WEBVTT

00:00:00.844 --> 00:00:04.844
Can I run an argument that was put to me when I was looking at this?

00:00:04.844 --> 00:00:08.844
Someone said, look, when people remote in, they fire up the VPN.

00:00:08.844 --> 00:00:12.844
So they have a local VPN client on their workstation.

00:00:12.844 --> 00:00:15.544
That VPN client then means that all IP traffic

00:00:15.544 --> 00:00:17.644
travels through our corporate network, and therefore,

00:00:17.644 --> 00:00:20.844
they're basically firewalls on our corporate network.

00:00:20.844 --> 00:00:23.844
And I was saying, yeah, but when they're off the VPN,

00:00:23.844 --> 00:00:26.844
they're on whatever network they're on.

00:00:26.844 --> 00:00:28.844
Can you turn it on without the VPN on?

00:00:28.844 --> 00:00:29.844
And the answer is yes.

00:00:29.844 --> 00:00:31.844
So do they still need a personal firewall then?

00:00:31.844 --> 00:00:38.844
So if they, when they're disconnected from that VPN, are,

00:00:38.844 --> 00:00:42.844
for lack of a better term, unprotected, right,

00:00:42.844 --> 00:00:47.177
such that they may be exposed to malware or keystroke capture,

00:00:47.177 --> 00:00:48.066
or attacks,

00:00:48.066 --> 00:00:51.094
or things like that that then would be effective

00:00:51.094 --> 00:00:54.844
when they are connected to the VPN, then I would say,

00:00:54.844 --> 00:00:56.844
no, that's not sufficient.

00:00:56.844 --> 00:01:02.344
If there's some sort of tool that then maybe checks for

00:01:02.344 --> 00:01:06.415
that kind of malware or does some sort of posture

00:01:06.415 --> 00:01:10.844
evaluation and then flags any concerns,

00:01:10.844 --> 00:01:12.844
that could potentially be a compensating control.

00:01:12.844 --> 00:01:14.844
You evaluate it on its merits, right,

00:01:14.844 --> 00:01:19.129
on the rigor of that examination to say okay,

00:01:19.129 --> 00:01:23.844
when it does connect, we make sure that the machine is --- The posture is good.

00:01:23.844 --> 00:01:24.844
Yeah, is clean, right?

00:01:24.844 --> 00:01:28.844
And then if that's sufficient, that's got merit.

00:01:28.844 --> 00:01:29.844
So you could use NAC basically.

00:01:29.844 --> 00:01:30.844
Conceivably.

00:01:30.844 --> 00:01:31.844
So network access control.

00:01:31.844 --> 00:01:34.844
Checks the posture, make sure the firewall is set,

00:01:34.844 --> 00:01:36.844
make sure the firewall is not disabled,

00:01:36.844 --> 00:01:38.844
make sure that traffic can only go down the VPN,

00:01:38.844 --> 00:01:43.558
and you've got the same functional requirement of that box can't be

00:01:43.558 --> 00:01:44.844
attacked when it's plugged into any old network.

00:01:44.844 --> 00:01:45.844
Right.

00:01:45.844 --> 00:01:49.844
Yeah, I mean I know my work laptop, when I plug it in, it does nothing.

00:01:49.844 --> 00:01:51.844
The first thing it does is it fires up the VPN,

00:01:51.844 --> 00:01:54.558
and it connects me to the corporate network because it's never on my local

00:01:54.558 --> 00:01:57.844
network apart from a few seconds to pick up the Wi-Fi basically.

00:01:57.844 --> 00:01:58.844
Right.

00:01:58.844 --> 00:02:02.844
I've not tried attacking it obviously because my life is too short to do that,

00:02:02.844 --> 00:02:03.677
but that type of thing,

00:02:03.677 --> 00:02:06.844
and now I know it's reporting back that it's configured properly.

00:02:06.844 --> 00:02:07.177
Sure.

00:02:07.177 --> 00:02:10.844
And that brings up the point that maybe that's an interesting

00:02:10.844 --> 00:02:15.094
sort of candidate for a scenario in the penetration test is not

00:02:15.094 --> 00:02:18.510
just testing the sort of endpoint with all the servers and the

00:02:18.510 --> 00:02:19.844
card data and whatnot,

00:02:19.844 --> 00:02:25.177
but can you attack one of these administrator or workstations,

00:02:25.177 --> 00:02:25.844
right?

00:02:25.844 --> 00:02:27.844
Particularly if there's some sort of situation like that,

00:02:27.844 --> 00:02:31.844
is that effective against an attacker?

00:02:31.844 --> 00:02:32.219
Yeah.

00:02:32.219 --> 00:02:35.844
So, and this is something where DSS gets really interesting.

00:02:35.844 --> 00:02:38.844
Because if you look at the intent of the standard, it's to keep you secure.

00:02:38.844 --> 00:02:39.844
Right.

00:02:39.844 --> 00:02:43.844
But I would imagine the, you know, if you said to an organization,

00:02:43.844 --> 00:02:48.844
oh, in segmentation scoping I want you to pen test my admin workstations,

00:02:48.844 --> 00:02:51.844
you and I would agree that was a great security thing to do,

00:02:51.844 --> 00:02:55.844
but does someone want to pay for that as part of their assessment?

00:02:55.844 --> 00:02:58.677
Well, I mean nobody wants to pay for any part of this,

00:02:58.677 --> 00:03:03.844
right, and so at the risk of maybe jumping ahead,

00:03:03.844 --> 00:03:06.844
when we talk about segmentation testing,

00:03:06.844 --> 00:03:12.344
I think it's important to work with the pen tester and the organization to

00:03:12.344 --> 00:03:15.844
devise what the appropriate segmentation testing scenarios are.

00:03:15.844 --> 00:03:19.844
So let's put personal firewalls and segmentation testing on

00:03:19.844 --> 00:03:22.844
our requirement 11 things to talk about.

00:03:22.844 --> 00:03:24.344
Agreed.

00:03:24.344 --> 00:03:25.844
Great.
