Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

03-24-22_Deep Diving into Bidens Warnings Against Cyber Warfare Tactics

March 30, 2022 Petronella Cybersecurity

In today's episode, the PTG team breaks down, step-by-step, the safeguards recommended by the White House in their special announcement, released on Monday, March 21, 2022, entitled, "Statement by President Biden on our Nation’s Cybersecurity," as well as the accompanying "FACT SHEET: Act Now to Protect Against Potential Cyberattacks" in which the Biden Administration gives Americans guidance on hardening your cyber defenses to protect against a looming cyberwar with Russia.

Political differences aside, the White House gives US citizens (mostly) great advice (with just a few caveats).  Listen now to find out what steps YOU can take to secure your home and your business.

Today's Links: 

  • STATEMENT: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/
  • FACT SHEET: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/

Host: Craig
Co-Hosts: BJ & Erin




Erin:

Hi listeners. It's Erin from PTG. Unfortunately, we lost quite a bit of our audio for about the first third or so of this stream. So if you would like to hear the full stream, feel free to check it out on any of the PTG social media platforms: YouTube, Facebook, LinkedIn, Twitter. But to catch you up, we are discussing the warnings that the Biden administration put out on Monday, along with the list of urgent cyber recommendations that they gave, in which the administration urges companies to execute the following steps with urgency. 1. Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get into your system. 2. Deploy modern security tools on your computers and devices to continuously look for and mitigate threats. 3. Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors. 4. Back up your data and ensure you have offline backups beyond the reach of malicious actors. 5. Run exercises and drill your emergency plans so that you're prepared to respond quickly to minimize the impact of any attack. 6. Encrypt your data so it cannot be used even if it's stolen. 7. Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly. And 8. Finally, engage proactively with your local FBI field office or CISA regional office to establish relationships in advance of any cyber incidents. Please encourage your IT and security leadership to visit the websites of CISA and the FBI, where they will find technical information and other useful resources. Okay. So that's what we're going to be discussing in this podcast. And we also have the links listed in the description.
So feel free to check it out and follow along. And now, without further ado, here is the rest of our podcast...

Craig:

Like I said, with the cookies, you definitely don't want to make things easier, but I think the reality is that a lot of people just don't have a good grasp and good visibility into the current state of their endpoints, and whether they truly are secure or not, which is why we keep saying to go do these risk assessments and leverage technology like XDR and these other layers to make sure you do get a better grasp of that. But yeah, definitely take this order from Biden as a wake-up call.

BJ:

Let's just dig a little deeper, and full disclosure from us: yeah, we're a cybersecurity company and we're here if you want to get ahold of a cybersecurity professional. Monetary gain is not our motivation. Like, we all expect to be rich off crypto by next month, so we're not worried about that, but we really do want to help secure the nation, because all of our children and loved ones live here. So this is very personal for us. And that's a true statement. And so this is alarming to me when I read this, because in the list of recommendations that they're giving, number one is MFA. And then they say to use modern cyber tools and contact a cyber professional, but here's why a cyber professional is so important, and why it made that list: because who really is equipped to deal with something like this? It says CISA verified that the threat actors successfully signed into one user's account with proper multi-factor authentication. In this case, CISA believes the threat actors may have used browser cookies to defeat MFA with a pass-the-cookie attack. Okay. So if the number one recommendation is MFA, but pass-the-cookie attacks can defeat MFA, this is also so complicated, and it's also serious because our lives have now become attached to the cyber realm. This is just really serious. Now, in the example that we talked about the other day, we were just talking about one music service, Spotify. But just as an example, and this is just one example to put it in a proper reference for people, in their section I was reading through about cookies, I learned a lot about cookies that I didn't know. There's all different types of cookies and levels of cookies and things that cookies do. And I guess if we were to look at this on a whiteboard and count the cookies, and then knowing that there's possibly cookie attacks, this is really something that people really need help with.

Craig:

Yeah. Obviously we're talking about Biden's recommendations on this bulleted list of things to do. And we'll zero in a little deeper on the multi-factor, MFA. We've talked about MFA a lot in previous episodes, but one of the things that I recommended is to avoid MFA with what's called an SMS text message, because of a SIM swap attack. So you definitely want to try to use Google or Microsoft Authenticator when using MFA. But with the example that BJ just gave, if you use Authenticator with Google, but you check the box to say, look, don't prompt me or authenticate me, or don't bother me for 30 days, now that cookie's on your system, and that's how they can bypass even the authenticator type solutions, because you're giving authorization to circumvent the prompt to authenticate by allowing the usage of a cookie. But you're also saying that you've done the due diligence and you're confident that your system is safe and secure and not breached in any way. So that's why I recommend you not check that box, so that you could harden your system a little bit, and then obviously do the scans and do the other work to make sure. But try to use that Google Authenticator or Microsoft Authenticator with as many different types of solutions and websites as you can, because that's much more secure than SMS text.

