Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

PTG Podcast 12-16-20 with Craig Petronella of Petronella Cybersecurity and Digital Forensics and Expert Data Privacy Attorney Lisa Shasteen discuss the latest breach with FireEye, breach of several government systems, HIPAA Compliance, CMMC, Cybersecurity

December 16, 2020 Craig Petronella


Announcer:

You're listening to cybersecurity and compliance with Craig Petronella. Visit us online at Petronellatech.com.

Craig Petronella:

Welcome, Lisa. Please, introduce yourself.

Lisa Shasteen:

Sure. My name is Lisa Shasteen. I'm a cybersecurity and data privacy attorney.

Craig Petronella:

Awesome. Glad to have you. So, hot topics. Today we're talking about the SolarWinds hack. Some have coined it as one of the worst hacks in history for the United States government.

Lisa Shasteen:

Yeah, and so many others.

Craig Petronella:

What happened? Basically, from what I've read, it seems like it was trickery. In this case, SolarWinds: there was social engineering involved with a patch, or a malicious piece of code that got put into a patch for the Orion agent from SolarWinds, which is used by many federal defense contractors and other parts of the government. Is that your stance, too?

Lisa Shasteen:

That's what I hear. And the big scary thing is that they can get around multi-factor authentication, and they can get into your networks and go deep without any problem whatsoever.

Craig Petronella:

Scary stuff. So, this goes back to assessing who you do business with, knowing your customer. In this context, I bet a lot of managed service providers are also using SolarWinds. We used to use them a long time ago. We don't use them anymore, thankfully. But the reality is that many folks put a lot of trust in their vendors. They put too much trust in the assumption that patches coming from the trusted vendors in their circle are legit. What could be done to mitigate that risk? I know a lot of companies used to use MD5 hashing technologies and things like that. What happened to that?

Lisa Shasteen:

Yeah, if you're still using MD5, please, don't call me. That's a frightening thing. I think the story here is you would think that if it's good enough for the federal government, it's good enough for me. And you think that the military uses it. It's pretty good, right? They're, probably, better at this every which way from Sunday. And yet still, someone can do this. It's a very sophisticated someone, let's face it. There was a manual effort in each step of this hack, supposedly, so it was a nation-state's sophisticated and targeted effort. I mean, you're fighting a country, and some hackers are on staff. That's hard for any business in the United States to try to combat or even to foresee. And I think, at least from a legal standpoint, the dust has not settled on this. I have to believe that, given the security level and some of the compromised systems and the government's compromised data, it will be hard for the government to tell people that they have done a poor job or fine them or go after them when they have been insecure. It doesn't happen, because even after OPM and OCR and all the O-words have been hacked, they are still running around fining people and regulating. The message from the legal end is reasonable: take reasonable precautions to be secure. Now we know more, we know that SolarWinds is, probably, not a good management platform. And if you as an MSP or someone are using that as your platform, probably, it's a good time to change, because it'd be reasonable to think that you're looking at alternative solutions.

Craig Petronella:

It's pretty scary. I mean, it just as easily could have, probably, happened to McAfee or a trusted antivirus like Symantec. We're all kind of... especially, I've been preaching this forever: antivirus is only 5% effective nowadays. And it was a former Symantec executive that stated that most folks think that antivirus is a basic security control layer. That's essential, but it only protects you against known threats. And going back to trusting your vendor, I would say that most of us are putting too much trust in our vendors. And when we get a pop-up on our Microsoft desktop, for example, we, probably, unless you are trained, assume that's coming from Microsoft. I got this new balloon by my clock in my notifications that says, Oh, I got this critical update from Microsoft. What do we do as consumers and business users of these products? We need to put more pressure on our vendors to put forward more supporting evidence to show that this is legit. It goes back to phishing emails, to how people get tricked all the time with impersonations and emails coming from Apple and Microsoft and all the big names, especially around a hot product. The iPhone 12, for example. I'm sure there are phishing campaigns around that. But the point is that it's pretty sad. I think the new CMMC, or Cybersecurity Maturity Model Certification, process is needed now more than ever. And this proves the case once again. If the internal federal government systems were able to get breached by this, I agree that it's an advanced hack. That could have been what happened with Target and Michaels and Home Depot with the $100 keylogger, too. That could have been speculated. I don't know if it was ever proven, but it could have been nation-state led. The headlines are just endless on this stuff. But I think the fact remains that with the CMMC and the requirement of two forms of evidence for each of the 110-plus controls, it will only help many folks.
I don't think that people know what they're getting into until they start the process. But this sheds more light on the fact that we're just woefully insecure as a country right now.

