
November 21, 2023 60 mins


Do you think you're up-to-date with cybersecurity and compliance? This episode will uncover some surprising facts that you may not be aware of. Firstly, we'll be unravelling the complex challenges that healthcare organizations face, especially when dealing with outdated medical equipment. We'll look at a real-life case where a hospital was hacked, and we'll discuss the importance of third-party security testing.

Next, we're shifting gears to discuss the intriguing world of Bitcoin wallet security. We'll explain why wallets prior to 2012 are particularly vulnerable and why moving them to cold storage is a strategic move. We'll also be exploring the regulatory landscape and the importance of self-assessment. We'll introduce you to resources such as NIST and CMMC and emphasize the value of antivirus software, disk encryption, and firewalls.

Finally, we'll be discussing the crucial role of compliance within companies. Compliance isn't just a box to tick - it's about taking responsibility and making sure your company has tailored its own path to compliance. We'll explore the potential impact of personnel changes on compliance scores and delve into a recent case involving a CISO charged with fraud. This episode is for everyone – business owners, cybersecurity enthusiasts, or anyone interested in staying safe in the digital world. Tune in for an eye-opening discussion that will help you navigate the complex world of cybersecurity and compliance.

This is Encrypted Ambition—a podcast about the builders rewriting the rules. Join Petronella Technology Group as we decode the ideas, challenges, and momentum behind tomorrow’s business, technology, and leadership breakthroughs. 

That’s a wrap on this episode of Encrypted Ambition. Subscribe wherever you listen, and if today’s guest inspired you—leave us a review or share the show with someone in your circle.

To learn more about how we support innovators with AI, cybersecurity, and compliance, head to PetronellaTech.com.

Thanks for listening—and remember, the future favors the bold.


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Craig (00:03):
Morning everybody. I'm Blake Ray. Hello, welcome to another podcast. We're going to talk about some top news cybersecurity and compliance. We're going to talk about CMMC, a little bit healthcare, a little bit about what you can do on your own for compliance,

(00:26):
rolling your sleeves up if you should dare to dive into that rabbit hole. And then obviously, we're always here to help. Blake, you want to take it with the hospital?

Blake (00:36):
situation. Yeah, so obviously we like to touch up on some of the news, get the podcast going and, funny enough, the cybersecurity firm has pled guilty to hacking two hospitals to boost his company's business.

(00:56):
I don't really know how you get away with stuff like this, but I mean, maybe he saw low hanging fruit and was looking for extra money. I don't know, but it was GMC hospitals and Duluth and Lawrenceville, I'm assuming that's in Georgia, and this was

(01:23):
an attack that happened in 2018. He hacked into their phone system and their printer services, and he also stole personal information for more than 200 patients. Wow, he somehow connected some type of digitizer to like a

(01:46):
mammogram machine as well. So, yeah, and also he used there's over 200 printers in the hospital and he printed stolen information out on those printers and then he had a message on it that says we own

(02:10):
you. Oh, my goodness, it just gets worse. And then he promoted the hack on Twitter, tweeting like names, dates of birth, sexes of 43 patients and other data that had been stolen.

(02:31):
And now they're trying to give him 57 months of probation, but they estimated that this hack cost the hospital over $800,000 in losses.

Craig (02:51):
I always think it would be even higher than that.

Blake (02:54):
Yeah, I mean 200 printers, 200 patients.

Craig (02:59):
Well, they probably had to declare a HIPAA breach with the Office of Civil Rights. So you know, because it was all kind of fabricated and that guy, you know, leaked information, so wouldn't that kind of class or count as a breach. I mean, I'm not a lawyer, but he exposed their information right. So I mean that's there's technical PHI involved, I don't

(03:22):
know. I mean I'm sure there's an investigation happening, but yeah, that's a mess. I mean you trust a provider and then they go rogue on you and I don't even.

Blake (03:33):
Blackmail them if they were the IT provider for them. They didn't state anything like that Interesting, but the company was Securolytics was the name of his company, and yeah, yeah, I mean the maximum term for something like this is 10

(03:57):
years, you know. So he could go down and do hard time for this, you know. Wow.

Craig (04:06):
Whenever?
How did they find it Like?
How did they figure it out?

Blake (04:10):
I have no idea. There's nothing stated here about, like you know, the investigation that led to this. I mean, it seems like, you know, posting on Twitter, you know, like your own data, like that you've recovered in the breach,

(04:33):
seems to be a little silly and and yeah, I mean just doing this in general, you know. I mean, obviously this was in 2018. You know, obviously, like the cybersecurity landscape was a lot different than it is now, you know, it was a lot more

(04:54):
challenging. I would say maybe, but, but yeah, it just seems like something that would be from a movie more than it would be from real life, you know.

Craig (05:06):
Yeah, agreed. Yeah, that's pretty crazy. I mean obviously out-care in general. What's that?

Blake (05:16):
He has agreed to pay back the $817,000 plus interest Wow.

Craig (05:24):
Yeah, I would say healthcare organizations in general are somewhat from a cybersecurity and compliance landscape challenging for the organizations because they have a lot of medical equipment and sometimes that equipment is dated and not necessarily focused on cybersecurity.