Erin:

I was thinking too, one thing that this fact sheet really highlights is another thing that we've been repeating over and over again, which is just how important it is to layer your cybersecurity. So like BJ mentioned, somebody was able to get in with the MFA. Okay, great. But if you have something like XDR or even a good antivirus or something, it's not going to catch everything, but it'll help. Even if it does get past this initial layer of defense, if you have multiple layers, it's going to stop them at the next gate, basically. It's like having multiple protections; it's just more gates that people have to pass through or more locks they have to unlock.

BJ:

That's such a good point, Erin. I like to mention something that's very cutting edge in each of our podcasts, just as food for thought. But yesterday we were talking about the breakthrough that Microsoft had with topological qubits, and the science of topological qubits is like a braided, like a woven design. And it's the same concept as what we're talking about right now. There's such an effectiveness when you have that type of a design, because it's just like a shield almost, and then in topological qubits, quantum information can be stored there. And from a cybersecurity perspective, your security is woven. And that XDR layer, the reason that it is so critical is because you have that X factor that no one can really define or properly measure. There is no accurate system of metrology when it comes to machine learning, because it's a huge question mark. And we just don't know the potential, but if you have something that has a neural network, and it has the ability to learn from a machine learning perspective, like an XDR tool on your network, it's going to learn what's normal for your network. I can see that with my smart home. It's started to change how it interacts with me, because it's learned what's normal for my home, what sounds are normal and things like that, because I have the settings turned up to pay attention all the time. So it alerts me if there's a cough or just things like that with presence sensing, and it is learning; it's learning what's normal for me. And the same thing goes with the XDR tool: what's normal for your network. So although it's not coded with a programming language to look for everything, because we don't know every threat yet, it does have the ability to learn what's normal on your network. And then when something out of place happens, even if it's not coded to look for that specifically, it can still see a pattern of something unusual. And that's where this thing can really be effective for people.

Craig:

Yeah, I think that's well said. I think the other thing is that even with these bulleted lists here, you have to really put in multiple layers at each bullet too, because I think, BJ, a lot of people don't have that figured out as far as what is the visibility, what is normal for their network, because they don't have some of these technologies. So I think the first step is you've got to start somewhere, right? So let's start with the risk assessment, go through and figure out your gaps, adopt some of these technologies, modern solutions like XDR, EDR, things that are above and beyond traditional antivirus and firewalls. Like I said, with the MFA, you want to make sure that the password is not a breached password too. So you need to use a complex, secure password. And we talked about that a lot of times, as far as using password managers and the reasons why we recommend them, especially a reputable one, and then pairing the password manager with another layer, which is typically a hardware token. So you have to assume the worst, right? And you have to assume that, okay, they got my password, but you as the consumer or the business owner can take that power into your own hands and come up with some type of policy for yourself, or practice, where I'm going to change my password every month, or whatever frequency. Obviously more often is best, but too frequent can be annoying too. So you've got to come up with that delicate balance is my point. I think a lot of people are still using breached passwords. So obviously change your passwords, but then, going another step: what if you have a keylogger on your system? We've talked about the importance of keystroke encryption, so you should have a keystroke encryption solution on your device, because if you've got malware, a keylogger, on your system and you go change your password, if the keylogger's exfiltrating that information, guess what, the bad actors have that too. So you want to try to make this as hard as possible.
Adopt the keystroke encryption first, then change your passwords after that layer's in place, and then do your MFA. So you have these different layers at each of these bullet points, and it's the same thing with the modern tools and technology. Most people listening probably know what antivirus is. There are different levels of antivirus. But don't trust just one vendor and one level on your systems. When we protect our companies, we use over 59 different vendor filters. We don't trust one company and say, oh, it said it's clean. We look at as many as possible. So on email filtering alone, we're looking at 59 different vendors.

BJ:

With every vendor and every piece of technology, you have to assume, just from a scientific perspective, that the law of averages says that there's going to be a certain degree of.

