Preview Mode Links will not work in preview mode

Thanks for joining us! Let me know if there are any topics you'd like us to cover by sending an email to me at craigpeterson . com!

  1. All Episodes
  2. Are You Ready For "Shields Up"?

Are You Ready For "Shields Up"?

Feb 19, 2022

Conservative/libertarian host Craig Peterson is heard throughout New England every week giving his opinion on Cybersecurity, new Technologies, and Government involvement.

This week, Craig talks about the latest announcement from the Feds: "Shields Up!" They're warning about Cyber attacks against the US. Coming from Russia, they expect untold carnage. But how likely is it?

Also this week: Senators trying to spy on all our digital information (including a RINO Republican). The "Right to Repair" backfires. Six reasons Meta/Facebook is failing. The top Cyber problems in 2021. More malware attacking Apple Mac computers. The five things businesses need to do for Cyber Security right now.

We've got a big alert from this CISA. That's our cybersecurity and infrastructure agency to come down about a week or so ago. It's been going up and down and of course the tensions out there are causing problems. So let's talk about it. 

[The following is an automated transcript.]

[00:00:17] CISA is an agency of the federal government. And it's one that I follow frankly, pretty closely, because they are the ones that are supposed to be helping us in industry, as well as helping the federal government keep their security stuff in order now, are they well, yeah, they are. They are, but the bottom line is they've got a whole bunch of rules.

[00:00:44] Cool new things. And I'm going to show that to you here. This is called shields up over at CISA. For those of you who are watching online, you'll be able to see it right here. So let me just switch over. You've got it up now. Let me just go full screen on that so you can see the whole thing, but this is see.

[00:01:06] C I S A.gov and they have a whole ton of cybersecurity resources there. One of the things I hear the most from people is just how freaking difficult it is to try and keep track of things, even understand the regulations, let alone learn all of this stuff, but you can see on their site that.

[00:01:28] Training and exercises summit, that's coming up, combating cyber crime, and many other things. So what we're concerned about right now is. But this whole thing with Russia. Now you've heard about Russia or a lot, of course we've caught the germ report talking about Russian fake collusion, frankly. And we have Russians who have been hacking us.

[00:01:53] In fact, I've got an article on that today. Let me pull that up as well. You'll be able to see it. It is an incredible thing when you get right down to it. What Russia has been trying to do is attack and steal things directly from our agencies, right? The DOD as well. If you are a contractor, You are in a great deal of trouble.

[00:02:18] I don't have that article handy, but they are going after all of our friends at the DOD and all of their contractors and subcontractors. So what happened? There was technology that was supposed to believe be implemented at all of the contractors that of course did not get implemented. So that's a problem if you ask me, but it's now changed.

[00:02:43] Okay. 2022, what has happened? 20, 20, 22, they decided that the regulations that were in place were not tough enough. Not even close to being tough enough. So what. Is they added teeth, incredible teeth to these what are called CMMC regulations, which are the regulations that are about the cyber security maturity, if you will, of these DOD contractors.

[00:03:12] So now we're looking at this article, I'll pull it up on my screen again here that this has particular ones from security Boulevard, but it is warning about the risk of the Russians really hacking us. Now that's nothing new. We've known about that for a long time. We've known that the Russians and the Chinese are both trying to get in.

[00:03:34] I have customers who I picked up after they'd been hacked. And in fact, in most cases they didn't even know they'd been hacked was just something weird that was going on. So this alerts highlighting several cybersecurity vulnerabilities that these nation states and cybercriminals are likely to be leveraging.

[00:03:56] And they've outlined certain steps that organizations can take to reduce the risk. So what are those steps? I'm going to bring them up right now for those of you who are watching, but I may make it a little. How do you do this while they're saying let's break it down. We want you to reduce the likelihood of a damaging cyber intrusion.

[00:04:19] Again, sisa.gov. If you want to follow along at home, cis.gov, validate that all remote access to the organization's network and privileged or administrative access. Requires multi-factor authentication. We're setting that up for a company right now. In fact, ensure that software is up-to-date prioritizing updates, that address known exploited vulnerabilities identified by CISA.

[00:04:44] So you see that link that's right there. That brings us to this massive. Database, if you will of known vulnerabilities just 38 pages, 377 known vulnerabilities. So how does this work? When you get right down to it, you can look at the CVS. CVS over here on the left. If you cook on one of the CVS.

[00:05:07] It gives you some really good information, including some information about how to fix it, how to patch it and what the severity is. So what you want are those that are being actively exploded in the wild, basically 10 or a nine. There is a scale of zero to 10. Probably not even zero, but that's where the scale is.

[00:05:31] You notice here, by the way I add Dole bay is their top one. They are terrible when it comes to a lot of their software. So you can start. By whatever you might want to sort it by when it was added the action and the due date, which is for again, federal government people and federal government contractors and there's notes there as well.

[00:05:55] So this is something, if you are responsible for the cybersecurity in your business, you might be the office manager. That's so common in small companies and as the office manager, you are supposed to be. In charge of the computers. I can tell you with a great deal of assurance that most of the companies that are providing computers service are not providing these types of updates in a timely manner.

[00:06:25] Why because it's difficult to do so you have to do it. You have to track it. Okay. So shields up, let's go right back to that. They're talking about the other things that you should do. If you're using cloud services, this is just incredible because there's more. To do Microsoft. I had to put this in a proposal this week because the company didn't realize you're using all of this Microsoft 365 thing.

[00:06:53] You've probably heard about that. They've got email, they've got SharePoint, they've got all these other wonderful services and it's nice in an expensive to use, but here's your. The problem is that these particular services don't provide you with backups. It's not a guarantee, data, integrity, any data loss is your problem.

