Nuke and pave the lost supply chain, Pulse Secure and Codecov used to compromise their clients, OEM hardware manufacturer Quanta breached by REvil, more Sonicwall zero-days.
Shiva Maharaj 0:00
This is the cybersecurity amplified and intensified podcast. So what's on the docket for today? I think we need to talk about just how,
Eric Taylor 0:11
how messed up we may potentially be in our supply chain with everything going around ransomware. So it's very loose discussion. But you know, there's a lot to cover. And I think we are in a world of hurt.
Shiva Maharaj 0:24
I think our supply chain is lost. I think we lost that battle. And now we have to look at it from the viewpoint that we're starting over. Every quarter there's a major breach into multiple government agencies by legacy software. And by legacy software, I don't mean something that's old, just vendors that have been there for way too long and probably have not had to be audited all over again to fall into current-day compliance.
Eric Taylor 0:52
Yeah, I think they really got complacent when they get down to, quote unquote, too big for your britches, as Pappy would always say, and, you know, the whole "too big to fail." Whatever analogy you want to use, they just get to that point where they just don't care anymore, I don't think. And you and I have had offline discussions kind of around this: when we do pen testing and stuff like that, we start submitting stuff, and these folks are just like, yeah, whatever, you know, until there's enough of a noise or enough of a threat or something like that to, you know, force people to change. You know, your case in point, which we were gonna talk about in just a moment: CISA orders federal organizations to mitigate the Pulse Secure VPN bug by Friday. You know, and this is kind of what the whole crux of some of our conversation was, you know, when we start reading what The Hill has posted: multiple agencies breached by hackers using the Pulse Secure vulnerability. Are you familiar with this vulnerability? Have you done any reading up on it at all?
Shiva Maharaj 2:00
I have, actually. And it took them about three weeks to actually release a notice on it. And it's been going on since August of last year till maybe the end of March of this year. So it has been considerable time. It's linked to a couple of UNCs; it's linked to an APT, China. It's yet another vector into our infrastructure, civilian agencies, not military. But where this goes deeper is they have gone into the defense industrial base. And that was the target. Now, going off of this, how many vectors into our infrastructure do we have right now?
Eric Taylor 2:43
I think we're really at a point where everything is to be considered compromised. Absolutely. If you take a look back, and this article here mimics it, you know, where the cybersecurity group FireEye once again has put something out, between SolarWinds, then Microsoft and Mimikatz, and the Pulse Secure VPN, just all of these vectors keep coming out.
Shiva Maharaj 3:12
Well, what if I added two more vectors in there? What about the SonicWall email gateways? And what about Codecov, who does verification for code and testing for developers? They were breached.
Eric Taylor 3:29
That was a very interesting one as well, where a lot of developers are using yokel code to verify that their data stack is secure, that it's authentic, you know, and that is another supply chain. You know, if you're able to get in the middle of the code verification, code signing aspect of things, you're screwed.
Shiva Maharaj 3:50
Let's take it one step further. By all reports, the Codecov Bash Uploader was weaponized as a Trojan horse. Yep. Which goes back to my point: I think our supply chain, it's lost. It almost reminds me of when Apple gave up on the fight against Windows. They declared Windows the victor and decided to refocus, and they came out stronger. Is that something we should be doing?
