Welcome back to the Cyber Underground. I'm Dave Stevens, and I am your host for today. I've been on a diet lately. I've lost a lot of weight. You're only a shadow of your former self. With me here, Gordon Bruce and Andrew Lanning. We're going to talk about cybersecurity safety this Halloween on a personal level and on a company level, and then we're going to talk about what's required for you to be a vendor with the DoD for cybersecurity requirements. Welcome, guys. You're just a portion of your regular stuff. They only invited part of me here. I didn't get a full invitation, so I didn't send my phone. You've obviously gotten into ketosis, I can tell. I wish it was this easy. Is the keto diet? The keto diet is working out tremendously well. Zero carbs. This is what you get.

So is Halloween going to be a trick or a treat? Well, the Koreans want it to be a trick. The game, right? The Koreans. And now with ransomware, that's really scary stuff. South Africa has now been victimized. There's Johannesburg. We had Atlanta, ransomware. Big cities are going down now. Clicking on those email links. Especially the ones from Andrew. The ones that come from me, don't click on those. Not today. Click on this PDF. It's always a PDF, right? Is it? That's what they're doing? It's embedded in a PDF? Nobody wants to get rid of Adobe though, do they? Adobe's built into our lives. You just can't have those PDFs come in your email.

Let's review some basic stuff. Just the basic cyber hygiene at home. At home. At home. Change your password. Make it a passphrase. Have separate logins on the computer for everybody, so you know who logged in and for how long. Even that user versus the administrator of the machine. Right. You're going to separate it, so your kids shouldn't be on an admin account, right? You don't want that. Nor should you, probably. Right. It's best if you have just basic privileges, and then when you want to do some admin stuff, you can log into the admin account.
Change the default password for any device you put on your network. That includes smart TVs. People aren't looking at smart TVs, right? They just hook it up. Not just the Wi-Fi, and these smart TVs have microphones. They don't look at them. They have cameras. What are they buying for? What? The TV. They're not looking at what it's got. Yeah, they don't. How about Siri and Alexa? No. Alexa, don't go. Oh my gosh. Don't do it. Don't do it. So. Everything you say. Try to, quote unquote, improve the experience by recording your conversation. Exactly. Right. You've got that in the contracts now. Now, if you're not worried about your privacy at home, you don't have to listen to anything we say. It's only inside your house. Yeah, yeah. Privacy, you know. That's not important there. My recommendation: don't have a smart TV in your bedroom. Oh right. Smart TV in your bedroom. No, you don't want a smart TV in your bedroom. It's not smart if you do.

But now we have smart refrigerators, smart vacuums. The Roomba has gone Wi-Fi. It has. Is it viral now? Do they have a problem with that one? The Enviro? No. Did somebody put a... I haven't heard of a hack yet in a vacuum cleaner, but you know, it's coming up. Refrigerators and DVRs have been hacked already and used for DDoS attacks against Amazon. Yep. Yeah. What can't be hacked, really? What can't be turned into a criminal? That's why you have to practice good hygiene. Yeah. It's so scary these days because even medical devices you could have implanted in your body, pacemakers, instead of having a hole in your chest and plugging in, now pacemakers have a Bluetooth connection. That's what happened with the... That's why only part of me got here today. That's what it was. We've been hacked. Somebody... They disappeared me. That got hacked early on. When the Bluetooth ended up. Oh, pacemakers, that got hacked early. Yeah. And cars. Oh, yeah. That's fine. Shut it down. Turn it off. Start your car. Yeah. Start your car.
Which is dangerous because people forget and leave their car in gear. You know what we didn't say, but I think a lot of people aren't aware that they can turn on multi-factor authentication for a lot of the stuff that they do personally. Let's talk about multi-factor authentication. Yeah, I think it's a good thing because it really can stop some problems. There are a few different forms: you can get a text, or you can get an email, or they can email you a code or text you a code that you have to put in along with your email, or you can run something like the... What's that? Like Microsoft Authenticator. Authy. Authy. And I think that even now the YubiKeys, right? So you have to have a key with you, and those have come way down in price. I think they're only like 40 or 50 bucks now. I like those. They're not one of my favorites. Yeah, because what do people do? They do. They leave them plugged in. They leave it in the machine. They leave it plugged in all the time. Yeah, that way the... That's useless. If someone's using your account, obviously the thing's plugged in there, well, it gets to be used. They have the dongle stuck in the machine all the time, and now you've got a... Oh, and I just used my four-digit code to get in because the dongle's there. Yeah, because the dongle's there.

