Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Guarding Against the Inevitable: Strategies for Cybersecurity and Prevention
Hold onto your security blankets folks! Are we ever secure enough in this digital age? Get a grip on the pulse-raising lawsuit from the SEC against SolarWinds and the unexpected ban from the Canadian government on WeChat and Kaspersky. We harness the power of hindsight, looking back at how this enormous breach happened and what could have been done to prevent it. We delve into the harrowing reality of the threat lurking in every unvetted third-party vendor and the possibility of any app from adversarial countries spying on us.
Brace yourselves as we discuss the dark underbelly of cybersecurity, shedding light on social engineering, smishing, and phishing. The safety net of multiple layers of security measures and the crucial role of backups, are the shields you didn't know you needed. We bring to you the wake-up call to constant self-questioning and understanding the vital steps to secure your business. We take you through the process of identifying business vulnerabilities, discussing proactive security measures, and preparing for disasters. You can't afford to miss this candid conversation about the essence of a data-driven business model and the absolute necessity of being prepared for the worst.
Support the show - Call 877-468-2721 or visit https://petronellatech.com
Please visit YouTube and LinkedIn and be sure to like and subscribe!
NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.
Support the Show
Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:
- YouTube PetronellaTech
- YouTube Craig Petronella
- Podcasts
- Compliance Armor
- Blockchain Security
- Call 877-468-2721 or visit https://petronellatech.com
Hey guys, welcome to another podcast. You got Blake Rea. Hello everybody, we're back, we're going to do a news highlight. Blake, you had a couple that caught your interest.
Blake:Yeah, I think the solar winds. If you thought we were done talking about solar winds, more updates. So I found it pretty, pretty funny. Well, I wouldn't say funny, but ironic. So the SEC is suing solar winds, alleging fraud and weak cybersecurity.
Craig:So for the people listening, what is solar winds? Just quick run down.
Blake:So solar winds essentially is an information technology firm. Back in 2019, they were attacked by a Russian backed cybersecurity group. So yeah, essentially a huge IT provider and the chief information security officer. Essentially the SEC was kind of targeting him, but yeah, it's a huge IT company.
Craig:Yeah, so just kind of give a little more depth to our listeners. So it's a piece of software that a lot of government defense as well as commercial, will use to manage updates, patches on their endpoints and things like that. Has other capabilities, but in a nutshell, it's an agent. Right, it's a software agent, so back. So basically the hackers were like, hey, if we attack this company, this particular vendor, they've got thousands of people that use this solar wind software agent, so it'll infect all those people in one shot.
Craig:So that's really what happened in the breach. And then what happened recently with the SEC charges is that, even though they lost a lot of their credibility and their trust because they're an IT company and they were breached, it just goes to show that what was that? 2019, I think you said they had what is that? Four years ago now, they still have not improved their cybersecurity to bolster themselves and take it seriously. And then the CISO apparently got charged from the SEC after there was an investigation or maybe the investigation is ongoing around how there is possible misleading of investors around cybersecurity. I think that's the.
Blake:Yeah, they overstated their cybersecurity practices and they understated their known vulnerabilities.
Craig:Yeah. So this goes back to what we've been preaching for a really long time now you can't trust, sadly, anyone trustless. Right, we keep hammering that home. Had there been some type of third party that has to check them and make sure and then put a report out, I mean, I don't think that's such a bad idea for especially for publicly traded companies to be audited like that by a third party. You know, kind of brings us fast forward to CMMC and why everything's evidence based and everything has to get audited and all those controls have to get checked by a third party and make sure that everything's being done properly and there's no fudging anymore. And that's kind of the point. But the stark reality or the learning lesson I guess in this is just because you have a vendor that might look good on the surface and so you know you have to do your own due diligence and risk on them. They may be an open window or a gap in your system to potentially have a breach, for, you know, to rope you into things.
Blake:Yeah, I mean this is making headlines pretty much everywhere and so when we were looking through the news to talk about on today, I mean people just repeatedly different huge outlets are loving to talk about this one.