Eric Taylor 4:15
I think so. I think we need to take a real hard look internally at what in the world is going on. How are these folks getting into these organizations and staying in there for so long? And I mean, I know the answer to it: they have patience. But nobody in internal IT, the quote unquote blue teamers, are threat hunting. They're not looking at their logs like they're supposed to. But when you take a look at the industry as a whole, for me, take the cybersecurity aspect, I mean, that's an invisible shortcoming with trying to find people, you know, qualified IT folks. Even in your and where I used to be, you're taking over a company's IT infrastructure, and you're just, your head's down in your labs, like, why in the world are they doing this? You know, I don't think there are many people who know what they're doing. And it goes back to what you always keep saying, the whole pizza tech, the low barrier to entry. If none of these people are actually monitoring their logs, I mean, when you take these logs and look at, just take your basic firewall logs. And if you're using an external DNS filter, or Cisco Umbrella, whatever, if you start taking at least those two and start analyzing that stuff against MITRE, or Atomic Red Team, or you take in any of that stuff, you're gonna start seeing clear issues, getting alerted on false logins. I can't tell you, I mean, we got another case in today. And I know I'm getting a little sidetracked on this one. But, you know, there's a new ransomware out there called Qlocker that's going around and finding either Synology or QNAP NAS devices, probably even Buffalo, but they are finding these NAS devices on the internet, going in, and 7-Zipping all the files and password protecting them. You know, they look like they are doing right around a $600 payout on it. But, you know, it's that against a low barrier to entry.
If somebody was actually monitoring those logs of that NAS device, never mind that you can actually 2FA most of these things, and you can actually get them into Duo or Microsoft Authenticator and, you know, really layer on the security on this thing, what, you know, a simple audit trail of "is somebody brute forcing their way into this thing?" They're not looking at this stuff.
Shiva Maharaj 6:56
Let's go back to the Pulse Secure zero-day. Who found it? FireEye. Was FireEye the one finding all this stuff? We've got the NSA. I'm sure every branch of the military has an intelligence component, and the Mandiant group out of FireEye estimates there are at least 12 families exploiting Pulse Secure vulnerabilities.
At what point do we just nuke and pave the whole goddamn thing and start over?
Eric Taylor 7:25
I think we're past that.
Shiva Maharaj 7:26
This reminds me of that embassy they tried before the US tried building in Russia back in the late 70s. And early 80s. By the time they got to I think it was the third or fourth floor. They realized there were so many bugs and listening devices placed by Russia. It's just a matter of time.
Eric Taylor 7:46
Oh, yeah. I mean, I know FireEye's got a ton of really smart folks. I mean, they're, you know, they're one of the leading cybersecurity firms out there. But, you know, even those groups of folks take so long to find some of these things. Why are we looking to FireEye to be the savior? There are too many systems. We need to go back to the internal. There are too many
Shiva Maharaj 8:12
systems that are supposed to be integrated with each other. There are too many places to hide. And the biggest difference, I think with us and say the Russians or the Chinese, their intelligence and their intelligence apparatus is built for the military, by the military in their agencies, whereas we go into the private sector, for them to build something for us. that's available to everyone, anyone,
Eric Taylor 8:38
And it looks like CISA actually, according to here, has listed two state-backed threat groups.
Shiva Maharaj 8:46
It's linked to China. China's the APT on this one. They will or try to attribute it via UNC2630, I think it was.
Eric Taylor 8:54
near once again, we said Chinese banks likely behind the attack ramp.
Shiva Maharaj 8:59
You know, even though they named Russian SVR last week for SolarWinds, no one actually knows. It's best guess. It is best guess.
Eric Taylor 9:08
Yeah, I don't know if any of this stuff, the compromise, the breach, has actually been put to any sort of MITRE ATT&CK framework or anything like that.
Shiva Maharaj 9:19
I think it's still in its infancy.
Eric Taylor 9:20
Yeah. They also, I think it may be, you know, FireEye has already done that. It just is not public knowledge yet. Right.
Shiva Maharaj 9:28
You know, with the SonicWall flaw, it took them two weeks to release the patch and 25 days to make a public disclosure with their email security flaws. So you have SonicWall, you have Pulse Secure, you have Codecov, all happening within a couple of weeks of each other being identified. How many more of our systems are compromised? And when I say our systems, as a country.
Eric Taylor 9:58
Like I said, I think it goes back to we need to have trust but verify. But I'm even more skeptical of that. I think we are really at a point where we need a nuke and redo.
Shiva Maharaj 10:10
Absolutely. You know, nuke and pave is my favorite thing.
