Welcome to today's PTG podcast, where we are discussing Biden's dire warning that Russian cyber attacks are coming. Biden said last night that with Putin's back against the wall, there's a greater chance that he may employ additional tactics and increase the severity of the tactics, and one of the tools that he's most likely to use, in our view, is cyber warfare. So maybe we can talk on that a little bit.
Sure. Yeah, we've been talking about that for, what, three weeks now.
Yeah.
So it was just, like, speculation around: increase your defenses, make sure you have the capability to detect and defend your business against a cyber attack, also at the consumer level too. Make sure that you're being cautious on emails, and don't open any suspicious emails or click on links or attachments. And if you get random people calling you, don't answer it. Don't be quick to answer the phone. I try to avoid the robocalls.
We had previous episodes where we put out some tips on how to best secure your mobile device, so definitely check back on our YouTube channel and other sources there to brush up if you need to. But yeah, the writing's on the wall, right? It's definitely not going to go away anytime soon. Sadly, I think this is the new norm. And I think I've said this before too: firewalls and antivirus are no longer enough.
So you have to have technology like XDR and some of these other layers, obviously training, and doing the risk assessments and pen tests and all that fun stuff that, quite frankly, a lot of companies don't have the budget to do. So they pretty much do nothing. So I think now's the time to really change that, and go through proofs of concept and really explore.
And look through a lens that you've never looked through before to see all the things that are really happening on your networks without your knowledge, that you thought were getting trapped but were not.
Yeah. I think too, another thing that's really important that a lot of people miss: back in, I think it was 2014, I got hacked on my social media, my Facebook. They took over my chat and sent out some pretty inappropriate messages to my cousins and stuff. That was fun. So that's another thing. I'm not really sure how they were able to get it. I probably reused a password or something, because that was before I really knew any better.
That's another thing too: they'll also contact you on social media. They'll clone different profiles and pretend to be somebody and send out messages.
Yep. Oh, Aaron, you froze, so I don't know if you can hear. Now you're back.
Yeah. Hey, sorry about that. I guess my internet's not the greatest. Shocker. Yeah. So just be careful on social media, be careful with emails, be careful with your phone calls, because I think, didn't we read recently that SMS smishing is also on the rise?
Yep, absolutely. Yeah. Smishing, if you don't know what that term means, is like phishing to your email, but to your phone, through a text message. And the problem with smishing is that you can't hover over the link to see where it goes. So definitely do not click on any links in texts, for sure, to keep yourself safe. Like I said, we posted a bunch of other tips there to secure your mobile devices, so take those security control precautions seriously, definitely.
Now, with the threat landscape elevated.
Yeah, definitely.
Hey, Blake.
Oh, you're muted, Blake. Not sure if you knew that or not.
Here we go.
Yeah. Yeah. And you guys talk, so.
Hey, it's good to see some different faces.
That's right.
Looking at my face, it's stuck. A real nice one.
Yeah.
It's interesting to look at the quadrant of our pictures. Craig, it's like glowing faces. PTG always has really good visuals there. And then Aaron and Blake have the blurred background, and then mine is just the background. I don't know, that picture just popped up on my thing. It's interesting. I just think it's a neat combination there.
It's funny because with my big fluffy hair, the background doesn't always do the best. So that's why I think the blur is probably better. Yeah, change it. Oh, there you go. Yeah.
Blake's in space now.
I'm up here with you. Yeah.
Hey. Blake's keeping the international space station secure.
he's guarding us from the solar flares.
Yeah.
That should be possible. Yeah. So.
Craig, what was the other thing you posted? Something about... what was it? It was something regarding passwords, wasn't it?
I posted something... oh, this one's funny. I don't know if I posted this, but I read it. So somebody used the super secure password of "password". Wow. Genius idea. And then they got extorted for $15 million.
Oh, whoa.
Yes. Because guess what, it wasn't just on their email account. It was on a server at a company.
Oh, serious. Oh, yeah.
Yeah. Obviously, if you're listening, don't use the password "password". Take our tips seriously and secure your passwords with multi-factor and, obviously, a complex, long string. Use a password manager.
It's so easy. For example, somebody at their home network: most of the time, whenever you put a router or wifi network in, usually the access is 192.168-something, like nine out of ten times. And then it'll pop up for a login, and it'll be like admin, password. The username is admin and the password is password.
Or it's just admin.
Or it's blank for some reason. And most people, like, so anybody on your home network, if it's a friend or family, can easily get in there. And yeah. It's silly things like that that people just don't know.
Yeah. These default configurations are just weak and insecure, and in the manuals they always say, make sure you change this, but nobody reads the manual.