Craig:Yeah, I feel like you know. I feel like the story is just kind of almost like mind numbing. It's like I don't know just my perspective. I feel like the headlines and the it's almost like noisy right, like it's just happening so much. I think people are just almost overstimulated with all this stuff and it's just like, well, okay, here's another headline. What do we do now?
Craig:And I think the takeaway is audit your, your vendors, audit your third parties that you're doing business with and push back on them. Push back on the vendors for their security. Ask them for proof and evidence of, you know, various standards. You can go as high as SOC2, type two or ISO 270001 and some of the derivatives. Those are kind of like the gold standards. But small businesses, you know they're not going to be able to afford that. But there's still some questions that you as customers of these companies can put pressure on these vendors. You know, I feel like if the public puts more and more pressure, you know, into more of a trustless model that don't trust would verify, I think that's going to be, you know, good for all of us.
Blake:Yeah, another one that stuck out for me is the Canadian government apparently banned WeChat and Kaspersky on any government focused apps. I mean I think I'm surprised they're just getting around to it now in all honesty. I mean I think the US government had banned WeChat years ago. Obviously, kaspersky is Russian antivirus software, which is probably I mean, they were a lot more popular back in the day than they are now. But yeah, I'm surprised it took so long for that to happen.
Craig:Well, it's kind of like what we talked about in our last podcast. Around DJI was under the microscope and still is, and we talked to our listeners and we were like, look, you don't kind of go through all your apps and your software on your phones and your endpoints. You'd be really surprised if you actually did that and went through all the stuff on your devices to see where it is. And, quite frankly, I would not be surprised if there were one or more apps that were kind of gray or shady, in my opinion, around where they developed. What country are they coming from? And I think that's the big takeaway with this.
Craig:I think it's if you've got apps that are in a country that the current landscape and climate is either hostile or considered an adversary. I mean, it's a big risk for you having that on your phone because you have to assume the worst. You have to assume that, oh, this app's spying on me. It's kind of like you have to put the layers in place and assume that everything is your camera, your microphone's being turned on without your knowledge or consent. So what are you doing to prevent that stuff? So you either make the choice to uninstall the app If you're on an iPhone or another device that has controls where you can limit, that's obviously limit location services, limit the usage or only ask for, allow the app to ask permission on. When can we use the microphone, when can we use the camera, physical safeguards, the tape over the cameras or cover them up.
Craig:It's just crazy all the stuff that we, as consumers, have to look out for. But I think it's awareness. You're making your job a lot harder if you have hundreds of apps on your devices. This is really the bottom line here. So try to simmer it down, try to go through an exercise and regularly check these things, especially if you're in a regulated industry or you're a defense industrial-based contractor. But even at the consumer level, like with the WeChat, we talked about TikTok. We talked about what was the other one? It was TikTok. Oh, we talked about Meta and the lawsuit 41 states banding together and suing Meta about unfair practices towards minors and children, purposely creating addictive products. I mean, it's just crazy, I don't know, it's just mind blowing to me.
Blake:Yeah, I mean obviously anything TikTok is huge. It seems like the-.
Craig:I don't know why. It's huge, though YouTube has shorts which isn't short, similar to TikTok. I don't know what the difference is. I guess I'm-.
Blake:I've never used TikTok, I've never even had but isn't the whole point of TikTok like short video clips. Yeah, it's short format videos.
Craig:Right, so I think YouTube's answer was shorts. They call it shorts.
Blake:Instagram has shorts.
Craig:Right, but I don't understand why. Why so much gravitation towards-. It's kind of like the Twitter thing. There was the character limit with Twitter and then there was just explosive growth at that time. It was just kind of weird how some of these platforms just explode like that, in my opinion, I mean-.
Blake:Yeah, I mean you would think like I think TikTok did it first, right, like, with the short format video, and then Instagram rolled out their shorts, and then YouTube rolled out their shorts, or whatever the reels, whatever they call them. So I think the fact that TikTok did it first and then these other but you would think, like people would want to consolidate their app, you should like to see the same shorts from Instagram, for example, the reels, like you're going to TikTok to see the same content. I just don't understand.