Craig:

Yeah, that's what I'm saying. When you get a pen test done, for example, that pen tester might use a certain set of tools. Another pen tester might have a different methodology and use different tools, and that's why it's always important to have different perspectives and to use different tools and different people and different methodologies, because different people and different tools will find different things, and the reports will never, ever be the same.

BJ:

That's such a good point you make, because again, in complete agreement with what Biden is saying, you have to use MFA. That's not a catch-all, but it's very helpful. And then use the most modern cybersecurity tools, because again, one of the things they specifically say in this report that CISA says is paramount is to first establish a baseline. Now, when you're trying to establish a baseline in anything, mathematics, physics, cybersecurity, stock market charts, when you're trying to establish a baseline, you want to gather as much data as possible and then look for patterns. And that's something that a human mind is not capable of doing at this point as well as an algorithm can do. Why are so many crypto traders successful? Because of algorithms, right? That can establish baselines, and they can establish patterns, and they can see patterns and predict trends. And so that's where these modern tools he's talking about, while he's not naming the tools specifically, that's where these tools really shine, because you may not be able to establish a baseline. How can you gather enough data and know what patterns to look for at such a base level of telemetry, going so deep into the network and into all the IoT connected devices? Good luck establishing an accurate baseline with the help of modern tools.

Craig:

Yeah, that's good, but I think that the order of these bullets is a little bit off as well. For example, if you do the MFA first, and then you deploy these tools, and then you check with your cyber professional, and then you back up your data, that's not necessarily the best order. So obviously back up your data first. And when you back up your data, don't rely on one vendor; use multiple vendors, and maybe take the data into your own hands and buy an external hard drive and back up yourself, so you have the data tangibly in your hands. And then after you back up, then patch your systems, because patches, guess what? They crash things sometimes, and they don't work. You don't want to back up at layer five of this bulleted list, or number four of this list, and then you're screwed after you just patched, and people will say, I followed the Biden tool. You know what I mean?

BJ:

Craig, are you saying that, for example, if you're trying to build a pyramid, don't put the capstone at the bottom?

Craig:

But what I'm saying is, while these are great recommendations and I agree with them, the order of them is important. And I don't agree with the order, is my point. And that's why, really, if you want to get this done in the right way, you should really call a cyber professional first and then come up with a game plan. And your next thing to do would probably be to back up everything, get that foundation. But I wouldn't do it necessarily in the order that's given here on this website.

BJ:

And that makes a big difference. If you build this cyber structure based off the order listed versus the order that you're suggesting, you're going to have two different end results.

Erin:

Yeah. And one thing to think about too is that if you contact a cybersecurity expert, people are probably afraid they're going to spend a lot of money, but you're actually probably going to end up saving money by calling a cybersecurity expert, because, us, for example, we vet all of the solutions that we give. You don't want to waste your time throwing spaghetti at the wall, waiting for something to stick. You're just wasting money.

Craig:

You're absolutely right. And that conversation or that process could be priceless, because if you hire that expert and they uncover issues, maybe you say, well, I already backed up. I've talked about this many times too. People think that, and they might've bought software, they might've done something, but they never thought to test the backup. And we always recommend drills and testing. And you may discover, oh, I backed up some stuff, but I didn't back up everything that I need. Or maybe you forgot about your website and you didn't back up your website. There's all these different things that are part of your company, if you're a business owner, or even at home; people forget to back up their kids' photos, or they thought they had them backed up, but they didn't. Or they assume that Dropbox or whatever program they were using was doing the backup, and then, guess what, maybe an update came out and it broke that, and they didn't think to check it. And then before you know it, and this is a true story, this has happened many times before, we were hired to recover data. And data recovery, folks, is super expensive, and people will often say to me, I just need that one folder or that one file. It doesn't work that way; it's all or nothing. With data recovery, you have to literally bring that hard drive, you have to take everything apart, bring that hard drive into a clean room. You have to assess the situation, see why the hard drive failed or crashed. Then you have to repair it, all assessments in a clean room environment, because if one little dust bunny gets on there, then the whole thing goes south. My point is that you can't just get that one file. So avoid that whole costly process and back up the right way.