[00:07:15] And Microsoft has been sued on this unsuccessfully so far I might add. So just because it's in the cloud, not only does it mean it's not safe, it is just another word for someone else's computer and it can be completely. Unsafe. So you gotta watch it. You gotta be careful. So CSUs warning about that.

[00:07:35] They've got this free hygiene service. Now I applied for this. I'm going to pull this up again on my screen here for those who are watching live. But. The hygiene services. Very interesting because they say, Hey, listen, we'll go ahead and do it. And these CSUs cyber security assessment services are available at no cost, so who can receive them.

[00:07:58] Now, remember, I'm involved with the infra guard program. I put together their training for two years, I established that whole program training thousands of government and business sector people on cybersecurity. So you'd think they would respond to me. This is a huge program. There are people have probably even been on my webinars that I've held.

[00:08:23] They didn't get back. They say, okay, you can receive these free services while federal state, local tribal territorial, government, public, and private sector, critical infrastructure organizations will that to me, my clients, every last one of my clients is in a critical infrastructure service.

[00:08:43] Now it can be a dentist office. That's pretty critical. Just ask someone, who's got an infection. It, I have other people who are in the DOD. Base or providing materials and also products, manufactured products to government contractors, et cetera. So did these people get ahold of me return my email? No, nothing.

[00:09:07] So you can have look at this if you want to. But I got to tell you, it really turned me off from some of these CSUN people. So anyways, you can sign up, but you can't get it right. Take steps to quickly detect a potential intrusion. There's a lot of subsets here. You can see on my screen, or you can just go to sisa.gov/shields-up.

[00:09:29] I'll try and put a link to this in my newsletter this week ensure the organization is prepared to respond. If an intrusion occurs, that's a very big. As well, you have to have people, you have to have drills. You have to know what's happening when to do it. This is everybody right? This is HR. This is your public relations people.

[00:09:47] This is your it people. This is everybody all the way through the business. They've all got to be involved in this maximize the organization's resilience to destructive cyber incident. What is the. What has been happening lately? Coming out of Russia, isn't just ransomware it's they destroy your data.

[00:10:07] A very bad thing. If he asked me, and if he asked a lot of other companies out there, so you got to understand this, you got to be careful with this. Make sure you are following this rather closely, frankly, and this type of alert it's there. It's going to be there for a long time. No question about it.

[00:10:25] Shields. I liked that. I think it's neat. Obviously we got some star Trek fans in the work, so I don't know, just star wars have the, they have shields, but I don't remember them saying chills up. That was a card thing. Wasn't it? So there you go. Every organization is at risk. This is a big worry.

[00:10:42] It comes and goes. It's like. Orange and green and yellow or whatever those colors were over on the other side, right from our friends at Homeland security. 

[00:10:53] We've been legitimately concerned for years about the government, watching what we're doing, listening into what we are saying while there's ways that they've been monitoring us for a very long time. And the senators now want even more.

[00:11:09] Senators, right? What are you going to do about them?

[00:11:12] It is back. I'm going to put this up on the screen for those watching live, but people don't want outsiders reading their private messages, not physical mail, right? Not texts, not DMS. Great little article here from the electronic frontier foundation. These guys are just amazing. I have agreed with most of what they've done and.

[00:11:35] Some of what they've done, but basically what they're saying is we have a right to privacy and it is enshrined in the U S constitution. It's something we're supposed to be paying attention to. Isn't it. And what we're supposed to be secure in includes our papers done. Which papers are we talking about here?

[00:11:58] I've got some paper here. This is an index card, right? I've got some paper here. There's some notes on it. So I'm supposed to be secure in this. So I guess that means that the file cabinet over there is a secure, right? We don't have to worry about the government breaking into my file cabinet.

[00:12:14] How about these things? How about our smart devices, our smartphones? How about our computers, our laptops, et cetera, always supposed to be secure in those, the constitution doesn't mention those things. It's funny how some people look at the second amendment to say, oh, it only covers a blunder buses, it just, It doesn't cover any modern weapons. And yet at the same time, they'll argue the exact opposite way when it comes to being secure in our papers, because we are supposed to be secure with all of our communications. Senator Richard Blumenthal and Lindsey Graham. One's a rhino and one's a dyno, right?

[00:12:54] Richard Blumenthal, a Democrat from Connecticut and Senator Lindsey Graham Republican from South Carolina have re-introduced what they're, what's called the Ernie act, earn it act and incredibly unpopular bill from 2020. Now it had a lot of opposition, which I think is fantastic, frankly. And it whole thing got through.

[00:13:19] But what the eff is concerned about is that in fact, this could end up being a massive new surveillance. It would be run by private companies. You saw what happened with the filings in Washington, DC from the germ investigation, right? Private companies were being used by the Democrats to spy on the sitting president of the United States.

[00:13:46] Incredible way. So Ernie. I have a surveillance system run by private companies would roll back some of the most important privacy and security features in technology that are used by people around the globe. So it's things like using signal, which is generally thought to be the best end to end private communications app out there, signal WhatsApp, which is questionable because it's owned by Facebook.

[00:14:13] But they say it's end to end encrypted, just, be careful about those things. I message on apple is end to end encrypted, but apple does respond to subpoenas and provides information, which again is supposed to be able to do. But should the government be able to go to third parties to get into your private papers?

[00:14:35] That's a completely separate thing, but the earnings act could ensure that hosts. Anything online, we're talking about backups, websites, cloud photos, your voice messages, all kinds of stuff is captured and scan. This is really scary. Now I'm going to put this back up on the screen because it's also talking about how this bill empowers the states and territories to put their own sweeping internet regulations into place and they strip away.

[00:15:14] The critical legal protections for websites, apps, things like social media. That's the whole thing. Section two 30 was about when we talked about two 30 on my Shelby. And two 30 is double-edged you got social media sites saying while section two 30, lots of us limit what people can say on our platform.