So you know, if you implement a practice, you have to practice the practice. That's right. You can't just have an implementation. It can't just be a policy. It can't be a policy. You can write a policy. But you've got to enforce it. But then you have to have a procedure, and then you have to implement some sort of tool. You've got to check back. And then you've got to do it, actually. And then you've got to track it. And then you've got to ask somebody to watch you do it, because you most probably won't do it, because you're lazy, because it's security versus convenience. That's right. Well, I think for most small business owners, that's what we think, right?
We're so enveloped in our little world, our little work bubble, that we've got to get stuff done. And it's just not in our heads to follow these security rules. In our heads? Pun intended. In our heads. Yeah, we're drifting. Okay. Sorry. Yeah. I think people just get so wrapped up in their own little world that they don't want to go through these procedures. And with multi-factor authentication, it does slow you down a bit. Not that much. But you need it. Just a little bit. And when people mention multi-factor authentication, when you get a text or you get an email with a code, that's called out-of-band communication. It's other than the channel that you're on. You're on the Internet, but you got it via text on a device, right? Yeah.

I've got to warn people, there is a SIM card attack. Oh, yeah. That's the new one. You can get personal information from the web, the dark web, and use that to call a cell phone vendor like AT&T or Verizon. And, okay, no liability here. I'm not accusing AT&T or Verizon of this. But you can call them and ask their customer service to change over your SIM authorization to a new device. Yes. And so everything that you were authorized to do on your phone now is on your hacker's phone. A criminal's phone. A criminal's phone. Right. And this is a horrible attack because then two-factor authentication gets bypassed. Right. So then there's another thing that's happening. If you've got companies that are giving their employees mobile devices to use, it's really easy. And you'd better, with whoever the carrier is, you'd better identify who has the authority to make a change, because what can happen is someone can walk in and say, I'm working for XYZ company and I lost my SIM card. So I just need to get another SIM card. We're all set up and so on.
And if there's no one person's name on the list and they've just got a list of all the employees, or they might not even have that, people are going in and getting those SIM cards added, and now I'm on that company's network. Yeah. If you're with Verizon, you can definitely put a person and a passcode with that so that that cannot happen to you without authorization. I set that up a little while ago. It's a good thing, I think, because my daughters kept calling in to make changes and I had to shut that down. Can we get more minutes? Can we get more minutes? Can I get more bandwidth?

One of my favorite YouTube videos out there is one where a lady calls in, and this is called vishing, voice phishing. Oh, yeah. She got a cell phone provider to change the account over to her, saying it was her husband. With the baby crying in the background? Right. That's the one. Fantastic. It was just so well done, and she's what? She's a 26-year-old pretty blonde girl. You can't trust anyone these days. And there was no baby. It was just a recording on her computer. She brought you too. Yeah. But it sounds real to the person on the phone, I suppose. Wow, so you can really bypass a lot of this stuff. Social engineering is about 90% of the first incursion of all hacks: you have to trick somebody into doing something to bypass the heavy security like the firewalls and locks on the doors and so forth. And the thing about Hawaii is we tend to be very accommodating, right? Hawaii is more like, oh, let me help you, please. I'm more than happy to help you. Let me help you. So people go out of their way to provide you that assistance, not knowing that they're actually creating a problem. Right. They're making a bigger problem. It's a scary world we live in.