Has anyone ever, Craig, breached... when you actually type your password in, right, there's something there that's intelligently receiving that input and deciding if it matches the correct password. You know what I mean? Am I explaining that right? Something there is comparing what you input to what the known password is. Has anyone ever successfully breached that, like that right there, whatever you want to call it?
I think you're referring to the hashing database.
Okay. Yeah, that's probably what I'm referring to.
Yeah. We've definitely breached it several times when we do pen tests, for sure.
So is that... that's not something you really hear very much about, because you hear about people trying to guess passwords by using algorithms to crack them. And then you hear about advanced algorithms that listen for keystrokes on a keyboard to determine what's being typed. But that's something you don't really hear about, that in pen tests that can be breached. So we'll hear more about that, like why, if we've breached it in pen tests, what's the missing link there?
Okay. So the very first pen test I ever did, ages ago, was breaching the password database on a Unix system. And what happened was they did not restrict who can look at that database. So I was able to download it in the pen test exercise and then run some software that would crack the encryption. And at that time, I'm dating myself now, but at that time it was a 386 x86 microprocessor.
And it took about a week to crack the passwords, but when it was done, I had about 1500 user accounts and passwords.
Oh, my gosh. Wow.
So nowadays, fast forward: most companies use Microsoft Windows Server as their operating system. There's what's called SMB. And obviously with the later versions of Windows Server, it's more secure and encrypted by default. But in older versions it was not, and you could still run software against it. And even, you know, default settings may not be enough. But the point is that you could still capture that password database and then run
tools against it to crack everyone's password. What you were talking about a minute ago is called brute force. So a lot of hackers will use software and scripts to try combinations. What they'll do is they'll look at past breaches and they'll load up a database of all these different username and password combinations. And they'll start with that database, and then they'll use what's called a dictionary file, and then they'll set up a brute force attack.
So there's different ways to obviously mitigate those risks, but yeah, those are the two most common practices.
When you start digging into it like that, it really... like you were talking at the beginning about looking at things through a different lens, and it really makes you do that when you start hearing these details. Because everyone hears "password security", but when you hear it broken down like that, in all the different ways that passwords can be breached, it takes on a whole new meaning. It's, oh wow, this actually really is something to take seriously.
That's a lot of entry points.
Look at what happened with Equifax, right? With the hack of Equifax, had Equifax been encrypting, then the database that was captured or stolen would have been scrambled. But they didn't use that layer for whatever reason. And that's why.
They weren't encrypting the passwords that were stored.
They weren't encrypting the data that was able to be exfiltrated out. I don't know if they were encrypting the passwords by default, but I know that the payload was not encrypted. Had they been using more encryption layers, then the payload would have been scrambled and the hackers wouldn't have been able to breach.
Oh, wow. So when I was asking about whatever it is that measures or compares the data input for the password to what it's supposed to be, you called it a... what'd you call it, a hash what?
Hashing.
Okay. So is that kind of like the same concept as the hash algorithm that, for example, cryptocurrency operates on the foundation of? Is that kind of the same concept?
Similar concept. Obviously crypto is on a blockchain, so it's different, but yeah, a hash is, how do I describe it, it's a mechanism or a methodology. So when you type in your password, your password is then translated by the operating system to a hash string, which is similar to a GUID, usually a very long multi-character thing, and then typically it's encrypted.
So then the tools would decrypt that database and then be able to reverse the hash back to what the English password is.
So the hash is one thing, and then there's another thing on top of the hash.
that's different. Yeah.
wow.
There's what's called salting, and salting is another type of security technology that is in addition to the hashing layer, that makes things a little bit more secure.
And that's, let's say, related to the same concept about the secure...
Yeah, it's just another layer of security.
Wow.
Yeah. So this is.
I hear "hashing" and I think of a new movie by M. Night Shyamalan. Yeah.
Yeah, it's interesting when you... that term, "hash". It's just interesting because there's an air of mystery around it. What is it? What is it doing, actually? What functions is it performing? Is it getting smarter each time? Is there a degree of machine learning that takes place with creating each hash? Looking at it from that lens, like, that's probably a lens
we don't usually look at it through, but when you look at it that way, it's like, if you were the algorithm doing the hashing, are you getting sharper and smarter at hashing?
No. It's fixed programming in the operating system. So it's not going to get smarter. It's just going to do it one way, and it's not going to get any smarter. That's a whole different technology. Yeah.
That's interesting.
Yeah. So there is what's called SMB signing. And then there's different versions of SMB signing that would help better protect that hash database. But anyway, as new versions of Microsoft Server came out, security was elevated in each version of their server, at least. So obviously the latest version of Server is more secure by default than, like, a 2003 server.
Have you noticed lately, I've been really noticing a lot of the big tech companies, and others as well, but I've really been noticing that big tech companies are really talking about security a lot lately. Like, even on my AT&T home network, the fiber optic network, they now have something called AT&T Active Security or something like that. And you're hearing a lot more about this.
