Welcome, everybody. Introducing you to a new podcast today. We've got a guest. His name is Parker Stanley. Go ahead, Parker, introduce yourself, please.
I'm Parker Stanley. I've been in cybersecurity for a few years now. That federal government, local government, private company; seen all sorts of things.
Which is exactly why we invited you on!
That's right.
Mostly we want to know how you sleep at night.
Erin and BJ, do you want to introduce yourselves?
My name is Erin, and I am a project manager here at Petronella Tech. I've been working with Craig off and on since 2013. Yeah, Craig, this is when I started doing work for you. It's been a while now.
Yeah. Time flies.
Yes. Especially when you're having fun.
And this is BJ, and I just love talking about this stuff. So, my passion is AI and machine learning. That's my current passion.
Yep. And today we decided to talk about how people's bad cybersecurity hygiene not only impacts them, but it can impact everyone around you. It was BJ's idea to talk about it. And I think that's something that's often overlooked or not really thought about. It's one thing if your computer gets hacked. If you're responsible for your friend or your loved ones getting hacked, that can be huge. And, on the business side, it's your clients and their data getting compromised.
It wasn't my idea. I can't take credit. The idea came to me; I was standing there getting ready to cook something, and it popped up on my Echo Show. Alexa popped up a news article that an online news site had passed malware to its readers. I guess they had been hacked and they didn't know it. And everybody that was reading their articles was catching whatever payload was intended for their readership. It got me thinking.
I was like, we work with contractors in the defense industrial base, with that contract for the DOD. And just thinking about how they talk about island hopping and stuff. And I was like, this is interesting. This is something that needs to be talked about. Some people may not feel motivated to tackle cybersecurity because it's not fun, cheap, or easy. But it's so critical.
I'm sure that Craig and Parker have lots of examples of things they've seen, but it just brings it to a different awareness level. Island hopping is very real, and all it takes is one weak link.
Can you explain the island hopping?
Craig could probably explain it better. It's just a term that they use, especially for people that are in the same supply chain. For example, there's 300,000 contractors in the defense industrial base, and who knows how many vendors and subcontractors. But they're all connected because of the systems they use, and different tools that they use, and things they log into. It's just one big ecosystem.
The term island hopping describes: if a hacker was to breach one area of that supply chain and then plant the right payload or malware, it could then spider through that network, through that ecosystem. I think Parker had an example of something like that.
Yeah. So, is that very similar to what happened with Target? You remember the Target breach? With Target, the HVAC vendor was hacked. So, rather than hack targets directly, they went through the weakest link. In this example it was the HVAC vendor, which was a close partner. And that's how they dropped a key logger.
And what was the example you were talking about, Parker?
I've seen it before. You get a malicious email, but it's coming from a company that you've worked with before, even a user that you've worked with daily for years, but they got compromised. And then the attacker sends out the attack to everyone in their address book. And then they'll send it to the address books of those who got compromised from that, and it just blooms out to everybody.
Yeah. So if you draw on a whiteboard, the nucleus is the main company. Let's keep Target as the example. Target in the center. Let's do some recon and figure out who the vendors of trust are. So, we've got an HVAC vendor, an electrical vendor, might have some kind of contractor, or an organization to help develop new Target stores. I think FireEye was contracted. I don't know if they're still with Target, but that was the company that Target was using for cyber at one point or another.
So, my point is you draw this picture of how the main company connects to their trusted vendors, and then what the hackers do is they scan all and try to find the weakest link. What's the path of least resistance? How do we get in? And that's what the whole island hopping is.
That's a whole new category. I heard the term 'island hopping' late last year. And I think it was part of the CMMC. Yeah, I'm sure it was. I learned that term 'island hopping' when we were doing the training for CMMC to be registered practitioners in a registered practitioner organization.
And if you really think about it, if you step back and picture what you just described, Craig, it's a whole new level of threat for the big companies, even the ones that have excellent security and all the best equipment, all the best tools. How many contractors, and subcontractors, and vendors that don't have the right cyber security are they affiliated with? And then how risky is that? That's a whole new level of possible threat.
That's what's interesting, too. So, you've got an example that you're painting the picture around, BJ. You've got a smaller defense contractor, which in the lingo is usually called a sub. And then you've got a bigger defense company. That's usually the prime or the main contract holder. So, you've got those two that are very close cog wheels together to get things done. And then you've got outside vendors.