Eric Taylor 10:13
What do we go with? You know, let's just say hypothetically, you know, we're gonna do devil's advocate here. If we want to nuke and replace, what do we put in? There's, like, every MSP
Shiva Maharaj 10:25
out there, build it from the ground up.
Eric Taylor 10:28
So Linksys and Netgear? Got it.
Shiva Maharaj 10:31
No, but seriously, this goes deeper than just, I would say, a nuke and pave. All of our hardware is built in Asia. Quanta, they do Apple, Dell, HP, Lenovo, Cisco and a few others. They were breached by REvil. And now REvil is requesting 50 million from Apple to pay for the plans of all of their latest MacBooks and what have you. So our supply chain is compromised from the hardware side in Asia; it's been compromised here at the code level. These aren't exploits that they're doing. This is getting into the DNA of code that Russia, China and whomever else has been able to do.
Eric Taylor 11:13
You know, you're talking about REvil. That brings up a very interesting point. You know, we've kind of gone back and forth on this a couple of times, where, with our incident response, we're seeing a lull, we're seeing a lot of people not getting hit. But, you know, REvil has been pretty quiet until recently. DarkSide, which I just learned this week, shame on me for not knowing this, but, you know, they released their decrypter to Bitdefender in January or February, something like that. Yeah, their site's still up; you can still go and get whatever you want off of their site. Which is weird, because normally once they release a decrypter it's just like, whatever, and they take down their onion page. NetWalker, of course, has gone, which we thought DarkSide was doing. But there's a lot of ransomware pages and content. I forgot about that Conti is now offline. Yeah, and those are another big player. And it's not uncommon for Conti to go up and down from time to time as I try to get stuff, but Conti with all these other ones going dark, if you will, I'm scared. I think something is getting geared up.
Shiva Maharaj 12:31
I think we should be scared. I think every time there is a lull in activity, it's the ransomware actors training their people, improving their tactics and techniques, and spreading that knowledge in their community, where it makes them all stronger to come after us. Because these are nation-state backed. Let's be honest, this is cyber warfare. This isn't hacking. This isn't driven purely by profits. Yes, there's a profit component to it. But this is about getting into the US and causing havoc.
Eric Taylor 13:05
So, you know, the SonicWall and now the VPN issues, you know, those are nation state. But I don't know how much of this ransomware to some degree is actually nation state, you know, nation tolerated? Absolutely. They got the safe harbor, that, you know, the term we use a lot.
Shiva Maharaj 13:24
It's like the Godfather. I'll do you this favor. I'll give you safe harbor. But one day, I'm going to come ask you for a favor.
Eric Taylor 13:30
Shiva Maharaj 13:31
That's what it pans out today, I think.
Eric Taylor 13:34
Yeah. And I do think that a lot of them are talking, you know, I do think that they have their own private discord or slack or whatever. But I do think that all these folks are communicating with each other.
Shiva Maharaj 13:44
Speaking of a private communication, did you see that the Russian SVR created their own secure drop on the dark web? No, I didn't see that. The Onion address was made public yesterday or today maybe. And it's meant for the International crowd to report any threats against the Russian Federation.
Eric Taylor 14:05
Shiva Maharaj 14:07
They're taking a proactive stance against that. So it's like,
Eric Taylor 14:11
It's not "don't ask, don't tell," but "please tell us everything."
Shiva Maharaj 14:15
pretty much and you can stay anonymous,
Eric Taylor 14:17
Shiva Maharaj 14:19
But that's a whole different ball of wax. Going back to Pulse Secure and SonicWall, how long before folks at the FBI decide it's their job to patch this stuff for those affected?
Eric Taylor 14:33
Yeah, that was one thing I meant to bring up is, you know, even though CISA has already given the mandate to have things patched within the next 48 hours, essentially, or just a little over 48 hours, is the FBI going to step in and start patching stuff?
