Welcome back to the Cyber Underground. I'm your host Dave Stephens. Glad to have you here. Let me introduce my exceptional co-host, Andrew, the security guy. Hey, what's up, everybody? It's Aloha. Welcome. Hey, what are we going to talk about today? Let's talk about Brian Krebs right up the bottom. I love Brian Krebs. He's wonderful. What's his website? Brian... Brian Krebs. Krebs on Security. Yeah, Krebs on Security. Krebs on Security. I was there this morning and I was reading, of course, about the boarding pass. Yeah. The boarding pass, if our friends out there don't know, the boarding pass, you get the, you know, all the details of your flight, your gate, the information when you get it to part, when you're boarding, and the ubiquitous barcode at the bottom. It's got that barcode on there. Well, nobody was checking it out, I guess. So now there's a website you can go on and actually look at the barcode and see what it actually says, that 2D barcode, and it comes up with, oh, different airlines put different information in there, right? And do you keep your, your, your boarding pass? Well, my wife is rabid about shredding those. She grabs them from me and she, at the end of every trip we take, she actually shreds them at the office. That's good. So what they were saying, Brian Krebs said there's a security researcher who went over the barcodes and went through a couple of airlines. One was Lufthansa, and they not only had the person's name and then the other information, but they also had their locator code for the Lufthansa system that you could use to walk through the forgot my PIN feature on their website, then you could log in as that person and see not only that flight. And so with that, with that locator code, you could log in and then change the password to your account. You could change your PIN. Request it, right? Right, you could request that. You could also see all your future flights, cancel or change flights, and change seats. 
That would just be malicious. And if you have your credit cards stored in there, they could upgrade you to first class and you'd never know until it was too late, right? You get a $10,000 charge. Oh, so you can take full control of the person's account. Full command and control, yeah. Now, American Airlines wasn't as bad, but United Airlines seems to put a very important identifier in there. What do they call the mileage number? Your account. Oh, your frequent flyer number. Frequent flyer number, they put that in there. And that seems to be an ultra secret code. So you don't even see that on your United Airlines statements or bills. But that is your unique identifier in their database. So once you have that, you have complete ability to go in and monitor or control. Yeah, I guess if you were to call on the phone and say, I'm so-and-so, I need to change my password or where you might be able to work that out. If you had that number. Yeah, they might. Big volumes. Yeah, because I don't fly United. Some of the other airlines ask for some additional information that you would have to have given them. So if you had the boarding pass, you probably have a lot of information. Oh, I don't know what's on the other ones. Well, you got the gate, the flight, the time, the day, when you get to board, your name, first, middle, last, if you're a TSA pre-check. I mean, it's got a lot of great information in there. Yeah, those print on mine, the airline I fly, the number of prints up there, TSA pre-check, I think. Well, thank God for that. Yeah, I can't believe how much time I save on a TSA pre. That was the money well spent. Oh, yeah. If you guys haven't done that, go do that. Yeah, it's free if you get a Platinum Amex. Really? Well, I wouldn't have known that. So now we know that somebody, you know how to do that. You get these free ones. You got to get stuff for free. Or it might have been the global entry. Sorry. Global entry. What is this? Global entry is the international one. 
So where you just go to the key, you're registered. You give them all your info, and then your biometrics. And then when you come through, you just go to the kiosk and testify that you're not bringing any guns or weapons or drugs or whatever they ask. And then you just put your hand or take your face. And you go. I love this question as if I would ever say, yeah, I've got a bag here with a gun in it. Yeah, while I'm standing in customs. Here's my C-4. Can I get that through? Yeah, because I'm a fan of being registered and letting them know who I am. I think that helps you out if you've got to go to the embassy, if you lose your passport, and you're traveling or whatever. You should always contact the State Department. I'm big on being sort of transparent, at least to our government about myself, because I'm not up to anything bad. Well, that's what the government services are set up for, right? Foreign contact, and that's going to other countries. And I thought it was pretty neat I could go to another country, show my passport, and get on to a Navy ship. Get a tour, which is kind of cool. Their Navy or our Navy? Our Navy, no, they're a little stodgy about that. Well, some of them have beer. Ours don't have any beer like the Aussies. At least you see the Aussies out at sea. They have all these kegs strapped on the side of the boat. You're putting the posters on tap. Yeah. I think there's a limit, like two pints a day or something. They limit that? That's the Aussies. I'm just guessing. I don't know. Let's talk about companies and how they can comply nowadays. There's always been these rules. So decades ago, the government came up with rules. You've been dealing with these for a long time in your business, right, the DFARS. Oh, yeah, I'm a real breaker, but you know. When you do business with the entities in the government, the Defense Logistics Agency, the DOD, the Air Force Army, whatever, there's always rules about how you have to secure your systems. 