Lisa Shasteen:

I think it goes back to a couple of things. There's a fascinating paper that I ran across, and there's a 2016 talk that Dr. Brewer did at BSides on the inherent problem with security solutions. It's unfixable, it's undecidable basically, because of the way computers work. We are using a model of computers where data and code are in the same environment. And the computer has difficulty determining, is this information, or is this just data you're feeding me? And if it's information, some people can use it, like pieces of information that are already on your computer, to assemble on the fly some malware that harms you. It's just the way it's set up, and the Internet was never really set up to be secure from the get-go.

Craig Petronella:

Yeah, we're dealing with this duct-tape, band-aid type thing with DARPA and the birth of the Internet, which was first used in defense and our military systems, and then it spread out, built upon insecure protocols. It's all this bubblegum duct-tape stuff. Who knows, maybe we need to reinvent that and recreate that from a security aspect. You mentioned the insecurities that are baked into the technologies. We're also still dealing with passwords. Look at how bad people handle passwords. Passwords are on everything nowadays. You keep making them longer and longer; the latest advice is 22 characters, complex. I don't even know what half my passwords are. I use an encrypted password manager, and then I use a hardware token. It all boils down to adding in as many layers as you possibly can to protect yourself.

Lisa Shasteen:

I agree with you, and I think what you're saying is true, and it's just the less desirable home. I saw a picture. It's a cartoon with a guy next to his neighbor's house, and the neighbor said, Go away with all guns, and his son said, We're armed here, so are our neighbors. It's not like being a less desirable target.

Craig Petronella:

You're right. I use that analogy often. If you have a home, and you want to be less desirable to a criminal. Maybe, you get an alarm system or a sign. Maybe, you get stickers on the window. I call all those things security layers. And you never want to protect just your front door. You want to protect all your entry points. And it's the same thing in cyber. I feel like it's all about how many layers you can afford to put in place, and the more, the better.

Lisa Shasteen:

And you made me get my ORG. I'm doing a lot of CMMC consulting work with folks in the federal supply chain and the DIB.

Craig Petronella:

A lot of the consulting help on getting folks up to speed is based on NIST 800-171 and 800-53 security controls. The CISO of the Department of Defense, Katie Arrington, has stated, Look, you guys are supposed to have been doing this for five-plus years. It shouldn't be a revelation.

Lisa Shasteen:

It shouldn't be a shock, right.

Craig Petronella:

But it is, because of so many in the supply chain. I don't think people understand the need for it and the supporting evidence trail required. So it's like this catch-up period. I was consulting with a company this morning around this. They can't believe all the stuff that I sent them. And I'm like, Yeah, and that's just the beginning.

Lisa Shasteen:

Welcome, that's preliminary. I need that information first, right?

Craig Petronella:

Right. But one of their questions was if we can handle this with policy. They say, Look, we're only going to store our controlled unclassified information or sensitive information in this other system. And I said that might be disruptive to your business workflow, because there might be some change; you're going to have to train your employees. But when you are in doubt, use the maximum security that you can and the most layers. One thing that came up was, We have this nice end-to-end encrypted solution where we could put our data; we've got proof and logging and supporting evidence that it's protected. But do we still need the password on the individual document if it's sensitive? I thought about it, and I said, Sure, why not? It's an extra security layer. Now you have even more encryption on there and an extra layer for you. This is like with the Equifax breach. I look back at that, and I think, Had they just encrypted at the endpoint? One basic security control layer would have given the hackers scrambled information.

Lisa Shasteen:

That's a theme in the regulatory systems world.

