --> 00:03:35.892
And what barriers do organizations have to implementing this?

00:03:35.892 --> 00:03:42.892
It's usually just a question of kind of the effort and the setup of doing so.

00:03:42.892 --> 00:03:43.092
Again,

00:03:43.092 --> 00:03:45.392
particularly if you're relying on the operating system

00:03:45.392 --> 00:03:48.892
sort of brass tacks for the firewall,

00:03:48.892 --> 00:03:52.892
it's not like you have software infrastructure costs.

00:03:52.892 --> 00:03:57.392
So if you don't have this in place, it's,

00:03:57.392 --> 00:03:58.892
I'd say, again,

00:03:58.892 --> 00:04:04.892
relatively easy to deploy compared to some of the other requirements,

00:04:04.892 --> 00:04:13.892
but there are all kinds of organizations that have all kinds of challenges.