There used to be information systems. Now they just say systems before you connect to a government system. Or even if they just send you information that they can consider CUI, controlled, unclassified information, which doesn't seem like a big deal. If you think it's unclassified, why should it be controlled? And someone gave me a great example. If you had, say, a floor plan of every building on a base, so that floor plan for one building, no big deal, right? It's sensitive, but if it got out, it wouldn't really hurt anybody. But if you had every single floor plan of every single building on a single base, you could probably figure out where things were. You'd know where the high-ranking people were because of the big offices. You'd know where some of the storage facilities were probably the armory, probably where some of the big vehicles like tanks are. You could figure that out. And you could see how far away from the fence they were, your ingress and egress points and points of attack and so forth. And utilities, right? So that becomes sensitive information at that point if you compile a whole bunch of that. So that's what these rules are meant to prevent is people getting a lot of this stuff out. So they developed a rule set for federal systems by the National Institute of Standards and Technology, which has been around for a couple of decades. You want to go to nist.gov. And you can look all these rules up. And they're part of the Department of Commerce. Interesting. No, Commerce. Oh, I would not have guessed. OK, it was better than Treasury, I guess. Well, that makes sense. So the Department of Commerce works well with industry and university systems to do stuff for the government. The government doesn't play well. That's why NASA was involved in this when they first stood it. I think so. So they developed these rule sets. And one of them was, and they numbered them, this one's 800-53, and it's in revision 4 draft. 
And it's a list of rules that you have to comply with to configure your systems to be able to be secure enough to hold this information to a reasonable assurance level that you're not going to lose it. And there is different levels. You could be a low, moderate, or high risk. And if you're moderate, which is usually what everybody is, you have to comply with these rules. Now, in 2015, they came out with a subset of the 853. So that parent document was for federal systems. Right, for the executive branch and DOD and those guys, some guidance for federal systems. The guidance. So it's very hard for non-federal systems to come up to that standard, 200-some-odd controls. Too expensive. And it's way too hard. So they made a subset of the rules, a little bit less than half of the rules. So you've got to comply with 109 of them. And that's 800-171. And that's the new rules that you have to comply with. Now, they came out with this in 2015. I think there was some objection. The SBA went to fight in a lot of lobby organizations. Small business just wasn't ready to even absorb something, the lighter weight set of controls. It's expensive to implement, to go through the process of implementation, and people just weren't ready. So it was great guidance. And the small business, I guess, made enough pushback to the Fed that the Fed said, OK, they actually pulled some stuff back and changed some of the stuff about wireless and a few things in it, and then reissued it and gave us a deadline, which is? The end of this year, 31 December. And that's a hard one. The document says, you can lose your contract at the end of the year. That's pretty draconian. Well, I think the interesting thing for me was they expanded, they took out information systems, as you mentioned, and made that verbiage systems, which immediately impacted the things I do, which are low voltage security systems. So that's a piece of that now that's subject to that guidance. 