[00:15:38] I would tend to think that it actually says the opposite that they're not being held. They can't be held liable for what a third party says on their platform. So it's definitely not the same. And in fact, since they can't be held liable for what set on Facebook or Twitter, et cetera, they should not be censoring it because if they started censoring it now, all of a sudden aren't they a publisher they've got editorial.

[00:16:08] So liability comes into play here. Yeah. They don't want that, but that's what section two 30 is all about. And there's been a lot of debate about that over the last five or 10 years. And there's arguments on the far left and the far right. End in the centers to why it should go away and why it should stay.

[00:16:27] All right. So I tend to be on the, I think it should stay side. I don't like what some of these companies are doing by censoring speech, particularly, libertarian or conservative speech, they sensor like crazy. But the bottom line is if the, they didn't have that, then how about the good sites that are out there?

[00:16:48] The rumbles of the world, et cetera, that are trying to get a good message out to everybody. And are protected by section two 30. If 2 31 away a company like Facebook that has billions of dollars. Would remain the only major social media site, because nobody else could go in. They'd all be sued out of existence and they could not conform to all of these government regulations.

[00:17:14] That's part of the reason big companies love big government. It makes it so they don't have big competition. Absolutely amazing. The, so this document here. Earn it, bill is saying. And another document that came out from the bill sponsors. Amazon is not scanning enough of its content. Now, Amazon is the host of Amazon web services and I've used them before.

[00:17:42] I still use some of their services. For instance, for transcribing this show, I wrote some code that uses API APIs that go into Amazon and upload it and download transcripts and then reformat it for me. So I use some of those, but Amazon. Has the lion share of what's called the cloud data services.

[00:18:07] So they're storing a lot of data for people. Long-term data in a glacier, for instance, and short-term data and ask three. But they're complaining a huge number of websites are hosted there. And this Bill's aim is to ensure that anything hosted online gets scanned and the bill creates this is just, you couldn't make this up a 19 person, federal commission dominated by law enforcement agencies, which are late.

[00:18:36] Best practices for attacking the problem of online child abuse. It's for the children, everybody, regardless of whether state legislatures take their lead from that commission or the bill sponsors themselves, we know where the road will end says CFF. Absolutely. True government approved software, like photo DNA.

[00:18:59] I don't know if you've heard about what happened with photos and with Metta Facebook, but they just lost a huge lawsuit where they were sued by a few different states about you remember the, it would automatically tag people in photos. So it was doing photo recognition, the photo DNA thing. And they got sued because.

[00:19:23] Obeying the law. Yeah. Talk about that one for an hour as well. So earn it. Not something you want, but apparently these senators wanted as well. 

[00:19:36] We've got a problem with our cars nowadays. Have you tried to turn a wrench on one of these things? They're all computerized. I don't mean a computer. Some of the cars nowadays have dozens of computers in them. How about repairing them? We're going to talk about right to repair.

[00:19:53] A great article in ARS Technica that you'll find, and this is about the flight.

[00:20:00] For the right to repair. Now, there have been a few right to repair bills that have been released over the years. And the idea behind this is well, having a big fancy car is wonderful. You can drive it all over. But how about when it's time to get that car repaired? What are you going to do? How are you going to do it right?

[00:20:26] Does that make sense to you? It can be a real problem. And this article is fascinating because it talks about this chief Morelli who had a Subaru SUV. Now she bought this in 2018. A lot of people buy Subarus because that engine is incredible. There's nothing like a boxer engine. That's where I'm on. My motorcycle has, and I have 160 something thousand miles on my motorcycle.

[00:20:53] These super engines last, no, the electronics, the motors, the electric motors. I had different story. Are there problems with Subaru's? But it made her feel safe. So off she goes, right? Like Volvos. People buy those for perceived safety as well. I have some issues with those, but her husband mark decided to purchase his own car last summer.

[00:21:18] So they went to the Subaru dealer near their home in south east, Massachusetts. Now here's the catch to all of this Massachusetts passed a right to repair ballot measure that was approved overwhelmingly in 2020. So what that means is that all of the vehicle manufacturers have to use a standard.

[00:21:47] Computer interface in order to do anything on the car, the idea being that you can take it to a regular mechanic that can read from that wonderful little port under your dashboard can maybe do a little bit of reprogramming of the car and not have something different that they have to buy. Like for almost every car.

[00:22:10] I know I have. Oh, for quite a few years, I'll a Honda dealer as a customer of mine on the cybersecurity and computer side. And I ended up having to have help Honda's headquarters in Japan, fix major problems that they had with this little computer device that they were using to fix the car. So they're there.

[00:22:37] They are trying to fix them and the device just isn't working and the device has to be constantly upgraded because there's bugs in their software and there's new features in the cars. So it has to be upgraded and updated and everything. So the idea behind right to repair is we can't have everybody out there constantly trying to upgrade their hardware in order to talk to the car.

[00:23:04] And they shouldn't have to buy multiple pieces of hardware for a single family of cars, let alone multiple pieces of hardware to cover all cars. So Massachusetts voters did the right thing, right? Cause they said. We want the right to repair our cars. You can't keep us out of them anymore. So that's when she and mark, I had a bit of a surprise.

[00:23:30] Because they went and bought a Subaru in mass, another one. And then they found out that the Subaru telematics system and the app that went along with it, and that includes remote engine start, it gets cold up here. New England, no emergency assistant, no automated messages. Tire pressure was low oil needed, changing.

[00:23:56] What's available now, if they had remembered they were living in Southern mass Southeastern mass, but they could have gone just over to Rhode Island or up to New Hampshire. And Bob that same car and would have had all of those features. You see what happened is Subaru said we cannot support this right to repair because that means we have to have a, basically a different car format.