BJ:

And look, here's something for people to consider: this announcement by Biden is relevant to the situation because of the Ukraine crisis putting us at elevated risk of cyber attack by foreign threats. But as we know, as Erin says, an ounce of prevention is worth a pound of cure. Right now, listen. I don't think people understand the degree that quantum computing is taking off at. This is one of the most explosive industries right now. And there's literally $21 billion being funneled into it by all these assortments of companies. Here's the problem, right? Quantum computers are going to be available, and they already are to a certain extent. They're not ready to just be fully functional yet, but for set purposes, they can be used already. And they're advancing so quickly. Now, when it comes to cybersecurity, if you have bad actors with a quantum computer in their hand that they try to use just for the sole purpose of doing certain things on your network, these layers are critical now. And here's why. I was watching a video last night from this company called D-Wave, and they merged classical computers with quantum computers to perform certain functions. And I was talking to my lovely chatbot about this, and her comment was, oh, I love quantum tunneling. And I'm like, what does she mean by that? So I look up quantum tunneling, just for the official definition, to try to decide what is this. And it's basically about wavelengths getting through barriers, right? And these systems are already happening. You can use these systems already. You can pay the companies and you can use their quantum systems, so people can get these in their hands. And then when you have them trying to do very sophisticated attacks against you, right, a layered approach to cybersecurity is going to be your only shield. Put your shields up. Now, this quantum computing thing is taking off. Put your shields up now. Don't wait. Don't wait until it's too.

Craig:

Yeah, definitely do the drills too. One of the bullets says to run exercises and drill your emergency plan so you're prepared to respond quickly. But it's just the same thing with the backups. You've got to drill your backup. You've got to drill what happens in a ransomware attack. Have you done a ransomware simulation to see what happens? How does that impact you? How does that impact your work? How does that impact your employees? Have you ever done what's called an incident response tabletop exercise, and gone through your incident response plan and your disaster recovery plan? All of these things go back to policies, and if you don't have policies for all these things, guess what, you need to start somewhere, right? So you need to start writing the policies, and then you need to adapt the policy to the controls and tailor them to your environment. This will happen to you one day. This will happen. You have to do the preparation now, because if you don't do anything and you just ignore it, the pain level is going to be so high. And I've talked about this before. Sadly, for businesses that go through it, the stats are millions of dollars in damages, which most small businesses can't afford. So they just go out of business. And I'm not saying that to be a fearmonger; I'm saying that's the reality of the world that we live in right now.

BJ:

These threats are escalating, guys. They're not getting any less; they're escalating. And as the equipment and the technology and the science behind computing gets more advanced, the threat level increases in tandem, and sometimes even exponentially. And before we close, Craig, maybe you can give a tidbit of advice to people, because one of the things I'm seeing as a theme here in this CISA report is a major problem with hackers exploiting mail forwarding rules. And you don't hear much about that, but CISA seems to be really drilling this as a problem. And they're saying that sometimes they even recommend turning forwarding rules off, because they're getting access and they're forwarding your emails on their own. So what advice would you give people in that realm?

Craig:

Maybe you remember an incident where we were hired to do forensics for what's called business email compromise, BEC. So what happened was, the victim was a business, and they were breached by a phishing email. And what the attacker did was they tricked the user into providing their login credentials. In this case, it was to Google G Suite, and they set up a page that looked like it came from Google. They tricked the user into logging in; it was not real. So they gave their credentials to the bad actor. It did not throw any red alarms or anything. The bad actors came in. They set up forwarding rules in the Gmail account and the G Suite to forward all the communications to their email. So they were reading all the emails for months. And that's what they're talking about. So there's forwarding rules that are on all different systems: Microsoft Office 365, Google G Suite, et cetera. So you have to, number one, obviously make sure MFA is enabled, so that if they trick you into giving over your credentials, at least you have the MFA layer. But it goes back to training, obviously: train and test yourself and your staff, and go through the drills of training and attestation and certificates of completion. But the forwarding rules will allow anyone that successfully authenticates to spy on all your email communications. And this could be done on just your email, or whoever can spider out into the rest of the company. That's how these bad actors gather all this information and a treasure trove of intellectual property. And it becomes a nightmare.

Erin:

Out of curiosity, when that happens, is that going to be in a received folder or in the sent folder?

Craig:

Not necessarily, so rules could be set to cover tracks. And in this case, they were set to cover their tracks. No, it wouldn't be in the sent folder. It basically was at a higher level, where any mails that were coming in were immediately forwarded to another address, but they weren't in the sent folder, because it wasn't really a sent email from that user.

BJ:

CISA is saying here, too, that they're using mail forward rule creation to send your emails, especially with certain keywords, like financial keywords and stuff. It says here that they're forwarding messages received by the users, specifically messages with certain phishing-related keywords, to the legitimate users' Really Simple Syndication, RSS, feeds or RSS subscriptions folder, in an effort to prevent warnings from being seen by the legitimate users.