So, oh, and if you buy a new device, change the default password. Yeah. Otherwise you show up on, what is it? Shodan.io. Yeah.
Every IP address out there in the entire world that has a default username and password for a device shows up on Shodan. It does. And you can just look them up. And since he brought it up, for the small businesses, we should talk about that reconnaissance phase that criminals go through when they're checking out your company in this first phase and looking for weaknesses in your people; you have an open computer lying out in the lobby that no one ever pays attention to, or something. And that reconnaissance phase, that's when you can find out if people are targeting you. So if someone does walk on your property, train your people to question that behavior. Escort them back to the front and find out why they were there. Don't just hand them off to the restroom. Oh, it's that way. You've got to train your people to want to query people that are on site that they don't recognize. Facial recognition is a good indicator. That's really you. I recognize Dave. I know it's you. I recognize Gordon. I know it's him. But if you see somebody in your company and you don't know who it is... It could be you. I could have disappeared. Or I could be Mac. Or I could disappear. Or I could do that. But you know my point. So teaching people to challenge people in a polite way. It doesn't have to be confrontational. But you know, hi, how are you doing? May I help you? Who are you looking for? And then you know, you're trying to get that person back to the lobby. You need to be aware of your own personal safety. This person could be violent. There could be a real problem there. But you know. But it could just be war walking. Which is really common. Yeah. Because they're going to come and check out what's vulnerable in your organization. They go the easiest way and not the hardest.

So one of the biggest vulnerabilities that I've seen out there right now is people have a public Wi-Fi in their waiting room. Oh, yeah. So people go, they make an appointment.
They sit in the waiting room. And that's the Wi-Fi. And it is not separated by any kind of VPN. Well, and it should be. Your guest network should be on its own network. And not sharing anything in your network. Yeah. At my waiting room, you can, even in my training room, you can use the Wi-Fi out on the street. The Spectrum Wi-Fi. The wireless. That is a little bit too powerful. There's a no-down front. You know what I mean? Really? Yeah, yeah. So since we have a service for them, I can use that public Wi-Fi. Oh. So I don't even have salespeople come in and, like, do a demo, use my Wi-Fi. Like, oh, sorry. You don't get on my network. That's good though. Yeah. You're a security company. Yeah, I think so. I mean, that's what you do. Well, I was. Part of me is. But there's part of me that's here and part of me that's not. Oh, yeah. Well, your body's still working. So, you know, your boss is happy. In theory. In theory. Your body? No, we got his head. Your body's gone. All right.

What other practices can we say? Oh, gosh. Okay. Small business. Small business. Your boss does. Yeah. Do not have Windows 7. I know everybody. Windows 7 is awesome. I love Windows 7. Yeah, it's a great FaZe. And I think they did this with Windows Server 2003. Five years in, it was a quarter million to support that. I can't imagine any person or small business still running, having any reason. I mean, computers are so cheap today. I don't know if people know. But I can give you an example. Some few hundred bucks, right? You can go... Well, it's not just that. It's the interaction with all the other applications. It's the application side. I know the voicemail system. So your phone system.
I know of phone systems where the voicemail system is Windows 2003. And there are companies I know today that are still running their phone system with their integrated or interfaced voicemail system that's running on Windows 2000. So they just connect it to their network. They don't want to upgrade it. Your voice system, voice over IP. IP system. Very commonly connected to the main network. Yes, yes. You're sure. No, no. Don't ever do that. Yeah, why? Disconnect it because... They have SIP on there. SIP is really secure. You can do a voice attack on the phone and actually do phreaking, which is a frequency attack, and fool the phone and get access to that server. Once you have access to that server, you have a pivot point to the rest of the network. Yeah, it should be totally segmented. It should be physically air-gapped. So a lot of people just, again, my comment to them is, if you've got a phone system, you've had it around for a number of years, you say, oh, I just love our phone system. But there's a high probability that if nothing's happened to that phone system in four or five years, it's non-compliant. Yeah. It's hackable. Okay, we're going to take a break. We're going to pay some bills. We'll come right back. Until then, everybody, stay safe. Keep your heads on.

Hello, I'm Mufi Hannemann. I want to tell you about a great show that appears on Think Tech Hawaii. It's all about tourism. In fact, we call it Tourism 101, where we talk about the issues and challenges that face our number one industry throughout the state. We'll have some interesting guests, very informative dialogue, and allow you an opportunity to maybe learn a little bit more about why this industry is so important for our state. It's been great for us in the past. We need it today, and especially going forward. That's Tourism 101 on Think Tech Hawaii. Mahalo.