[00:24:28] Now this isn't the first time we've seen this type of problem before California and Massachusetts have both had crazy. If you will laws on the books for a long time defining, oh wow. You can't have diesel. Cause it has this too many particulate matter pieces of matter in it. And it has to have this kind of mileage overriding federal regulations by.

[00:24:50] So let's not the first time now. I'm in New Hampshire, live for your die is our state motto. And all of the states around us, have we effectively banned diesel vehicles, New Hampshire hasn't we could get into this. But basically a diesel vehicle is every bit as clean and non-polluting as an electric car.

[00:25:13] In fact, it's less polluting when you consider the lifetime of the vehicle and the manufacturing of the cars. Okay. With the batteries and everything else. They were pretty upset about it. And this article of ARS Technica talks about this a little bit more. It says Subaru disabled, the telematic system, and the associated features on new cars registered in mass last year as part of a spat over a right to repair ballot measure.

[00:25:42] As I mentioned before, this open data platform that they're talking about here in the LA. It doesn't even exist yet. We've talked about laws before and how really the laws either a few steps behind technology or they try and get in front of technology and just mess it up. Like they have with nuclear power, right?

[00:26:06] The new nuclear, the fourth generation is just amazing stuff. And yet they really messed up. It says that it doesn't exist in automakers have filed suit to prevent the initiative from taking effect. So first Subaru and then Kia turned off telematic systems on their newest cars in mass, which has really gotten some people upset.

[00:26:26] And here's the quote from them. This was not to comply with the law compliance with the law. This time is impossible, but rather to avoid. Violating it now. Isn't that interesting because again, companies and people have to do things to avoid violating. Okay. I'm going to say it stupid laws. So interesting staff.

[00:26:49] This is just the latest dispute in this whole thing about the right to repair. What should you be able to do with your car? What shouldn't you now? I've got some really bad news if you're a right to repair advocate because. All of the newer cars that are coming up, particularly these electric cars that they love so much in Massachusetts, these electric cars are going to be sold as a base model.

[00:27:19] And then what's going to happen is you pay monthly. In order to have certain features turned on you. If you follow Tesla, Tesla has done this thing where it's okay. Six grand and you can get the auto drive. And the course they still don't have the fully autonomous driving. And then they raised it to eight grand.

[00:27:42] I think it's 10 grand now, or maybe even $12,000 for it. And they decide, okay let's step into that and we're going to change it. And some of these companies, I think it was, I'm not going to mention the name because I'm not absolutely positive, but some of these car companies have decided, oh, you, you know that remote start that you paid extra for them and you got your car.

[00:28:02] Unless you pay us $8 a month, you're not going to get the remote start. So think about that for a few minutes. Your car's going to have the ability to drive autonomously. It's going to have the ability to do all kinds of wonderful things, but you won't be able to use them. Unless you pay your monthly fees.

[00:28:22] Talk about right to repair. All right. Hey, I have a weekly newsletter and that newsletter has a little bits of training for everybody business or otherwise, but you have to sign up, go right now to Craig peterson.com.

[00:28:40] About Metta and that Metta has been busy making changes because Metta is really Facebook. And if you've been paying attention, the medicine. Huge stock drop.

[00:28:55] Metta oh my word. I, where to even begin? Mark Zuckerberg and company have known for a while that their company is going to be in trouble.

[00:29:08] Metta is the parent company. Of Facebook just like alphabet, right? The parent company of Google. So it's almost like a reverse merger, or they move them around. So Metta is now the company that owns Facebook as well as other properties. And what Facebook has been doing for years now.

[00:29:29] Over a decade is by. Potential competitors. If you have enough money in the bank, you can just go ahead and spend that money to buy competitors. Then you don't have to worry about competing with them. Look at the Insta. Look at WhatsApp. Look at many of these other things that Facebook has acquired over the years and what they're looking for of course, and always have been looking for is eyeballs.

[00:29:56] And they want to know what are those eyeballs really interesting. They've been doing a good job at that and have been really sucking a lot of data out of us. And I don't need to really say this, but Hey, listen, if you're not paying for it, you are the product. They suffered their biggest one day.

[00:30:18] Wipe out. Ever this year, this is an article from our friends at the New York times. So they're saying Mehta, the company formerly known as Facebook suffered its biggest one day. They called it a wipe out. I love that as that stock plummeted 26% and its market value plunged by more than $230 billion. So they had a really bad earnings report.

[00:30:51] They have been trying to transition from social networking towards what they're calling the virtual world of the metaverse. Now the metaverse has been a promise for a very long time. And you can think of it in a few different ways. One way is the, you have the goggles. I don't know if you've seen ready player one, a scifi movie where this kid is.

[00:31:18] Trying to solve this. Basically you're a riddle that was put in place by this guy, geeky guy that founded this company and they all played this video game against each other. And they had not only the goggles, but they had a whole suit, so they could feel what was going on. Ready player one. Very cool.

[00:31:40] So that's one idea of the metaverse, which is you don't have to live in the real world. You can just live in this virtual world and that's exactly what they did. So they reported some modest games and new users at over at Metta, which includes of course, Instagram messenger and WhatsApp, which are the core of their money.

[00:32:05] I lost about a half a million users over the fourth. How is that a quarter to quarter or half a million users? So that's the first time they've had a decline like that in the company's history. And frankly, Facebook was such a Darlene of the stock market because they were continually growing. It was like the perfect bet.

[00:32:31] There's no way you could lose money, investing it in Facebook. And yet, in fact, What did they do? They lost money. They lost a lot of the money. Now executives over at Facebook are saying, Hey, listen, we can grow this company more. We haven't even done anything with WhatsApp. The, the running that you might remember back in the day, WhatsApp used to charge a dollar a year.

