Cybersecurity: Amplified And Intensified

Escalate, Exfiltrate & Encrypt - Round 4

August 27, 2021 Shiva Maharaj/Eric Taylor
Transcript
Eric Taylor:

Yeah, that's how all the fans really got started. Well, you know, they,

Shiva Maharaj:

I think it was all an advertising ploy to get more action. This is true black of the fun. Welcome to a special episode of Cybersecurity: Amplified and Intensified with your host, Eric Taylor, and myself, Shiva Maharaj. Today, we are going to be going into the meetings of the tech executives and powerhouses, of people who won't change shit, and their meeting with President Biden. And we're gonna unpack it from there, even though we already did this on May 17 of 2021 when the first executive order was given out. So I guess, Eric, we were ahead of their time, and the 24 hour news cycle needed a shot in the arm.

Eric Taylor:

Yep. Do you vaccine? Is this like a booster?

Shiva Maharaj:

I guess so. I think I think we'll call this the booster episode.

Eric Taylor:

There we go.

Shiva Maharaj:

Are we starting here today, sir?

Eric Taylor:

So I guess we'll kind of recap and say, okay, this again. Back on May 19, what was the exact... May 12 was the executive order from President Biden informing all government agencies they must comply with a certain level of compliance, including MFA, you know, NIST 800-171, just all the things. You know, since then, everybody has come out. It was like, all MSPs must get CMMC. They must do this. They must do that. But we've talked about it several times ad nauseam. MSSPs, the public sector is not required to conform to this executive order, or specifically, well, yes, only the government sector has to conform, sorry, and CMMC is only for the DoD and their business partners. And CMMC is not fully vetted, or is not fully read in and fully approved yet, if I understand some of the stuff. Last I heard, there was supposed to be, like, a quote unquote final reading of the bill at the end of September. And you know, if that went through, then CMMC would be quote unquote official.

Shiva Maharaj:

You know, I think it's a good thing that it hasn't been finalized yet, because, in my opinion, technology moves too quickly for compliance to keep up. So with all these meetings of the bigwigs who, as I said, are gonna do jack shit in the long run with the president, if we can get some kind of effect towards CMMC, where it makes it better, I'm all for that. Where I have an issue is, and I skimmed through this because we've been inundated with questions, it looks like the President has tasked NIST to really get together with, what was it, IBM, Google, Microsoft and Apple to put together some baseline compliances to do this, do that, or what have you. Why not use CMMC? Why not have a single compliance regime? Let the DoD audit their people and whoever they do business with. Let CISA, or a division of CISA, or Mr. Inglis, who's now, you know, is he? So let him stand up a department to audit the private sector for CMMC, CMMC civilian?

Eric Taylor:

So I mean, like we said, you know, CMMC is for the DoD. There's been a lot of folks that have said, no, what about... I think even the DOJ was talking about, maybe it was the FBI, DHS. DHS, thank you, was talking about... Sorry, I'm reading so many articles lately, I'm forgetting who wrote

Shiva Maharaj:

Right, who wrote what anymore. It's all the same shit, man.

Eric Taylor:

So I don't want to do a CMMC-like version for the public sector. But even in this one, you know, they're talking about, you know, the NIST framework. They're not saying which compliance they're going to go through, which I assume is 800-171. But I just wanted, you know, I want to take a massive step back. And we've talked about this extensively, ad nauseam, but we're going to have to talk about it again. NIST is self-attestation. There's no compliance, there's no auditing of compliance for the framework. None. So honestly,

Shiva Maharaj:

Do you think big tech, or any big company, is going to want anything else, away from self-attestation? I just don't see that happening.

Eric Taylor:

It's so easy to be like, oh, well, we conform to 70%,

Shiva Maharaj:

you know, understand and accept

Eric Taylor:

the risk. You know, we've seen this play out when CMMC was being developed and the DoD, or the DoD primes and subcontractors, were saying, oh, we need so much, it's gonna cost us so much money to essentially implement 30 additional controls, because they weren't even at the level of their self-attestation that they claimed to be.

Shiva Maharaj:

But that's the beautiful part about self-attestation. If you really want to see how poor that model is, as I keep saying, look at HIPAA. Look at sieges.

Eric Taylor:

You know, we like to shit on Kaseya a lot, but they like to claim that they're CMMC compliant as well for their internal systems, though.

