
November 28, 2023 38 mins


What if you could protect your cryptocurrency from hackers with just a few simple security measures? That's what we're diving into today in our exploration of the fascinating yet terrifying world of SIM swaps and cryptocurrency security. We'll shed light on a real-life cautionary tale of a victim who lost his cryptocurrency to these cunning cyber con artists and the ingenious way they laundered the stolen funds. Discover why you should never use your phone number for authentication and what you can do to protect yourself.

As we journey further, we'll unravel the complex web of crypto regulations and vendor risk management. With the SEC guidelines causing confusion, we'll debate the need for a more regulated crypto environment. Learn about the critical process of vendor vetting in industries dealing with confidential data. We'll also reveal the SPRS scoring system for assessing vendor security and why you must be assertive with vendors that don't prioritize security. Remember, when it comes to securing your crypto assets, the mantra should be "don't trust, verify." So, gear up for an enlightening episode that will help you navigate the murky waters of cryptocurrency security.

This is Encrypted Ambition—a podcast about the builders rewriting the rules. Join Petronella Technology Group as we decode the ideas, challenges, and momentum behind tomorrow’s business, technology, and leadership breakthroughs. 

That’s a wrap on this episode of Encrypted Ambition. Subscribe wherever you listen, and if today’s guest inspired you—leave us a review or share the show with someone in your circle.

To learn more about how we support innovators with AI, cybersecurity, and compliance, head to PetronellaTech.com.

Thanks for listening—and remember, the future favors the bold.


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:02):
Hey guys, welcome to another podcast. We've got Blake Ray. Hello. Today we're going to talk about SIM swaps, top cybersecurity and compliance news, and there was another story.

Speaker 2 (00:16):
Third-party risk vendor management.

Speaker 1 (00:19):
Yes, third-party vendor risk management. So SIM swaps. What is a SIM swap? A SIM swap is when a bad actor impersonates you to the telecommunications or phone company. So they pick up the phone, use social engineering and basically

(00:41):
steal your identity to persuade the caller or representative at the carrier to send you a new, or send the bad actor a SIM card, a new SIM card with your phone number tied to it. So one of the things that people do, or that's recommended,

(01:02):
to prevent a SIM swap attack is, first and foremost, try to avoid using your telephone number, your cell phone mobile number, for SMS tokens, and what I mean by that is, when you go to a website and use the multi-factor authentication, try to avoid using your phone number to get the PIN, because

(01:23):
if that gets in the wrong hands, AKA a SIM swap, well then they can get into those accounts, and this is what has happened hundreds, if not thousands, of times, especially targeting people that hold cryptocurrency or Bitcoin, and as those cryptocurrency values go up, so do SIM swap attacks. So SIM swap attacks, they look for lists and people that hold

(01:48):
crypto, and they know that people en masse generally do not adopt. Not saying you guys, your listeners, yours are smart ones. I'm saying that most people don't take cybersecurity seriously enough, minimum effective dose of security on their own personal devices and systems. So the hackers know it's essentially low-hanging fruit.

(02:11):
So they go after the carrier. They try to figure out which carrier first. They do recon on social media, figure out their victim list and then they figure out who they want to target and impersonate. And it's happened so many times. There's been cases, all different carriers have been

(02:31):
attacked with this, and it's an ongoing problem. So you, as a consumer, the best things that you could do is try to protect your phone number as best as possible. And what does that mean? That means that you can call your mobile carrier. Stop what you're doing right now. Tell them that you want additional security on your account. Set up a unique PIN number for when you call the carrier, ask

(02:55):
for any additional security controls that they can offer you to prove your identity. So just make it more hoops to go through. I know it might be inconvenient for you, but I mean really, how often do you call your carrier anyway? So I mean nowadays, too, with the new iPhones and I'm sure

(03:16):
that the new phones, Droid devices, things like that, they use what's called eSIM, so there's no physical SIM chip anymore, which helps. So but still there's risk there and it's still possible to move your. You know, people can go get a new iPhone or a new device and still activate and move your phone number if they have enough

(03:37):
information about you as the target. So all that, Blake, you can comment.

