Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

Navigating the Stormy Seas of Cybersecurity and Social Media Evolution

Craig Petronella

Are you prepared to navigate the rocky terrain of today's cybersecurity landscape? This episode is your compass, guiding you through the treacherous twists and turns of tech threats, from the OKTA breach to the leaking of NSA classified data to Russia and the sneaky Microsoft bug within Active Directory and Azure. We don't tiptoe around the controversy, diving headfirst into the lawsuit by 41 states against Meta - accused of crafting addictive features harmful to young users - and scrutinizing the unsettling reality that we, the users, often become mere data points in the world of free platforms and products.

Switching gears, we'll ferry you across the vast ocean of global supply chains, revealing the uncharted security risks lurking beneath the surface. As we set sail, we'll explore trustless manufacturing and vendor relationships, and how sourcing parts for a single iPhone from multiple countries can be a security siren's call. Equip yourself with our insights on the importance of third-party testing, vendor risk and the layers of security critical for survival in our increasingly interconnected world. This episode is more than a discussion - it's a lifeline in the stormy seas of cybersecurity and social media evolution. Tune in and join the conversation.

Support the showCall 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!

Support the show

NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.

Support the Show

Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Craig:

All right, welcome to another podcast. I'm going to Blake Ray. Hello, lots of exciting stuff happening today. Any particular topic you want to start with, or you want me to start off?

Blake:

Yeah, go ahead and kick it off. You do a pretty good job with that.

Craig:

Okay, no shortage of headlines. One of the ones I wanted to bring up was the OKTA breach. Did you see that? Where there are stolen access tokens from OKTA support unit? So I guess my comments there is that my first reaction is it's similar to SolarWinds, right, it's a vendor that's targeted, that has a lot of potential customers that hackers can gain access to, so it's one of those. Be careful with your vendors, but it's hard to protect yourself. I mean, if you've put OKTA in your practice and your business, I guess it goes back to our layered model, right, Blake? I mean you can't trust one layer. So if you had more than one layer and you've got multiple layers, then one layer fails and the rest of the system is still working. I guess that's the takeaway from this one. What about you?

Blake:

Yeah, I mean you definitely can't put all your eggs in one basket. I haven't read the news on that. I was kind of really interested in some of the former NSA employees that were leaking classified data to Russia.

Craig:

Yeah, so that's almost like a repeat of the whole Edward Snowden thing, right, and then there's so we could talk about that a second or another. There's also the Microsoft bug with the Active Directory.

Blake:

That one I heard about. I haven't formally read about it, but I heard about it.

Craig:

Yeah same, I haven't studied it either, I just saw it in the headlines. And then there was on a different topic. There was a I saw a news article where a coalition of 41 states are banding together to sue Meta / Facebook / and Instagram for harm to kids. Social media harm.

Blake:

Wow, what country, wha c? O ou sai state 41 states.

Craig:

In our country, yep and including the District of Columbia, are filing lawsuits alleging Meta Metta has intentionally built its products with addictive features that harm young users of its Facebook and Instagram services.

Blake:

Wow, I think in the next like anywhere from six to 10 years, like, social media is going to change. It's kind of this revolving like revolving door, I guess is the proper analogy. But here in Vegas is a good example of like, when a new hotel opens up, people just flock to the new app. And so if you look at Twitter with their rebrand, you know, x kind of brought a lot, a lot of new users back to the platform. Obviously, when MySpace was around and then Facebook came out, right, people jumped ship. So what is the next ship? You know, the fact is Facebook is it's not a great platform, it's not a great platform for the users, it's not a great platform for privacy. So what's the next ship, you know? So I'm just a big proponent of something next will come in, you know yeah.

Craig:

I think, as more people start to realize that with a free product and platform, you're the data point right, so it's free for a reason, the old adage you get what you pay for right. So I mean, what was the last analytics from what was a Cambridge Analytica back several years ago now at the election? What was that like five, six years ago now?

Blake:

Yeah, 2018,. I think yeah.