(05:48):
Some of that equipment runs old operating systems, so it's it's a challenge for healthcare organizations to run that equipment and keep it secure, so they need different. You know we talked about different layered technologies and not trusting a single vendor. So you know one of the things that I recommend when doing like

(06:10):
a pen test, for example, is not necessarily alerting your IT provider of the test and kind of seeing if they find something wrong, you know and alert you. It's kind of like a checks and balance approach. And the same with your vendors. You know you might have a cybersecurity vendor that's doing I don't know security operation center service or

(06:33):
something, or maybe you have your own soccer. My point is that hiring trusted third parties to test your people, process and technology is a good idea not necessarily a bad idea and trying to figure out and constantly drill and hone on your weaknesses and gaps and you know continuous

(06:55):
improvement is a good thing to do and that's what we teach in tabletops and our pen testing methodology and things like that. So it would be interesting to see what would happen in this kind of scenario If they were to follow that would they, you know who would have detected this kind of thing? So that's why I was curious like how they didn't it sounds like they didn't disclose how it was discovered.

(07:19):
But, yeah, anyway, that's. Yeah something that.

Blake (07:24):
I just finally got to the end that he was diagnosed with like a rare and curable form of cancer and some type of dangerous like heart condition.

Craig (07:37):
This is the IT company.

Blake (07:39):
The IT guy. Oh, the IT guy, Like there's one, I think there's one IT guy behind it. So something that kind of spins back to me is like, was he like treated at that hospital? Like, was he like did he get the news from that hospital? Like?

Craig (08:00):
Yeah, like what was the trigger right.

Blake (08:03):
Yeah, yeah, I mean, I can't think of it being financial. I mean, a lot of the stuff is always financially motivated, but how does that? That's the missing piece. Like, if he was the IT provider, like were they going to hire him, you know, and then he's oh cool, easy, you know, click the

(08:25):
box and undo all he did. Or did he get, you know, diagnosed at that hospital and you know he just was having a hard time coping with it and took it out on the hospital. You know, which again, would be the motive, right, Like what's the motive? You know? Right, A lot of times in crime, you know, you never know the

(08:47):
motive, you know, and but anyways, found that one to be pretty interesting.

Craig (08:54):
Yeah, that's definitely an interesting one, for sure. I was going to talk a little bit about this new bug Well, not necessarily new, but this discovered bug called the Randstorm bug, and how it affects millions of people. It affects millions of cryptocurrency wallets. These are software wallets that were created pretty long time

(09:17):
ago, but most of the ones that are affected with this vulnerability were using what's called BitcoinJS and leveraging a secure random function in the software to generate the seed phrase. So basically, in short, the people back in it says the

(09:41):
easiest wallets to attack were those that are generated before March of 2012. So, basically, the early adopters of Bitcoin cryptocurrency that created these wallets, which would be created with software leveraging the secure random, were trusting that the secure random functionality was truly

(10:04):
creating random seed phrases. Well, what happened was a security researcher using the handle ketamine back in 2018 had discovered this in his research that they weren't truly random and the seed phrases were weakened based on this creation.

(10:25):
So, in the short answer is these folks that if there's anyone listening that has Bitcoin on a wallet a software wallet that was created before 2012 of March, you really need to move that to a ideally a cold storage wallet, and not

(10:46):
necessarily. I don't like to recommend a specific brand maker model, but the popular ones. I know Ledger's been under scrutiny recently, but Ledger, Trezor, Handjump Engrave those are all cold wallets that are much, much more secure than any kind of hot wallet or a soft

(11:09):
wallet, and you never want to leave anything on an exchange either. So, anyway, I thought that was a good one. So, basically, wallets that were generated between 2011 and 2015 are quite vulnerable to this type of attack. So you could, according to the researcher, just have your wallet just wiped out, check your wallet balance and it's

(11:31):
just gone. So that's really, really scary. So I just want to touch on that and kind of put an alert there I also wanted to talk about. There was like a question or somebody posted somewhere asking about more advice around.

(11:53):
How do listeners roll up their sleeves and actually become compliant? We talk about all these standards like CMMC and NIST and healthcare with HIPAA and all these compliance regulations, but it sounded like there was an ask about, well, how do we do

(12:14):
this, like what are the actions? And it's kind of a difficult question to answer because it's different for everyone. So you've got frameworks. You can go to NIST.gov, NIST.gov and you can download these regulations. So if you're in healthcare, for example, if you go and search NIST 866, that's the version of publication from NIST of what

(12:38):
you need to. That's your playbook, for example, of what you need to follow for your healthcare organization. Now, some of this, or most of this, is gonna be very complicated. It's long, it's dry material, but it does give good information on what needs to be done across your people, process and technology.

(12:58):
And if you don't know where to start, my recommendation is to start with some type of assessment or a gap assessment. Now, I don't, I mean you can do what's called a self-assessment if you want to start there. If you don't have budget, it's always best to hire a certified third party, but you can roll up your sleeves and do it yourself

(13:20):
a self-assessment. That is a possibility. There are documents on NIST and there are new documents on the CMMC what's called an assessor's guide, or assessor's guidebooks that tell you what a third party certified assessor would look at like. What are they gonna focus on? And they're broken up into different controls and you just

(13:42):
you chip away at them. You look at each control and you figure out do you have this, do you not have this? And as far as actions, I think most IT folks are quite hands-on. They know their operating systems and they probably know some software to put on, like antivirus or something like that.