[00:32:57] Now that doesn't sound like much, but when you have a hundred million members or more yeah, that's a fair amount of money to run a small company that has, I think it was like 50 employees at its peak here. So they're saying over at Facebook we could start inserting ads into WhatsApp.

[00:33:17] We could start monitoring communications. What. That's why I don't trust WhatsApp. There's a lot of things that we could, things we could do. We get generated a lot of revenue from WhatsApp users. They're also looking at weather metas, other top apps like Instagram might beginning getting to the top of their user growth.

[00:33:39] Now I've been talking with a couple of. That are in one of my mastermind groups. And they've been talking about how they've found their businesses have grown very well using. Instagram advertising and not just advertising, organic stuff where they post things and people find it on there, which I thought was kinda interesting because we're all pretty much in the business to business world and they really like it.

[00:34:06] So I'm going to try it out too. And if you've used Instagram, And the success been success with it for your business. I'd love to know. Just drop me an email Craig at Maine, or excuse me. me@craigpeterson.com. mainstream.net is my main business. Where I'm I do the CSO work the chief information security officer stuff.

[00:34:30] So apple introduced what they're calling. App tracking transparency. This is a pretty big deal. Put this up on my screens. You guys can see it, but apple made some changes to I O S and what it's doing is trying to wall off its safari browser from tracking software. The total. What does that mean, frankly, to somebody like Facebook?

[00:35:00] It's going to be very hard for marketers to be able to figure out who is doing what a win now to top that all off our friends at Google who also make money from us in our eyeballs, our friends at Google have said we're not going to use the pixels. Who used. And what Google is doing is incentive tracking you as an individual user.

[00:35:27] They're going to put you in a bucket with a whole bunch of similar users. So in other words, I'm not much of a change on Google's front, but enough of a change that it has made investors more than a little bit worried about what the future holds, because Apple's blocking their access people. You guys, right?

[00:35:49] How many of you guys attended those webinars? I did on how to disable tracking on your computer, on your browsers, et cetera. When you're going online, a lot of you guys did, so we don't want to be tracked. We don't want them to be tracking us. And again, how do they make their money? They make their money by tracking us.

[00:36:13] And that is precisely what they've been doing. No wonder that our friends at Metta had a terrible, no, get good, very bad week earlier this years. So Apple's limiting it. Google is stealing online advertising chair because remember Google has ads all over the place. They're on all kinds of platforms on.

[00:36:42] It's not just on the one Facebook site, for instance, for Facebook. So in Google's earning call the same week, Google reported record sales, particularly in e-commerce search advertising. No. Where you go to Google and you're searching for something that can be bought online. Yeah. That's particularly where they made money.

[00:37:04] Very same category that tripped up Mehta the last three months of 2020. So Google is not heavily dependent on apple for user data. You said it was like to do the Google had far more third-party data for measurement and for optimization purposes to Metis ad platform. All of this great information here in New York times article I've got it up on my screen so you can see it.

[00:37:28] Next one, ticked. They have been stealing young eyeballs, like crazy Tik TOK has been very popular. It is unfortunately owned by a Chinese company. And there has been a lot of talk lately about how tick talk, collects our data. And we don't actually know what they do with it, but we do. That it's in China and all of these businesses in China ties to what the people's liberation army, the Chinese communist party.

[00:38:02] They have more than a billion users on their site and the videos are addictive. Like one of my kids forwarded me one this morning. I was happy. I didn't have to download the Tik. Yeah. I was able to watch it on my web browser. It was actually quite funny, but it has been an amazing competitor for Meadows, Instagram, for eyeballs and attentions people, by the way, have also been a business friends.

[00:38:29] I know have been making some pretty good inroads using tick-tock advertising. So what does Mehta do? I can't buy, tick-tock not for sale, so they introduced something. They call real. And if you're on Instagram, you'll see reels ads been very prominent. R E L S. Yeah. It's currently the number one driver of engagement across the app.

[00:38:56] So reels is attracting users. It isn't making money as well as Instagram is stories in the main feed, make way more money for them and spending on the metaverse. According to the New York times popped up on my screen again. Is bonkers. So Zuckerberg is thinking that the Internet's next generation is this Metro versus this wonderful world of who knows what, that he's willing to spend big money on it. And I'm highlighting some this screen from New York times article because the spending a mounted apparently to more than $10 billion last year, and. Metta is going to spend even more than that in the future. And there's no evidence that it's really going to work, what's going to happen. Now we also have, of course, the specter of antitrust laws here in the us, various similar y'all laws in Canada. It's the anti combines act in Canada, but same thing in. They have already been sued. They're going to be sued again. So Metta is in meta trouble and we'll see what ends up happening with these guys.

[00:40:11] But this is really interesting because frankly. Even though Zuckerberg says they're not a monopoly, regulators are disagreeing. And I agree with the regulators for once. All right. Hey, visit me online. Sign up for that newsletter. Get all of those free little trainings every week and a whole lot more.

[00:40:31] Craig peterson.com.

[00:40:33] And data breaches are a very big problem. So what do we do about them? What are they? That's the first step, right? You got to know what you're protecting and you got to know what the attacks are. So we're going to talk about that. What has been the case in the last 12 months?

[00:40:50] The three most common causes of data breaches in 2021 were.

[00:40:58] This is according to dark reading number one, cyber attacks. And we're going to talk about those different types of cyber attacks. Number two, human errors and system errors. Those are very big ways to get attacked and get breached. And physical attacks was the third one. Now what do all of those things mean?

[00:41:19] And what are they doing? We know the Russians and the Chinese are trying to get our information. In both cases, it's espionage. In both cases, they want to see the information about our military, what the military is doing and how. Can really steal our secrets. Look at the newest fighter in the Chinese air force.