Shiva Maharaj:

We're going down that road today, aren't we? I told you I'm pissed. Alright. Let's start with Vinegar. Then I'm going to rename myself to Piss. My name is Piss and my co-host is Vinegar.

Eric Taylor:

Vinegar here.

Shiva Maharaj:

Can we throw up the executive order? Not that, sorry, the White House rundown of the bullet points from yesterday's meeting? Sure, absolutely. Because there's some pretty interesting stuff in here. And, you know, I do want to say, at least the White House is taking an active stance in doing something. My only real problem here is, what are the timeframes that are actually going to be kept, held to?

Eric Taylor:

Who knows? If we had the executive order here, there were compliance timeframes, like 60 day, 100 days. I'm stopping at 60 every day, so within 60 days, um, you know, OMB was supposed to do their consultations. I haven't seen any other timeline reporting come out of any of these things. You know, Homeland Security has 60 days, you know, to start doing some stuff. Well, it's

Shiva Maharaj:

an actively evolving situation.

Eric Taylor:

But isn't an executive order just that, you must comply? I would think so. Or at least I would hope so. So why is it some of these announcements, or compliance, coming out from the executive order, you know,

Shiva Maharaj:

Even at 60? I think, you know, you got to give them time. They were caught on the back foot, and maybe they need some time to roll this out. And telling people, hey, we don't have MFA rolled out across the board, is kind of a security risk, I would say. Not that the bad actors don't already know this, because of physical placement of assets as well as technical compromise. What I wanted to focus on are two bullet points here. The Biden administration announced today that NIST will collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain.

Unknown:

Well,

Shiva Maharaj:

Here's the thing. When's that going to happen? When's it gonna be put into place? It's further down. I want to say mid-page, mid-fold. First, up, right there. Yep. And probably zoom in a little for the audience. Okay, when's this gonna happen? This was announced six... Sorry, three months ago, give or take, with the executive order of May 12. Okay, fine, rehash. The next one: the Biden administration also announces formal expansion of the ICS cybersecurity initiative to a second major sector, natural gas pipelines. Okay, this is a clear result of Colonial. Again, what is the timeline? I'm happy these things are moving, but what's going on? And then the rest here is Apple announced, Google announced, IBM announced, Microsoft announced, Amazon. Great, that's all bullshit. No one cares what they're gonna do, because it's not really going to have a long-lasting effect. What I found interesting here is there's a lot of talk about cyber insurance and using your posture to rate your risk. Now, the insurance companies are going to love self-attestation, because it's going to allow them to say, do you fulfill these requirements? Joe Schmoe is going to say, yes, we do. They're going to have an incident because they're idiots and didn't spend money the right way. And the insurance company's gonna say, okay, show us where you had this, your checkbox compliance. And when you don't have it, because of self-attestation, the insurance company will keep your policy premium and they will deny your claim, which is what I've been saying for the last God knows how long. But hey, no one listens to me. Why would they? I only make sense sometimes.

Eric Taylor:

So is this going to be something that they're going to work bilaterally with the executive order? Or are they going to wait for an executive order and adoption of CMMC before, you know, these tech companies actually have any real traction?

Shiva Maharaj:

Oh, well, the major things for the tech companies are implement MFA, train your employees, which is stuff, let's be honest, they should have been doing for a couple of years now. It's nothing special, nothing great. Now, I also see here that you're going to have coding for girls. Great, I'm all for that. Then, concept, over 3 million students and 35,000 classrooms over three years. Listen, all this is all well and good. But there is a way to turn the big ship that is United States cyber infrastructure, and what have you, and have this done within three months. Maybe four. All it needs is proper buy-in from the right people and we can improve everything in three to four months. People will say I'm crazy. You know what,

Eric Taylor:

there are ways to do it. You know, one thing that I've seen here, you know, Whatcom Community College now is designated a new framework, you know, for cybersecurity. Is this a... because these folks are apparently in the mix of the conversation, are these guys and gals going to potentially inject their framework in place of NIST for these to comply? Yeah, I really think that, I'm with you, something needs to be done now. I'm tired of frickin' talking about it. Not us talking about it, but I'm tired of, you know, it seems like every couple of months or every couple of years we're getting up on our soapbox and, like, change must happen. Change must happen, and what, nothing ever fucking gets done.