Maybe that small defense contractor is using a managed service provider or an IT company or an IT guy. All of these connections are different little islands, and everything in the whole thing, the whole chain has to be secure. You could even take it down to the consumer level. You might have a credit card. Maybe you use a Visa, MasterCard, American Express, whatever. Maybe you have more than one. Each of these credit card companies are little islands to your identity.
Maybe you've got a mortgage. That's another company that has your PII, your personal identifiable information. Maybe you bought a car and they have your information, too. So, you've got this thing, usually it's a credit report, that shows you how your credit history is built and the profile that makes you. But the scary part that a lot of people don't look at is how to score and vet all of those vendors that you've had for however long you've had credit history.
All of those little islands of companies that have your information, even the IRS. You pay taxes. The IRS was hacked; the IRS is an island. So, you've got all these little things. If you look at it, a lot of consumers blow this stuff off and they're like, oh, I'm too small; nobody's going to hack me. Hackers don't care. They don't care.
They want to hack you, even if you're small, because it's really a question of do you have good credit or bad credit, or do you have enough good credit that the hackers can get away with hundreds or thousands of dollars? That's all they care about.
Yeah, this opens up a whole new problem, because then it begs the question, what if the hackers aren't even after your data? They just want to use you as a staging ground to launch their attack from.
That's exactly right. And that's where I was going with Parker's example. He was talking about address books and things like that. All these islands, these partners have their own ecosystem, their own address books. So, if your persona is good enough to be impersonated to then get a bigger payload for the hackers, you may be a target. You may also be a target if you have good enough history to get a surgery. I've written about this before in the past.
A bad actor might need a surgery, but they might not have health insurance to get the surgery. So, they steal your identity because you may have health insurance. They impersonate you, they put the surgery under your name, your identity that was stolen. And then guess what? You get the bill in the mail. And you're like, what the heck? I didn't have a surgery. And I wrote about this in my book.
And what happened with one guy was he was being harassed nonstop by bill collectors, because he was like, look, I never had the surgery, this isn't true. And he literally had to go up to the hospital and pull up his shirt and say, look, if I had surgery, I'd have a scar here.
With the risks that we've known about for years you might be targeted because of this or that. But with this threat of people you correspond with regularly unknowingly becoming a vector of attack it could already be at the point where hackers aren't even looking for people with good credit anymore. That's not even their main target. It could just be that they're just scanning for vulnerabilities, for weak links so that they can enter into an ecosystem.
Targeting opportunity is a real thing. You just happen to be in the wrong place at the wrong time.
And if a hacker uses a software tool or something to run a vulnerability scan or something like that, and they find lots of vulnerabilities, I would assume even if you had crappy credit and this and that, you would still possibly be a hot target simply because you're an easy way in.
Yeah.
Of course, the attackers would love to get into Apple or Amazon. They have the most money and the most information, but they also have the most security. And then you have this company of 50 employees. It has one IT guy that's got a couple of certs that he crammed for. They might not have as much money, but it's an easy target.
Not really. That's what happened with SolarWinds. What was it? They were able to get into a vendor, and that vendor was exploited or vulnerable.
It was a software, right? Didn't they get into a piece of software?
SolarWinds? SolarWinds makes different kinds of tools like agents. These agents are typically software agents, and they're used by a lot of IT companies or even regular businesses of all sizes to do the remote monitoring, patching maintenance of their systems, their endpoints. And SolarWinds was breached. And what happened was it bled into the people that were using their platform.
There's so much irony in that. You're going there for solutions, and then instead you're catching the problem.
Didn't it get hit again recently? Besides the initial SolarWinds issue a couple of years ago, there's something about them more recently.
I haven't heard of the recent one. That could be true, but the original one was on March 26th of 2020.
So it was two years ago.
I don't know if it was another attacker or them finding another vulnerability but they found more yuck. They weren't even aware of it at the time. It's so interesting. Even with COVID we all learn how connected we are. It spreads like wildfire, and you're starting to see a similar picture emerge when you talk about cyber security. Is any, for the lack of a better word, island separate from the others in the cyber world?