Speaker 2 (03:42):
Yeah, yeah, I especially. Once you get a new eSIM it'll cancel your old SIM. So this actually happened to my dad, ironically, and his crypto got stolen. Yeah, essentially they were, they were migrating his phone number to Google Voice, and then so anytime you would call his phone, it would say the Google subscriber, whatever, leave a

(04:05):
message. And then he started getting, I guess they got text messages to his Google Voice number for his Binance or whatever, whatever crypto wallet, Coinbase, and then they sent the money to themselves through Coinbase or Binance or whatever. And of course, you know, me being the forensics guy, I essentially

(04:30):
kind of traced the breadcrumbs trail from wallet to wallet, and essentially what they were doing was they were taking crypto and then they were dividing it. So, like they would take, let's just say it was, you know, a thousand US dollars, they would send like 700 to one account and then 300 to another account, and then that 300 would be 100

(04:52):
there, 200 there, and then the 700 would be like 500 here, 300 there, and they just kept doing that, you know, pretty much infinitely. I mean, I think it took me maybe 20 or 30 like layers, and

(05:14):
then it actually went to the biggest whale wallet in the world. So I find that super interesting. So the person who has the largest, you know, that I was aware of, and of course I looked on the coin.

Speaker 1 (05:31):
So, so, so that big whale wallet could be on an exchange somewhere, though. So it's kind of, so when you say that, it's probably not an individual that owns that wallet. It's probably some exchange somewhere.

Speaker 2 (05:43):
Could be. But you know you can go to, like, I think it's the coin exchange or whatever, and it shows you, like, the most held, the largest wallets, and it traced right back to that wallet. So I found that a little interesting and, yeah, it

(06:04):
happened multiple times to him. The second time they got into it they had already tapped all of this crypto out and then, of course, there's nothing you can do. I mean the money's gone.

Speaker 1 (06:16):
Yeah, I mean I don't know if you've done this or not, but you can certainly fill out a report with US-CERT and CISA and report it, which you should do. And if you've been a victim of that, you can certainly keep digging and keep digging deeper and try to kind of triangulate where, I know you said big whale wallet, but it most likely is

(06:39):
some exchange somewhere. But yeah, it takes a lot of time, like you said. I mean they do these, I'll put it, I guess money laundering, kind of looping kind of things to kind of keep moving the money and in different numbers, like you mentioned, and then they keep kind of, how many layers of that deep, right.

(07:01):
And then you said that it ended up in some large whale wallet somewhere. So I suspect that it's probably at some exchange somewhere or dumped there somewhere and then further got distributed from that point or converted or something. Just got to keep, like you said, the breadcrumb trail.

(07:22):
I mean it could be a really long trail, sometimes take countless hours. That's why this work is so specialized and it takes so much time. It could take years. Law enforcement is still using new technology to crack cases from 30, 40, 50 plus years ago with DNA and different kinds of tools that are new and they're catching criminals.

(07:44):
So I mean, I'm sure, as time progresses and the tools get better, hopefully one day you'll be able to track it down. But yeah, I know that the short answer is there's nothing you can really do, but there are some things that you can do, and reporting it should be one of them. You can certainly reach out to an attorney and explore those

(08:07):
options too. Sometimes they have access to different experts that can help. It really just boils down to, I don't know how much money it was, but it boils down to, is it worth it or not? Because you're going to end up paying for some of this stuff and sometimes it's not worth it. But I think the learning lesson, and not talking down on you or

(08:29):
anything, I'm just saying the learning lesson here is don't keep your money on, don't keep crypto on exchanges, keep them on cold wallets. We've talked about that before. I don't know if you guys are aware with the whole. People say Binance and then some people say Binance. I say Binance, but there's a whole crackdown happening with CZ, the CEO of Binance, and how he has stepped down and paid

(08:54):
over, I think it was $4 billion. This was last week, in fines, and then I heard a couple of days ago that they're not going to let him leave the United States until his hearing. So that's interesting. So I guess the takeaway here, looping back to SIM swap attacks,

(09:18):
is don't trust your phone number to keep you safe and don't trust anyone. Don't trust your carrier to keep you safe. Like I said, there's ongoing cases around. Whose fault is this? Is this the carrier's fault because you had cryptocurrency and you were trusting the carrier to not move your phone number? Could be. I do agree that you shouldn't have your phone number moved

(09:43):
without your authorization and there should be safeguards from carriers to make sure that you prove your identity and maybe even make it so that you absolutely have to go into a store and you have to show two forms of government ID. My point here is that anybody around the world can call anyone

(10:05):
else and a bad actor can wake up in a different country one day and say, oh, I'm going to attack Blake or whomever, and they can do that from anywhere in the world. And if we don't have carriers and companies that follow these security and regulations that are put in place, I mean, that's