Microsoft's talking about it, and you're just hearing a lot more about security layers within big tech.
Yeah. It's probably because of the elevated threat landscape that we're living in right now, right? So the providers are trying to do what they can to protect their consumers. Just yesterday, I think you saw the post that I posted about ASUS routers being vulnerable. Big flaw there. So obviously you need to patch the firmware of your router, and it goes back to what's called your asset inventory.
As a consumer, and especially as a business, you should know what's on your network at all times. You should have mechanisms in place to make sure that devices can't be added to your network without your knowledge. You should be maintaining all those devices on the network, and obviously router, firewall, access points, wireless wifi, IoT devices, all that stuff. The more stuff you buy, BJ, the more stuff you add to that network, the more you have, the more work you gotta do.
And then before you know it, you're going to have all this stuff, and you're not gonna have any time to do anything else. So you're going to need to outsource it.
So, BJ, lucky for me, I have PTG managed services in my life.
Those managed services are limited to 10 devices, and then we're going to
Yeah.
start charging you money because...
I feel like we need to write a system security plan for BJ.
Yeah.
Yep.
Absolutely. Policies and procedures, going.
Yeah.
Yeah.
Back to Equifax. Like I believe they got social security numbers from the people. So if there's anybody out there listening and you store social security numbers of your customers, that is the highest sensitivity data point. And for example, if you're an accountant, or if you have a medical practice, doctor, chiropractor, dentist or whatever, make sure that you are encrypting your data. And if you don't know what you're doing, just reach out. Yeah. And it's not, that's
That's a really good point, Blake. You also can't assume that your medical software provider or your IT guy is doing that job, because those are different jobs, and the responsibility is yours as the business owner to make sure that you have the supporting evidence and the proof that stuff is secure, because there's data breach laws in almost all of the states, there's federal laws, there's FTC regulations. So depending on the type of business you have, and you might say, oh, I'm a business owner, maybe I'm a plumber, I don't collect data on people. You actually are collecting, if you're selling to a consumer, oftentimes name, address, phone number.
Yeah.
Now you probably want to take money from that customer for the services that you provide. So you're probably taking a credit card. Now you're subject to PCI compliance mandates, and you might be thinking, why, I use Square, or I use QuickBooks or something like that. Again, it's still the business owner's responsibility to ensure that proper safeguards are in place. And oftentimes, if you're a low-volume business where you don't do thousands of transactions a day, you could do what's called a self-assessment and self-attestation. When you go through that, it's typically 59 questions for a small business. When you go through it, they tell you, look, you can't be storing credit card numbers in an insecure system. You can't be writing them down on a piece of paper. You have responsibilities to keep this information secure. And if you don't, you're in hot water for fines, and the fines are steep.
Yeah
Some businesses, unfortunately, and in their defense it's understandable because they're not IT or cyber businesses, they do other things. It's like a wave, right? Like we caught the wave in the beginning. We all got online with AOL or whatever dial-up service, and we all started chatting online when it was brand new. And then sometime between then and now, things gained momentum and there was regulation put in place. And probably there's a lot of businesses that aren't even aware of their responsibilities in regards to IT infrastructure and cybersecurity and data breach reporting. I would say there's probably a large number of businesses that just completely are in the dark about their responsibilities there. But it happened even if we weren't paying attention to the regulation. As things progressed, it's there now, and there's breach reporting laws and things like that. And it's an education matter now, right? Like, people are starting to understand what the responsibilities are.
And I think, like we talked about before, about the gap: we have experts like you, Craig, on one end of the spectrum that can just spell off all this technical stuff from your brain, and then we have the other end of the spectrum, people who maybe don't even really understand how computing works and how a network works and all that. And that gap there has created a lot of uncertainty, maybe.
And so now, as people start to understand the severity of risk in regards to cyberspace, now it's an education matter. Like, now we have to all come together and learn: what is this that we're using and have become so reliant on, and then how do we use that responsibly? And then how do we protect ourselves and our clients?
Yep.
A lot of people.
Go ahead.
Oh, I was just going to say, a lot of people too, like for example, like Craig said, they sign up for these third-party services: Square, whatever payment processor, or whatever website. A lot of, especially medical practices, they use a lot of customer or patient software. And a lot of times when these people sign up for them, they're like, oh, I don't have any data here. I'm using this patient portal or this or that, it's in the cloud, they promised it's secure. A lot of times, if you go back and read the terms of service, they are basically absolving themselves of legal liability. So if your patients are stored within their database and somehow they get hacked, you get hacked, or vice versa: your client list leaks out, social security numbers, you are responsible for that loss of data. And then depending on your service industry, there's also a window of opportunity from the time that the breach occurred to the time that you have to notify your customers. And if you don't follow those two things, you could be in hot water. So if you're serving customers at all, the biggest thing you can do is go back and look at your service agreements. Look at your contracts. Look at the terms of service for the applications or third-party software that you signed up for and see where the liability falls. That's the biggest thing that you can do for yourself right now.