[00:41:44] That fighter looks a lot like our fighter. In fact, they beat us to the punch and making it. Here's what we can tell. Still got some things to work out, but they made it from our designs, which they stall that's the allegation. And certainly looking at the two planes. I think that's probably exactly what happened.

[00:42:07] That's what they're doing. So that's on one end of the scale, right? Way, way up there, where it's major industrial espionage, it's worth billions of dollars. And then there's you and me. So from the you and me standpoint, what are they looking to get? On one end, they just want to cause chaos and confusion.

[00:42:30] We know, for instance, during the 2020 election cycle, there were all. Of social media posts that were not legitimate. They weren't real, they were all fabricated. We know that they were trying to do it, particularly the Russians, just to confuse the issue entirely same thing in 2016, we can expect a lot more of that as elections go forward.

[00:42:56] So that's one thing, how can they do that effectively while they need a lot of computers? How do they get their hands on a lot of computers? Simple, they steal them. So what they want to do is get their hands on your computer, on my computer. And once they've got their hands on our computers, now they can use them in order to do posts online.

[00:43:21] So they it's going to look like it's in 1, 2, 3 main street, downtown USA, because of. They're using your computer to do these posts. Now, the other thing they'll use your computer for is to hack other people and other people's computers. So you've seen it for years. I remember. The Matthew Broderick movie war games, and they were trying to go through, remember back then it was dial up modems going through the network in order to hide where they were and to get around blocks that were in place.

[00:43:56] That sort of thing is continuing to happen today, where they can hop between the computers, but some businesses, for instance, have been hosting videos of just horrific things that are being shared by. Bad guys jihadists over in the middle east, the people all around the world, the using our computers as store and forward.

[00:44:19] The biggest thing right now is what's called fishing. Now fishing has a few different categories and if you're watching this, you can see right now, The eighth, the growth in fishing over the last three years. So in 2019, it was 928 cases. Again, this is reported right to 2020. It went down slightly.

[00:44:45] Yeah. The vid, and then 2021, it doubled to 1600. Isn't that amazing. It doubled. So there's fishing, there's smishing and there's email compromise that amounts to the biggest amount of hacking that's happening. So what does that mean? What is this big hacking that's going on? It's pretty simply put, we're talking about hackers who are trying to fool us into doing things.

[00:45:16] So you've heard about phishing attacks. I'm sure. Before. P H I S H I N G. And that's where a bad guy sends you an email. It looks like it's from some legitimate sores and it might be a bank. It might be the FBI, PayPal, you name it. So you open it up and when you open it up, what ends up happening? Wow. Click on the link inside there.

[00:45:39] There are bugs in various email programs. There haven't been over the years. We're just having that headline show up in the summary, caused your machine to be compromised. But nowadays, most of the time you have to in fact, click on something, doing that. So that's fishing. I just prepared a video for our clients.

[00:46:02] One of whom was having a real bad problem with phishing attacks, using specifics for their business, it's okay, now one of our vendors got hacked and they're using their email server, defend fish, send phishing emails that happens with. So I put together a training video for their people. Okay.

[00:46:23] Here's the vendor. Here's what these things look like. Here's how you report it. Here's what to do about it. The next one is Smith. This is effectively the same thing as fishing, but it's using SMS. It's using text messages to try and get you to do something. So again, it might be a link that sent to you in a text message, or it might be a message saying, call me, I get almost every day I'm asking.

[00:46:52] On WhatsApp. We use WhatsApp for one of my masterminds. I'm not a fan of WhatsApp, you know that, but that's what everybody else is using. It's not the worst thing in the world, but I get I would say at least weekly, maybe every twice a week, who knows, but I get a message saying is this Brian?

[00:47:10] Of course I'm not Brian, right? I'm Craig Peterson. So the normal response from somebody would be. No, this isn't Brian's number, but the problem is that now you have engaged with them. They know there's a real person, they start a conversation, they try and get a little bit of information about you, and then use that against you to get into bank accounts, to steal money, et cetera, which is the third.

[00:47:37] Fishing, which is called BEC, which is the business email compromise. This is absolutely huge. According to the FBI, there have been billions of dollars stolen using BEC I know one company that got really nailed and their operating account got emptied because of a business email compromise. So what is that?

[00:47:59] That's where you get an email. At your business email address and that email again, just like a regular phishing email looks legitimate. So you look at that email and it looks legitimate. You open it up. Okay. So far it's the same thing, but what they're trying to do with the business email compromise is get you to do something that's going to hurt the business.

[00:48:24] In these cases that I've been talking about, what happens is it looks like it's from the CEO or looks like it's from the CFO. We could talk about a lot of the different compromises that have happened. Probably one of the most famous is with Barbara Cochran. She of course, on shark tank and she had about $400,000 almost stolen from her because in the email was.

[00:48:51] To basically her bookkeeper accountant saying, Hey, we need to pay 400 grand. Here's the account number, because remember she's in real estate. So there, rehabs happened in all of the time and the assistant, I think caught it and they were able to stop the transaction, which is amazing because you only.

[00:49:10] Second is quite literally in order to stop those types of transactions. So she stopped it, but that's an example of a business, email compromise. There are fancier ones that happen to this is the problem with having your email addresses or names even on your website. So people can just go to the company website and say who's the CEO, who's the CFO who.

[00:49:37] This person who's that person. And so they go through all of that information and they've now got something they can use against you. So what do they do? They know who the CEO is, so they chum up to the CEO, Facebook or other social media, LinkedIn. Where'd they go to school and then they send us a note on, let's say LinkedIn or Facebook saying, Hey, I want to follow you.

[00:50:01] I want to talk whatever you don't remember me because you put on LinkedIn that you went to Harvard business school. So yeah, you remember me? We were in class together. This is Joanne. And we took econ 1 0 1 at Harvard. So now a conversation starts up, they get LinkedIn to you, they get your Facebook start following you and see, oh, they're going to be in The Bahamas this week.