Shiva Maharaj:

But it's far easier to say change must happen than to actually effect change. Now the problem I see with NIST, and there are God knows how many goddamn frameworks, CIS has their frameworks, HIPAA, the hippopotamus of these shit, HIPAA. Everyone has a framework. And I'll go back to the old adage of too many cooks in the kitchen. And on top of that, you have state frameworks and all these other things. And this goes back to why I like CMMC: five levels, even though I think two of them are pretty much bullshit and should be lost. But the world needs ditch diggers too.

Eric Taylor:

Yeah, I mean, those two that we're talking about, you know, two and four, are really the, quote unquote, gateway to the X, Y and Z level, but yeah,

Shiva Maharaj:

Which is fine. If you're an idiot and you need that extra help to not get anywhere, hey, more power to you.

Eric Taylor:

But, yeah, I just think something needs to be done, you know, whether it's a CMMC Lite, just to remove, you know, classified controlled information out of CMMC, I think, to apply,

Shiva Maharaj:

I think it should apply, because here's the beautiful part about having one compliance. Let's say you don't have any clients in the DIB, but you're CMMC level five, because I don't expect you to be a one or two, or even a three, for long, quite honestly. And you have the opportunity to go bid a contract for someone in the DIB. You're already there in terms of compliance.

Eric Taylor:

So let's have one compliance, let's have a civilian oversight body and let's have a military oversight body. Yet before we get a bunch of trolls, let me make it clear: you can do your self-attestation above a level three, up to level five, and be self-attested for level five, and just wait for your government sponsorship to be fully audited and accredited in. But there's nothing saying that you as a business can't hold yourself to a higher standard and self-attest to that level. So

Shiva Maharaj:

And it all depends if Kaseya is offering level five. Oh, fuck me.

Eric Taylor:

Yeah. Now, for one second, before we go back to this topic, has anything come out from those shitbags?

Shiva Maharaj:

Yeah, there. I get emails once a week from them saying, hey, let's teach you how to be more efficient and secure. And I just sit here and I laugh.

Eric Taylor:

Yeah, we're the most secure platform ever. No, I don't think so. But anyway.

Shiva Maharaj:

Anyway, back to the show. That is all this stuff. Now, I posted a tweet and I tagged POTUS, and I really don't think he gives a shit or is gonna listen to anything I post on Twitter. What I basically said: hey, POTUS, why don't we ask the people who've asked for budgets, tools and training, who've been denied, what we should maybe be doing, instead of actually going to the CEOs of these companies, where there's going to be a game of telephone and no one's actually going to do anything,

Eric Taylor:

It's all a dog and pony show. You know, this is why I keep saying I'm tired of the talk. I'm tired of everybody getting together and stroking each other off and making each other feel good, to make it look good for show. I mean, it's so fucking political that it drives me nuts. You know, I want, actually, I want to be moving in a direction. Oh, you pick one. And let's fucking go there. Right? It cannot be that damn hard.

Shiva Maharaj:

There's no money in that. There's a lot of people that need to eat under that trough. And all these meetings, all these conversations cost money, and a lot of people are getting paid.

Eric Taylor:

I mean, I know pallet jack has helped a ton of MSP startup companies, you know, and he is doing something or another with the state of California, trying to come up with theirs. But that's only going to be enhancing government state regulations. From what I've read, that's not going to be sponsored into any sort of national framework, right?

Shiva Maharaj:

It's got to be something federal, man. We're 50 countries rolled into one here. You can't have a California compliance like that. You can't have a New York, New Jersey, because it's just not going to work. What happens if you're doing business in two states? What up? Consider this. You're in DC, you operate in DC, Virginia, and Maryland. Do you really want to deal with three sets of rules and what have you?

Eric Taylor:

I do. I have

Shiva Maharaj:

to. I get that you do. But wouldn't it be better if there was a federal compliance that was accepted by every state? Now, when I say federal, I don't mean federal government, but a compliance regime that is accepted by all 50 states, and that's it. Your administrative burden will be relieved tremendously.

Eric Taylor:

Yeah. I think the only thing that really should change from a federal policy is if a state wanted to mandate a quicker notification timeline. You know, some of the states, like the New York SHIELD Act, is what, a 24 hour notice? I think,

Shiva Maharaj:

You know, I think once you start making exceptions for other people, you're going back to the same problem we have right now: too many compliances. I think find the timeframe that everyone will stick to, find something that will work for everyone.

Eric Taylor:

So who do you think is going to be the driving force for this? Because clearly, you know, we've talked about insurance companies; they're clearly not going to be the fucking driving force.