What comes to mind too, Blake, is a lot of people will tell me, oh, we use Google. We're a chiropractor or we're a small medical office, we use Google. If you look at Google's terms and conditions, like you said, a lot of these companies, Google, Microsoft, Amazon, they all hold themselves harmless of any kind of security. So the security is on the consumer. They provide you with the platform, but it's your responsibility as the user or business owner to secure that platform properly. And if you're not knowledgeable about cybersecurity, you need to hire a company that is, because one wrong move, one wrong change of a setting, can cause a breach for you. And it's very rare nowadays, especially if you take a credit card or you're meeting with a consumer, it's very rare nowadays that you're not subject to... it's almost assumed nowadays that you are regulated, because there's all these regulations for any kind of business. Like I said, FTC regulations, there's ADA compliance now for people with disabilities. You've got to make sure that your website is properly able to be read by what's called a screen reader, and we have a free assessment around that now where you can just reach out to us. And it takes us just a few seconds to show you at no cost. Look, you have a website. If you're in business, you most likely are not an ADA expert, but we can show you in seconds that, look, here's some problems with your website and how you can get a steep fine, a nasty fine, as a business owner. And I would argue, if you're in business nowadays, there's a very strong probability that you are regulated in some way, shape or form.
That is a perfect example, Craig, of the culmination of all of this, because there's all these different industries and they have different regulations: PCI DSS, whatever, for credit card processing industries; you have CMMC, the cybersecurity maturity model, for the Department of Defense; you have all kinds of different areas, HIPAA for medical. But then you have this ADA, and that is one that is a unifying regulation, because if you have an online presence in a business capacity, no matter how small it is, technically you are required to be ADA compliant, and that applies to everyone. It could be, if you're selling t-shirts online out of your pickup truck, it doesn't matter. If you have an online presence, you are subject to ADA. And there is literally a pathway there for, if someone sees your website and feels that it's not ADA compliant, there's contact information online for this, you contact them and report the business as not being compliant. And then the business is sued by the federal government, and then the person who blew the whistle on that business gets a portion of the reward from the fine. And so this is a very real... this is not something coming in the future. This is already there. And there have already been lots of lawsuits and lots of payouts to whistleblowers. And so this applies to everyone. Like, everyone has to be compliant for ADA. So that's a good point to point out. This is really an umbrella now. Like, everyone who's online has responsibilities.
Not only ADA, but... oh, sorry, not only ADA, but your big ones are CCPA, if you have customers in California. You've got to pay attention to that. If you have customers in the European Union, they've got GDPR. Yeah. Those are two that everybody has to comply with. New York has its own version of that California one.
And the beauty of it is, as much as this may sound like bad news on the front end, right? If I have an online business and I'm not compliant with any of this right now, and I'm not even aware of any of it, I'm going to hear all this and I'm going to be like, oh my gosh, do I just have to stop doing business? This sounds bad. But the good news is that there's a lot of overlap with all of this. Like, all these different types of regulation and compliance, they're called different things and they're written up different ways, but it all boils down to the same general good practices for cyber hygiene. And so once you get your stuff... it's like flossing your teeth. Like, you do that from a business perspective: we practice good cyber hygiene. Once you get it down, once you're there, you're really going to be okay with all these different regulations, because they are all redundant, they all point to the same good.
To be clear, sometimes there's... I think what you mean, BJ, is there's parallels. So for example, if you're a medical clinic, you're most likely subject to what's called NIST 800-66, which is the framework or maturity model to follow. But if you're a DoD contractor or a defense industrial base contractor, your requirements are higher, they're heightened, so that would be NIST 800-171 or 800-172, and then whenever CMMC is signed into law. So there's different levels of process. Like, HIPAA might have maybe 50 controls and DoD might have 110 controls, but between the 50 on the HIPAA NIST 800-66 versus the DoD NIST 800-171, there's overlap there. So we're not saying that every company needs to do the maximum. Obviously it would be good for any company to follow the same regulations as a DIB contractor, but maybe that's not cost-effective, but there are ways to get that cost down. The point is that as a business owner, you have obligations under different regulations, and by doing some of the security controls you can satisfy multiple regulations, and that's the point.
Yeah.