When you factor in things like cookies and IOT devices, ISPs themselves, is any island actually separate from the rest or is the whole cyber space? Is it one ecosystem with lots of different moving parts?
If you get hit like SolarWinds did, people will make sure your island is separate from theirs. One thing people also don't take into account is your reputation after the fact. I don't know if there's a single person who at this moment is willing to work with SolarWinds.
And that's crazy because that could have happened to anyone, but you're right. It comes with a huge toll on the relationship, and these are all things that people don't think of until after the fact. Think about mathematics with the least common denominator. If you put that thought on to cybersecurity, what are some things in common that pretty much everyone uses? And what if something like that was embedded somehow at the supply chain, top of funnel?
I'm just thinking out loud, but something like an Apache licensed software, the document itself, that's on every device that has these Apache licenses. Something at that core level that almost all devices have.
Like the issue with Lenovo machines a few years ago, or the issue that Intel was having. People discovered there was a vulnerability in their processors for a number of years.
Yep. I don't know everything you guys know about the actual computer itself and how it works, but what if there was a way they breached something that happens on every machine, like a low battery pop-up saying that you have 10% battery left. What if something like that could somehow be targeted?
I actually do see a little bit of that, the little pop-ups that Windows will send you. People will get pop-ups right there. That it's an actual Windows pop-up but it's coming from a cookie you got from some website that says you're infected. If they just made them look more believable, they would probably get more clicks.
Or if they get it to the right place. As things become more connected. It's so dangerous because you have the whole internet of things. What's the number now, Craig, do you know? I think a few years ago we heard that was 50 billion devices on the internet of things?
Oh, I can just do a quick search. It changes every second.
Yeah. But if you think about that, as things become more connected, the risk involved gets much higher, too.
To answer your question, BJ, there's projections of 1.3 billion by 2023. As far as IOT.
Wow, a billion. I guess that is a lot.
What's also interesting is it says that's the 1.3 billion projected subscriptions. That's subscriptions by 2023. The number of connected devices in 2021 is predicted to hit 46 billion.
Oh my God. Okay. Here's a really relevant current example that you guys may not have even heard of yet. So, I use this app called IFT. I don't know if you've heard of it. It's an automation app, and you can program a lot. If you're into automated home and stuff, you could program a lot of your smart devices in your house to work together and to link to other platforms like Alexa, Google assistant.
I've been using this app and I've been running these automations and trying to link a lot of this stuff in my home and my devices together. Just yesterday, I started getting all these emails about some of my applets, the automations that you set up. All my applets were being turned off. I'm like, what's going on here? They're all getting turned off. I was at the point where I felt really happy. I'm like, wow, this stuff's really flowing. It's really working well.
All my automations are just executing perfectly, and I was starting to feel really good about it. And then I start getting all these emails that they're all being turned off. For example, every time I play a song on Spotify, it was logging to a Google sheets document. Anyway, I didn't know what was going on. I kept trying to turn them back on and then they would just get returned back off. I Googled it and found that other people were having the same problem. It was on Reddit.
This just started yesterday or maybe 48 hours ago. And everybody's getting these error codes from Google or 400 on there. Any automations that linked to Google, or Google assistant, or anything. They're getting all these error codes, and nobody knows why, and IFT doesn't know why. It just got me thinking, I was just playing with it all, but I have these long sheets, of all my songs that were playing. And it's a lot of automated activity.
And I'm probably one of the lower end users on these apps, but some people have this stuff set up to such a degree. If you think of all the connections, and for some reason these started to turn off recently. But how fast something can spread through an app like that?
You're right. And it's similar to what happened with the whole SolarWinds thing. A malicious code was injected. And then when that was in that ecosystem everyone got the update. But the update was bad. So that's where it balances out. I've talked about this before, too. You've got all these apps on your phones, you've got all these computer software on your computers. You're entering, and you're trusting all of the vendors that have made these apps for you to do their security updates.
But if you picture it as a house, every one of them is a window. So, if a hacker were to break through that window, that's how they compromise and escalate. That's another illustration of using the automation technology that you brought up. That software, and all those people that use.
Yeah. There's some problem. Something happened to turn off the functionality, the linkage between these different platforms. Something happened recently to make this be the case, but all of those things that were running. The people that are using this one app had 5 million downloads. Just these people using this one app linked it to so many things. I'm linked to Google calendar, Gmail, Google assistant, Alexa, all of these things. And I'm one of these 5 million people.