Shiva Maharaj:

They are good White House. Sorry, God,

Eric Taylor:

the White House is clearly in a "my deck is bigger than yours, let's stroke each other" mindset. Who the eff is going to put something together and move the ball forward?

Shiva Maharaj:

So if I had to take a guess, as to who is driving the show right now, it is big business and the insurance companies, and that is why NIST has been chosen to create the framework. They need that self-attestation, they want that self-attestation.

Eric Taylor:

Good, then. You can't handle the truth.

Shiva Maharaj:

And that's what they're saying, right? You can't handle the truth, that we want you to self-attest so we can deny your policy or deny your claim.

Eric Taylor:

It's gonna be sad if that's where we're going to end up hanging our hat, so to speak. You know, it's just, I mean, I guess it pisses me off because I'm so passionate about the security industry that I'm like, fuck, let's do something, you know. I mean, that's kind of why we're on this podcast. It's really the whole reason that we're talking about this crap. And you know, I know I'm a small, we are a very small fish in a very, very little fucking

Shiva Maharaj:

Guppy, compared to some of the people out there. Are you kidding me? So we got to do something. A buddy of mine texted me this morning. He's like, hey, when are you guys gonna do a podcast on NIST and the Cybersecurity Framework and requirements from out of the White House? And I'm like, dude, we did this back in May. Episode 11,

Eric Taylor:

Whoever's listening, the link is in the show notes. If you're watching on YouTube, we'll put the link up at the top. Are we ahead

Shiva Maharaj:

of our time? Ahead of everyone else's time,

Eric Taylor:

I think to some degree. So I mean, you and I both are pretty much, I mean, I'm still going through it. But you're a lot farther along the line, from our private conversations, along the CMMC compliance than I am, just because I'm a busy, busy, busy, busy, you know, 28 hour a day work day, some days. But, um, I think at least for those who are going through CMMC, even though it's not fully ready, if not fully approved, or whatever, but at least starting to go down this framework. And if CMMC doesn't get approved, and it's something else that gets approved, so fucking be it. You know, any companies,

Shiva Maharaj:

there's so much overlap with all these compliances. So you do any one of them, you're gonna get 60, 80% of the way through most of them.

Eric Taylor:

If people, or companies, will go into this thing, and this is kind of why I like CMMC, to the degree you're going into a compliance framework knowing that you're going to have your ass audited, you're going to have to answer to somebody about what you're doing. So going into any framework with that mindset, they're going to make a change, I think.

Shiva Maharaj:

I want to see them get rid of the "we've identified the risk, and we accept the risk" answer. Yeah, because that is just a steaming pile of shit. But what do I know?

Eric Taylor:

I mean, there's a, and this is what a lot of companies, our clients and our prospects, are going to have to understand: prices for IT and cybersecurity services are going to go up, because we have to align with businesses that align with these frameworks. Like, let's just take, we talked about Kaseya, we've talked about RMMs, we've had guests from RMM shows on here, and PSA, some of that. But if we have to go, it's our tool set, we have to migrate to those who support actual logging and do all these things, in order to be compliant with these frameworks. Most of these things are not what they call channel programs, they are more of an enterprise program, which means more money. Therefore the cost is going to pass through. So people have got to get ready and prepared for that.

Shiva Maharaj:

The only way you're going to get them ready for that is if the fines outweigh the cost. Now, that truly is the barrier to security in this country. And I'm sure it's the same in other countries, but we're here. What do we care about the others? Let's be honest.

Eric Taylor:

I mean, all the other countries don't really give a whole lot of shit about us, or why should we care about them?

Shiva Maharaj:

Exactly. So, I mean, you're not wrong, dude, you're not wrong. But my thing is, let's have an actionable timeframe that we're going to stick to, not a, hey, let's aim for this, and then two years later you're still holding your dick in your hand.

Eric Taylor:

Exactly. That's why I'm bitching about: stop talking and let's fucking act.

Shiva Maharaj:

What do you think is the first thing they should do? And by that, I mean, let's say the president or anyone who can make this change across cybersecurity in this country.

Eric Taylor:

I think the biggest thing that would be a big benefit is incorporating an auditing firm for NIST. I got

Shiva Maharaj:

a better one for you. Okay, mandate that every piece of software must offer MFA at no extra charge, from a regular subscription to an enterprise, because you know that's the game they like to play for that and SSO. But also say every vendor has to provide MFA, and they have to do it by this date. How quickly will the market move? And if you don't do it, it's this penalty per user account.