(10:27):
why these things exist, because if people didn't put security in place for anyone, I mean, look at that. This reminds me of back in the day. I don't know if you remember, Blake, do you remember phone phreaking? Do you know what that is? So phone phreaking is? This is back when, I mean, 2600 is still around. But my point is that phone phreaking was like the fun thing

(10:51):
to do for bored teenagers. Cyberpunks that wanted to hack into. This was kind of like before the internet, more in the BBS or bulletin board system days. That's a pretty good tip again, bored teenagers, bored kids that wanted to break into carriers, phone companies, and the goal

(11:17):
was to set up party lines. Back then cell phones weren't in everybody's hand, so it was old school, pick up the phone, dial and call somebody. And most companies had corporate accounts with carriers, right. So they'd call, like the company might have an account with AT&T or whomever, and they would have their business phone lines with

(11:39):
them. And this was back when T1s were more popular. And anyway, you had these at-risk companies that were relying upon the carrier to set up their company dial directory. And sometimes these companies needed conference lines because

(11:59):
maybe they were a global company and they needed people to dial in, kind of like what we're doing now with Zoom, right, only this didn't exist then. So they did it all by audio, all by phone. So what hackers in that day and that timeframe would do is they would hack into the phone carrier, break into the party line and either just goof around or lock people out or kind of

(12:22):
like how, when COVID hit, a lot of people were hacking the Zoom channels and kicking the people out and doing crazy stuff. Well, they were doing this stuff back in the day, only with audio. So my point is, back then, Kevin Mitnick, you know, rest his soul. He passed away recently, right, but this was in a lot of his books. He used to do this kind of stuff and he went to prison for

(12:44):
some of this that he did when he broke into some of the carriers. But my point, in kind of bringing this full circle, is those were learning lessons for companies and carriers and that's what caused regulation, and regulation continues to evolve, as we've seen with CMMC and different kinds of regulation, and there are different laws and regulations that these

(13:06):
carriers need to comply with. In my opinion, there's not enough being done for companies and carriers, companies of all shapes and sizes, around taking cyber seriously enough and taking compliance seriously enough to protect the consumers and to protect the companies. But I think the best thing that you and I can do as consumers

(13:28):
is advocate, is push back at the company or the other person on the other line and say, look, we want more security, I want more privacy, what are you doing to protect me, what can I do, what can you do for me and what can I do to protect myself? And then kind of bringing this full circle back to crypto. Never put crypto, store it for long periods of time, in software

(13:51):
or hot wallets. You know, kind of best practices with crypto is. You always want to make sure that you have a wallet, ideally a cold wallet, and that you spend coins, send and receive coins to that wallet before making large purchases and savings to those wallets, because you don't want to set up a brand new wallet and then just go put your life savings in crypto or whatever.

(14:13):
I'm not recommending any of this. This is not financial advice. My point is that you don't want to, in this case, trust a wallet, a software wallet or even a hardware wallet. You don't want to trust that they're going to store everything either. So you need to do things on your own, and what I'm saying to do on your own is test these things, make sure that they work properly.

(14:34):
Send and receive small transactions. Always do that as a test before storing larger amounts. Never trust one wallet, even if it's a cold wallet. Use multiple cold wallets, different vendors. You know, for security I use multiple vendors for cameras, multiple vendors for different layers of the ecosystem, because, again, I feel like we're in such a trustless world.

(14:56):
You have to verify everything and you can't, unfortunately, trust a single person, company or carrier. So there's some things that you can do on your own, as listeners, to kind of take matters into your own hands, because the fact of the matter is, all of our information is out there and we're all targets.

(15:16):
So what are you doing today to make it harder and becoming less of a mark? At least, that's my philosophy on it.

Speaker 2 (15:26):
Yeah, I mean it's like putting all your eggs in one basket. You know, that's the easiest way. I'm sure, I mean, your mom has told you that, or your dad or somebody in your family, you know. So spreading, you know, and with my dad's story, you know, obviously the hackers were spreading that money out, right, you know, because having it all in one place is too risky.