(14:02):
And I think that's part of the ask part of this question. It's like what do we need to do, what do we need to put on and that's why I was saying that it's challenging because it's different for everyone. Like I don't wanna say you need to go buy this brand maker model software for everyone because it's not a fit for everyone. And I mean, like you can have in certain situations Microsoft

(14:24):
Defender, that's Microsoft's antivirus product is that gonna get you compliant with everything? Absolutely not. We talked about layers and different things, but just to kind of throw out examples, that could be a layer for addressing that specific control. And another layer that would come to mind would be like

(14:46):
Microsoft, on a pro-level operating system, has what's called BitLocker, that's disk encryption, hard disk encryption. In the Apple world it's included. You don't have to buy anything, you just turn it on. So these are examples of specific controls and actions that listeners and people can take to make sure that they have

(15:08):
these controls turned on. And if you're listening and you're in a regulated environment, you should have something like BitLocker or Mac OS disk protection. In regards to hard disk encryption, you should have these on as a minimal, like you should absolutely. If you're noticing you do not, then that's a problem, that's a

(15:29):
gap. But there are other brand makes and models of software as well as hardware to address these. I know there are several companies that have like physical hard drives that have encryption built into the hardware, which is, in my opinion, a step up from software. So it uses not just software but hardware and software

(15:51):
working together to give you even more security at the disk encryption level. Then you've got your traditional firewalls, for example. Firewalls used to be the gold standard in protecting your network. Think of a firewall as kind of like a traffic cop what packets are good, what packets are bad, block all the bad stuff.

(16:12):
Well, what happened was, with the landscape changing, a lot of the bad traffic was coming over the internet, so the firewall wasn't really doing anything, it was just letting that information through. Back in the old days it was port 80 for insecure, now it's mostly port 443. For secure SSL traffic, the firewall is not looking and

(16:35):
doing what's called deep inspection, unless you have a specific firewall that has that function. And that function is technically different. It's intrusion detection, intrusion prevention, so IDS, IPS. So those filtering technologies are again another layer and another discussion point and reference point for a control in these frameworks, for example, NIST.

(16:58):
For example, if you're in the DOD or Defense Industrial Base world and you're subject to NIST 800-171 and the new CMMC 2.0, which is supposed to be signed into law any day now, you have a requirement for what's called a PEN test or a penetration test, and the controls for that are 3.12.1, 3.12.2 and 3.12.3, and

(17:26):
they require you to perform tests of these controls and implementation and to make sure that there's any corrective actions if there's any gaps. So in order to pass your audit and become NIST 800-171 or the new version of that would be CMMC 2.0, maturity level two in

(17:49):
order to get your pass you need to have a PEN test done, and we could certainly help you with that. There are other companies that can help you with that too. But you want to have a thorough third party PEN test and evidence of that and then you have what's called a report that shows all your gaps and then you need to fix all your gaps.

(18:09):
If you can't fix them in the NIST world, you need to do what's called a Plan of Action and Milestones or a PoAM. You only got one time to PoAM and you got six months. Now in the NIST world you can keep PoAMing, but they got rid of that in the CMMC. So currently with the law you can PoAM and then PoAM again.

(18:34):
Well, they took that away with CMMC, so you can only PoAM once. So my recommendation is try not to PoAM at all, because you got to fix it anyway. So try to fix whatever you can permanently and get your points for your SPRS in the NIST world and then get your double scoring for CMMC's world.

(18:55):
But my point here is these are some action items that everyone can do, whether in the CMMC world or in the HIPAA world or any kind of really regulated world. I mean, all these things really would be good things to do. Right? The same thing with training. Training, security awareness training is so important.

(19:15):
I think it's the most underlooked item. I think most people assume oh yeah, yeah, yeah, we got training, we're good, but they don't take training and testing and drilling seriously enough in my opinion, and they don't actually have the evidence to prove that fact.

(19:35):
And we find this time and time again with advanced training like tabletop exercises. So my point is with training, you've got different levels again, different control points that reference whichever regulation you're subject to. But in the CMMC world you've got three. You got 81, 82 and 83, and that's in the NIST 800-171.

(19:58):
In the CMMC world Now most people have the first one, which is your generic anything on the web cybersecurity and awareness training, but very rarely do they have the second and third one. And the second and third one talk about role-based training. So if you're a small company, you probably have your typical

(20:19):
users. You might have managers in your company, you might have C levels in your company. So the role-based training means you have that different training modules for each of those groups of people, because the training for your IT admin guy is gonna be different than your typical user training and they're gonna use different software and they're gonna need to be trained on those software

(20:42):
packages. And the same for C levels. C levels they're more interested in the executive side of things. If the CFO, for example, should get different training than your users and different training than your IT guy, so by having these different training pieces and then different testing and drills, it's super important to have all the

(21:05):
evidence for that because that's how you pass the training pieces. And in the NIST world you've got 110 different controls that you need to address and it's actually quite higher than 110 because you have what's called NFO controls and then you have controls that have what's called dependencies. So it's way higher than 110.

(21:26):
I mean, 110 is a lot, I think, for a small business. But to encapsulate everything meaning policies, procedures, different software, hardware to run on things, trainings if you add all that together it's well over 110. So my point is there's still a lot of work to do for most people.

(21:47):
We're here to help on any or all of it, but yes, there are things that people can do themselves. Those are some examples. There's many, many more of those examples and I encourage listeners to go on the trusted websites like the NIST.gov and the CMMC. There's a page there from the Department of Defense and you

(22:09):
can download these documents there's no charge. You can read them yourself they're mostly PDFs or HTML versions and just browse through them. I mean, some of them are super long 300, 400, 600 pages. There's supplements to some of them, so you need to have all pieces. But dive deep and, yeah, if there's things that you can do, by all means go ahead and do them.