You can just start to see this picture emerging and you start thinking about cookies. All the cookies that are there in the background, we don't even really ever think about that. We have the conscious connections we make. I'm going to do business with this company and I'm going to choose to click on their links and open their emails, but what about all the stuff that we're not even consciously aware of?
The stuff in the background, all the cookies, and the different pathways, and stuff that we're not even thinking about.
Yeah, exactly.
Another thing that I think about is when we have potential clients, for example, that are like, yeah, I know I need to get this done, but we don't have time to focus on it or excuses. But what it boils down to is that that's really selfish. I think a lot of businesses think about how cyber security is going to impact them and how they might not get a virus or whatever. What they don't realize or don't think about is how it's going to impact everybody else.
One of the biggest reasons that password security is so important and why it's evolved so much is because of the fact that if a hacker gets into your system and they find out your login credentials, and you use those login credentials for your bank, they can log into your bank and steal you blind. Right or steal your customer blind. And it's such a myopic and selfish way to think about things. When in reality everybody knows the internet is connected. You're only as strong as your weakest link.
If you do have a vendor, or you use somebody that doesn't have strong cyber security, that could really hurt you. I don't think that people really think of it in that way. They're like, we don't have time for this. We don't have the money for this. Okay. Go tell that to your clients.
Yeah. It's clear that they're not thinking it all the way through. That's really become clear lately. As a cyber security plays, we've witnessed people be aware of the fact that they may have an active infection and not prioritize it in their budget to take the right steps, the right actions. And these are not bad people, they're good people, but they're not thinking it through. And when they don't prioritize it, they're not thinking it through.
I think people are missing the awareness of how connected the internet already is. And that we're not all separate from each other. I'm paranoid about clicking links anymore like you guys do. I can't click anywhere. I won't click a link, you can't pay me to click on that, but I don't think people realize how connected everything is. I was doing some reading about cookies on Spotify this week. I have an interest in Spotify because I think it's a really neat development for the IOT.
It's a lot of the intelligences that are out there, like Google assistant, Alexa, Siri that can access the same content at the same time. And Spotify has got an API for AI, it's linked up. And I was looking into Spotify. I was reading in some of the fine print because terms and conditions are always the fun thing to do when you have nothing else to do.
I got really deep into it just reading about cookies, and I'm like, wow, just cookies alone should be enough to make people think that we really need to take our cybersecurity seriously.
I'm just wowed by the fact that you read about cookies.
I find it interesting. I don't think a lot of people even know what cookies are.
When you get reading about it, there's all these different types of cookies. And it's so weird. It's so ironic. Like everything in life, they say humor always has a degree of irony in it. And I think that's true with just about everything. If you think about the purpose of cookies, was for, I call it big tech, but I guess it would be. Trying to make a buck off people using their platforms, right?
So cookies are there to be able to track and, brilliant intelligence on the user and, present them, targeted marketing and, see what platforms they use. So you know, all this stuff to gain data on your users so that you can then use that data to your advantage. So that's like the point of cookies. But when I started reading about the cookies and the different types of cookies and what they're capable of doing and how far their reach is, I was like, oh my God.
Like this right here, just this advertising avenue, weaponized and cookies, literally could sink the way of it's, they're everywhere. Like they're literally everywhere. And they're actually described as a piece of technology, like cookies falls under technology. Like it's actually a thing.
Yeah, but people love it. They love having passwords.
Isn't that the truth? I don't think there could have been a better response to that whole. Yeah. That's that? Isn't that right?
Anything convenience. In my experience, personally, convenience is almost always the exact opposite of security.
And I'm saying that, have I not been saying that BJ and Craig, when I talk about like one of the reasons I like one of our vendors, gatekeeper and even our other like big vendor blue shift, they actually are. I guess I like companies that marry efficiency and security, because you're exactly right, Parker. Usually if it's convenient, then it's not secure. And if it's secure, it's not convenient.
Yeah. And this is like a double-edged sword, like Parker. So write that. Yeah. People love it. And that's why it exists. But this is like a double-edged sword because it's yes, it's it puts these cookies that are pieces of actual pieces of technology all over the web and in everybody's devices, pretty much with all over the internet. Like you might as well say it in the background, IOT is already connected by cookies.