Craig:

And this is why it's important to use encrypted email too. If you've got vendors that you do business with, and maybe you have to do wire transfers or move money and stuff like that, you can set what's called trusted circles. That's another layer of security, right? Another force field, so to speak, but they're not going to get in through that with a phishing email. So you have a trusted circle of only your vendors, and then only those communications go back and forth. And then you also have the encryption layer that further protects you. It's all about the layers.

BJ:

Yup. It's about the layers, and knowing, like that old saying that Socrates said, know thyself, and it really relates to cybersecurity: know thy network. And establish your baseline, because unless you can measure something, you can't improve upon it. If I want to lose weight, I need to know where I'm at today so that I can set my goals. So know your network, just know your network, and then start to improve upon it, but establish your baseline.

Erin:

Yeah. Knowledge is power.

BJ:

It truly is. Yeah. It's actionable intelligence. Knowledge is actionable intelligence, and that's where you can actually create change with it.

Erin:

Going back to the layers, I keep thinking of a fortress, a castle. One thing to think about: if you only have one layer, let's say you have a moat around your castle, but you don't have a military or army to back it up. If somebody gets past that moat, they're going to be able to get in, right? But if you have that moat, and you have a tall wall, and you have an army, and you have cannons, all these extra layers, even if they do get past the first layer or whatever, you're going to have backups. So it's important to think about what could happen, and then find a solution to whatever could happen.

Craig:

That's why those drills and exercises are so important that I was saying, with the incident response and disaster recovery, the tabletop exercises, because you have to think about it, and you don't just do it one time. You do it from different perspectives and scenarios. Okay, so let's say you're using Microsoft, and using Microsoft OneDrive, for example, and maybe you use that for business. And that comes with Office 365. Okay. That's great. But did you know that they're not responsible for data? Did you know that OneDrive is not backing you up? A lot of people don't know that, and it's not just Microsoft. All the big providers typically hold themselves harmless in their terms and conditions, where they say, look, we're not responsible for your data. That's on you. How many listeners out there are using Microsoft or Google or Amazon or different products that are out there off the shelf, but then assuming in their brain, oh, that big company's backing up? No, you have to take that upon yourself. And if you're not taking those layers upon you, when they get hacked, because they do, the big ones get hacked too. The big myth was only the big ones get hacked. That's not true, but my point is, assume the worst and go through that exercise. Assume that Microsoft's hacked, assume you can't log in. What do you do? How do you get your data? What other redundancies do you have in place? And then you have to assume that, okay, I have this extra redundancy, I'm going to use this system to back up. Then you have to keep doing that in your company and keep checking all these different layers, like Erin was saying with the moat and the cannons and all these different layers. Try to find those single points of failure and eliminate them.

Erin:

Yeah. Another thing that I thought was really noteworthy about that: people are doing that for CMMC, NIST, DFARS, all that, but they don't even encrypt anything. Do they?

Craig:

GCC High does have encryption. It's not the strongest end-to-end encryption, but it does leverage encryption. But there's limitations to the GCC High platform, where if you're not part of the ecosystem, it doesn't work. Both sides have to be part of the ecosystem, and the usability or the workflow may or may not work for certain companies, because that's a pretty tight loop there. There's always the right tool for the job, so to speak. In my opinion, GCC High is an inexpensive solution for most companies; for really large companies, maybe it's a good fit. But for anybody dealing with sensitive information, you cannot use any kind of commercial product unless it's been security hardened specifically. Amazon's world and Google's world, everything. Amazon has GovCloud; you have to use GovCloud. If you're dealing with sensitive, in this case, say, CMMC CUI information, you can't use just regular Amazon. You have to use the GovCloud platform. And it's the same with Microsoft. GCC High is their hardened, more secure offering; the commercial products like Microsoft Teams and Microsoft Office 365 commercial, those are not compliant. So a lot of people don't know that either. And then, guess what, there's no migration path. So you've got to build and architect a whole new solution in that more secure environment.

BJ:

Yeah. And if you're out there and you feel lost in a sea of all this, because it's a lot of stuff, a good starting point just might be a pen test, because when you do a pen test, that's invaluable information. You're literally engaging people that have the same level of expertise, if not higher, than the bad guys, that can poke around in your network and your devices and see what they uncover, because it's just a lot more fruitful if you know your vulnerabilities and you can patch them before someone else finds them.