Craig Petronella:

That's right. Encryption tends to be a get-out-of-jail-free card from a regulatory standpoint. Let's distinguish between compliance and actual security. And where you get tripped up is the privacy laws. They may not have any laws about security, per se, that tell you how to do it, but you've got to keep the information private. How do you do it? We've got to secure it. We're back to this circle. And that's why you and I are working together on these things. Because it takes a team effort. Right?

Lisa Shasteen:

My role is more policy-based and making sure that the things that people are doing are knitted to the laws that exist. But technology can assist us so much in these areas. However, I think the lesson of this, this SolarWinds hack, is that if it is on the Internet, there is a hack. Everything is hackable. Everything can go down. Your job is to have reasonable controls based on common knowledge. Is this hack common knowledge? Absolutely. I would expect within six months for regulators and other people to be saying, You're still using that? Crazy. We've had all this press, it killed the entire world and the Defense Department and everything, and you're still doing this? That's not reasonable. So change is necessary. Just as humans, we would like to stay the same. We don't want to change. But my world has changed. I change all the time. I change the areas of law that I look at because current events warrant it, and you can't get comfortable ever. The biggest message in this is it's somebody's job. Somebody like you, Craig, someone who is a technical professional, looking at these things all the time, evaluating, re-evaluating, taking in new information, advising clients, saying, We need to address this, and we can work together. But the thing is, it is somebody's job. It's way too big for people to be doing by themselves. It's just getting worse, and you need a specialized team that dedicates their time to a certain activity, so they can be proficient and do it well. The other thing is, I think there's going to be a little bit of aggregation in this field because of necessity. There is a dire shortage of qualified security professionals in the world. It would take a 60% increase in the graduation rate this year to keep up with demand. There's not going to be 60% of the market graduating. There's only 1.01% enrolled in school in cybersecurity. It's the craziest thing, and it's the biggest thing on the planet. I think there's going to be not only here, but in space as well.
I mean, there's the whole Space Force and the security of space that we're going to be looking at, and building some structures in space to assist us in computing, which we do now. It's a matter of keeping track of Air and Space Law and things like that and trying to see and commercialize space, etc.

Craig Petronella:

It's a good segue into some new technology. But we can't even securely maintain our passwords; people are still ready to register keys on their desk, and I want to go, Oh, please don't do that. I've been vetting a solution called Prevail. And it's a passwordless technology. And I love that it's passwordless, because I don't have to remember this long, complex password anymore, and it's bound to my device. There's no way to get into it unless you get into my device, my endpoint. And then I have protections. Again, we talked about these layers. I've got multiple layers of security for you to be able to get into my endpoint. Had they used something like that in this context with the hack? The hackers could escalate their privileges to sysadmin, which means you're owned at that point. Anyway, if the hackers have got sysadmin or administrative privileges to your network, you're pwned, you're done. But they didn't say; I'm sure that it will take some time to complete their investigation. They didn't say how they did that. My assumption is, it was a phishing email, business email compromise type campaign that tricked folks into clicking on something and forking over their credentials. And they just got the credentials that way, or it was targeted phishing or social engineering.

Lisa Shasteen:

I think it was probably even a whaling attempt. It can happen on your phone as well. Be aware of all the different avenues where you can be phished. You can be phished on your telephone. You can be phished anywhere. Don't think it's just on your desktop. As you point out, that's the single most effective way of penetrating a network: to attack humans; they're the weakest thing in it. It is because if you open the door and say, Yeah, come on in, we have good stuff over here, then you can go over there. But if you are not doing cybersecurity training, and refreshing that training, and having someone like Petronella come in and do some testing or a simulated phishing test and feeding that information back to your employees, you're vulnerable. 85% of the hacks come from business email compromises. That's crazy. And that's from the FBI. I used to be president, I just stepped down because of term limits, of the Tampa InfraGard chapter, a partnership with the FBI. I still get a lot of information from them. These are real numbers. It is happening. We need to take action; now is the time. If you've been sitting around waiting for this to get serious or come to your back door, it has. Take note. And Prevail, it's a great opportunity, and people should talk to you about that. It's a really interesting technology. I installed it and thought it's great. I think the people that you correspond with also have to have it. It was not simple for me to put more than one instance on one instance of Outlook. But it's possible, because I have different email addresses. I'm greedy about email addresses. There's another thing that I became aware of, a thing called PacketViper, fascinating for larger enterprises. They do active defense within a network, send out decoys, lure things out, find them, and lure them out. When it starts scanning a network, which is what it's always supposed to do, always test, find out where it is, who it is, where it's...
And we're coupling that with ThreatWarrior, which is an unsupervised neural network defense product. It's employed by people who have security operation centers, or MSPs that have those kinds of things, monitor networks, and it's agentless. You don't have to install anything, but you've got to have these different layers. You've got to have something like a ThreatWarrior with a PacketViper, and then you've got Prevail, which also helps you with your document storage. I think it is very brilliant. I've got that set up. It's a straightforward solution for people, passwordless, like you say. There are probably 300,000 people that breathe a sigh of relief that they don't have to remember another password.