Aloha. My name is Mark Shklov. I am the host of Think Tech Hawaii's Law Across the Sea program.
My program airs every other Monday at 1 o'clock on Think Tech Hawaii. Most of my programs deal with my own life and law experience. Recently, I interviewed Alex Jampel, who I have known for over 30 years, about his voyage across the sea as a lawyer from Tokyo to Hawaii. Those are the type of stories that I like to bring and like to talk about. Human stories about law and life. Aloha.

Welcome back. We're still floating around. And we're going to talk about what you can do if you do business in your business with the Department of Defense, especially if you're in the DIB. What is that, Andrew? What's the DIB? The Defense Industrial Base. And what does that encompass? Supply chain providers to those manufacturers and service providers to the Department of Defense companies. Department of Defense organizations. All these different industries are included in that. Water, power. Well, that's critical infrastructure, sure. And so many of those do have contracts, so they may be considered tier one providers. Like Hawaiian Electric does. Board of Water does, for example. Yeah, for sure. Different place, different areas, different places. So now we're having all of our vendors to the DoD that are private companies have to comply with a subset of the rules that have been instituted for military and governmental organizations. So the government has the National Institute of Standards and Technology, NIST 800-53. That's for rooms. That's for everything, base included. Base is included. Yeah, so then they took a subset of that, 110 of those controls, and made them the 800-171, and they said, you must comply, and no one paid attention. So, yeah. That was 2015, right? Now they're saying, oh, now not only do you have to be compliant, you have to be certified as compliant. So they're making a certification organization who will go out and certify all of these organizations that they have 800-171. This is called the Cybersecurity Maturity Model Certification, or CMMC.
Welcome to the Halloween episode. Acronym horse. Acronym horse. So we're going to do a lot of them. Enough to drive you mad. Let's talk about the DFARS difference real quick. Right, so that's the Defense Federal Acquisition Regulations. Yeah. That's DFARS. Let's talk about that for a second, because that's where this came out. Yeah, that's just sort of the guidance, right, that points to the NIST 800-171 control set as the framework of controls for cyber maturity in an organization. And there are different levels. And there are some other clauses in the DFARS as well. They can invite you, right? Yeah. We talked about those before. So there are different levels. You want to be Cybersecurity Maturity Model Certified, CMMC. You have to get certified by an organization. You get a level one through five. One being the lowest, high being the most secure. And it depends on your organization. And as you were saying, Gordon, a couple seconds ago, this is just best practice. Yeah, it really is. Level one, I don't care if you're a law firm or whatever you're doing, is that right now, because of this 800-171, there's a whole set of rules, protocols that you can follow. And even if you just say, okay, I'm going to be at level one, even though I'm not doing DoD, you will then be practicing very good cybersecurity hygiene. That's right. And then you've got a way to measure it. You've got, there are free tools out there that you can use. And so I would encourage anybody that's doing business that your goal needs to be at that level one certification. Now, if you're doing DoD work, you've got to be three or higher. Essentially, I think in most cases, or you won't get the contract. Right. So it's a go/no-go decision. Right. As of next year, they're saying that by late next year, if you even bid on a contract, you have to have the certification first. You've got to hand over your certification or a copy of your certification. I heard a huge number.
300,000 contractors will have to be certified. 300,000 contractors. And how many contractors do you think there are in Hawaii? Doing DoD work. Well, we have 11 military bases. Yeah. And I don't know that many contractors that are doing DoD work that are out there actually doing this today. No, no. I've got a few clients that have reached out to me, and I don't need any more work, please. That's what it makes you say. I'm taking work. I'm punting them to you because they're now realizing that any new contracts, and even the old ones, are going to have to meet all of these guidelines. All right. So in a five-year cycle, when you renew one of these years, they're going to say, OK, now you have to add this in. Yeah.