Additionally, the 171 guidance is actually underneath DFARS, right? So your Federal Acquisition Regulations. So it's Defense Federal Acquisition Regulations, right? And there's a certain quote that ends in 7012. I forget the other numbers. But if you have that in your contract today, in fact, you don't have to wait till the end of the year. You're supposed to be compliant today. Right now. So yeah, so it's actually active. The government is just definitely going to start identifying the material it gives you as CUI. There's a CUI registry where you can go and look at the different types of stamps for the different types of information classification. And then you have, interestingly, there are people like me who create CUI. So my systems, I have to go look at all the stuff that I'm creating on behalf of the work I do with the government, classify it myself and secure it to the appropriate level. And then label it. And label it. So this is the thing that I think a lot of contractors aren't preparing for that I talk to. Well, businesses by their very nature run lean, really lean. As lean as they can because they want to maximize the margin and the profits. So complying with these rules is an extreme effort. It's a tremendous effort. I've been at it for a while, getting prepared a year, just learning what it's about, trying to make sure you know there's a bunch of people you can hire. They charge anywhere from $200,000 to $20,000. But here's the problem with that. If you do that, they have all the knowledge. So inside your own organization, how are you going to know what you've done, how to change it? Are you going to budget for the future? You really are at a loss. So we inside our organization decided we had to learn granularly what this is all about. And it's going to help you maintain it. I think so over time. One of the hardest parts of this, right? You develop all the controls. You comply with all the rules. And then you document them all. 
So you can be audited at any given time. But then how often do you update this stuff? How often does your organization change? So think about it. Every time you lose an administrator, you bring one on. Or you even lose a staff member who may have been in contact with CUI, right? The controls over their account, what's your policy for managing those? And how quickly are they turned off? And how do you verify that? There's a lot more to this than most people think. And it's definitely not something. If you're just starting today, you're not going to make it anyway by the end of the year. You might be brilliant. You might get it, but this is my opinion. You're way, way late if you don't know what 800-171 is. And it isn't just the contractor. Here's the important thing that they don't understand. I just sat in a nice long webinar about a couple of lawyers talking about that flow down and the responsibility of flow down through the supply chain. So as a contractor, if I'm contracting directly to GOV, and then I've got subcontractors under me that may be exposed to this information, now I've got to be responsible for them and their compliance. Well, that makes you wonder who you want to dance with and who you don't want to dance with, right? And clearly, when you outsource your physical security to a patrolman and a guy at the door and a guy at the gate, now that organization has to feed you the information to comply with those controls. And now you have to keep checking back with them, hey, are you still complying with this control? How are you complying with the control? Okay, we're going to take a little break and come right back. We're going to pay some bills back in about a minute and we're going to talk about how to implement these things and maintain them, which is not easy. This is Think Tech Hawaii, raising public awareness. 
Welcome back at Cyber Underground. We are talking about the NIST rules for small business 800-171, the 109 rules you must comply with by the end of this year to do business with the government when you use controlled, unclassified information. Yeah, if it's going to be given to you as part of a contract or if you create controlled, unclassified information in the course of executing on your contract. Storing it, using it, consuming it, transporting it. In use, in transit, and in storage, yes. Right, so let's talk about how we can implement the rules and how we can offload some of those responsibilities. And you're doing something similar right now in your company. Sure. You have a storage solution that you wanna do and you have CUI and you wanna push off some of the responsibility for a data center storage solution to a vendor. And a lot of people go in cloud these days and there's several vendors out there that say they comply with these rules and how do they split them up for you? 
Yeah, so interestingly, you can download the full suite of control documentation for Office 365, for example. And it's got a very high level of assurance with almost every control in 853, which is really good. There are four controls in there that only achieve moderate level of compliance. So say you're executing at a TS level on a contract, for example. That's top secret. Yeah, you may not be able to use Office 365 in your environment. So that's something you need to plan for if you're gonna pursue top secret contracting work with the government. So that's one of those things that, for me, as a small business, we've got to look at the future budget, the future work that we wanna go get, and then the systems we have today, what kind of costs could come along with chasing a certain award or being awarded some certain work. Your IT infrastructure costs for protecting that information now have to be something you're thinking about and trying to estimate. So I have been going around. We live in an Azure environment today, which has some documentation. It's a little more difficult to get your hands on. I'm looking at putting our environment into the government cloud that Amazon operates, which is already FedRAMP compliant, and they have a full suite of documentation via third-party service providers. Everything's as good as you pay for. And of course, you wanna do it on your own, which I suggest you study this to learn why it is and go through the exercise because the plugging in of the information into these controls isn't in and of itself not that difficult because you can choose to do what it is. For example, if you need to audit all the network devices on your network, for example, you could use Nmap and do an audit and that may satisfy you. Now that's a one-time point in time, so I don't know right after I did my little scan. That's your snapshot. 