Shiva Maharaj 14:49
We'll find out after the warrants are unsealed. Let's talk about the patching guidance from CISA. Okay, they've been talking about Pulse Secure. Was it yesterday or Monday? Monday, I
believe. They gave five days to patch. Why not three? If you are doing proper asset management, you can probably mitigate this pretty quickly. Now, there are prerequisite patches for certain versions that need to be installed before the mitigation can be installed. And I get that. But again, if you have proper asset management, this is a two to three day operation.
Eric Taylor 15:27
That's an interesting conversation. So, like, internal IT. Take shadow IT, the outsourced IT, out of the equation for a moment. You know, internal IT, yeah, they probably have no backup hardware, backup firewall, backup switches, things of that nature. So if they apply a patch, and things go awry, and they can't roll back, do they have a backup they can throw in and leverage? You know, we've talked about most of those being overworked and not knowing really what they're doing to some degree. Do they even work? Are they on TikTok or Tinder all day?
Shiva Maharaj 15:59
I don't know. I am so pro TikTok.
Eric Taylor 16:05
You know, that's always funny. Like, you always see these TikTok things come across, I'm like, I can't see that stuff. I can't. Now, if you've got an MSP or MSSP or just an outside consultant that's doing this stuff for you, even in a co-managed or 100% off-site, let's just say, you know, they have SonicWalls at every location.
And there's a bug in that patch. What's the likelihood of them being able to replace all those or roll those things back in a timely fashion? And that's really where a lot of this stuff comes in.
I think that having maybe a phased rollout is more pertinent. You know, it brings up a question, you know, or the whole topic of what is an acceptable patch policy? I mean, I think in most situations, an internal IT firm should be able to get things patched within five days, seven at the latest, you know, maybe if they have to wait till a weekend to reboot stuff because maybe VPNs can't go down, or whatever. You know, you got to have that patch. What,
Shiva Maharaj 17:08
What world do we live in where the VPN can't go down? To give adversaries persistent access? A lot.
Eric Taylor 17:16
There's a lot of micromanagement that uses Azure.
Shiva Maharaj 17:19
Oh, no, I get that. But we're talking about government agencies here. So what are we gonna do? Just leave it open? Let it continue to be exploited? Sure. Because Sally wants to grab that file off the server. Or John, whoever, you know.
Eric Taylor 17:38
Yeah, I really think that their push to have it done by the end of the day Friday, I mean, let's just be realistic. You know, hackers work heavily over the weekend, because that's the downtime of the company. Right. So yeah, they're trying to mitigate and make sure that these things are patched as quickly as possible, consequences be damned. Yeah, I just really hope that these code writers are doing their due diligence before releasing a patch. But bringing this around full circle: do we even know this code is properly signed?
Shiva Maharaj 18:14
Not anymore. Codecov was breached. They got popped the same way that similar ones got popped. That's what I said: we have to start over. Was it an FTP server? That I do not know.
Eric Taylor 18:25
Yeah, that whole joke is, oh, yeah, we got breached by FTP. No, no, I don't think so, though.
Shiva Maharaj 18:29
Listen, I think with the scale of the breaches and the companies that are being breached right now, there is definitely a physical security human component that comes into play here. I don't think this is just coming in over the wire.
Eric Taylor 18:48
Do you think a lot of this has a physical aspect to it?
Shiva Maharaj 18:51
I think so, with how wide they are. I read an article recently that the Chinese government will send someone over here in their youth, let them live their entire life, go to school, get top grades, get clearance, go somewhere. Four years later, they'll tap them to activate them. They're playing the long game, whereas what are we doing?
Eric Taylor 19:13
Shiva Maharaj 19:14
Well, aside from that, that's a necessity. Come on. It's like breathing for some people. But realistically, what are we doing?
Eric Taylor 19:22
We're not doing anything. Unfortunately,
Shiva Maharaj 19:24
we're not even protecting what we have, quite honestly.
Eric Taylor 19:27
Not official. So, you know, there was a good thing that was said, and I'll circle back in a second. But the Middle East and Asian countries are more worried about math and other skills, where typically Americans are worried about the next 30 seconds of fame.