Craig Petronella:

Oh, yeah. Now, we're taking that a step further. And we're working on a system security plan that assumes that you're using certain layers, and in this case, Prevail. It's very easy to check certain boxes. Then you're able to go back and map your policies and say, Look, if you're dealing with anything sensitive, if it's questionable, stick it in the Prevail end-to-end encrypted drive; it will be CMMC compliant. When in doubt, put it there and then delete it.

Lisa Shasteen:

Hello, encrypted, you know.

Craig Petronella:

So one of the things that I wanted to talk about is the CMMC and how I feel. Overall, I've been a huge fan of it, and I still am. There are some problems around the current CMMC-AB, and I don't want to throw anybody under the bus specifically. I tried to apply as a C3PAO. We're a registered provider organization, or an RPO, and we have five registered practitioners on staff now, which I think is one of the highest, and great. We were able to help with all the consulting and the readiness for all these folks, which is fantastic. But I wanted to apply as a C3PAO because I wanted to see what the formal assessment looks like from them. I didn't necessarily want to change my focus to help folks with the assessment process, but I wanted to see. You can't work with the same client on both sides, which is perfectly fine. I tried to go on their website, and I couldn't even get past the credit card thing. So then I opened a ticket about it. And I still haven't got a response from that. So I'm thinking to myself, Oh my gosh, we're going to have this huge shortage of C3PAOs and lead assessors and certified assessors. And how are these folks, after I help them, going to get their certifications? They can't.

Lisa Shasteen:

Yeah, we're grinding to a halt because of the SolarWinds hack right in the DoD space. And then you've got the CMMC requirements coming to the fore, and they're going to start issuing RFPs in 2021. Right?

Craig Petronella:

Right.

Lisa Shasteen:

And then everybody must be qualified by 2026, every company. If you don't know that, anybody who is doing business with the Department of Defense, if you're a contractor, a subcontractor, a supplier, wherever you are in that chain, you're going to have to have some form of CMMC certification. There are five levels, one through five. People are saying that anybody who's regularly interacting is probably going to need to be a level three. And this is something that Petronella has qualified to help people prepare for, the formal assessment. What Craig's organization can do right now is help you prepare for those formal assessments, to get all your evidence together and do all these things. It's like a practice assessment. It's the body that is sponsored by, it's not paid for by the Department of Defense, but it's in cooperation with the government, just like InfraGard cooperates with the FBI. They're at the beginning. And they're still learning how to walk. And they haven't figured out how to qualify all these people yet, or they have, and they're not rolling it out very quickly. There's going to be a shortage. So if you need this kind of qualification, the message is, Hurry up, get your call, and get scheduled for that pre-assessment. At least they know what you're doing, and you know where your gaps are. You can start working on them.

Craig Petronella:

Yeah, absolutely. I think that now is the time to work on this. Drop what you're doing and work on this. Because we just passed November 30. That was the DoD Interim Rule that they put out on October 1. They want to see your system security plan; your self-assessment score is based on NIST 800-171. And whatever score you got, they want to see your plan of actions and milestones, your POA&Ms, how you're going to get to a 110 score.