(22:29):
But if you're looking for the catalyst, if you're looking to, if you're sitting there listening thinking this is just too much, I don't know how I'm gonna do this. I mean, we're here to help you. We're not here to shame you or anything. We're here to support you wherever you are in your journey and our promise to you is to get you compliant as quickly as

(22:51):
we can and as reasonably as we can at a budget that you can afford, and just keep chipping away at it until we get you there and give you all the evidence so that you can pass the audit on the first try. That's our promise to you and that's why we do this. We do this for you guys, so that you can continue to do what

(23:12):
you do best, which is focus on your business.

Blake (23:16):
Yeah, we've also talked about how we can make the podcast educational as much as we can, but there's no one-size-fits-all I think everybody has a different course. If you're trying to get fit and get healthy some people are going to start running, some people are going to start

(23:37):
swimming it's hard for us to say, okay, here's everything you need to do From the first episode to the last episode of our podcast. Okay, that's all you're going to need to listen to, that's all you're going to need to do. No, there's more to it. And also it crosses an ethical perspective, whereas it's not

(24:05):
super ethical for us to talk about how you can be compliant, because it's different for every company, and we can't list out and name certain vendors, because that's vendor bias and that's unfair and that's why the NIST and the CMMC, that's why they don't do that.

Craig (24:24):
That's why they don't say, oh, just go buy this, this and that, and we, as your provider, don't want to do that either. That's why we're vendor independent. We like certain vendors, we've tested certain vendors and if you want that information, we're happy to give that to you. But we also want to give you options so that you can make the choice yourself.

(24:45):
It's not our choice to make. We can make suggestions, but again, it would be our vetting and testing and our opinion. But ultimately you're signing your name and your company at the bottom of this. So even if we were hired to help you or you hire somebody else, they're not signing their name. At the end of this thing. You are.

(25:05):
So you can't outsource that responsibility and that's very important for people to understand. You can't go buy Microsoft 365 and think, oh, it's Microsoft's problem now for you to be compliant and secure. If you read Microsoft's terms and conditions, they don't back you up, they're not responsible for your data.

(25:27):
If you don't have your own backups or you don't do your own process to download your data, send it to a hard drive and that's a process or hire a company to do that for you, or buy software to do that for you. If you don't do those things, you're not going to pass an audit against that, because you're going to fail on that gap.

(25:48):
And it's the same thing with medical companies. You can't just go buy Epic or some EHR product and assume that, oh, they're going to do all your HIPAA compliance. It doesn't work that way. Yes, they have their part of the ecosystem. However, you have your part too, and as you read through these

(26:08):
hundreds of pages, you'll realize what's the company's responsibility and ultimately, most of it's your responsibility. So the inner workings and the methodology of how you become compliant are different for everyone, as Blake said, and everybody's risk tolerances and budgets are different. So one system or solution that works and a methodology that

(26:31):
works for a small company may not work for another company that's either even similar in size or maybe a little larger. Everything's different. But you cannot outsource the responsibility of compliance and you can't just go buy a product or a software service or a piece of hardware and assume that your job is done and then you're done with this.

(26:51):
This is a continuous effort and for most it's a. I don't know if you remember Blake, but we had a cartoonist actually draw the journey of compliance for HIPAA and also the mountain for CMMC that has different peaks on it and I feel like that's a great graphical depiction of the journey and you

(27:11):
could be somewhere on that trail of the mountain. Everybody's on a different spot, but the point is that you're not going to get to the top of that mountain without a lot of hard work at the beginning. Yes, your job will become easier as you hit the peak and you're compliant, and then to kind of coast, I guess, or

(27:34):
what's the best way to put it just kind of your ongoing maintenance of keeping you in compliance, because once you get compliant you can fall out of compliance very quickly. Like, let's say, you get compliance and you've got your 110 perfect score for SPRS and you don't have any PoAMs anymore and you're good.

(27:55):
And then now you switch gears to CMMC 2.0. And maybe if you're in, if you're subject to NIST 800-171 and you're handling CUI, now you're equivalent to CMMC 2.0, maturity level two, if you're in that world and that's, that's your company. You know what if your IT guy or your cybersecurity analyst put

(28:15):
their two week notice in. You know, now you've got a gap. So if that person or those people were a part of your structure, of how you became compliant and job roles and responsibilities, then you have them named in your documents and your policies and procedures and you should, you should have teams in there and they should all be. You know responsibilities and things like that, but now you

(28:37):
have a people or a human gap you need. You just dropped your score. You were 110 and now, however many you know control levels that are affected, your score just dropped until you find a replacement. And then, when you do find the replacement, now you got to make sure they're trained enough to speed and then you got to test them Right. So if you, in order to get your points back, you got to retest.

(28:59):
So my point is that this is never a one and done. It's a constant effort, but it affects everything. It affects people, process and technology.