Craig:Yeah, I don't know, does TikTok do like pay-per-click ad revenue models as well? Yeah, yeah, I mean they're all pretty much trying to fight for the same Because I know that Google posted that their stuff was down big time as far as ad revenue and people using online advertising through pay-per-click and stuff like that.
Blake:I find that hard to believe because so through the Google Ads Manager, I mean you're running ads on YouTube, I mean you're running ads on their Google Ads network, which essentially Google allows users like web admins to put little generic banners. So essentially then Google will feed a banner to it, or an ad, depending on the dynamic network that the user or the audience finds interesting, and then they pay those web admins for that space. So I find it kind of interesting that they would say ad revenues down.
Craig:Yeah, I think that that was the last that I saw, anyway, just trying to see if there's any other. I know that there is this huge move it ransomware. We talked about that a little bit. Do you remember that?
Blake:Yeah, I do.
Craig:Then there's also the Android spyware that's tracking almost like the Pegasus.
Blake:Speaking of ads, I saw the malvertising. Did you see that one? People that are downloading malware through ads now, so like ads are delivering.
Craig:I've talked about that many years ago, but I haven't seen recent press around it.
Blake:Yeah, I just saw the headline but I didn't read too much about it. But essentially, you know, malware distributors and architects are essentially serving up ads to their own.
Craig:I know what would happen in the past was these malicious actors would buy legitimate ads, get them approved and then swap the content on the web server to have an infection.
Blake:One of them has been targeting like a payment platform, like a Brazilian payment platform that I was reading. But yeah, essentially the malware ads are being placed in advertising sections of search results and then, whenever they click on it, they'll be redirected to like a cloaking service, so it'll filter, you know, obviously, any type of. They'll have some type of like click cease or some type of technology like that that filters out any type of bot traffic and then, and then, yeah, I mean essentially it'll look like they're banking, they're banking software, or I don't know how it's crazy.
Craig:The other one I saw was the FTC put out some new guidelines for car dealerships, automotive dealerships.
Blake:You see that I saw you sent the link, but I didn't get a chance to read it.
Craig:Yeah. So basically in a nutshell, there's a new extension to the FTC where they're requiring the car dealerships to use encryption more heavily, specifically adopting encrypted messaging tools and hard drives. So I know we've got some clients have fallen to that bucket and I've sent out some emails to talk about that. But you know we talked months, if not years now, about how it's. Just every day is going to be some new regulation and my hope is that you know we just simmer it down to CMMC. So it's just kind of the gold standard for everyone to follow, right to make everybody's lives easier.
Craig:But if you're in a business and you're not regulated now I actually find it hard to believe because there are so many state and federal breach notifications and privacy laws. You may just not know that those laws exist. And then if you're handling certain types of data, like the whole reason why the FTC cracked down on car dealerships is because they were like oh, all of our customers are giving, they want credit to buy a car, you know. So there's so much personal information being given and then there's handling of that sensitive information to protect the public. So that's where the whole FTC crackdown happened and I think, again, it's for good, you know. I mean we're obviously in cyber and compliance, so we want to make it harder for cyber criminals to, you know, steal people's identities and cause a breach. But yeah, I think that the takeaway here is, even when, if you were to go to a financial either a car dealership or a bank or wherever you're going I'd still be pretty stingy on how you give your information and require evidence of protection of that information to protect yourself, because you know if they're handling it sloppily and what happens, you're the result of the breach and then now you have your own cleanup to do to protect your own identity. So it's you know.
Craig:The takeaways here are, you know, we share this news and information not just to kind of scare everybody, but just to this is the world we live in. I mean you just got to take matters into your own hands sometimes and embrace everything that you can that's trustless and assume the worst. Assume that you know people are spying on you and data mining points around you to maliciously, you know, put harm on you, either by social engineering and phishing and targeted attacks, or you know there was a another headline I saw around the data breach with LastPass. I mean that was December of 22. And then just recently I think it was just a few days ago, it was on October 25th 25 different LastPass users lost more than $4 million worth of cryptocurrency.