Shiva Maharaj 19:44
I can see that. You know, we live on this extremely shortened news cycle. And it's about getting that 15 seconds of fame, not even 15 minutes, whereas China, Russia, they have been playing the long game.
Eric Taylor 20:00
Yeah, that just reminded me, when you were talking about Chinese spies, you know, everybody's like, oh, well, that's not really a thing. But if you go Google it, I forget what senator it was, not too long ago, that was on the National Security Committee or whatever, that had his girlfriend, well, come to find out, she was a Chinese spy.
Shiva Maharaj 20:19
But go back to, I want to say, 2008, 2009. About a dozen Russian operatives were identified and deported to Russia. And they returned as conquering heroes. And then it happened again, I want to say in '14 or '15, with a single person from Russia, or the Federation. So what are we doing?
Eric Taylor 20:38
Exactly? I mean, I'm sure we are doing the exact same thing in their country.
Shiva Maharaj 20:43
I don't hear anything about Russian systems getting breached? Do you?
Eric Taylor 20:47
Maybe we're a little bit more secret.
Shiva Maharaj 20:48
Super secret squirrel. I like it. Now I'm
Eric Taylor 20:51
just kidding. I just think that they do have a better long game. They're more focused.
Shiva Maharaj 20:57
I think they have a long game.
Eric Taylor 20:59
We don't know. I don't know why. I've said it before: we are a nation of consumption. We're nothing more than that. So how do we move forward from here? Just dropping a bomb on it
Shiva Maharaj 21:09
and walking away? On our infrastructure or them?
Eric Taylor 21:16
And then I'm out of business? But no, I mean, yeah, I mean, on infrastructure, there's got to be a mentality of ripping and replacing. Yeah, I know a lot of people may not like this, but we got to pull the manufacturing out from overseas.
Shiva Maharaj 21:31
Okay, so let's pull on that thread, we take the manufacturing, we bring it over? What are we going to manufacture with?
Eric Taylor 21:38
We have to start building that infrastructure?
Shiva Maharaj 21:39
Okay, but where are we getting the raw materials?
Eric Taylor 21:42
We have to start working on all that. I'm sure a lot of the raw materials we can get. We can get silicon, we can get, you know,
Shiva Maharaj 21:49
where are we getting it from? Most of the mines in Africa, Australia, across Asia are controlled by Russia and China?
Eric Taylor 21:55
Yeah, I mean, we'd just have to get the raw materials from there, I would imagine. So we still buy from them. But at least they don't have a direct line into, you know, our technology. They're not manufacturing it.
Shiva Maharaj 22:05
So we will create our own inflation basically. Exactly. Okay.
Eric Taylor 22:10
Would you rather have inflation that we already have going up in the country? Or would you rather potentially just leak all the data out?
Shiva Maharaj 22:17
I mean, we have lower prices and still getting leaked?
Eric Taylor 22:19
Exactly. But we're talking about change. So
Shiva Maharaj 22:23
But how long do you think this change is going to take? This is something Russia has been dealing with for 25 years, give or take, since the fall of the Soviet Union. China, I think, has taken an even longer approach: 30, 40 years this is in the making.
Eric Taylor 22:35
Yeah, I don't think this is going to be something that'd be completed in our lifetime,
Shiva Maharaj 22:39
Or will our kids be the last generation, or the sacrificial lambs, so to speak? I don't know. Maybe it's interesting, because I don't think that the breaches and the supply chain activity stop at these four or five incidents for this week. I think we're gonna keep seeing this over the next few months, or a couple of years. And APT activity should only be going up. I'm not seeing any defense for us. When a company is breached, there's nothing that says they have to disclose it. Where do we go? Alright, there's
Eric Taylor 23:12
getting to that point. Right. And, you know, we've had this conversation a lot of times about, you know, who's gonna be the mandating force, you know, whether it's CMMC, or if it's, you know, the insurance companies or whatever it is, but yeah, there's got to be accountability, there's got to be disclosure, there's gotta be something. But a hard stance needs to be made, you know, a line in the sand, if you will, to say, okay, no more. We are starting down a different path, you know, through that whole fork in the road type of thing. We need to come to that.