Blake (29:12):
Yeah, I mean, I like to think of it as kind of like hiking. You know, like you're not able to take the paved like dirt path right, that it doesn't exist in compliance. Like you are going through the forest. If you have a service provider or consultant, like us, we're

(29:32):
the compass. You know, if you don't have a service provider, you're just walking through the forest with aimlessly so compliance. It doesn't really work like that. And something that I think that Craig, like we can't really overstate or you know it's super important is is we never really

(29:54):
talked about liability, like compliance liability, like as you who's taking, you know, the grant or getting funding, or you know you're always going to be liable. You know, I think Craig kind of touched on that, but not not

(30:14):
deep enough. You know, like some people assume and we've had here's an example like we've had a lot of people that came to us for healthcare, you know, for HIPAA, and they're like, oh, I'm using this customer resource management software like insert, you know name here right, oh yeah, they're HIPAA compliant. Like I don't need to be.

(30:35):
It's like, no, does it really work like that? You know, we've had so many doctors and dentists and chiropractors that have told us that and there's, there's misinterpretation of the law and it's like, you know, all these doctor buddies or all these dentist buddies, or all these chiropractor buddies, one person thinks he's got the recipe and

(30:58):
then he tells all of his buddies, and then Well, and the part that kind of adds on what Blake's saying is that there's a lot of misinformation out there.

Craig (31:08):
There's a lot of like.
We'll talk about dentists for aminute.
There's a lot of dental ITservice providers that all they
specialize in is dentists andthey're well known in dentists.
However, they are notcybersecurity experts.
They're not compliance experts.
So when the dentist goes tothem and says I need you to help

(31:29):
me with X, y and Z and theydon't, the dentist is trusting
that IT company to just do whatthey need to do because the
dentist doesn't understand thecompliance and the requirements.
Now the dentist should read upand understand what they're
getting themselves into becauseagain, like I said before, the
dentist at the end of the day issigning off on everything and

(31:50):
saying, yeah, yeah, we're HIPAAcompliant now because XYZ IT
provider said we did.
But here's the.
Here's the thing we're tryingto drive home.
The IT provider is great atdoing IT, but they're not a
cybersecurity and complianceprovider and they should not be
doing cybersecurity andcompliance.
It's actually a conflict ofinterest.

(32:11):
And if that IT provider issaying, oh, yeah, yeah, we do
your HIPAA compliant, we doeverything for you, we roll it
all up and it's this cheap priceof $500 a month or whatever it
is.
That's a red flag and, yeah,they might be doing some things
for you, but they're certainlynot doing everything and there's
liability there and I'm not alawyer, I'm not pretending to be

(32:33):
one, but my point is that as acustomer, you need to be doing
your own due diligence andhiring after that project's done
, hiring an expert incybersecurity and compliance and
doing the gap assessment and orpen test and checking all that
work, because I guarantee you'regoing to see gaps that you

(32:56):
didn't realize you had and youthought your IT provider covered
for you but did not.
You'll find real quick yourgaps and weaknesses on what
needs to be filled andoftentimes you should hire that
or a cybersecurity or complianceexpert to fix the gaps and then
retest, because there's alwaysgoing to be gaps.

(33:19):
Nobody's perfect and if you'reperfect at a certain period of
time, tomorrow you might havelost a guy or some software got
unwound or some hardware had anissue.
This is always an up and downthing.
That's what we were sayingbefore.
It's always continuousimprovement and continuous work
on this stuff.
But what came to mind whenBlake said that is I don't know
if you guys are aware, but withthe SolarWinds hack that

(33:42):
happened, that we talked aboutin several episodes ago, which
was software that a lot ofmedical as well as department of
defense clients were using tomanage their updates and their
patches At the time, a trustedvendor that these people were
paying to make their automationsand IT run more efficiently

(34:05):
Long story short, they gothacked and that's how malware
was dropped onto these endpointsand caused all sorts of
breaches and things like that.
Well, I saw an article recentlythat the authorities are
charging the CISO with fraud.
That's a game changer.
Now think about that for aminute.

(34:27):
If you are a medical company or you are a Department of Defense contractor and you've hired XYZ IT company, or maybe you had an IT guy for 20 years and you trust that that person is doing everything great for you and you're just at the end signing off saying yeah, yeah, my SPRS score is 110, we're all great,

(34:47):
everything's all good. Then an audit happens. Or fast forward to CMMC 2.0 and you need your audit. You need to get your gold star. A C3PAO comes in or, if you're a Level 3, a government-led assessor comes in, finds all these gaps and weaknesses. No man, you're not compliant. You think you have a 110, but you really got a 50.

(35:07):
When you're like, what? I thought Bob in the corner had everything going. No, you can't say that you have this control met, because here's why. By the way, the auditor doesn't tell you what you did wrong. They just tell you here's your new score, go fix it. Pretty much, they're not allowed to tell you how to fix it. You get your fail and, by the way, you paid for that.

(35:30):
You got to pay for your audit. It's expensive and if you fail you got to pay for another one after you fix your gaps and you got to keep paying until you pass. It's not easy. This work is hard. That's why we exist and we're here to help people. But yeah, that CISO is getting charged with a crime and prison

(35:53):
time, because I guess the case against them is he should have caught that and should have known the risks. Before such a devastating breach, one of the top breaches of all time, he or she let it happen, or the team let it happen. That comes back to the listener or the business owner or the

(36:15):
CTO or the CIO. If you're signing off on this stuff and you don't really have the evidence to back up what you're signing, that's a red flag because that could put you in hot water.

Blake (36:25):
I think something that this case proved is negligence, and this is compliance, for talking about, of course, existing and compliance. Negligence is fraud and fraud is criminal. That's the connection that I took from this.