Lisa Shasteen:

Let me interject; self-assessment is not an option under CMMC. That may not be something that people are aware of. It used to be, under all these different systems, you could say, Yeah, I'm good. You sign a little piece of paper and, Yeah, got no problems, I have all these things in place, whether you did or didn't. Now, not so fast. Now, they are making you have a third-party assessor come in to assess you and tell the government that they agree.

Craig Petronella:

Absolutely. I think for a good reason, too. It does many things and makes sure that whoever you've worked with, whether it's yourself or another organization, an MSP, an IT person, whoever it is, it's a checks-and-balances approach. You have to show the two forms of supporting evidence for each of the 110-plus security controls. And it's pass-fail. If you don't get all this right, you fail. And if you fail, you cannot get a new contract from the DoD.

Lisa Shasteen:

Even if you're in a contract, you have to prove your CMMC qualification before you can get the next contract once it expires.

Craig Petronella:

Correct. So we've looked at all the tools out there that are freely available to do the self-assessment process. We evaluated them. We interviewed some clients. We found that even though these tools are free, clients don't even know how to answer the questions. They need help, they need us, they need other registered practitioners certified to help them. What we did was we took the information that was freely available out there. We looked at what the DoD scoring methodology was, and we custom coded a new tool with some built-in help. If you become a customer of ours, we give you that tool as part of our gap analysis. And then we help you with consulting to hold your hand and go through this whole thing together. And this is how we get your self-assessment score. And then, whatever your score is, we work together. We will continuously get that score higher and higher and higher. And it takes time, you know, and then there might be things that folks don't have. So we act as a fiduciary. And we vet different technologies and solutions. We make recommendations so that you can fill those gaps. And then we keep working on getting that score higher and higher, and we help you resubmit it. And all this work that we're talking about doing benefits your organization immediately. It benefits you now, and then as the CMMC becomes more mature, and you become more ready for that formal assessment, you've gone through a lot of these drills, and you're going to be that much more likely to pass. Whereas if you try to do all this on your own, or try to skip that step, and then try to go straight to CMMC, I don't think that that's a good idea. Most folks should start right now. Whatever business you're in, even if you're not in defense, but you're dealing with anything sensitive, I feel like it's a good exercise to go through that tool because it's going to help show your gaps.

Lisa Shasteen:

I think the important thing is it's not you. It's not friendly Craig and his wonderful tool that is going to decide whether you're compliant or not. There's still yet another two layers. There's then the C3PAO organization that has to come in with people that you don't know. Craig may know them, but he cannot influence them. You are kind of on your own with those people. So, hopefully, you've run through something like a preparation stage with Craig, then you've got the C3PAO, who comes in and assesses your readiness. The C3PAO takes that assessment and submits it to the cmmcab.org organization, where they examine the assessment and see if it was conducted with integrity and whether it meets the standards that they are trying to enforce. There are two, potentially three layers of examination that you have to go through to get a CMMC certification. If anybody has a contract that's expiring, I will urge you to put this on the top of your list for January one. I realize it's the holidays, but you are on the road to CMMC land in January.

Craig Petronella:

We've created some packages that are affordable for a lot of businesses. Start with that package. The package that I'm referencing gives you the policy templates you need, the risk management framework. All the policy templates are there in Word and Excel format. They're editable. You can put your company name on it and things like that. That's the easy part. The harder part is drilling down into those policies and customizing them based on security control layers like we were talking about. So the mapping of those two together, that's an exercise that could take you months, depending on your organization's size or how many resources you have. Even if you get started on that now, even before Christmas, that would be a good thing.

Lisa Shasteen:

The other thing that I wanted to stress about CMMC is what people don't understand. They need to get these controls in place now. Do you know why? Because it is a cybersecurity maturity model. If you just implemented something last week, it ain't going to pass, I don't care. If you have it, you might have that in your environment, and you are doing it, and you and your staff are completely on board with it, but you just did it. And that does not indicate security for them. They want to see the longevity of all the different controls that you have in place. That is a very time-sensitive thing. And I will say, to get to level four, or five, where you're hunting, proactively hunting APTs, you're going to need tools like ThreatWarrior, PacketViper. You're going to need things like that in place in your environment. Those are generally the very high levels that you can't do without them. That's the story. They have to be implemented before you get to your assessment and show some integration with your operation.