Speaker 1 (15:49):
Yeah, and that goes for exchanges too. You know, if you're trading crypto, like I said, try to avoid using your phone number for an authentication layer. You know, don't trade on a single exchange. You know, try to use multiple exchanges. Try not to keep a large amount of money on an exchange. Have a process to move it off the exchange to several

(16:09):
different cold wallets, like Blake was saying, kind of spread things out so all your eggs aren't in one basket, because there could be a day in the future where one of those exchanges gets hacked, or what happens and there's a government crackdown, they find some shady stuff happening, like what happened with FTX. You know. And then, you know, if you guys have money on those exchanges,

(16:31):
they can lock it all up and freeze it all up, and then it's going to take months, if not years, for you, if you ever see that money again. So why would you put yourself at those kinds of risks when we've had so much corruption? And this corruption is everywhere. It's all over the place, at different companies, different levels. It's just everywhere. So we need to take matters into our own hands and take security

(16:54):
more seriously and do our part.

Speaker 2 (16:58):
Yeah, I mean, I think, in my opinion, you know, there's, I'm probably going to get some heat for this, but, you know, I definitely want to see crypto regulated for those reasons. You know, it's kind of been, for the past 10 years or so, like the wild, wild West, you know, like it.

(17:19):
Just it needs to happen. I think, you know, that way people can feel secure, you know, investing in these crypto coins, and I mean the fact is nothing, you know, nothing really happens to these criminals, you know.

Speaker 1 (17:35):
I mean, well, I don't know if that's entirely true. As far as that, I mean, look at what. Do it agree? Yeah, I think your point is that, and I think the speculation is that it's too easy. It's too easy for anyone to kind of create a crap coin and make a bunch of money and then rip people off, and there's no

(17:56):
regulatory framework around, you know, the laws of the land, you know, and I agree with that and I support that. I do think that there needs to be more regulation and, again, you know, compliance around what can you, what can you do, what can't you do? I do feel like our country in America is, is lagging behind.

(18:16):
I think that, you know, some other countries are more advanced in that regulation. I'm hopeful and optimistic with the whole. You know, a lot of people are anticipating the Bitcoin ETF and the, the Ethereum ETF. Now, I don't know if you've heard about those things, but, you know, there are. Those are some real big players, like BlackRock and Fidelity

(18:42):
Investments, and they're all now, you know, turning the corner on supporting Bitcoin and wanting to be the first to make it easy for people to buy Bitcoin on the New York Stock Exchange, for example, and through traditional financial measures that are regulated. So right now we have, like, the Grayscale Bitcoin Trust, right,

(19:06):
and that's an easy way for people to get exposure to Bitcoin through the normal financial channels, like on the stock market, for example. You know, you can buy MicroStrategy. You know, they're a big supporter of Bitcoin. My point is that there's the traditional financial regulatory frameworks that exist now, with people trading stocks and

(19:26):
derivatives and things like that, and then there's the Bitcoin and crypto world and, like Blake said, yeah, I do think that there needs to be more regulation and more, you know, of a blueprint of what you can and what you cannot do. Now I think that there's also, I know Coinbase, for example,

(19:46):
which is a popular exchange in America, has requested clarity from the SEC on, you know, what are the rules, you know, what can we do, what can't we do, and they're getting a lot of friction and not getting clear answers back. So I think there's a lot of frustration there. So I don't know why it's taking so long to get the clarity that

(20:07):
these companies need. I think that a lot of companies, especially exchanges, have moved out of America, which is sad to see, in my opinion. I mean, I think that America is a great country to start a business and I think, at least on the crypto side of things, it's become very difficult and people are scared that they're

(20:28):
going to get cracked down on by the SEC and get fined, you know. So I think that, you know, people don't know what they can and can't do. There's not a lot of clarity there. So I 100% agree that there needs to be some clarity there, and I think that that is in the works, especially with this new Bitcoin ETF and Ethereum ETF, which is, you know, BlackRock's,

(20:48):
if not the biggest financial, I think they are the biggest financial company in the world. So you're talking just tons of money that is on the sidelines right now. So, anyway, that's the kind of the. I guess we went off on a little tangent, but, you know, the point is, you know, for SIM swaps at least, you know, try to protect

(21:09):
yourself, take matters into your own hands, and we'll, you know, kind of shift gears into vendor risk management from here, and it goes back to the don't trust, verify methodology. You know, when you have a vendor that you want to do business with, or that vendor wants to do business with you, whatever, you should have a pot, a process around.