That's exactly the clarity... that's what I meant. And we see a common misconception, right? We see this a lot within HIPAA, within the medical practices. And we see it probably, I would venture to say, even more, which is unfortunate, we see it even more amongst the defense industrial base contractors. They have a common misconception that if they're small, these things don't really matter because they're so small. We hear that a lot: why, I'm such a small business, I'm such a small contractor, I only have this many devices on my network, so the CMMC is really not that important for me. That's very untrue, because it doesn't matter if you're small, you are a possible attack vector and you are a potential launching pad. And you could be a gaping hole that could cause a ship to sink. You know what I mean? Like, it doesn't matter that your network is small. You are an access point to the defense industrial base.
That's right. And there's what I call a foundational level of security. Whether you're one person working out of your house, or if you've got a hundred people or a thousand people in your company, there's still a threshold and foundational level of security. If you're dealing with just one document that has sensitive information, controlled unclassified information, or you have patient health information and you're a small chiropractor and it's just you and an assistant, you're still subject to the same HIPAA compliance as a hospital.
Yeah,
You might not be as big and as complicated as that hospital, but you both take insurance most likely, and you both are handling patient health information. So you're treated the same way. HIPAA compliance for you is going to be oftentimes less expensive than that hospital, but you still have to have that minimum foundational compliance layer, and you have to show all the supporting evidence to make sure that you're compliant.
Yes. I want to bring up something too. So my boyfriend is a surveyor, and he worked for this one company. I won't say any names, obviously, but he worked for this one company. I know they have government contracts. And he showed me around the office one day, and there were just maps of the city just sitting out. And I was like, oh my God, they would be in so much trouble if they did this, because if I was a bad actor of some sort, I could go in there and use those maps or take pictures or whatever, and use that to hurt people in some way. You'd think, we're a small company, they just do surveying, so what's the big deal? But if you have a government contract, in the wrong hands, this information that you have could be really...
And it's very valuable to the adversary too. So even if you're...
Oh, yeah.
...one person and you're dealing with a purchase order for the widgets of a missile part or whatever, and you're that one metal manufacturer, whatever you're doing in your small business, in your contribution, it doesn't matter how small you are. You still have that obligation to protect that sensitive information, because it's so valuable to the adversary.
Not only that too, but if you're a reseller, let's just say you're buying proprietary parts from a defense contractor or whoever, and you're not even making them, you're just reselling those parts. You still have to follow the same regulations as the person that's supplying those parts to you.
If you're what's called a sub to the prime, you have what's called the trickle-down effect. So the whole flow of CUI from that big provider down to your small company, you have to keep all of it secure.
It goes even further. Subcontractors, and then you have vendors of the subcontractors. And then any third parties or anybody involved. Like, in the medical world, you've got what's called the covered entity, which is typically the doctor's office or the hospital. Then, oftentimes if you take insurance, you've got what's called a clearinghouse. And then let's say you've got an IT provider, that's what's called a business associate. So all of those are subject to HIPAA compliance.
Yeah.
Yup. But yeah, all the vendors, all the solutions, any kind of software or equipment, firewalls, all that stuff has to be compliant. And if you don't have the evidence for it, you'll fail the audit. And that's where you'll get in trouble.
Not only will you fail it, but also, I have a feeling we're about to see some big attacks or attack attempts, so it's unsafe for national security, just in general. And that's what I was wondering about, Craig. I was reading the article that you had sent about Biden's warning. It could be something where they go after, like, small... I don't know. I see the adversary as almost laying dormant
until... That's right, Aaron. Remember that term, right? We hear it from one of our partners with regards to the AI-driven cybersecurity software, that extended detection and response: that term "dwell time". So we've known about a lot of breaches recently that were very big and very widespread. And then they went silent. And does that mean that they're no longer a threat? Absolutely not. Now we're in the dwell time phase. So now we don't know what's going on in the background.
So like you had SolarWinds, and then you had Log4... I always get it mixed up. Is it Log4j or Log4Shell? The one that was
the app.
it's both. Yeah, both.
Okay. So then you have those two main ones, that were huge recently.
And
they are, they're seem dormant right now, but
obviously
if you just think it through, because they say. I read an article last week that the log for date, just that one alone there's every hour millions of breach attempts happening
to
exploit that vulnerability. Now, when you do the math with that and you look at how many businesses are affected by that log for J vulnerability, and then you. You factor in the mathematics of millions of breach attempts happening per hour. And then how many of those are successful off? Probability is going to mean that some of those are successful. And then with those successful ones, we know that there's something like 80% lateral movement from a breach.
So when one of these breaches is successful, then there's going to be an 80% likelihood of a lateral movement. And so we're in that holding pattern right now where we have no idea what the situation truly is because we're in the dwell time
phase right now.