[00:50:26] That means they're out of touch. So during that week, they go ahead and send an email to the CFOs saying, Hey, we've got this new vendor. And if we don't go ahead and pay this vendor, we're going to lose. Because we haven't paid them in three months. So the CFO then wires the money. Now you might think, oh, that's just too much work.

[00:50:45] First of all, a hundred thousand dollars will support families in Eastern Europe for about three to five years. Okay. Secondly, that particular tactic didn't just get them a hundred thousand dollars. It got them $45 million. Oh. And it wasn't them. It was a, her a single. That was able to do that. So business, email, compromise, you've got to watch it.

[00:51:11] And then of course, all of the normals, right? Ransomware, malware, a unsecured cloud environment, credential stuffing, et cetera, et cetera. All right. Hey, I want you guys to take a minute right now. Go to Craig peterson.com one cheer there. You'll see right at the top of the page, I'm going to pull this up here for those watching on video.

[00:51:34] Subscribe for email updates. You'll get my updates. You'll get my trainings as well. Craig peterson.com.

[00:51:41] I'm a Mac fan and being a Mac fan means that I like max and a lot of people like max, because they are typically safer than a windows computer, but now that they become so popular, Hey, they're a target, too.

[00:51:57] So here's your problem. As it might say, Macs are starting to see the heat. In this case, the heat they're seen is something called update agent. It has been around a while. And many people have downloaded it. And I've known about various types of Mac malware over the years. Some of them worse than others.

[00:52:22] The one in particular that I'm thinking of a friend of mine paid for this stuff that was supposed to keep his Mac clean. So first of all, If you're looking for some anti-malware software for year Mac, I prefer what Cisco has as very nice advanced stack that you can use. But in addition, here, you can use, if you can't get the advanced Cisco stuff, you can use Malwarebytes.

[00:52:49] It is quite good. Now, historically, one of the main reasons you want to protect your Mac against viruses, including. Windows viruses is that your Mac can potentially spread a virus to a windows machine. So let's say the virus is sitting there inside of an Excel file, a word file. Some other document exec, whatever it might be.

[00:53:14] So that virus is sitting inside of there. It's not going to hurt your Mac. It's a windows virus, right? So now you send the file to somebody else and now they are on a windows machine and they are susceptible. They get nailed with it. Okay. So that's been the main reason historically. You want to make sure your Mac machines are clean.

[00:53:36] Cisco on the Mac, advanced mow, worse platinum. Does look for windows malware. Okay. As well as something that might be affecting a Mac, but what we're looking@hererightnowoverondarkreading.com is a piece of malware that is specifically aimed at max. And it's interesting too, because it isn't just max.

[00:54:03] It actually has multiple versions that included. Our friends over on the windows side. So it's called update agent or wizard update. And it is malware that I, as always, it seems is pretending as legitimate software, right? Support agents, video software. It's been around for a couple of years now. Adobe flash.

[00:54:29] Not only was it a serious security problem, but Adobe flash, as it turns out, was shoes to spread a whole lot of malware here over the years. So they've constantly updated this thing. They came up with a new version in October. They've been sending it around using Amazon and cloud front in order to do it.

[00:54:52] So instead of using zip files or. Apple uses, which are called DMGs, which are basically compressed file systems. The new version can use zip files or Mac DMGs. It's not good. Again, be very careful. Now apple has had for quite a while, and a signature based thing where software developers register with apple, they sign the software, they send out, but there are ways around it.

[00:55:24] And some of the hackers have been exploiting those ways. In fact, this version is the fifth version. Of this update agent and wizard software. Okay. So be very careful with it. Don't think that because you have a Mac, you are guaranteed safe because you're not, but they're also talking in this article about jam.

[00:55:49] Now. Jam is a great. Of software for managing your Macs. We use IBM's mass 360 for our clients, and it lets us do mobile device control as well as for desktops. If you're a CSO, how valuable, something like that really can be apple has their own thing built in. If you have Meraki equipment, they have their own lightweight.

[00:56:15] Controller as well, but jam is very well known in the industry and it's one of the better ones out there jam was showing in research last year, that ad where is continuing to be a much bigger threat to Mac users than most other types of malware. Now, what is that? What are we talking about here? Add where is where a piece of software.

[00:56:41] Gets onto your computer and shows you ads. That's one type, right? There's other types of ad wares as well. The most malicious types being, they will run as JavaScript inside your browser. Or sometimes they'll add, they'll run as an extension. That happened to one of the extensions I loved for. And I used it all the time and someone bought it and turned it into ad where spyware.

[00:57:09] Okay. So on the Mac front, it's very hard to get a legitimate piece of nastiness, like ransomware on your. You actually have to go out of your way to allow it to get installed, but this ad where some of it even minds Bitcoin, we've talked about that before, but what will happen is there's just an added in ad network, right?

[00:57:34] So if I pull up my screen again here, this is just the regular webpage here for dark reading. It's the article we're talking about. Here's some sponsors. Content is actually from one password, which is, something. I really if you look down at the very bottom of the screen is kinda hard to see, but it's the link to this takes you to ad click.g.doubleclick.net.

[00:57:58] That down there on my screen. So that particular URL now is going to track. You see how long that URL is. It has all of this other you ID type stuff. That's an ad. And then ad was probably delivered via a network of some sort, these editor choices, things. These are not ads that are purchased.

[00:58:21] These are probably coming from dark reading itself, who knows. But this Menlo security ad is an ad. You click on it. You can see, again, this is doubleclick.net. These ones here are not doubling. Those are direct on this paper. So what is that double click is what we call an ad network. So if I'm an advertiser and I want to get in front of people who really liked technology, maybe the visited the one password page, which I've done, right?