Yeah, somebody might have popped up an illicit Wi-Fi hotspot, one of my employees plugged in a Wi-Fi hotspot or something, but I wouldn't know that unless I'm monitoring it somewhere else or until I do the next scan. So how you choose to implement these tools and exercise the full suite of controls that are available is gonna really dictate sort of the limitations of what you can talk about as far as your own cyber maturity. Now, we're looking at that as a way to differentiate ourselves from our competitors who we don't feel are on the ball with this at all. So that's a great competitive advantage, right? To say that we actually do this right now, we can put that on our contract and we're ready to roll right this second. Yeah, and so the government requires it, but for the rest of the regulated industries that we work for and folks like people that want a high level of assurance out of their supply chain, or if they do government contracting, they can come to me and I can demonstrate the level of maturity that we have. And it's not as easy as just having a policy, you know, a written approved policy that perhaps all of your employees have signed for that they understand that policy. You also have to implement the control itself. You need to monitor that control. If you can, you need to automate that control and then you need to report upon it. Perhaps it's a constant reporting if something gets outside of a certain threshold, information starts to flow the wrong direction on your network, whatever it may be. So there's many steps into that maturity process and there's many levels of maturity an organization can hope to achieve. And unfortunately, it's not just about the rules because some of these things have to do with what's your disaster you're covering? Oh yeah, you have to have your SSP. What's your business continuity plan? What's your change control plan? How do you employ onboarding and off-boarding? 
There's configuration management, systems and administration manual. You have to make all these things up. Sometimes there's nice templates out there, but everything you do is your way and it's got to comply with the rules. Yeah, and don't do what a lot of people I think are thinking they can get away with and that's just going out, get your hands on a template that worked for someone and not customizing it to your organization because it won't fly. I mean, they're looking for that. There's a ton of people that'll sell you $3,000 template packages and $5,000 template packages. You still gotta supply the information. You still gotta make decisions about how you're gonna implement that control. And that's gonna be a cost thing. There's gonna be a cost for how you implement, monitor, manage all these controls and either just the technical controls. There's human control that you need to consider. Which are the biggest leak in any organization. Once you harden the world, you really get this great hardened picture. You measure up to all the technical controls they've given you. Now you've got it. You've still got, I think they said that gets you about 85% safe. And you've still got the old login, yeah. So training your people. All the stuff that we talk about all the time, all this phishing and all that type of awareness training has got to be going on. People have to sign for it. There's insider threat training. It doesn't end. I mean, it's an ongoing cost to business to operate with a high level of cyber maturity. And you can't just throw a couple IT people at this. You need someone who's mature enough to manage the entire operation from a higher level. Yeah, well, and you need ownership leadership guidance. If the ownership is not bought in, they're not going to fund it because they're not gonna understand the root of the issue. Now if I tell them, if we don't do this, we're gonna lose our contract, they might go, oh, that might be enough. 