Craig (36:44):
Well, I think the other part of that is you can't, if you know, if you're taking contracts from the government or a grant. There were grants that were given out in the medical world from the push from paper records to electronic medical records. The government was like, oh yeah, we want to get you accelerated to the digital world. They gave grant money.

(37:05):
Well, part of the catch for the grant money was you need to be HIPAA compliant. Well, what the government did when they did enforcements is they found that a lot of practices were taking the grant money but they weren't doing the action. They weren't moving from paper to electronic. So guess what happened? They had to give all that money back and pay multiple.

(37:26):
Oftentimes up to three times multiple back. So if they got 100 grand in a grant, they had to pay back 300,000 plus penalties. And that happens in the defense world too, with the False Claims Act. Same kind of methodology there. So if you signed off and you got a million dollar grant over three or five years from the government and in your grant, in

(37:48):
your details it says you have to be NIST 800-171 or you're handling CUI. If you don't have your evidence to back all that up, they can audit you and you'll have to pay all that money back. And I think that's the thing that people don't realize. They don't realize what they're signing and their responsibilities and they just don't think it's going to happen

(38:09):
to them. Well, I know for a fact that there's crackdowns and there's audits happening. There are NIST audits. They are happening, there are CMMC audits, and I think for a lot of these defense contractors, especially the subs, it's kind of a wake-up call. I mean, if you know that you're not compliant but you're not

(38:32):
doing anything about it, I think that's Blake's point, you're committing a crime. It's not legal to do that and we're not telling you how to run your business. But if you're signing off on something and you need to be compliant with it, we're here to help you get the evidence and do the right thing to become compliant.

Blake (38:53):
So I think there's also a misconception for service providers like ours. We're not here to police the law. We get a lot of people that are scared to communicate with us, it seems like, because they feel like we're going to turn them around and put some handcuffs on them. We're not here to police the law.

(39:15):
We are here genuinely to help. So, yeah, I mean there's really only... I could say about that. If you're considering going into healthcare or a complex

(39:35):
regulated industry, you should probably look at compliance first before you even start about getting your business together or what. One of us can hop on a call with you. We also can do some consulting and tell you what you're going to have to face. It's like summiting Mount Kilimanjaro or Mount Everest.

(40:01):
People that go to Mount Everest will tell you what it took for them to get to the top of Mount Everest. It's not like, oh no, you go figure it out yourself. Meanwhile, people die on the summit. That's not what we're here for. We are here as genuine consultants to help, to assist,

(40:26):
to navigate, because we found challenges. We have summited Kilimanjaro or Everest or whatever, and it's not easy. A lot of clients aren't prepared and they get into it and they're just realizing how minute and mundane everything is

(40:48):
for this adventure. A lot of people get halfway up and some people stop. Or we've had instances where people, they don't listen to what we say because they read something on the internet or that misinformation.

(41:09):
Oh, my friend's a dentist or my friend's a chiropractor. He told me this is all I need to do. Okay, but you're paying us to tell you and help you and you're listening to your friend who you feel like has gone on that summit. No, he watched it from the television, like, no? There's been a lot of instances where people push back on what

(41:33):
we advise. Obviously that's a different topic, right?

Craig (41:38):
Yeah, but to stem off of that, though, we exist for you guys, we exist to help you guys. We're always vetting and testing different products, services, software, hardware, whatever. We are here to give you the best security possible. We're often asked, you're a smaller company, how could you

(42:00):
protect us? XYZ is a bigger company? Well, guess what? All of the, most of the bigger companies are all in the headlines. We're not saying that to be arrogant or to just kind of... Our point is that we have a methodology that we've developed

(42:20):
over two decades now and it's extremely effective for the clients that listen to us, that truly don't want to experience being hacked. We help you, we help protect you, but you need to listen to our advice. We are the experts in this industry and we work super hard to stay at that high level and protect our clients.

(42:43):
It's not a simple solution and it's not the same solution for everyone. Everyone's different, everyone's workload's different, everyone's climb up that mountain is different, or that hike. My point is that it just starts with a phone call to ask us some simple questions around your situation and how we can

(43:07):
help you. One thing that comes to mind when the CMMC came out is they allowed what's called enclaves. Enclaves are small areas that are security hardened. If you're a company of 100 and you have an enclave and you've only got five people or 10 people in your organization that handle the CUI, the sensitive information, a cheaper way to

(43:31):
get you compliant is to leverage enclaves. Instead of you doing top security for everyone, all 100, that could get costly and out of budget real fast. A way that the government in the defense industrial base or the CMMC world has said you can leverage what's called enclaves

(43:52):
and secure only those that are handling CUI, separate them from the rest of the network and show evidence of that. We are experts in building and maintaining enclaves and that in turn saves you a ton of money. Other competition will actually hide enclaves from you

(44:13):
and just want to get the bigger payout of the project. We don't exist for that. We're in it for the long haul. We want to build relationships, we want to be your partner forever and we don't want any kind of quick project payout. Like Blake said before, it's different for everyone. It all starts with a call and we're not here to just check the

(44:37):
box. We're not here to give you that minimum effective dose so that you can just say yes to that questionnaire and move on. We're here to make sure that if you say yes to something, you have multiple forms of evidence to back it up, and we're here looking through an auditor's lens of will that pass muster and will it pass it today?

(44:58):
That's continuous effort, and evidence building needs to happen for it to continue to pass, and that's why we're here.