Shiva Maharaj 23:48
I think we almost need parallel construction, have set up an entire new group of cyber hunters, killers, whoever, whatever for us, and have them build their own tools, build out their own stuff, while we continue to use and mitigate what's out there and just do a hard cut over and leave the past in the past.
Eric Taylor 24:07
I wonder if the NSA is actually doing any of that? You would like to think so.
Shiva Maharaj 24:12
I would hope so. I'd like to hope they've been doing it for the last 20 years and not going to a publicly traded company to buy their software. I never expected the NSA to have been using Orion. Yeah, they should have had something homegrown, with all of their cyber warfare operators, as they like to call themselves, that come into the managed services space with their specialized tools. You'd think the NSA would have built half of that stuff out.
Eric Taylor 24:41
It's really interesting. I would love to be a fly on the wall. In some of these conversations be like
Shiva Maharaj 24:46
Ask China, Russia for the transcripts.
Eric Taylor 24:48
You can't do that, because I remember Trump asked at one time and he got blasted all over kingdom come about that
Shiva Maharaj 24:54
about the Hillary emails. So, well, you just have to say please this time. I think that's the best record.
Eric Taylor 25:01
Cuz I don't think I've ever heard Trump say please,
Shiva Maharaj 25:03
you know, I saw an article a couple months ago, maybe back in February, any intelligence related warrants, or DOJ activity is now being done by paper only. They don't even trust their own systems. That's sad. That's the world we live in.
Eric Taylor 25:19
Shiva Maharaj 25:21
We need to make a decision about this. I think we need to just rebuild and go from there. But you're also going to get into labor laws. Unions will make it incredibly hard to produce anything here in a cost-effective manner.
Eric Taylor 25:34
Depends on what state you're doing it in. Federal labor laws, OSHA, you got the federal level to that aspect. As long as you keep it out of, oh God, we're gonna get political, but keep it out of the Democrat states, and more in the Republican-leaning states where a lot of these companies seem to be going. You know, people are fleeing New York, California, going to Texas and Florida.
Shiva Maharaj 25:54
But it's New Yorkers and Californians going to Texas. So I joked around with one of our peers on our daily Zoom call that it's going to be called New California.
Eric Taylor 26:04
Hmm, then they take out New Mexico, and it'd just be one big swoop.
Shiva Maharaj 26:08
It's like Joe Rogan on his podcast was saying, you know, all these people are leaving New York and California to go to Texas. I hope they don't turn it into what they fled from.
Eric Taylor 26:17
I bet you they are or they're trying to anyway. But yeah, it just really depends on what state they set up shop in and kind of go from there. What about your stack?
Shiva Maharaj 26:27
How are you assessing what you're using for your clients on the consulting side, as well as the remediation side, in terms of the types of breaches coming out there? Because I know how your mind works. Just because your vendors weren't affected doesn't mean you're not going to sit there and expect your guys to be safe.
Eric Taylor 26:44
Exactly. Yeah, we do pen tests against our vendors that we use, right? So we are constantly testing them. I make sure that we are under a safe harbor with those folks. But it's getting to the point, really, where I'm going to have to start hiring external pentesting firms to test my stack, make sure I have 365, you know, locked down and configured, that we are not falling victim to some of this stuff. We're only as smart as what we know. And, you know, there's a ton of great penetration testing companies out there that, you know, can bring some insights that we have never thought of. Right. So I think by doing that, helping make sure my stack and my house is as secure as possible, is the best way to go. Because even though we're going through compliance, I always say compliance does not equal security.
Shiva Maharaj 27:41
Oh, absolutely. I think they can help each other. But security is easy, in my mind. It's getting there that's the tough part. Right? That, and staying there.