Craig:

So I mean, at that point, over 5000 data points exist on all of us, and that was five years ago, right. So, okay, just think of all of the tracking that's happening since then. I mean your phone location services everything wants to have that turned on to know where you are right. And then Facebook. In my opinion, Meta is particularly intrusive with always listening. I'll have a conversation with my wife and then all of a sudden she's got ads about the conversation that we had.

Craig:

I try to avoid social wherever I can, but I could only imagine how kids are brought up on it and I think it's challenging. I don't know the grounds for the lawsuit, but I don't support social media for children, that's for sure. I do think that it's, in my opinion, more harmful than good. I understand that there may be some I read this a long time ago where the founders never kind of intended for it to kind of spiral this way. I think there may be some truth in that, but I also feel like, if that was entirely true, then why are they putting all this privacy leakage in place and surveillance in place, right? So I mean, I do think that there might be strength, and I guess the defenders are going to say well, it's easy for me to keep in touch with my friends, and things like that. Yeah, I mean, I think there's debate around that too. I think I mean, do you really need 10,000 friends and are they really your friends?

Blake:

I think it pushes people further away, because now, instead of having those direct communications where, like, somebody will text you and say, hey, I was at the beach, like here's the fish I caught, right, boom Text message, you post it on Facebook and then that text never happens, right? So it's like, oh yeah, I saw it. And then it's also really weird when you have a conversation with somebody and you're trying to fill them in. I don't know if you've probably had this happen. Maybe not, since you're not active on social media very much.

Craig:

No, I try to avoid it like a ten-foot-pole pole pole 10 10 10 pole all.

Blake:

Yeah Well, I thought conversations with people and some people out there probably listening same thing. But I'm like oh yeah, this is what I did. And they're like oh yeah, I knew, I know, I saw it on social media.

Craig:

So it's like if you post it all on social media then it's like nothing to talk about when your face to face or on the phone.

Blake:

And then I guess the minimum age requirement I wasn't quite sure about how to look it up, but for Facebook is 13 years old, like, I don't even know if, like, I even agree with that, like having, like what I mean? Obviously you have children. What age are you going to let them get on social media? Hopefully, never.

Craig:

I mean, I'm already. My wife and I are discussing the importance of a phone, so we chose to give them. We have some lockdown. They're called their watches and they're locked down, for they can only receive phone calls from who we put in their contact list and they can only receive text messages from who we put in the contact list, and it's a pretty restrictive platform. But it works and it's good for, like, if they want to go to their friend's house and have a bit of freedom, we can text them and say hey, look, come home for dinner or whatever.

Craig:

But the challenge is that you know peer pressure. Their other friends don't have that. They have the real deal. They have the iPhone or they have the Apple or they have both, and there are apps and there are ways to restrict some of those platforms, but they're still best effort and they're not perfect, right. So it's. It's challenging. I don't know what we're going to do. It's hard because you can only shield them for so long. Then it's like well, I don't know, we haven't made a final decision on it, but the watch works okay for the moment.

Craig:

It's challenging in social situations, though, because some of the kids will start like a group chat or something like that, and then they're left out of it. So it's a little socially awkward that way. So they might have to resort to email or their school email, but then they're like the one-off and then nobody really wants to follow that one-off thing because it's an extra step. It's not as easy. I haven't heard of particular a request for a certain social app. I've heard a request, obviously, for a phone, a full-featured phone, but I don't know. I feel for parents, I don't know. We have some friends that have chosen to do the iPhone or whatever, and then they do these surveillance apps where it's just like constant police of where are they, what are they putting on the phone, what are they allowed to install, what do they mean? So it's like. But then at that point it's like what's the point?

Craig:

I mean if you're going to lock it down anyway. I mean, so I don't know, I don't know, I'm undecided on it. When I was growing up, technology social didn't really exist very much. Technology was pretty embraced, so it was the support of technology and the tinkering of technology and new stuff. But now it's so broad stroke and there's so much stuff out there and now this kind of is a good segue to it. Did you see the DJI headline?

Blake:

No, but I have DJI products now I'm curious.