Not only are we in that dwell time phase, but you have to assume that we're all Swiss cheese. We've all got all these vulnerabilities, especially businesses. Most businesses, let's face the facts, don't have the technology to stop this stuff. They've got more holes than they can fill and they need help, and adversaries are exploiting that. It's so easy for them to write a script and find the low-hanging fruit. They literally push a button to scan, and it goes back to them to report: okay, here's the low-hanging fruit, here are the easiest ways in. And then they push another button to drop the ransomware, and in less than an hour they just got a payday of millions of dollars because of all these businesses that are Swiss cheese.
Yes, they do that. They push that little button, they run their automated software, and then it's the Wild West. They swing their right hip and they move laterally, and then, mathematically, it's just astounding. Think of the possibilities. The potential is literally... Just again, to bring it back to your first statement, Craig, when you talked about looking at it through a different lens: I guess the way I kind of frame this in my mind, the current state of cybersecurity, is if we were to picture the internet, or cyberspace, as an entity, just picture it that way, and picture it getting up and walking right now. We've got like a zombie, a being with rabies and everything else, walking right on this framework that's got tons of holes in it, and it's just a mess. It's a monster of epic proportions. So we all need to do our part to get this thing in order, so that we have something that's a more pleasant picture than the current monster.
And here's the...
Okay, Greg, I was just going to say, here's the other side, too. There are new laws being pushed through every day that a lot of people may not be aware of. There's what's called breach reporting laws, and those breach reporting rules and laws vary from state to state. But there was another thing that Biden signed, I think just a few weeks ago, shortly after the war started, where he said that if you're a government entity, there are a couple of things that they did. If you're a government entity, now you have a shorter time window to report that breach. Think about it from before, when they didn't have that law in place. Businesses didn't know, number one, if they were breached, because they didn't have the right technology and lens, but number two, when they finally discover it, they only have a certain period of time, and the timer is ticking, to report it.
The other thing that they introduced to local government was a cyber team, like a response team for cyber. This is brand new too. If you're a local government entity, you have access now to an incident response cyber team to help you when a breach does happen. They'll do the forensics and the detail there.
But, like you were talking about, if you don't have the right technology and lens on your network, you don't know about a breach. You're not necessarily held harmless from that. If you're breached and you don't know it because you don't have the proper eyes on your network, you're not absolved of any ramifications there.
That's right.
You have a responsibility to know when you're breached. And so that's a factor as well. It's kind of... I think about it like taxes. If you failed to pay your taxes, and then you get audited, and then they discover, oh, you failed to pay this, now you have penalties and interest. It's the same thing in the cyber world. If they do the forensic investigation and they find out, oh, this breach happened two years ago, you're going to have penalties and interest for not reporting. You know what I mean? So you should be in touch with a good cyber attorney to help you. And I'm not saying this stuff to scare you. I'm just saying this is the reality of the world that we live in.
It is. The reality and the solution always go back to using... humans, they say, throughout history have always been as good as their tools, right? You can look at the Iron Age and all of these. It's always what tools are available to humans and how they use those tools to their maximum potential. And right now, tools like extended detection and response, because from a breach reporting perspective, that's how you know when your network is breached: you have AI eyes on your network, and it knows when something happens and it tells you, hey, there's something happening here. And so then you're protecting yourself from liability there, because you know when you get breached, and those tools are available. So not using them is not a good defense for not knowing that you were breached, because those tools are available to all at a very low entry point, price-wise.
Yeah, and it's definitely a very effective layer of defense. It's not the cure-all; you still need training and all these other things. But the more supporting evidence that you can furnish, the higher the likelihood of a payout from cyber insurance if you do get a breach. If you don't have cyber insurance, it'll allow you to qualify to get cyber insurance. Quite frankly, with more layers in place, you're not going to have a breach in the first place.
Yeah. And if anything, from just a protecting-your-business standpoint, it shows due diligence. That was the thing with HIPAA: there's that due diligence. It shows, did you actually try? So not doing anything in regards to your cybersecurity is definitely not showing due diligence.
Yeah. Like with HIPAA, that law was enacted by Bill Clinton in 1996. That's old, and the HIPAA law is so vague it doesn't even talk about the requirement of encryption. However, nowadays encryption is so easy to do. It would be really hard to argue in an audit that you chose to not leverage encryption at different layers in your system security plan, given how inexpensive, often free, it is to implement. I think it would be really hard to argue your point.
As a practice, it would just be wise for anyone doing business online to try to do a self-assessment of themselves right now, or just say, look, if I were breached and we were asked all these questions: did you have... what tools were you using to prevent a breach? Did you use encryption? Ask yourself those questions now, before someone else asks you those questions, and apply just a degree of wisdom to those questions. If you ask yourself, it is a no-brainer that you should take some kind of action.