Craig Petronella:

Yeah, very good information. And also to note, there's no whiz-bang silver bullet in all this. You can't just go buy these tools and then think that nothing needs to be done. You have to have continuous ongoing management and effort with these tools. It usually takes a team to manage these tools. These are tough, technical, complex; they take time to roll out properly. There's testing involved, and phases that need to be rolled out. You need to have this long trail of evidence, as long as possible, which is why we're saying to do this now, rather than wait, because the more stuff that you can do now, you start that path, you start that evidence trail right away. It's so important. A lot of the time, the number one question is: How much will it cost me, and how long will it take? I can't answer that. All I can tell you are the variables that I can control and that I know I can put brackets around. I came out with a video the other day, and I asked six questions. And my first question is, Does your organization have a system security plan, or an SSP? If you don't have an SSP, you fail. I'm sorry to be the bearer of bad news. You fail on the SPRS system under the DoD Interim Rule. That's the number one thing right there. So you have to have a system security plan. The other questions I asked are around CUI, or controlled unclassified information. Do you know what that is? There's a lot of debate over what is CUI. There's also the question around, are you creating or editing it or managing the CUI for your organization? Generally no.

Lisa Shasteen:

It's very important at level three and above, whereas below that, you're talking about FCI. There are still controls required if you get a pass. If you're not required to be level three or above... and at level three, you should already be doing 800-171, which should have been in place for years now. But okay. If not in January, then you're going to be on the road to CMMC land?

Craig Petronella:

See, that's why I think that levels one and two of CMMC don't need to be there. I think it should be just three, four, and five, to be honest. The reality of the situation is, if DFARS 7012 is in the contract award, you're supposed to be NIST 800-171 compliant. So the equivalency of NIST 800-171 in CMMC land is level three. So plus, you have some additional, I think it's 20 different extras. My point is, why go backward? Do it right the first time. My belief is, try to get to level three or higher if you can afford to do so.

Lisa Shasteen:

I would say so. Level five is going to be pretty difficult to attain for most people. I think most people are going to be looking at level three. But I mean, if you're baking croissants for the officers' mess or something, you know, you might get away with level one, where you might even have policies, but they're not written down. I would recommend you do it. You have policies, you have procedures that are not written, but they are in place. I had a very interesting discussion with a prime federal contractor the other day, and they were very kind and understanding about my client, and my client is good. He's got an organization. They have policies and procedures in place; they're buttoned up. A lot of people say, I'm too busy to write everything down. I know what we do. And everybody here knows what we do. We're very secure. And I'm like, Yeah, but it doesn't count in court if you don't have it in writing. So if you want me to prove it, how may I do that? You want me to film you for a month? That's going to be expensive. Let's write it down.

Craig Petronella:

I don't think it hurts anyone to customize written policies around this stuff. Yeah, it's going to take time. And it's not going to have happened overnight. But it's a great exercise to be more mature in your company. If you have that structure and have a policy, procedures, written protocols, everything's written out data flow diagrams; you have all that maturity, it's going to allow your organization to grow and increase your profits.

Lisa Shasteen:

Yeah, it's kind of like how many people have been irritated when they get some product and from some foreign land, and they have the worst instructions on the planet.

Craig Petronella:

Right.

Lisa Shasteen:

Return, right? So it's like you're trying to grow an organization, and you bring in new people, and you're trying to explain to them what you do. And it sounds like gibberish to them. Give them a stepwise understanding of what you do, how you do it, what the policy is, what the thinking is behind it, and how you're going to secure it. Then they understand. If they don't understand that, they can quietly go away and not be embarrassed and read it. It's a good idea.