Eric Taylor 27:52
Yes. Now, do
Shiva Maharaj 27:53
you think current legislation or current government structure is able to keep up with the changes in the cyber world?
Eric Taylor 28:00
No, because I'll ask you: name one government program that they run successfully.
Shiva Maharaj 28:05
HIPAA is the most secure compliance out there, that and CJIS. Neither has been breached, neither has been abused. And they are enforced like none other. Literally.
Eric Taylor 28:18
Literally. None other. Yeah, I'd rather just pay the fine,
Shiva Maharaj 28:22
What fine? Appeal the fine. And they never come back to re-audit you, and it gets forgotten about.
Eric Taylor 28:28
I've heard stories about that. I really have.
Shiva Maharaj 28:31
I've seen it happen. I've been called in to do post-audit work. And when I give the bill, they say no, it's too much. I circle back with them in a year. No, HHS just never came back.
Eric Taylor 28:47
Okay. That is crazy.
Shiva Maharaj 28:49
I guess they're just overworked. It's easy to pay the attorneys, fight the audit, and HHS moves on to something else. Maybe they don't have the resources for it, maybe. So I'm willing to bet if their enforcement section was actually funded by the fines they put out and collect, there'd be a lot more fines
Eric Taylor 29:08
paid, and we may actually have a more secure standpoint than what we have now.
Shiva Maharaj 29:12
I'd like to see a single compliance set. I'd like to see them take CMMC with its five levels and have that be the only compliance out there. Based on your level is what you're able to touch, just like how classified information is handled. You know, you have your various levels, but it's one set.
Eric Taylor 29:33
Yeah, I've heard speculation that the NIST framework and all these other ones will go away or go to the wayside for CMMC, and I would love to see that.
Shiva Maharaj 29:44
I don't think it's going to happen. I think lobbyists and companies will hold out as long as possible so they don't have to spend that money to change. Yeah, because
Eric Taylor 29:53
I mean, even going through CMMC, those levels, you still got years to get ready. Let alone getting auditors ready.
Shiva Maharaj 30:01
I think the first audits are scheduled for late August of this year. I thought it was next month. They've started giving out your dates where they're going to start the audit.
Eric Taylor 30:11
So they're still training the auditors apparently.
Shiva Maharaj 30:13
I think that they're giving companies the ability to finalize their control sets and mappings to make sure.
Eric Taylor 30:20
Yeah, I mean, I'm not gonna lie. I mean, going through those control sets, even internally here, what a task.
Shiva Maharaj 30:27
Oh, absolutely. You know,
Eric Taylor 30:28
Just writing all of your frickin' policies down is a nightmare. So what, you're not supposed to just remember it? And when they ask for it, say, hold on, let
Shiva Maharaj 30:36
me write it out for you. Yeah.
Eric Taylor 30:40
Yeah, I know one MSP colleague of ours, they've got, I think, their CMMC documentation is over 400 pages right now. It is crazy. And they're not even done yet.
Shiva Maharaj 30:53
Are they a big company? Are they a small company?
Eric Taylor 30:55
I think there are right around 20 team members. They do a lot of GCC High stuff and everything like that. You know, they've got one guy who's dedicated just to documentation. I think they've got like three documents altogether that they use just for documentation, like one's a question and answer, one is a policy that will link to another one. They were showing it to me a couple of weeks ago, and I was just like, holy crap.
Shiva Maharaj 31:22
I think you're going to need to have a compliance department if you're going to be dealing with any of this stuff. If they're dealing with any compliance, I can't imagine someone can do it all for themselves.
Eric Taylor 31:33
Maybe. I mean, there was, say, a guy in a shed somewhere could go through full CMMC.
Shiva Maharaj 31:40
I think that's more the exception than the rule, right? Like, the average pizza tech out there, what are they going to do? Add extra pepperoni every time they have to do an audit? I saw in one of the IT groups on Facebook this morning, a person posted a question like, my client is going through an audit and the insurance company wants to know what kind of security policies are in place. How do I do this? My question is, how do you come up with a question like that if you are their provider?