The biggest action people could take is just to call us. They can take advantage of the free phone call and get in touch with us. We can ask them some questions over the phone and instantly grade their maturity level, and if they're ready to do something about it, we have options for that. If they're not, and they just want information, that's okay too. But the point is to take that first step forward, right? At least try to chip away at this stuff. It's not realistic that... we don't have the magic pill. We're not going to say, look, do this one thing and then you're all secure. It doesn't work like that. It is a continuous effort.
Yeah, it sure is.
I wanted to say, this is a good segue. A lot of people, whenever they reach out to us and we start pointing out what they should be doing and what they are doing... we're not here to turn you in. We're not going to turn around and say, oh, John Smith from da-da-da was doing this incorrectly. It seems like a lot of people start defending themselves, and they're scared to admit... When we have a new dialogue with a customer, they're scared to admit what they're doing wrong. Yeah. And it's not really about that, because the quicker you are to admit it, and the more honest you are with us, the easier it is.
Yup. Or if you come in for an assessment and you're saying that you're doing this, or you're not quite sure, or you say you are and you aren't... we expect that. And then we find out that you aren't. We're not going to penalize you, obviously, but it adds more work for us. We have to go back and do the work again independently. It hurts you more than it hurts us, because we could give you a more accurate timeline if you were more transparent, or a more accurate cost to remediate your business. So don't be scared to approach a cybersecurity firm, such as us, and tell them what you're fearful of, or what you're doing wrong. Because
we're... There's probably a lot of people. We see that with the DoD contractors: because of the fact that it was written in their contracts years ago that they were supposed to be NIST SP 800-171 compliant, they've been saying that they are to get these contracts, but they know that they're not. And now there's an uncomfortable transition to go from self-attestation of being compliant to actually enlisting the help of professionals to get compliant, even though you were attesting to that compliance. There's a degree of fear there that's causing a blockage for people, but know this: you're not alone, because we have been seeing this very consistently. This is why CMMC came about, because this is such a widespread issue. You're not alone. Everywhere, most contractors are in the same boat as you. Everyone that calls us is in the same mess. You're not alone. You haven't been the only one attesting to compliance and not taking it seriously. This is a widespread problem. It's affecting most American businesses. It is a matter of national security now. So there's no reason to feel fear or guilt or shame. Know that we've all been guilty of this, and now it's just a matter of fixing it, and there's no judgment involved, because we know how widespread the problem is. It's pretty much throughout the whole defense industrial base, and then it spreads from there to the whole nation. It's not just your business. This is a national problem. I don't remember what portion it was, but the number of companies that were compliant is like 1%. It's like nothing.

Yeah, when they did their audits about that, because they were trusting that. But that's just human nature. It's not something to feel guilt or fear or shame over. It's just human nature. We prioritize what we feel is most important, and then we focus on those things and we back-burner everything else. And unfortunately, for the last several years, cybersecurity was on the back burner, and that's how we all did business, with cybersecurity on the back burner.
And so now it's shifting, and it's okay to know that you're a part of that culture that had it on the back burner. Everyone mostly was. But now it's just... Lockheed Martin, like the whole reason that China had a certain fighter jet was because of a breach at Lockheed Martin. It's a communal problem. We all understand, because we've all had it on the back burner. Everybody.

If you think about it, if only 1%, or maybe even 0%, I don't know, of these businesses are compliant, clearly there's something wrong with the policies, right? You can't have that many people unable to get compliant with NIST, or struggling to get compliant, and think, no, it's all your fault. You know what? I think a lot of people don't know where to start. I think they're confused. They don't know where to start, and that's the point of it, to try to make it easier, but it was still really... I think when it was published in 1.0, it created more confusion than anything. And I think that it's been cleared up a little bit, but there's still a lot of misinformation out there. But the point is, that's what we do. We do this every day. We work hard to vet and test different solutions. We have the most efficient, cost-effective path, and we're always working to improve that. It's not millions of dollars for the little guy. We can come up with some affordable solutions that will vastly improve the security and move your SPRS score up the ladder. You've got to go from a negative. Most people are negative in the defense industrial base, and that's okay. We understand that, but we've come up with a very efficient, cost-effective way to move them from that negative score in a short period of time to a positive score, and then keep honing that and eventually getting them to that perfect 110. We have the path.

We found a strategy that identifies a very strategic point in the CMMC and then applies the right, the smart, tools to that strategy, and it makes for a quick pivot into the positives. We've taken clients from the negative, like negative 100 or whatever it is, to like a positive 60, fairly quickly, by just utilizing one simple strategy, applying smart tools, and then making that pivot. And we do as much of the work as we can. We probably do 80% of the work for the company. We put ourselves through all the rigorous exams and certifications, really for our clients; the knowledge and expertise that we've gained for CMMC helps us help the small business. It helps us help the medical clinic that's subject to HIPAA compliance. That stuff we know like the back of our hand now, and we've already found the efficiencies and more cost-effective ways to make them compliant too. We talk a lot about CMMC and DIB companies and things like that, and some companies, or people, that are listening are like, that's not me, I'm not a D... that's okay. But the point is that it's a proven methodology for those folks, and we have a path forward that's cost-effective that will get you from that negative score, or that mark, so to speak, that easy hack, to a much more hardened company, so that hackers will move on to an easier target.