Craig:

Yeah, so DJI is obviously manufactured in China, and now they are at the front headlines of bills in the White House about banning it.

Blake:

Yeah, they've been talking about that for a while because, obviously, like when you're flying a drone, like you have location services turned on and essentially what happens is there's like a recording that happens of each flight and so it records like a temporary preview of the flight and uploads it to the DJI server, right? So like you're flying aerials over these locations, right, and nobody knows what they're filming, you know, like you could be filming. I mean it's hard, you know. But they've been talking about that for a really long time and I'm surprised to see that it's finally finally happening now.

Craig:

Well, I don't know if it's definitely going to get passed. I just know I saw it in the headlines again and it just got me thinking about and we talked about this before. You know where do you? How do you really know what's in your? You know we've got laptops, we've got desktops. You know parts come from China in different countries. How do you know for sure that there's no surveillance in those? How do we know that? You know iPhone is in their partner Foxconn.

Blake:

I think they or they switch Well it used to be.

Craig:

But my point is I think it's still made and manufactured. It's designed in California, but it's made and manufactured in China, right?

Blake:

Uh, I think it's. Is it Taiwan?

Craig:

No, I think it's China. I don't know, unless they changed it. Let's see. Hello, quick Google search.

Blake:

Yeah, Taiwan, Taiwan semiconductor.

Craig:

OK, but it says the iPhone is assembled in China, Vietnam and India.

Blake:

Yeah, I mean there's still no good Like. This is the type of manufacturing that is probably too dirty to happen in US soil, right? Maybe not? I don't know if it's too dirty.

Craig:

I think it's quote unquote too expensive.

Blake:

Well, some of the materials that have to come together to produce a phone, like from some of the semiconductors aspects, like some of these raw earth materials, like they're likely not even found here in the US, which is the reason why, like, for example, I don't know, I mean this.

Craig:

this article I pulled up is saying that there's basically a supply chain of dozens of countries just to make an iPhone, of all the different parts and pieces. Right, that's crazy to me, I mean. But my point is, you know we talk about this and security and compliance, and I'll call this the vendor relationships. Each vendor we bring into the ecosystem has to be vetted and tested and we need documentation, policies, procedures, you know, attestation, evidence, so you got over a dozen things that make up we'll just call it 12. We've got 12 different companies that make up an iPhone. Iphone's got a huge market share. I'm sure iPhone is in several government agencies. So you know it boils down to how do we know that all these different countries that are putting their parts in the phone are not putting it back to work?

Blake:

Yeah, you know. Yeah, I mean I think our supply chain has always been a huge issue, like for me personally and so like, obviously, when I was in Europe, like I would see like Xiaomi, for example, like huge. I mean they make I'm not going to lie I feel like they make great products, but the fact is you don't see like a Xiaomi store, like you can go and see a Xiaomi. There's like Xiaomi like retail locations abroad, like in almost every other country. I've never even heard of that company. Yeah, they're a huge phone manufacturer and they make super high quality like Android devices.

Craig:

Yeah, and don't get me wrong, I'm not saying you know everybody's guilty either. I'm not saying DJI is bad, you know, I think their products are cool, but I think the question that is raised is where's the evidence, where's the? It's almost like you're guilty until proven innocent, right, instead of the other way around. My point, though, is that I think if there is more of a trustless mentality, like if maybe the solution for a company like Apple or DJI or these kind of companies that are bringing products overseas to our country, maybe it's third party testing, maybe it's evidence of unbiased surveillance and deconstruction, like I fix it, they disassemble everything, right, and these websites like ours, technica, all these different, but still I mean, how far does that go? Like what are they gonna get into the chips? Right, you know they're gonna disassemble it, but they're not. You know what I mean Like. So it's like. I think the bottom line here and we can go down this for a long time, and I know our time is short today, but I think the bottom line is again we're forced to live in a trustless society. You can't trust any of it. So I think that if you choose to use a mobile device or you choose to use a computer. You just gotta be really careful of where is it coming from?