Eric Taylor 32:11
they just seen dollar signs and took them as a client, not knowing what they were getting into. And the client
Shiva Maharaj 32:17
saw dollar signs and took them as a provider or saw less dollar signs than someone else. But that's what we have to deal with in our industry. And it's not just us. It's the big guys.
Eric Taylor 32:27
I mean, most of those audits, as long as you're able to prove or show that you have adequate documentation, you know, standard operating procedures, that paperwork on anything and everything that's getting set up. And a good scope of work as part of your contract is really all you need. It's not that complicated.
Shiva Maharaj 32:48
Yeah, but how many providers actually have that? And that's what I think also the insurance companies are banking on. They want that self-attestation thing. They want you to say I have all this. So then, when an incident comes, they ask for it. And when you don't, sorry, claim denied. Look at, what is it, Mondelez and Merck are each suing their insurance companies, one for 100 million, one for 275 million, because their policies, their claims were denied.
Eric Taylor 33:16
Yeah, yeah, we've made that comment before. And as much as I hate to see that they got popped. But I am glad that somebody is standing up against the insurance companies because, you know, I've looked at the insurance companies for a while as being a possible governing body to some degree to help enforce some sort of compliancy.
Shiva Maharaj 33:40
That's the blind leading the blind. They're getting popped themselves.
Eric Taylor 33:44
Exactly. Yeah. We're seeing more and more of insurance companies and underwriters getting popped. They're not even paying. They're just like, whatever, they'll nuke and pave themselves. And like, so you're not paying the ransomware just to keep your client information off the dark web?
Shiva Maharaj 34:02
Well, they can't. If they are governed by Sarbanes-Oxley, they can't pay the ransom.
Eric Taylor 34:07
Yeah, I've never done enough research on the specific companies that I've seen to actually see if they're under any sort of governance or not, but it's a mess. Like kind of goes back to the whole beginning of the conversation.
Shiva Maharaj 34:19
What do we do, nuke and pave, then? I think we need to build our own systems. And when I say we, I'm talking as a country, build our own systems. And while we're doing that, find rights to natural resources, or take a look at labor laws to make manufacturing here available. You know, what can we actually mass produce that's more technical than a toothpick? I keep asking people that question. But what can we do at scale?
Eric Taylor 34:52
As a country, we're so divided. We can't even say what green technology is appropriate. We can't agree or disagree on whether we should be fracking or not. Pick any of these manufacturing and these resource topics, and we're so divided on what we're supposed to do. So how are we going to get any traction? And I know that's a facetious question. It's a, you know, not one I expect you to answer by any means, but it's more for people listening is, what do we do, you know, when we are too busy fighting with ourselves?
Shiva Maharaj 35:26
We're never gonna get anywhere. I'm of two minds there. I think everything we're going through as a country is making it easier for Russia and China to use propaganda against us, incite. If civil war is going to happen, it's going to be far easier for them to incite it with everything that's going on. But getting away from that piece, I think we as a country really need to look down inside ourselves and really decide, where do we want to go? Do we want to be the country that appears to take the moral high ground? Or do we want to be stronger and unified? If we're not unified, we're not going to be strong. And right now, I'd say the US is the common enemy for Russia and China. So I have no doubt they're collaborating. And I have no basis for that. But it would make perfect sense.
Eric Taylor 36:19
Yes, it would. Yes, it would. Oh, I think that'll help wrap it up for the day. What do you say, Mr. Show?
Shiva Maharaj 36:26
I think so. You want to take us out.
Eric Taylor 36:27
All right, ladies and gentlemen. Thanks for tuning in for another show. We're talking about ransomware. We will talk to you on the next one.
Shiva Maharaj 36:35
Thank you. Thanks again for joining us for the cybersecurity amplified and intensified podcast.