Blake (45:07):
And there's two different types of doctors. You know, obviously we use this doctor analogy a lot. But there's doctors that you go to the doctor and you're, hey, here's your pill, get out. You know they're treating your symptoms, right. And then there's another doctor that's more thorough, that

(45:30):
addresses the underlying cause. You know, that's us. You know we're like, okay, why aren't you compliant? Like, what was holding you back from being compliant? We're not just saying install this software, get out of here, you know, and then taking X thousands of dollars or X

(45:50):
thousands of dollars, you know, like that's not who we are. You know, and we get a lot of people that want that pill and I don't feel like, and I know Craig, I mean Craig, obviously we have the same goals, like we both don't feel like that's very ethical.

(46:10):
It's an ethical approach. You know, everybody wants the quick.

Craig (46:15):
They all want the quick version that doesn't cost much money. What's the cheapest way I can do this so I can check the box and move on with my day, and it just doesn't work that way.

Blake (46:23):
Yeah, and a lot of times too, like from the health and doctors' perspective. Like, you know, before a doctor prescribes you medication, you know, sometimes they'll test you. Like, oh, like what's your? They'll do blood work, you know, to see if you have some reaction or maybe you have something in your blood that would react or negatively impact this drug.

(46:46):
Or they'll look at, you know, what other drugs you're taking. You know, I mean, come on, you know, like, let's be real, like that's what needs to happen for safety reasons, like we need to look at what's going on, you know, with your business internally before we can say, hey, here's a path. You know, here's what we would suggest.

(47:08):
Like we just can't, we can't do it, you know, and you know the podcast has been, it's informational and, to a degree, is educational. But how can we put all that in a podcast? You know, like, if you have a suggestion, please write us, please call us. You know we just can't, we don't feel like that we could

(47:32):
figure. I mean that just doesn't exist, right, you know. I mean it's like you buying a lock for your door, you know, and just, oh, just, let me go buy a random key, you know, let me just see if it works. And then, you know, you go to Home Depot 85,000 times, you know, to get that key, you know. And until you finally get it, you know.

(47:54):
Imagine the time, effort, energy, right, I mean, obviously we know that's not how it works, right, you know. But that's essentially the same thing that, you know, some companies are asking for us to do. You know, from that perspective, like, oh, here's a paragraph about my business. Tell me how I can be compliant, you know.

(48:17):
Or we go to their website. Tell me how I can be compliant. I don't know. I really don't have the answers for you, because I need to get hands on. Craig needs to get hands on. Like, we need to figure out, you know, gap assessment. You know we need to figure out where you're lacking, right,

(48:38):
what's wrong. You know we need to do some tests and that is our form of a checkup. You know, a physical or whatever, you know, health check. That's just what we need to do. So hopefully that addresses, you know, sorry for the rant, but hopefully that addresses some of the comments that we've

(49:00):
been getting. You know, I mean, please feel free to, you're free to reach out to us, you know, you never said it to us directly, you know, if there's questions you have that you feel like we're not addressing on the podcast, I think it'd be cool for us in the future to collect questions.

Craig (49:18):
You know, maybe on our website we could put, you know, or maybe in the podcast description, you know, we could have a submission section, or just, yeah, for, you know, until we kind of build that out, just go to our website and just reach out and put your questions there and we'll just collect them each week, you know, and then we'll just, you know, try to answer them live on the podcast.

(49:39):
You know, I mean we, you know, this podcast, it takes a lot of time and effort and money to make this work and we're doing this for our listeners to understand a glimpse into the cybersecurity and compliance world, to get caught up quickly with news and updates in our industry and different regulations.

(49:59):
But it's definitely not to put anybody down or instill fear or anything. I mean we truly are here to help and we work really hard for our customers, you know, day and night. And, you know, like I said before, we're not vendor-tied. We're not, you know, just looking to use or sell you

(50:21):
something that we make a quick commission off of. That's just not how we operate. We worked really hard over the past two decades to build partners and good relationships with our customers because we truly want to make them as unhackable as possible, and that's just our, that's our mission, you know, and our promise with compliance is to help you pass your audit so that

(50:41):
you're not sideswiped and hit with something that you just completely missed. You know we're here to show you, as an auditor would or a hacker, how they view your company, and that company viewpoint, that vantage point, it could start with your website. It could start with social media, it could start with how

(51:02):
are they doing recon on you, and it could also be with social engineering and impersonations. You know we've talked about it in other episodes where we've done testing for major financial institutions, and, you know, we want all of the legs of the stool across people, process and technology to be the strongest that they can be and we want you

(51:25):
and your company to be the strongest that it can be so that you can grow. And in turn, you know, a lot of people, I think, view regulations and compliance as kind of like the thorn in their side. But I think the fact that remains is that if you guys do a lot of this stuff that you're supposed to be doing, if you're in a regulated industry, it makes you better, it makes you

(51:46):
stronger, it gives you the foundation, the organization, so that you guys can grow at a faster pace and have that competitive advantage, and I think that that's really the takeaway from all this.

Blake (52:00):
Yeah, and something too that we never really addressed on air. But obviously, like when we first started our podcast, it was more to address our current customers, right. Obviously, that has wildly changed after we saw the data. You know we have a lot of people that are listening. So then we're like, all right, we wanna give our take on

(52:23):
cybersecurity, right? You know, that is where, that's the niche we fill in the podcast world. And, you know, obviously we talk about compliance because we are a compliance focused company, but it's hard for us to cross that threshold. So the podcast has evolved a lot.