(21:31):
How do you vet the security of that vendor? Are you exchanging confidential information? You know, in the, in the, the DIB or the defense industrial base and in the CMMC world, you have typically the prime vendors and then you have the sub vendors, and it's called a trickle-down effect. So in our world with NIST, NIST SP 800-171 and now 800-172, and

(21:56):
then you've got DFARS compliance and CMMC compliance. Now the point is the big primes that, you know, the Boeing, the Lockheed Martin, you know, the real big company names that you've heard of in aerospace engineering and defense. Those guys have a framework to follow, which is what I just mentioned with NIST and CMMC.

(22:18):
And if you are a small company that helps the big company, you're considered a sub. And if there's what's called CUI or controlled unclassified information, or maybe it's even classified information, if there's some information flow that's sensitive, there's what's called a flow down from the prime to the sub.

(22:38):
The sub, they don't care if you're one person working out of your house or a thousand people working in a corporate building across different locations. You have to take all that same security of NIST 800-171, 172, CMMC. All that stuff you have to do just like the big prime. So there's no more.

(22:58):
Oh, I'm this small company, we don't need to do all this stuff. No, if you want to participate in the ecosystem and have that supply chain and that vendor relationship and get that money, that grant money or whatever that business. You need to take that security just as seriously as that big company. So, going back to vendor risk management, you want to make

(23:19):
sure that, at least on an annual basis, you're going through all the vendors you do business with and you're going through a framework like NIST 800-171 and you're following along with. Do I have all these policies and procedures in place? Are they up to date? Are they customized for my company? What am I asking of my vendors? Are you asking for proof of a pen test?
(23:41):
Are they allowed to do theirown pen test or they have to do
a third-party pen test?
We recommend third-partytesting because it's not, in our
opinion, Like a tunnel visionapproach.
It's very fresh approach andthere's teams that are doing
this all day long and you know,using different team members and

(24:02):
different expertise to exploitgaps in the system, so it's much
more effective.
But there are things that smallcompanies can do on their own.
They can do the policy work ontheir own.
They can do the, the mappingsor the adaptation of those
policies and procedures on theirown.
So a lot of the heavy liftingcan be done by the small company

(24:23):
or even the larger company, butthere should still be a
professional that's hired totest it in the end, when you're
done and you know, I think thatthe, the SPURS or the SPRS
system, was a good way that thegovernment, with the DFAR 70, 19
and 70, 20 and 70 21 that cameout a few years ago now For

(24:44):
defense contractors, theybasically were like hey, we know
that you guys are supposed tobe compliant with NIST 800 171,
but fact of the matter is weknow most of you are not,
because we're seeing all theseheadlines with hacks in the
supply chain.
So let's see how compliant youare.
And that's where the whole SPRSscoring system came into play.
And if you did not have asystem security plan, you were

(25:06):
automatically failed and you hada score of negative 203.
And if you were Doing a greatjob, your perfect score is 110.
And if you had any gapswhatsoever, you had to document
them into what's called a poem,plan of action and milestone and
you had a time frame of how andwhen you were going to fix that

(25:26):
gap.
And when you're done, then youget the points and there's a
whole DOD methodology on howthey calculate the score, then
you're supposed to be uploadingyour score into the SPRS system
on a regular basis and yourscore may change.
You may lose an employee or akey stakeholder and Maybe that
unwinds some of the security andyou have to go back and rewrite

(25:48):
your policies and remap thingsand and maybe you were A 110 at
one point and now you drop backto an 80 and now you got to do
some extra work and get yourselfback up to.
You know the speed.
But my point is you can use thismethodology to score your
vendors.
You can ask your vendors andput pressure on your vendors on.
Hey look, can you show me yourpolicies and procedures?

(26:09):
Can you show us evidence of apen test?
When was your last securityrisk assessment?
When was your lastVulnerability assessment?
What did what was tested?
What was not tested?
What, what, what did theremediation look like?
You know what I mean like.
So if you get a vendor thatyou're doing business with and
they're looking at you like theydon't know what any of this
stuff is, obviously that's a redflag.
They're not doing anything forsecurity, pretty much or very,

(26:32):
you know, minimal.
So and for the hills, yeah.
So I mean that you know thatthese are things that you can do
to kind of Essentially raisethe bar, because if you do
business with companies thattake security more seriously,
well then you're at a lesslikely risk of a breach, because

(26:53):
a breach hurts everybody.
So if one of your vendors has abreach and you're in a
Financial or businessrelationship with them, it
affects you too and you can getpulled into it, so you know.
So it can get messy, especiallyin healthcare too, like.
So if you're like a you know asoftware as a service vendor in
healthcare and you're collectingpatient health information and