Craig:Now, my argument with that would be, yeah, they had a breach, but once the consumers in the public were notified of the breach, any people that were holding crypto, especially, or any people that were affected, for that matter, again should have taken matters into their own hands, chose a different password manager and changed their passwords. But these 25 people and again, I'm not, you know, pushing blame on people, but I'm just saying that it gets to a point where we have to take certain things into our own hands and do our own thing. You know these companies that get breached left and right. Again, we're the victims, right? So assume the worst, assume all of our stuff is out there. What are we doing to monitor it and what are we doing to protect it and how do we make it? What actions can we do as a human and a consumer to make it more difficult for hackers to breach our identity or our systems?
Blake:Yeah, I mean it's all about embracing the zero trust framework. You know, like another, another instance, I mean I don't think I ever told you this, but I was importing something from abroad and then I get a phone call and it was FedEx or UPS or one of the I can't remember which one. But they called me and they said hey, are you Blake? They're like hey, yeah, we, we got your package here. What's your social security number? Like they're like oh, our tax ID number. Like they didn't put that on there, you know. I'm like Okay, how do I know that you're from FedEx, you know. And then, of course, they verified a bunch of stuff. You know, like that it was a legitimate call, but immediately, I'm just quite surprised that you actually answered the phone.
Craig:I mean, it's gotten so bad where I don't actually answer my phone live anymore, unless I'm expecting the call for a meeting or something, or it's somebody that I know and trust. But if it's just a random caller, there's no way, because there's so many social engineering, smishing, fishing, all sorts of stuff.
Blake:I normally wouldn't answer the call because, you know, I typically will only answer phone numbers if they're from, like, my network or extended network. So in this case it was, ironically, a call from South Carolina. So I'm like All right, like I, you know, have a California phone number, like if somebody's calling from North Carolina or South Carolina, like they know who, I am like right, because I lived in North Carolina, south Carolina, so so yeah, that was like the one reason why I answered it, so yeah, Well, that's crazy.
Craig:I mean, that happens all the time. I get weird text messages. My wife showed me a text message, you know it was kind of similar to what you were just talking about, about a shipping or something. And she's like, is this legit? And I looked at it up and I'm like no. I'm like look at the phone number, it was like plus 60 something, different country. I'm like absolutely not.
Craig:You know, but it, you know, just put so much pressure on us as everyday people and we live and breathe this stuff. Right, blake, I mean. But imagine the people that do not right, how, how hammered they are every day from every every direction, whether it's phone calls, emails, text messages or any other messaging. You know social apps, things like that. Again, the more you involve yourself in the wider spread your your attack surfaces for you to get scammed, right. I think it's.
Craig:It's sad and unfortunate for these folks. You know that lost all this money. But you know, I don't say anyone layers to cure all, but had they used Google authenticator or Microsoft authenticator, the software apps for you know one time pins and passwords in addition to the password? I'm saying that's not an excuse. You should have changed your password.
Craig:And you know again, adopting more layers, adopting more trustless systems. But you know it goes back to backups, right? I mean, we can't even get people to listen and backup their stuff and they won't. They don't want to pay for it, and they don't. They're like, oh, it's just cost too, it's too hard, or they don't want to pay the money to do it. But then they lose everything and they're like, oh crap, you know what does it cost for data recovery or whatever you know. So it's like we all need to do more in in in educating ourselves and taking the security training that we talk about and the testing, and just keep doing better and putting more pressure on our vendors and and demanding more evidence and pushing more back on these vendors to take security more seriously.
Blake:And it all starts with, like, questioning yourself, right, like you know. Ask yourself the simple question, like what is the worst thing that could happen to my business? Like what is the worst thing you know?
Craig:like I would cease to operate if this happened, and then but I don't think people want to see the reality of that, though. I think that they just don't think it's going to happen to them until it does. And then it's the old crap moment of how do I get out of this?