Yup.
And the Miller keyboard businesses that come on the brain to you, I think. Sorry. I think that's another important thing to think of too: a lot of the people that we work with as well, we keep compliance in the back of our head. We are trying to simplify it for everyone as much as possible. We do the mapping, right? So if we recommend a certain solution, we can help you map it back to the security controls, as opposed to doing it yourself and being like, I have no idea what this covers.
Yup.
I think that's another important service that we offer.
And another thing too, a lot of IT folks: we're not looking to take the IT guy's job. If you've got a relationship with your IT guy, your IT company, keep that relationship. Let them do that work, but we're here to be their cybersecurity and compliance arm, to work with that provider. And if you're an IT provider listening, we have solutions to help bolt on our cyber and compliance team to your services. We're not going to steal your clients. We're just here to help the client and, in the end, help them become more secure. That's what we're about.
Yeah, a lot of the companies we work with have their IT, and we work hand in hand with them. Yeah, because technically, especially with CMMC, there does need to be a separation of IT and cybersecurity. So technically, if you are regulated by CMMC, you can't have your IT team doing your cybersecurity. There has to be a separation
Yup.
of IT and cybersecurity.
That's right. Awesome, guys. You want to wrap it up here?
Yup.
We're talking about what we love, and then we always go over our time. But it's because this stuff is so relevant. It's so relevant, it's so critical right now. My gosh, does everyone realize... just pull the viewpoint out for a moment, because does everyone realize that we're in a cyber war after just having two majorly huge exploits out there, with Log4j and SolarWinds? And that's a horrible time for a cyber war, guys.
Pipeline. Like, according to the hackers, Colonial Pipeline: they weren't even trying to mess us up. Maybe they were. It wasn't their goal. So if you look at something like that, it wasn't even their goal, and they do want to wreak havoc.
Yeah. It's not time to be fearful; it doesn't help anyone, but it's time to pay attention, to be aware of this, to just take decisive action and say, I'm going to stop being part of the problem and try to be part of the solution. Because the more of us that get secure, the fewer pivot points there are, the fewer threat vectors there are, and attack surfaces. We're all one moving organism, right? So the more we do our part, the safer we all are.
That's right.
More to say: there are two parts of a cyber attack. There's the physical, right? Like entering your system, collecting your data, breaching your network, yada yada. And then there's the psychological side of every attack.
And then you have the reputation management too.
Yeah. A lot of attackers... for example, we get a lot of calls from people that are like, oh, my Facebook's hacked, I'm getting these messages and these text messages about them releasing this, and releasing or sending messages, like Aaron said, to their friends and yada yada. That's the psychological side of the attack. And a lot of hackers utilize that to make their prey, or their target, feel weaker, to lower them and create a larger advantage between the data that they're collecting and what they really have. So that's another side. And the reason why I was saying that is you need to frame your mind for both sides. That helps a lot to step into doing the security things that we're talking about. But you need to frame your mind: stop thinking that this can't happen to you.
I assume that it has.
Yeah.
Yeah, it really is. That's the reality of it. Most likely it has happened to you, or it's continuously happening to you.
Unfortunately, as the rise of automated tools helps us to manage cybersecurity much better, on the flip side you have automated malware tools, and that makes the risk so much more widespread, and spreads it so much faster, that it's really illogical to think that this can't, or won't, happen to you, due to automated malware tools that spread the reach far and wide.
That's right.
It's happened. Like Craig said, if you have used Equifax, TransUnion, and whatever, your Social Security number is probably on the dark web already, or your password is already on the dark web, or your Gmail account. It probably has already happened; you just haven't found out about it yet. That's the truth. Yeah, that's the reason why we're here and we're doing these types of things for awareness. But frame your mind. You need to be prepared to take on both sides. It's just time to go on the offensive. It's time to go on the offensive as a nation with our cybersecurity and stop just...
That's right. All right, guys, let's wrap up for the day. Another good session. Thank you, guys. Have a good rest of your day. All right. Bye.
Yes. Thank you, everybody, for coming. And please join us tomorrow at noon for our live broadcast on Facebook, Twitter, YouTube Live, or LinkedIn. If you're not able to join us live, we will be posting our podcast pretty much wherever podcasts are posted. So check us out. Thanks a lot. Please like and subscribe, and we'll talk to you tomorrow.