I thought it was really, really insightful. Katie Arrington had that webinar the other day. She's the director of, was it OUSD? Oh, no. You did the department. Office of the Under Secretary of Defense? Yeah. And so she's driving this program. And she was on... a company called Exostar had her on a webinar the other day talking about it. And she went directly to landscaping companies. I thought it was awesome. She said, yeah. So we've got landscaping companies out there who have all these plans for all the facilities of all of our bases. Oh, janitorial companies, too. And she said, this stuff is definitely CUI. Square footage, exit points, entry points. The very first time I had heard someone acknowledge that level. So people started to understand, wow, I do have information that's very important. She gave another example of a problem. CUI, classified, controlled unclassified information. Yeah. And she gave another example of a weld. She was in a welding shop. So they had a four-man welding shop, looking at, you know, what they were doing. And a guy had a blown-up image of the weld that he was doing, of the part that he was welding on. And she said, can you shrink that? And he had the whole aircraft. So there's another example. That just became CDI. CDI.
Yeah. Yeah, Covered Defense Information. So there's a, you know, just an example of the kind of information that's out there that the criminals are trying to get their hands on. Maybe it's nation-states. Maybe it's criminals that want to sell it, whatever it is. But that's why they're going after these small businesses who are so unprotected and so open. There are some people that don't even know what they're doing is something that could be exploited. Yeah. For instance, they were doing a main waterline upgrade for one of our bases out here. And they published on the web the construction areas and the route where they were going to be doing the construction, because they wanted to notify people the traffic was going to be backed up. But then you know where the main waterline is. Yeah. So what do you do about that? I mean, this, the problem's like that. Tamper it. Craziness.

Hey, it's hard to get this together. You know, it's like we were saying before. This is painful for organizations to do because not everyone has a dedicated cyber person. You know, most mom-and-pops, they have, you know, your cousin, your nephew, your son or daughter, or the tech guy, the tech guy. Yeah. Right? And then they're responsible for all this cyber hygiene. And it's hard to go through this stuff, and then you're supposed to make a plan. Yes. You've got to put down some policies and procedures. You need policies and procedures. You need plans. The tool that you're going to implement. And again, if you're looking at the full-blown suite of 800-171, that's 110 cyber controls. I hear 24 more are going to be added next year. Yeah, they are. Yeah, it's quarter. Quarter's four and five. I think for sure, before we see Rev 1, I think we'll see quite a bit of changes. So we should get Rev 0.6 this week, right? This first week in November. And I do believe that before Rev 1, they said we should have, what, by, you know, February, March. And I think we will see some different things come into play.
I've got to tell you, this process, when I first heard about it, I thought, no, it's federal government. This is going to take years. No, they're ramping this up. That's what, rapidly. I'm impressed. I think, because it's sort of already been done, right? It's been around a long time. Actually, it's since 2015, right? And so it's really, this has been hashed over. There have been a lot of people working on it, I think, for quite a while, just figuring out how to introduce it. Small business freaks out when you try to make it spend money that it doesn't want to spend. Oh, that's why the self-reporting thing failed. Right, and we didn't even talk about the fact that, you know, now, come September of 2020, you know, if your bids, if the request for proposal from the government says you must be CMMC level three when you bid it, because that's a line item requirement of the bid, you'll be able to charge the government for that level of maturity, assurance that they're asking for. And so this is what we've sort of all been waiting on, is how do we get our money back for, you know, implementing all of this. They've clarified how you're going to get it, yeah. Well, what do you think? Yeah, Amazon gift card. That may come slow. Amazon gift card. No, it has to be a Microsoft gift card. Now, they sell that 10-year, $10 billion deal. Oh, that's right. It'll be an excellent store. It'll be for the Microsoft store. That's what you're going to think about that. Yes, that's right, but you've got to put this cost up front, and, Andrew, you know, from experience, this is quite painful. Oh, and it's not inexpensive.