Craig:

Again, we talked about this before what software is on it and what layers are you putting in place to make sure that you do the best you can to limit Like? I'll give you an example. One of our layers that we talked about is the layer that is keystroke encryption, as well as screen anti-screen scraper technology, and I told you it was really disturbing how many programs the software intercepted. That basically said hey, adobe wants access to your microphone and camera right now. Well, I'm reading a PDF, so it's like you know.

Craig:

So my point is that that could be an effective layer to you don't need to give Adobe your camera and your microphone when you're reading something. You know what I mean. Like. So maybe we just need to work harder at putting more of these safeguards and layers in place to protect ourselves and I know that I've heard many times like the Air Force, on a base, for example, you can't even bring the iPhone or Droid in. You have to have it locked up in the trunk of your car. So it's kind of like you know. I think we all should have a Faraday bag, you know, and you know it's like how far do you take this stuff? But it's kind of comical and I laugh about it because we're forced to do this stuff if you want to protect yourself.

Blake:

Yeah, I, earlier we had a ticket that came in and it was for Microsoft Word and they weren't able to open Microsoft Word because malware bytes was blocking it with the excuse that an exploit was happening. And so I had to go in essentially like, just like dumb down, you know malware bytes to allow somebody to use Microsoft Word and PowerPoint, and it's like, really, what information are you requesting to use?

Craig:

You know. That reminds me of remember the macro virus. Possibly that might have been before your time. So one of the early viruses exploited the macro functionality of word and things like that. Macros are, back then, a form of automation to do things faster, but nobody really used them.

Craig:

So my point is that Microsoft, adobe, all these big vendors keep adding tons and tons of features, apple included. They just put all this stuff on and then they turn it all on. So it's like I think they should take the approach that a lot of Linux distributions do and turn all off and go through the list and figure out what you want to turn on If you're in a secure area, or you want to be, or you're going to be in a audited or regulated area. Maybe that's the better approach. I mean like, so, instead of going through all the work and we call this process security hardening. So there should be different distributions of hey. Look, this is the version, the DoD version. They used to do this with Stigs and other things, but I think we moved away from that for whatever reason.

Craig:

The lines got blurry and then Microsoft went down the rabbit hole of GCC, high and then commercial products, but there's still no clear like hey, buy this from Microsoft, it's already from the factory. You know what I mean. There's no like and the same thing. Apple did a good job, I think, recently with their lockdown mode on their iPhone, which I've tested for a while. But I feel like there should be more of that and I feel like we, as a company in cyber and compliance, should be better supported from our vendors to help from their perspective, to help us do the job, because it ultimately goes back to them anyway, like we're going to be asking them in GCC High environments hey, where's your evidence for this? You know what I mean. So it's like why not just have it ready to go? And I know Amazon has GovCloud, but my point is that I feel, like our vendors, there should be more work and heavy lifting done by that side of the equation.

Blake:

Yeah, I mean permissions and applications are. Yeah, I'm not a huge fan of how these phones are configured. Now, even computers, you know where everything that's put on there can have free reign right Over your data, whether it's whatever bloatware, malware or not malware, bloatware freeware, whatever shareware.

Craig:

I think the takeaway here is since we only got a couple minutes is start now. Go through your computer, go through your mobile devices, go through your stuff and just either turn off what you're not using or uninstall it. I mean, the more stuff you got on there and the more stuff you have turned on, the easier of a target you are. So think about it as more things that you're turning off and more things that you're uninstalling and not using. Think about it as enforcement layers to protect yourself. So the more stuff you remove and the more stuff you just get rid of that you don't need, the better, the more unhackable you become.

Blake:

Do we know those Chinese games?

Craig:

Well, it could be games from anywhere, I mean, but yeah, all sorts of games. If you're not using a certain electronic device on your network, get rid of it.

Blake:

You know, yeah, it's a good end. Note right there, yeah.

Craig:

All right guys. Well, I think that's a good rap for this one. We'll definitely lots more to talk about, so we'll record more soon.

Blake:

Thank you, see you guys on the next one Take care.

People on this episode