Eric Taylor:

And mandate every user have MFA. Yeah. Or they get their account suspended?

Shiva Maharaj:

No, just keep taxing them, or fining them. Put the IRS in charge.

Eric Taylor:

Oh, good. You know, they just did hire like 30 or 40, or 86,000 more people to go after more tax records. So look, I'll place people over there.

Shiva Maharaj:

My point is, you can do this. Like, you're calling Microsoft, Google, Amazon, Apple and saying MFA. Well, make it across the board. What happens to software made by Joe Schmo who gets an API connection into 365? And that's an admin API connection, because why else would you want to connect? But there's no MFA there. So you get in and you abuse the API. What good is the Microsoft MFA?

Eric Taylor:

Yeah, that's really a lot of the crux, right? Because, I mean, the whole point of an API is to create that integration. But you know, we have a lot of people, including our buddy Ryan Weeks, around that. Ryan Weeks

Shiva Maharaj:

Datto, the CISO? Yeah, Ryan's

Eric Taylor:

Yeah, right. Yeah. Okay. Sorry, brain fart, need more coffee. But yeah, Ryan Weeks has even talked about it, even on the Cyber CO and a couple of other ones. You know, there's been many other views, but I fully agree with them that, yo, you've got to audit your APIs. I just did a bug bounty, I think I talked about it on one of the other episodes, maybe never called it a bug bounty, but a penetration test on chilango, where I created my own app in Microsoft, just made up some stupid thing and sent it over, and three of the admins approved my application, and I had full domain rights into their tenant.

Shiva Maharaj:

Yeah, but why is the admin even allowing that? That should be switched off.

Eric Taylor:

Well, I mean, somebody's got to allow it, but

Shiva Maharaj:

And that's where they should build in secondary approvals. Yeah, pipeline stuff. But then again, you kill off most of the MSPs out there. So what else about this new but old action on NIST? Anything there? Did we learn something else in the long tail? No, that's pretty much it for today, I

Eric Taylor:

think. I really fear that in a couple of months we're going to just be rehashing the same damn conversation again, and I'm just gonna get even more pissed off.

Shiva Maharaj:

Well, at least we can say, ladies and gentlemen, please refer to Escalate, Exfiltrate and Encrypt, Round 4. Again.

Eric Taylor:

Episode 11, round four. We're talking about the

Shiva Maharaj:

top three things people should do right now, regardless of compliance regime, to secure themselves and their companies and their clients.

Eric Taylor:

Incorporate MFA, SSO, and it's all do one up

Shiva Maharaj:

So expensive. We have to spend money.

Eric Taylor:

I mean, if you're an MSP, you know, you get your NFR with them, but

Shiva Maharaj:

Not the MSP. Let's talk about end consumers, because you can't help MSPs, they'll just keep doing it the cheapest way. Oh, wait, they're just like customers. Never mind.

Eric Taylor:

You know what I mean? MFA, SSO, if they will go that route. Port scan yourself and your customers, find out what's open, investigate it. Does it really need to be open? barricadecyber.com,

Shiva Maharaj:

He'll do it for you. He will, hold on, for those looking, like, put up the records. He will help you, for a fee, to check your perimeter. The only thing on top of that I would add is at least start collecting your logs, whether it's an EDR or a SIEM. Even if you're not doing anything with it, at least post-incident, when you do get popped because of your lack of security, you'll have something to refer to.

Eric Taylor:

Yeah, I can't, I mean, we talked about it in the last episode. So many times we get pulled into incident response situations where there's no logging, and we go in, and except for the threat actor, we know from tradecraft what they're doing. That's all we go off of, right? So it pro

Shiva Maharaj:

Just as they have to live off the land, so do you as an IR guy.

Eric Taylor:

Yeah. Now,

Shiva Maharaj:

if there's nothing there, it's famine. If there's something there, maybe it's feast.

Eric Taylor:

Thanks again so much, everybody, for tuning in. We really do appreciate y'all. If you made it to the end of this episode, please like and subscribe on either YouTube or the audio podcast version of your choice. And please spread the word. Let everybody you know know about us and help this crazy, crazy show that we're putting together for you grow. Until next time, we really do appreciate it. Thank you so much.