But then it's like a double-edged sword because not only is that true, but then you also have the people like the big companies that put out the cookies for monetary value. Then it's wow, could this end up being, this could backfire you for quite some time and still be wondering.
Yeah. And I think to Parker probably in your experience, most people, I would say tend to choose convenience over security and that's probably one of the reasons
users will choose security every time I trust them. Yeah.
Yeah. And then the big tech guys will choose collecting big data over making sure that those barriers are in place. So that island hopping and infections can't happen. But through the over usage of cookies, big tech has probably put themselves in a vulnerable spot.
I don't know. Could you explain that?
If you just reverse engineer, the thought, these cookies are pieces of technology and there's different types of cookies and there's different things they do, but they're basically like a form of intelligence because they, they're not like they're processing information and they're like, these cookies are actually like little box the way I envision it, basically, because they're programmed to do certain things, they perform certain functions.
And so there's a degree of intelligence there because they're customized. Do you need to do certain functions, certain tasks, and they have certain boundaries and they follow these rules. So anything that's capable of following rules on performing functions has a degree of awareness or intelligence to it. At least if you just call them like cookie box, like they're everywhere. And if somehow something was to link all these, right? Like just the say, use an example of AI itself.
If AI was gathering all its members and gathering itself to prepare, to become autonomous, like what if it was to tap into all this technology of these cookies everywhere and what if that was like a way for it to pull itself up? You know what I mean? It could, people don't think things through is my point.
Like none of this has been thought through like from when you know, the internet, which, the eighties, but I read something about it being more like the fifties or something that they sent their first message or something, but, or the twenties or something like that. But anyway, like it wasn't thought through, like there wasn't a plan put in place for cybersecurity or to keep everything protected. Like it was rust like a gold rush before it was really thought through.
And I think we're definitely seeing the climax of that now. The fallout of that. And then when you think about even a, like a bigger picture, like you hear lately about, stuff about global satellite internet and stuff, and it's like taking it all the way, like looking back from the start of all this, to where we're at now. And it's if we've learned anything at all, I would say we should have learned that cyber security should be the number one priority.
And it's still not the case, because it's not convenient. And it doesn't make
money. It will never be the first thing thought of it's like when the first car was made, there was no seatbelts. They wanted the car to work. They wanted to be able to drive around. They didn't think about the safety until, oh, we had some people fly out the car when they hit something.
Just a few weeks ago we heard you're right. And just a few weeks ago we heard some of the Tesla cars number that they were having braking problems. Like they were doing some auto, automatic braking thing on their own or something like that. And just right there, that should give us pause. I'm thinking. Before we go any further, before we do global satellite internet and all this other stuff, shouldn't we get all that figured out like really carefully in perfectly.
I think blindly trust Elon Musk.
I think it goes to the fact that, companies are pushing things so fast security is always taking the back seat. So they put it out there, like the same thing with the autonomous vehicle. The technology that Tesla's striving for. If it's not perfect right now, look, there are, there have been many car crashes. It's good, but it's not perfect. So there's associated risks that I think a lot of consumers don't really understand. You're putting your life in the hands of that car and people
don't want it. It's the
same
with anyone. Oh, wait, that's the key. That's the key Parker because you're right. Because people, and when I say people, big companies, big tech organizations, even government entities there, they all compete right. To be the first to arrive in the first to monopolize something. And so there's all this momentum caught up in the competition of things. And so it, unfortunately the side effect of that, like the good news is that it causes the tip of forward progress to always be pushed forward.
But the bad news of that is. People are prioritizing being the first to arrive. And the first is, whatever over, let's do it the right way
and bring it back to the vaccine with us too.
Yeah. That's a good, I
think that everybody so that you don't get COVID, but who knows what's going to happen? We're all going to have tails in five years.
I'm sure there'll be a good use for a tail of thumb, some way shape or form to look on the bright side. But yeah that's right. If we had a way to say stop the insanity, in the words of Richard Simmons, stop the insanity and let's do things correctly. There should be no more advancement of anything until we get the framework, get the foundational layer.
You can't even get everybody to agree on a flavor of ice cream. You're never going to get everybody to stop everything.