Craig Petronella:

Absolutely. And a lot of folks with the whole CMMC don't understand enclaves. I didn't understand it very well. I knew about it in architecting systems configurations, but I never heard that word used, the Enclave word, until I went through the CMMC training. And it makes sense. An enclave is a slice of the pie where you're going to put all of your sensitive information. You build a moat and a castle, and you have all these layers to protect your private, sensitive information. And you put the security controls in place there, and you map your policies based on that. The big question, though, say your organization's 100 people and only ten people are dealing with CUI, you could do a ten-user enclave and significantly save your organization on cost. However, the big question that remains that's still kind of muddy and unclear from the Department of Defense is what do you do with the rest of the organization? Because some of the CMMC applies to the whole organization. And then some of it you can enclave?

Lisa Shasteen:

That's the rule of reason. I think where your technical systems are integrated, whatever is integrated with that enclave, even to me, looking at that, right, that's it?

Craig Petronella:

Yeah. Don't use an enclave and do everything. CMMC level three or higher, I think that's a perfect world. But for larger organizations, that might be cost-prohibitive. So until we get further direction, I've been recommending at least CMMC level one for the whole company, and then do three or higher for your enclave. And I think that methodology is probably a good one unless you could do the whole organization at three or higher.

Lisa Shasteen:

That's good advice. And remember, folks, it's not just the technical stuff that's going to be in the questionnaire. You've got to look at your policies, procedures, and actual practices. The assessors will review these things and look at them. By the way, CMMC does not exist in a little silo, as everything did in high school, where they give you a math problem, and it only pertains to that one little situation where the car is driving down the road. These things exist, and they impact HR. They impact your suite, speeches, your public company disclosures. And so be aware that these things have to be integrated. As an international company's former general counsel, I am aware that one change can be like the butterfly effect.

Craig Petronella:

Right, it spirals out. Domino effect. And another point to bring up around that is this exercise in going through the CMMC and preparing your company policies, procedures, security controls, etc. It's also a good exercise to take a bird's eye view of what applications and vendors are in your circle, who are you using, and why. If there's a chance to simmer some of that down and not have your data with three third parties, that's only going to help you in the end anyway.

Lisa Shasteen:

I have a Christmas gift you can give yourself, right? Here's our Christmas project. I apologize to people that don't celebrate Christmas. So what we need to do is look at our phones. And we need to delete every single app that we don't use. And we need to, probably, delete every app that our child uses, and get your kid one of those little simple, crazy phones, that they can have whatever toys they want on there. It's not going to impact your data because I'm not going to be naive enough to think that you, guys, are always going to use VPN as you should. And you're always going to have secure layers and stuff on your computing and getting into your documents, just going to be realistic. People are going to be emailing themselves. It happens.

Craig Petronella:

That's great advice.

Lisa Shasteen:

Delete the apps, just delete.

Craig Petronella:

Yeah, go through your desktop, your Mac, or your Windows PC and delete.

Lisa Shasteen:

Let's do something that we can do. That will take, maybe, 45 minutes or something to look at your phone and decide.

Craig Petronella:

That's great advice that significantly reduces your risk level. Because now, if you've got 50 apps on your phone, you're trusting 50 different potential vendors to misrepresent themselves. And this has happened many times over again. We did a test with a vendor. I think it was four or five years ago now. And they were able to get the app approved in the app store, and it was malicious. It happens all the time on the Apple side and the Google Play side as well. So the fact of the matter is that this is another tool or another way adversaries exploit us, want our data, and want to know. They want to use the GPS in your film. They want to steal that information, anything they can grab their hands on, and they want to try to build a profile and sell it.

Lisa Shasteen:

The power of stealing your biometrics cannot be underestimated. Because if you lose your biometrics, you lose your face, you lose your fingerprint, you lose your voice, and how are you going to prove that you're you? It would be difficult. That is why some states in the United States have become very draconian about their biometrics laws. Watch those apps because you've got all that stuff on your phone. Most everybody does.

Craig Petronella:

Absolutely. Have you heard anything about the health ID or health passport technology?

Lisa Shasteen:

No, except for just about every security professional that I know is freaking out over at night. I find it to be amazing. My brother is not in cybersecurity; he's in construction. He says, never in a million years, what I predicted 30 years ago, that people would be standing in line waiting to buy the most sophisticated surveillance instrument on the planet. And then given all of our information, and because now we want our health information to be there too. Very dangerous, right?