(52:44):
You guys have made it evolve, you listeners, and we appreciate everybody who listens, leaves comments, reaches out, you know. But, yeah, you know, that's something that, you know, as I'm sure you've probably listened, you've heard the evolution, right, and that's just really the only way that it can evolve. It only evolves in this direction.

(53:05):
You know, if we had the ability to be 100% compliance focused, I mean, we'd probably have no listeners for one, because unfortunately it's not a hot topic. You know, nobody wants to hear your parents scream at you or whatever, you know, for cleaning up your room.

(53:25):
You know, I mean, unfortunately, that's the role it seems like we have to take in compliance. But no, no, it's spun into our opinion on the direction of the cybersecurity industry. You know, it's never been a DIY how-to podcast. You know, imagine, you know, here's, imagine trying to learn

(53:50):
how to build a house from a podcast. You know, not seeing anything, not having blueprints, you know, I mean, it's just, that's the challenge that we face, you know, and of course, we're trying to be better. You know we're always trying to progress the information we disclose, and, you know, so all it takes is for you to call us.

(54:12):
You know, and I see the data, you know, and we definitely don't get as many calls as we do listeners, you know. So, yeah, I mean, we're not here just to talk, we're here to help, you know. So, yeah, for some of you that are our clients, thank you, and

(54:33):
for some of you that are listening, that aren't our clients, we're here.

Craig (54:39):
Yeah, one thing to just add to that too is that we're very well connected in our world, in our space. We have, for over two decades now, had strong partnerships. One case that came to mind is a customer that is looking to get SOC 2 Type 2 compliant. We can help with all the readiness consulting and the

(55:02):
prep work but we can't do the formal audit. But we have a great partner that does the formal audit. A formal audit for SOC 2 Type 2 requires a certified public accounting firm, a CPA firm that has to have the certification to be able to do the SOC audit. We work closely with them for that readiness consulting.

(55:26):
We work before the audit, the formal audit, and we work after for remediation to help our client. If you're a listener and you have an issue that you're not really sure, if it's something that we can handle, reach out anyway, because there's still a high chance that we know a partner that we could refer you to if you're not a fit for us.

(55:47):
Last thing I'll say is it's close to Thanksgiving, so everybody likes a Black Friday deal. We've got a secret Black Friday thing going on. If you just reach out to us and you put "secret" in the description or in the body or the subject line of the email, then we'll let you know those details.

Blake (56:10):
Wow, I didn't know we were doing this for Black Friday.

Craig (56:13):
That's because it was a secret.
I see that as an insider.

Blake (56:18):
I didn't even know that. I'm sitting here shopping for Black Friday stuff.

Craig (56:22):
Also, it's everybody else. But I figured, well, why not try to give our listeners something that is on their radar, to get this stuff done and a starting point, right? Nobody wants to... Nobody wakes up and says I want to do compliance today, but hopefully we'll make it worth your while. So reach out to us.

Blake (56:44):
Yeah, I've been looking at all the Black Friday deals this year and it seems like post-COVID, all the Black Friday deals are just nothing. I used to be super excited for Black Friday and now I'm just like, nah, not for me. Maybe I'll pick up something, a video game or something, who knows, right, but that's it.

Craig (57:04):
Yeah, I mean our Black Friday deal is pretty awesome. Like I said, it's a secret, but the reality for you, Blake, most of the deals, they either exclude certain brands or whatever and then you don't get the deal. It's pretty rare that you actually get something that's

(57:25):
worth it. There were some deals I heard going on at Trezor's website, not an endorsement, I don't have a commission or anything from there, for a cold wallet. I think Ledger's got some stuff there if you're looking for something like that. So I think there are some legit deals there. Again, with those kind of things, go direct to the manufacturer. Never go to a reseller. Again, I'm not vendor-tied with them.

(57:47):
I don't get a commission. I don't have a special link for you to use. I'm just saying that as I was browsing around, I did see some legit deals like that. Certain companies, like software companies, they do have some legit deals. I know one of the tools that we use for certain things, like Snagit, I think that I saw a pretty good deal on their software. Just

(58:11):
depends. I think it depends, like the whole Amazon Prime Day, things like that. I could never find really good deals on anything there. I think maybe they had deals on an Amazon branded thing like a Kindle or something like that they might have had a deal on. But Apple, I don't think Apple really does anything for Black Friday, do they? Or Microsoft? I don't think any of the big names, I don't think they really

(58:34):
do anything like that. It just depends on what you're looking for, I think. I think it depends on what kind of niche or vertical the item, if you're looking for gifts, falls into. I think most software probably has a Black Friday deal, because software has a pretty good markup. I think it just depends.

(58:54):
But yeah, I think everybody's looking to see if there is a legit deal. So that's why I put out the one for our listeners there. But I think that's probably a good endpoint.

Blake (59:06):
Yeah, I did see, unrelated, but I did see some of the Bose. I think their QC35 IIs were like $150. And I was like, okay, that might be something I pull the trigger on. But happy Thanksgiving, everybody.

Craig (59:23):
Absolutely, happy Thanksgiving. We're very thankful for our listeners and for our customers, for sure.

Blake (59:29):
Thank you for your continued support. You know, obviously we wouldn't have kept doing this without you. So yeah, I guess reach out to Craig and he'll have to send me off stream what that Black Friday deal is. So would you call? I'll know. Absolutely. Well, thanks guys. Till next time.

Craig (59:51):
See ya.