Yeah, so we're in a normal, regular Azure environment currently with our Office 365, and the difference between that one and the FedRAMP environment we're moving to is about 11 bucks per person per month. Explain to us why you had to go there. Because we're, since we're full cloud, I don't have any on-prem services, right? So all of my stuff is in the cloud.
So therefore, if you read the DFARS clause, it addresses where there's another clause, and there's, I forget the number, but it talks about cloud service providers and what their responsibility is and what your responsibility is, and so. Your responsibility. Yeah, and so since I'm in a cloud environment, the environment that I'm in can be assured to the 800-171 controls, but it doesn't currently meet the DFARS clauses for two specific areas. One of them being. Incidents. Yeah, forensic examination. If the government, if I were to be breached and the government wants to forensically examine our hard drives, I've got to be able to provide those hard drives. And they take a rate, in Office 365 you're in a shared environment with other people, so they will not give those. Except if you're going Office 365 GCC High. And that's what he's going on. And so, you know, if you're Office 365 GCC High, so there's like, you know, E1, 2, 3, 4, 5, then there's GCC. Government Community Cloud. Yeah, then there's GCC, and then there's GCC High. If you're GCC High, you are actually running isolated from everybody else. And they can come in and just take that entire... Sure. I think there's some other assurance that the administrators of that environment are having, I think, at least a green card, or that they're American citizens. Yes, definitely. There are some other assurances there. And there's also the notification piece. There's a 72-hour notification, I think it's Clause C, so that's what you don't get necessarily with your normalized Azure environment. You could put a tool there, perhaps it gets it to you, but this is assured from the cloud service provider level that I'm going to be able to notify the government within 72 hours if I've had a breach in my environment. Now I love this environment because they're actually working on compliance controls in GCC High that you can actually use to track your compliance. Yes. And you can put it all in there.
There are a number of those already pre-written, so it's just a matter of you taking those and adopting them or adapting them for your organization. And not just NIST, but they also include PCI, HIPAA, SOX, ISO 27001; there are a lot of different compliance models. And let's not forget mobile device management as well. So all your mobile phones and everything, all that MDM, it has to be managed and tracked as well. The other thing, so we were kind of talking about the money, I'll just finish that up real quick. The actual run time on that environment is only about 5% higher than the regular GCC. So it isn't super exorbitant, but what I've got to be able to demonstrate for the government, in my opinion, I've tried to do this, is the difference in cost between my normalized environment and then that higher level of security environment that they've asked for. So they're going to want to know that, and how am I going to regain the CapEx? The CapEx costs to move and set up that environment and migrate all my data, that's pretty pricey stuff. And I hope to be able to get that back over time. But they may say that, they may say that, well, that's great, that's good cyber hygiene. Yeah, it costs to do this. You should've been doing that anyway. So it's the delta. Yeah, yeah. That's what we're looking for is that delta, and then can I add a management fee on top of that? 'Cause it's got to be managed, right? So perhaps I can charge the government for managing it. So these are some of the questions; I'll be discussing that with the director down in Tampa in a couple of weeks at the, there's an NDIA event I'll be attending. Oh yeah, that's right. Hoping to get some clarity on some of these questions I have, or at least get them introduced. So they're, I know they're a little early 'cause they're still trying to flesh out the program elements themselves, but. You know, I guess quick, didn't you just win an award? And we don't have a lot of time.
Paul Marcus. I did... PSA, PSA Security Network gave me a Paul Marcus for collaboration, industry collaboration. I've been doing a lot of work on behalf of the security industry with the cyber community and... So congratulations. Thank you. Thanks, guys. Hats off to you. Yeah. Let's do a head bump. A head bump. You know, so these icons of the industry received this award before, these guys I've known for years. The icons of the industry. Yeah, Jim Henry and Mike Covellin and... I can't be in the same room with them. Bill Bowes and the amazing guys, you know. So it was, I got up there and talked about the gravity of being associated with those guys now, and the question that really comes to your mind is, am I that old? Yeah. Oh, don't talk about age. No, no, let's not go down that path.

Gordon, is there anything you want to say before we get out of here? No, this is good. Everybody just, you know, practice good cyber hygiene, and you'd better start looking at this stuff. It's scary out there. You have to start looking at this. You have to. And we're going to come back at least once a month and do DFARS for Dummies. Yeah. And give you updates on this process, because, yeah, by January, February, March of next year, you're going to have to make a decision. I personally suggest you start doing this right now. Oh yeah. Oh, right away. The policies and procedures are going to be over a hundred pages long. Right. It's painful, but you know, my company helps. It's worth it. And you can get paid back. Yeah, that's right. You can get paid back eventually. Keep all the bills you get from Dave. Thanks everyone for joining, and come back and see DFARS for Dummies or our next episode in a couple of weeks. Until then, stay safe.