Blake:Yeah, I mean, it may not, it may not happen, but it doesn't cost anything for you to ask yourself that question, Like, hey, what would happen if this happened, you know. And then you ask yourself, what am I doing to prevent this from happening? Like what you know? And then you put your plan in place like, okay, well, if you have one single point of failure for all of your intellectual property, you know, and your backups are in this service or that service, and if that you don't have anything backing up that service and your whole company falls and uses that, that one service provider, and there's no redundancy, you know, how can you implement redundancy? You know? I mean, that's a simple question, it doesn't cost you anything to ask that. And then you start exploring the wrap. Oh right, Okay, Well, if we're you know, here's how we implement backups for said service. Well, it even.
Craig:it even goes back to your everyday life too. So like who do you bank with? What happens if this bank goes out of business? You know, do you have money in another bank? You know, like, fdic insurance only protects you for a certain amount. You know, if you're a business owner and you have more than that amount, how are you protecting yourself? Do you have multiple? But you know what I mean. Like it's redundancies in every, every part of our lives. I think and I think that's a great point that you bring up it's asking these difficult questions and taking whatever time it takes to just kind of chip away at it and it's it's, it's a snowball effect and it's a lot of work, but but it's planning and preparing for the worst and in a layered, you know, methodology.
Blake:Yeah, I mean, it's a simple question. It costs nothing for you to think about it, right? You know a lot of people that you. You know you have resources here. Obviously, we're making podcasts, we like to give out free information, right?
Blake:So you know you're more than welcome to pick up the phone and give us a ring, chat with me or Craig about. You know disaster recovery options, or I mean who knows even a disaster recovery plan? Right, absolutely, if it happens, here's what we need to do, right, and that all it takes is you just saying, hey, I'm interested here's, here's what I, here's what I thought about. Right, I thought here's where the weaknesses are in our company, and it's really easy for you to spot it once you start framing it right, it's all about the framing. Okay, here's our weak points. You know it doesn't take you paying somebody to tell you that to figure it out, because you live and breathe that organization every single day, those workflows, those practices. It's really easy for you to look at it right from an internal perspective and to because you're familiar with the environment. You know, you know to do a self assessment of your, your business.
Craig:It costs nothing you know, yeah, and then for the businesses that are more mid market or more mature, then then we can move into tabletop exercises with your team and test the the plans that you have worked so hard to put in place and see how, how effective they are, if there's any gaps that need to be filled. Or you know that constant drilling and testing is only going to make you faster, better and stronger.
Blake:I think one thing I've noticed with a lot of people that I talked to it's almost like they get embarrassed for having vulnerabilities or they're. It's almost like I don't know, I don't know how to describe it. It's almost they feel like embarrassed. They're like oh, I am doing this, or anytime I've asked a question to somebody I'm talking to, it's like automatically go into defensive mode. Right, you know, and that to me is almost like I wouldn't say like makes me think about their weaknesses even more. But but yeah, every time we've asked these questions to clients that we work with, they automatically go to defense. Well, I do this, I will, I do that.
Craig:It's like yeah, and I agree with that. I think that you know. I think the takeaway is we're not here to make you feel bad or shame you or put you down. You know we're here to help, right, and that's why we're doing these. You know, that's why our phone number or website, and you know you can reach out to us and get the help that you need.
Craig:We're not going to be like, oh, you should have done this or what if there are gaps? We're going to show you what the gaps are and and you know you don't necessarily have to do all of them. You can hire somebody to do some of it for you, but somebody's got to do the jobs right. And our job is to show your gaps and your, your vulnerabilities, your weaknesses and how you know. Look through the lens of a hacker is what I've said before how are you going to be viewed, or how are you viewed right now and how much of a mark are you and how easy of a target are you? And our job as your provider is to make you better and stronger and more safe.