(27:16):
you're subject to HIPAAcompliance and Something happens
and there's a breach, well you,you're affecting clients that
you do business with that couldbe hospitals, that could be
clinics, so it just gets messy,and it gets messy really fast.
So you definitely want to becareful with what vendors you do
business with and how you'revetting them, and you want to do

(27:38):
the vetting process at least onan annual basis.
And you want to push back andyou want to.
You know a lot of these smallercompanies especially.
The quick answer is, oh, wecan't afford to do that, we
can't.
You know, that's too expensive.
Well, I mean, like I said, alot of this stuff you can do on
your own, and it doesn'tnecessarily always cost money
either.
So there are things that can bedone that are more secure than

(28:01):
doing nothing.

Speaker 2 (28:04):
Yeah, I think that's a great point to hammer home. You know, obviously it's dominoes, right, like if your vendor falls, you fall, and understanding that. And, you know, we have a lot of people that approach us that don't agree with that, but that's the truth, you know. Oh, I'm trusting this data with the vendor.

(28:25):
I don't need to do this because the vendor does this. You know, it doesn't work like that.

Speaker 1 (28:31):
Well, look at the biggest misconception.
Yeah, and look at you know, oneof the common misconceptions
that I hear is around passwordmanagers.
A lot of people are scared touse a password manager because
their belief is oh well, thatvendor is, if they get breached,
then I'm screwed, and there issome truth to that.

(28:51):
However, if you're doing yourown due diligence and you're
doing your own methodology andprotecting yourself, let's say
you've got 10 different places,10 different accounts, and you
store those 10 differentaccounts on something like a
last pass and those 10 differentaccounts almost every company

(29:12):
supports multi-factorauthentication.
If you took those 10 accountsand you and you used an
authenticator app with each ofthose accounts, well, if
somebody got your password,they're still not getting in
your account right, because theydon't have your authenticator
token.
So my point is that if you makeit harder Now, if you use a
dumb password like password 123,and you reusing that password

(29:33):
at multiple accounts, maybe fiveor seven of those 10 accounts
well you're your own worst enemyYou're making.
Obviously you don't want yourpasswords to get exposed.
I'm not saying that that's goodor that's even tolerable.
What I'm saying, though, isthat, as a consumer, you can do
more to protect yourself byusing complex, unique passwords

(29:54):
in addition to multi-factor, andchoosing a multi-factor method
not an SMS, not text message aauthenticator app that is known
to be more secure, like Googleauthenticator, microsoft
authenticator, et cetera.
Those are ways that you cantake matters into your own hands
that, yes, it does make itharder for you to log into your

(30:16):
sites that you need to dobusiness with or bank or
whatever, but you're protecting,you're doing your part, you're
taking advantage of the securitythat's being offered to you.
If you're the type of personthat's just you, minimum
effective.
Hey, give me theeight-character password or
whatever, and I'm using the sameone for the past 10 years.
Well, I mean, now is the timeto change that habit.

(30:37):
But my point is that it is amyth that using a password
manager is not as secure,because we're all human.
I don't even know what mypasswords are.
My point is I have a provenmethodology of complex passwords
, tokens using software anddifferent.
I even use proximity tokens forcertain things, or hardware

(30:59):
tokens in addition to a software.
My point is that you choose themethodology and the layers
dependent upon what you're goingto protect, and use all of the
controls that are given to youand take advantage of them to
protect yourself.
Because if everybody were tofollow this which I don't think
will ever happen but my point isthat if most people were to use

(31:23):
what's given to them and thedepth of what's given to them,
then when a breach because it'snot a matter of if it's when a
breach happens, then you won'tbe suffering the damages from
that, because, think about,let's kind of fast forward and
play a game where, let's say,all your passwords were in last
pass If you followed what I justsaid, who cares?

(31:45):
Everybody's got your information anyway, right.
But the point is that if you put in multiple layers to
protect yourself, well, yeah, that one layer got compromised
and that's bad.
And then you just go and you move on about your day.
You choose a better solution, you go back, you change your
passwords, but you're the one that's still in control, you're
the one that still has access to your account, because you took

(32:07):
it seriously and because you had these extra layers in place, so
you didn't suffer damages, whereas most people that were
not doing that, yeah, now they suffered big time and maybe they
even lost something like crypto, because they again weren't
possibly using all the methodology around securing
their accounts as best they could.