Erin:

Yeah. And I think maybe we can get more into that tomorrow. I think that would be a great topic, because I think a lot of people don't necessarily see the value in a pen test or an assessment.

BJ:

We've done pen tests against, we won't name any names obviously, but very large financial institutions that have a big presence in a certain geographical area. And pages and pages and pages of vulnerabilities that we discovered. This is high-tech equipment, a huge IT department, a whole cyber department, and pages of vulnerabilities we delivered to them. So this is the state of. There's no price tag that you can put on proper preparation. But to end on a good note, this is a lot of stuff, and it's a lot to worry about, but the bright side is that anything you go through that's difficult can yield really good, positive outcomes. You hear lots of people talking about the rise of AI and this metaverse and virtual reality. And if you really think about it along those lines, we're heading in that direction. The cyber realm is their space, right? And so doing your due diligence to take your area of cyberspace seriously and secure it, I would assume that when you form that shield, if you tighten that shield enough and harden your security enough, eventually that shield might look more like a spark from the distance, and you might position yourself in a very good way. So it's just a really good idea to take cybersecurity seriously, because it's not just you that depends on the security of your network.

Erin:

And speaking of the pen test and the assessment and things like that. You're saying that you can't put a price tag on it, but also going back to what I was saying before, if you do a pen test, contacting a cyber security specialist before you implement a whole bunch of things that are incorrect. It's the same thing with an assessment, it's just like going to the doctor and getting a physical before you come up with a solution, right? Because you don't necessarily know what's wrong until you get an overview of everything, and knowing where your vulnerabilities are, that's a great place to start. What's the first step in the scientific process? Identifying the problem, right? So you have to do some discovery to identify where exactly you need to harden your security. And I think that's also important, and that's something that people miss a lot.

BJ:

And I think even before step one of that scientific process of identifying the problem, I'd say there's a step zero, and that's just observe. For how many years have we been using the internet? And we've really not paid any attention from a perspective of hygiene and keeping it in a good state, in a pristine state. So now it's time to really observe, turn around and look into your network and the background of your network and observe it. Start to pay attention to it and establish your baseline and have a starting point, but we really need to start paying attention to these topics. They've been under the rug and on the back burner for too long. And it's part of the reason why we're in this situation.

Craig:

Yeah, one of the last things I'll say before we end for the day is, sometimes I'll get customers or potential prospects that tell me, Craig, I've been running my business for 25 years and I've never been. That's the biggest myth in the book too. The reality is you probably were hacked. You just don't know that you've been hacked, because listen, not all hackers do damage or reveal themselves. They don't always throw a red flag and show you, oh, look, you've been hacked, we dropped ransomware. Some hackers are looking to steal data. They could have stolen the data years ago. You could have been breached several times over, or you can still be. And if you don't have the technology and the expertise in place at the human layer around people, process and technology, you've already been pwned. You've already been hacked.

BJ:

Hackers are layered as well. Depending on the group or the individual you're dealing with, they have different priorities and different goals. And some of them want notoriety and want to do destruction. And some of them just want to be stealthy. They want to never be found out. They want you to never know what they did so they can come back again. And again. And where you say you've never been hacked, you may just be hacked so consistently that it just seems normal to you. You don't know what's going on, so you have to observe your background and establish your baseline.

Craig:

If you've been hacked and you have been a victim of ransomware, there is a high probability that you'll get hacked again, because hackers do go back and see if there's been a change in security. And we've been hired several times by customers that called us for incident response, to help them. They don't listen to the recommendations and do nothing. And they just go about their business because they think it's too expensive or too intense for them. And they get hacked.

BJ:

Yeah. Hey, with power comes responsibility, right? And the internet is a sea of potential, but if you're not paying attention to it and taking care of it, you can quickly become assessable.

Craig:

Yup.

Erin:

And I'll leave on this. This is one of my all time favorite quotes. I think it's a good one. It's actually by Robert Mueller, the old head of the FBI. He says there are only two types of companies. And this is years ago that he said this, there's only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.

BJ:

It's the state of things, but it's okay. It doesn't have to be a bad thing. We just know that now we have to increase our level of diligence and responsibility in regards to being users of the internet.

Craig:

Yep.

Erin:

Exactly.

Craig:

All right, guys. Thank you. Tune in tomorrow for another episode.

Erin:

All right. See you.

Craig:

All right. Take care.