Craig:And you know leverage technology, some of which are free, you know, and don't cost money. It's just a. You know different methodologies and recipes of doing things. You know you'll get to a point where either your business is best served by you and these kind of functions are better outsourced to professionals. But if you're super small and just just starting out, maybe you do all of it yourself at the beginning. But it gets to a point in your growth and your maturity where you have to document your policies, features and and how you're going to respond to certain situations so that your company can grow and have that strong foundation. So as you hire people and expand, you have a blueprint.
Blake:Yeah, I mean a lot of companies now with digitization, like data is the business model? Yeah, right, like we have clients that their whole business and all of their revenue comes from the data that they produce, that they share and that they, you know, publish, right. So, so if you're, if your business model is data driven, you know, maybe you should look at it, you know, but if you have a food truck and you're you know you don't take credit cards, you're all cash powered food truck, and you don't, you know you don't store any credit card information, or you know you don't get anybody's phone numbers or emails, or I mean, it's obviously different conversation, right. So, but, yeah, you know the self, the self kind of realization as to, hey, what is our, what is our revenue source? What does that come from? Like, what, what drives the revenue? If you're a medical debt collection company, you know, when you're making calls left and right trying to collect debt or whatever, like, the data is the revenue source, right, yeah, I mean there it is so. So, yeah, that self realization has to happen.
Blake:Don't be embarrassed, you know, like there's nothing wrong with being uncompliant. I think the only thing that we that I think is wrong is once you realize that you're not doing the right thing and continue to ignore and continue to ignore the right thing, that you you know. You know you're doing the wrong thing. That is when you know obviously it's, it's, it's embarrassing, right, you know, for your clients to know and find out. So so, once you realize you're doing the wrong thing, start doing the right thing. You know these are choices, right? You know that we make every single day. It's like you know you can go make a cake and eat a whole cake, or you can go to the gym and eat, you know, a plant based diet or something. You know what I mean. Like we know, we all know the right choices and they're right in front of us. It just starts with one foot in front of the next, like small steps, yeah, yeah.
Blake:Yeah, yeah. It's just making the right choice at the right time. So being ignorant doesn't make it okay.
Craig:You know? Absolutely not. I think it. It almost makes it worse, because now you're holding information that you know is wrong and you know what you need to do. And then it's like, all right, take action, start today, chip away at it it's not going to happen overnight, you know and just keep working towards the end. You know, and once you get there, it's a continuous effort to keep yourself secure and compliant. However, if you've got all the big work done and you've climbed the mountain, you know it becomes easier.
Blake:Yeah, it's easier to go down the mountain than it is to go back up it, you know. So, once you've reached and summited that mountain, you know not saying you have to go down in your cybersecurity, but it's easier. The uphill battle right.
Craig:But I think the takeaway is not only does this stuff that we're talking about make your business and yourselves more secure, but if you're in business to profit and make money, it gives you that foundational layer to build on. You know you can. When you start a business, you can be just you and do what you want and try to do everything yourself, and that's fine. People do that. But you're going to hit a ceiling. There's going to be a point in time where it's either too much work or you need to expand, or you need to bring on somebody and hire and expand. And if you truly want to be able to take back control of your time and be able to expand, you need to hire good people and then you need to train those people and then follow the policies and procedures and the methodology that you put in place for your company. And then that's the kind of the maturity ladder as you become more and more mature, it becomes easier to expand because you have the blueprint and, like I said, the hard work, the heavy lifting, it's been done and it's almost like maintenance mode, right? Like you brought the good point around exercise Typically people that don't exercise it's really hard to go to the gym, right, and then it takes a good two to four weeks of going consistently to really break through that psychological and emotional barriers on a health level to change that habit, the bad habits, right.
Craig:And then, once you do it often enough, then you actually look forward to it, it actually becomes somewhat enjoyable, and then you're mad when you miss a day, kind of thing. But in order to break through and that's different for everybody, but my point is, in order to break through that it's just like anything else you have to break through that habit and you have to be persistent and you have to keep chipping away at it and keep trying, keep working and eventually it'll pay off.
Blake:That's it. I think that's a good note to end on Yep agreed. Well, thank you guys. Have a great day, as always. We'll talk soon. Take care, We'll see you on the next one.