Speaker 2 (32:29):
Yeah, I agree 100%.
You need to stay diligent.
Obviously, look, it helps to reflect in words.
Look at yourself, look at your company, look at your brand,
look at yourself as a victim, like what would I do?
Obviously, you know your vulnerabilities.

(32:50):
I could tell you I'm not the best, strongest bodybuilder,
right.
So use those in your understanding of your company to
help progress your security, right.
Take that with if you're using a third party company

(33:11):
consultants like us to help.
Hey, I know I'm weak here.
I know I'm weak there.
You know, don't get defensive in that strategy.
Don't be ignorant, because communicating that to, let's
just say, you're seeking help to secure your business, like with

(33:31):
companies like ours. Just knowing that you know we can
help streamline things a little quicker as well.
So, yeah, I'm ignorant.

Speaker 1 (33:43):
The other thing just to add to that too is don't
assume that big company or big healthcare vendor, hospital
doctors, whomever don't assume that if they're a prime, oh,
they got all this covered.
No, that's not how it works.
Again, we're trying to drive home the fact that when you do
business with a vendor or a hospital, whatever, ask for the

(34:08):
secure portal.
If they don't have one, give them a secure portal that you
manage and maintain from a trusted vendor.
Don't send information via insecure text message or
insecure email.
Use an encrypted email platform.
These are different, just examples of just.
I'm not saying that they're silver bullets or cure-alls.

(34:29):
I'm just saying that these are things that to look out for.
If your law firm is sending you a questionnaire to fill and
this questionnaire is pretty detailed around your first name,
middle name, last name, social security number, birth date you
know there's some stuff in there that's private. Don't send it
back to them via insecure email.

(34:50):
Say, look, do you have a law firm dashboard that's encrypted
where I can send this to you?
Or if they are like, no, we just do this by email, then you
need to be educated enough as a smart listener of our podcast
and be like, no, I'm not going to do that.
What other methods do you have?
If they don't have one, you need to be one to give them a

(35:13):
method and say look, we're going to use this.
Simple things that are free, like Signal.
You could exchange encrypted messages with Signal.
There's all different platforms, different capabilities of each
of these platforms.
Not necessarily all of them cost money.
The point here is that don't trust that big company or

(35:36):
whomever has all this covered, because they don't.
It's a common myth that, oh, they're a huge company or
they're a big bank, they got all this taken care of, whatever.
No, not necessarily they don't.
We're here to educate you that most often they do not and that
you should take matters into your own hands, especially when
you're dealing with any kind of sensitive information.

(35:57):
These extra safeguards that you're doing yeah, they put a
hurdle in place, but they make it more difficult.
In the event that something is exposed and there's a breach, it
pays back dividends and protections to you.
Look at what happened with Equifax.
Equifax, all of us were affected.
Now, if Equifax was encrypting, then the payload would have

(36:20):
been encrypted to the bad actors.
Again, I'm sure there's more to it in the investigation.
I wasn't part of the investigation.
My point, though, is that, again, big company.
I think the knee jerk reaction is oh big companies got our back,
they're securing us.
Well, we find, more often than not, that the big companies, as

(36:41):
well as the small companies, are still not doing enough for
cyber and protection and compliance.

Speaker 2 (36:48):
Yeah, I know this one also.
Don't give them more information than they need, even
if it's on the form, push back.

Speaker 1 (36:59):
Say look, why do you need my social security number?
Why do you need this?
There's information that you should push back on.
Just because it's on the form, don't fill it.

Speaker 2 (37:10):
Yeah, same thing.
Let's just say, for example, you're collecting information
from your clients and then you're storing that information
in X, Y, Z software.
If you don't need their social security numbers and that
software, that vendor doesn't require that that they have the
social security number, why are you collecting it and why are

(37:31):
you storing it there?
I know that sounds obvious, but people do that.
They try and make their life easy.
Oh, I'm just going to get as much information as I can.
I'm just going to put it all in one place.
If you don't need your clients' social security numbers, like,
don't collect it, don't store it.

(37:51):
I know that sounds really obvious, but it happens and
people do that surprisingly.
They're like oh what if I need it later?
No, no, don't do it.
Yeah, I should probably definitely wrap up on that note.
It's a good ending point, agreed.

Speaker 1 (38:13):
All right, thanks guys.

Speaker 2 (38:15):
See you in the next one.