Craig Petronella:

Yeah. I think there's also some work being done around helping. I was talking to a personal injury attorney, and he was saying that he works with representing people that get in car accidents and that are hurt mostly at no fault of their own. And he tries to help them get their records and things like that. He said it takes weeks just for the hospitals. They put them in this separate bucket of, Oh, this is the compliance bucket. We need to make sure that the patient is who they say they are, and you know.

Lisa Shasteen:

Thirty days under HIPAA, that's what they have. So if you want something, ask for it early.

Craig Petronella:

Yeah. So there's talk about storing patient health information or PII on a blockchain at the consumer level.

Lisa Shasteen:

I have my thoughts about blockchain. If it exists, it can be hacked. Somebody is my vector, wasn't there, just a blockchain hacking incident that was published in the summer. The blockchain got hacked on blood, my coin base thing wasn't, but I'm just saying. There is a potential even to infiltrate the blockchain now; how you could do it would take a whole lot of sophistication. You've got to be a math genius to figure out what you're doing and where to go with it. But given time, I had the SolarWinds situation. There could be multiple actors working in concert funded by the nation-state and taking down a good amount of, you know, health data or financial information or even money, just stealing bitcoins or whatever, kind of the point.

Craig Petronella:

I think the number one in all the rogue nation-states is trying to figure out how we break the blockchain of Bitcoin. We can manipulate that. I don't know if I agree with you. If it's online, it can be hacked. It's just a matter of how most of those Bitcoin cryptography algorithms are in today's computing power. I don't know what the answer is, as far as yours, but it's light-years ahead of what we have now. But who knows if there's a breakthrough in quantum computing or something that might significantly reduce that timeframe and maybe require more advanced strengths on the chains for that to be an effective solution.

Lisa Shasteen:

The other thing is we live in an odd world. May you live in interesting times, as they say. We've been forced since 1996. We thought it was a fantastic idea to have Health Insurance Portability and all that, so we wanted to make sure that all of our stuff could be portable. We forced all of the health care providers online; they didn't want to go there. We had to give them money to go there.

Craig Petronella:

Grants are given.

Lisa Shasteen:

You're a doctor. God knows you don't make enough money. Here, though, you have some money so you can go online, and now, everything's online. It's valuable and also horrible. It's like, You forced us online. It is kind of unfair. It is unfair that we have to do everything online, and we're forced to do it. And we can't, like doctors cannot keep; they can, but it'd be different. The physical copies. They're all supposed to be paperless, and all that kind of stuff. And it's just so vulnerable now.

Craig Petronella:

There's this delicate balance with technology. It's the advances in the technology of having that stuff online and at our fingertips. And in a perfect world is fantastic. Doctors can view images and X-rays and all sorts of stuff because of the technology. But then the double edge of that sort is how do we secure this technology. Security is now more important than ever and requires just intense continuous security control layers. Continuous eyes on it to make sure that only those are supposed to be looking at it or looking at it.

Lisa Shasteen:

Amazingly, security has become such a thing. I was one of the clowns that had one of those big phone books of IP addresses. And I was looking him up when websites were like a brochure; it's become just unbelievably important. It's the security stuff. I wish we had a situation where it was simpler, but it's not. So we need to get with the program. And stop whining and do it.

Craig Petronella:

Well said, I think we should stop there. Thank you. I appreciate all your time and insights. It has been fantastic.

Lisa Shasteen:

Sure, always fun to talk to you, Craig. Thanks.

Craig Petronella:

Thank you. Once again, tell folks how to reach you. How do they get in touch with you if they need help with the legal aspects of the data privacy attorney world?

Lisa Shasteen:

Sure. Now you can go to our website at Shasteenpercy.com. And my number is 813-220-3000. Feel free to reach out to me anytime if you have any questions.

Craig Petronella:

Awesome. Thanks, Lisa. I appreciate it.

Lisa Shasteen:

All right. Thanks.

Announcer:

Thanks for listening to yet another episode of cybersecurity and compliance with Craig Petronella. Listen to all of our podcasts on Apple, Google, and Spotify. Visit us online at Petronellatech.com to book a meeting with Craig about your business.