But that's pretty lame to me. They really need to understand what this guidance is for. There's NIST uses adopted, but the Baldrige self-assessment, great tool. It's free for senior management to take that on and see what they know about the cyber maturity of their organization. But you have to be painfully honest when you fill that out. Very. You can't lie to yourself. Oh, no. Because the assessment comes out completely wrong. Yeah, yeah, no, you gotta tell the truth. I mean, any kind of self-assessment, of course, you gotta be honest with it. And it's pretty good. I mean, most people couldn't hardly, they're gonna either know the answer or not. I think the key, really, in that case, if they don't know it, they need to go after the way. They answer to no, yeah. I don't know it, that's no. Well, I better go find out. Sure. I'm not passing the muster on this control. Let's talk about how these controls are broken down. Okay. So how we can knock them out. So 853, the big document for federal systems, NIST has 800-171 for small and medium businesses to do business with the government and CUI. And we have in that document 109 rules. Yes. So those 109 rules just give you kind of an ambiguous paragraph. This is about what this rule means. What you have to do is go to the parent document, 853, and find the associated rule with that sub rule. So we have 3.1.1 in 800-171. It aligns to access control AC-2 in the parent document. AC-2 has 11 control checks. Now that's, you take the rule and you break it down 11 different ways. These are the things you have to check to make sure you're complying with this rule. In addition though, after that, there are 15 different checks you have to do to comply with the supplemental guidance that also enhances the controls that you're checking. So if you're not doing it the right way, they're gonna tell you, this is the way we want you to do it. And if you're not doing it this way, we humbly suggest you follow our advice. 
Right, and then there's always a large paragraph of more supplemental advice. Then you gotta read through that and see if any of that applies to you. So you have to go through this, identifying the control, identifying the person who's responsible for the control, identifying how you're handling it now. How are you gonna change it to comply? What's the gap? Yeah, what's the gap? And then, how are you gonna monitor and control that later? And then report upon it. And report it. So you just, in this constant cycle, and I figured out for very small businesses, when you actually implement these, you might spend 1,000 man hours trying to nail this down at the company and document it all. But the ongoing process might cost you five or six hours a week. If you stay on top of it, it'll probably average out to about five or six hours a week. And that's an okay cost to deal with. So you get hit in the beginning, but then you can just manage it well. And if you document these things well enough, your onboarding process can be, hey, here's our documentation to read how we do these things. Do them this way. And if you see a problem with it and we're not complying, tell us, we'll change it. You need a change control board. You need configuration management processes. There's a lot of management processes and policies that you have to put in there. So if you're just taking the network monitoring guy and the infrastructure guy, and you're saying, hey, get this done. Yeah, you're not gonna have it. It's not gonna happen. They've got too much to do already. Yeah, and your problem is your business is at risk of having all contracts that you have. That they do have to cite the DFARS clause in them, right? So the government does have to make you aware, but if you're in the business of creating information because of the business that you do, now you're responsible for knowing that, right? And also letting the government know. 
Now, there's other rule sets you might have to comply with it. And from what I've seen, and I do the audit, so I know how this goes. If a government organization comes in and says, you're complying with everything except these four rules, you don't qualify. You can actually say, yes, we know, but it's mitigated this way. It's in budget for the next quarter, and here's the date it will be complied with, and you can check with us on that date and we'll give you our documentation to be updated. If you have a plan to comply, and it's not five years out, they're usually pretty nice about it because they need to do business too. And if you're an important customer to them, they're going to work with you. But you have to show due diligence. And the due diligence, that's the hard part. Yeah, and it is, even though the clause is what, reasonable security. But the reasonable security is backed up by a lot of guidance for what is reasonable. I think the toughest part of this for me when I first got into it was reading everything before the charts of the guidance. Because that's the easy part. Oh, I just need to do these things and these things. But there's 60 pages before that of here's what we mean. When we say moderate level of risk. Here's what we mean by CUI. Here's why we did this. Here's why it's important. Here's what your loss could be. And that loss, that's an opportunity risk for companies. If you lose a contract, you took on that risk when you didn't comply with the rule set. There can be criminal penalty. So when you sign the contract that has that DFARS clause and your 171 is not up to speed, there can be a criminal penalty for that. That's scary too. So you could lose money from your business, you could go to jail. That's right, fraudulent. So, tons of good news today for everybody. Yeah, that's not very friendly. Wow. What good to do in business with the US? The good thing is there's, you know, there's guidance for what to do, but people need to go do it. 
That's right. This is the time to do it. It's wide open, there's website, there's tons of people given information about how to do this, but you gotta go do it. So do it today. Okay, everybody, we're gonna wrap this up. We only got a couple seconds left. Thanks for joining us. And next week, we're gonna go over some networking scanning with Wireshark, with one of our professors from a local community college. Okay, until then, stay safe.