[00:58:53] So I go to the one password page. It deposits a cookie on my browser. Now I'm on dark reading and on the dark reading site, what's it going to do? The ad network is going to show me an ad for things that thinks I'm interested in one password. The guys who bought through paid for the ad to double-click.

[00:59:14] So that's how double clicks making money. They show the ad to me on dark reading. So that's how dark readings making money either by showing the ad or potentially by being paid. When I click on the ad, if I do click on that ad. All right. So if it's a company you liked, don't click on the ads because it's going to cost them money.

[00:59:34] If it's a company you don't like, then click on the ads, there's actually plugins by the way, that will click on every ad on every page you go to. But not really, it's not going to take you to all these sites. It's just going to look like you clicked on it. So these ad networks. Are being used by bad guys to put an ad in that is actually some form of malware.

[00:59:57] So just seeing the ad might cause some JavaScript to start. And you've probably seen this before. All of a sudden your computer screen shot is full of all of this crap. Where did that come from? It probably came from a small window hidden window, but came from some of this ad stuff that's happened.

[01:00:14] All right. Big problem. And it is right now, the biggest problem in the Mac world, according to jam, and it's called malvertising. You got all these cute names for everything malvertising in this case. Hey, thanks for spending a few. Today, if you would, please go right now, go to Craig peterson.com. You'll see at the top subscribe for email updates.

[01:00:43] When you subscribe, you're going to get my top special reports on passwords and other things, and you'll get my weekly emails and trainings stick around.

[01:00:54] Cloud security. Wow. What a mess. If you are using any of these services online, you probably have a cloud security issue. That means your websites, too.

[01:01:09] Security pros like myself are very frustrated by what we loosely call the cloud.

[01:01:19] So the cloud is just a name, frankly, for somebody else's computer. So you might be using a cloud for instance. Salesforce.com system you might be using your email, Hotmail, Yahoo, right? You might be using Microsoft mail. There's a lot of them out there and they're all cloud systems. Being a word for somebody else's computer.

[01:01:48] That doesn't necessarily mean that's somebody else's backing it up or that they're providing adequate cyber security for it. So we've got an article right here. Again, from our friends at dark reading, Robert limos about why security professionals are frustrated with cloud security. So more and more companies are moving their operations to the cloud.

[01:02:16] And because there are so few people available for cyber security. They're really getting in trouble. Okay. They're really getting in trouble. There's a lot of security data that does never get looked at. It's full-time jobs for people, depending on again, how much cyber security they need so many false alerts and we've got warnings from the feds now that are probably going to continue forever.

[01:02:48] Cybersecurity breaches that they're seen and they're thinking they're going to come. So security data they're saying is wasting more than half of the time spent on security issues. That is not a good thing because there are so many false positives when it comes to cyber security. So how does the basic cybersecurity work?

[01:03:13] For instance, if we were to look at one of the firewalls that we maintain for our. Or our clients, you would see attacks coming up every few seconds. I can show two on just one little machine. If you're talking about a bigger company or a contractor for the department of defense or a subcontractor for the government in any angle, you will see.

[01:03:40] Sometimes dozens of attacks per second. So they're pinging. They are trying to connect to services like Microsoft, remote desktop. They're trying to break in any way they can. That is frankly, a pretty huge problem. Are those legitimate security alerts? Yeah, I guess they are. I have stuff set up so that if someone is trying to, for instance, log in remotely on one of these remote type protocols and they fail three times in a row, they are automatically added to the firewall automatically.

[01:04:22] And they are. Now it removes that ban after a while, but if they do it again, they get banned again. So we know who the bad guys are. And let me tell you, there are a lot of bad guys out there. I don't know if I can get on that machine right now, because I think you might find that. Interesting. Yeah. It's not going to let me on right now, so I'm not going to do that, but it is a very big problem.

[01:04:53] Should I be looking at each one of those security alerts about somebody trying to remotely connect to one of these connection services, right? Desktop services, SSH services. Probably not, it's probably not the best use of my time. So what we have is other canaries, if you will, in the networks. So other points that, okay, they're trying to get in from the outside, but people are always trying to get in past the gate.

[01:05:23] But if they are not successful getting past the gate, I don't really care so much about. Okay. So how do we tell if they're inside the network? So we have other security probes inside the network. We have probes in the switches themselves. We have every network segment. Firewall from each other.

[01:05:46] And in some cases we have absolutely zero trust. So every connection to any machine is checked and firewalled depends on how much cybersecurity you need. So this is a report from a Cod automation firm called Lacework and they talked to 500 security practitioners, blah, blah, blah. They are saying that the vast majority of respondents regularly have to deal with at least a 20% false positive rate and a third deal with a 50% false positive rate.

[01:06:25] The analysts are not alone. Only a third of developers believe that the time spent on security is meaningful. According to the survey and frankly, that's what we have found as well. And that's why we have automated systems and the automated systems say, whoa, this looks really bad. And that's when a person gets involved.

[01:06:48] So it's a real problem. Now here's the next step. And the next step is while we had so many people who were working from home. And because of the lockdowns. Following the start of the Corona virus pandemic, according to this article or dark w reading organizations quickly moved operations to the cloud, we know that's true. We've seen it. We've helped companies secure themselves from their hasty moves to the CRA the cloud. But after two years, companies still have a long way to go before moving. All of the operations to a cloud is less than half of respondents consider the most important applications to be cloud native.

[01:07:34] Now, this is really important because some companies have been moving in, particularly some of the larger ones moving critical applications back in house. Now the cloud is wonderful. A lot of vendors love the cloud because it's MRR monthly recurring revenue. Yeah, you can use my software, but you have to pay me every month.

[01:07:57] Oh. And by the way, I don't want to support you guys anymore. I don't want to have to get onto your servers and take this apart girls. So I'm going to do all of this on my servers. We'll call it the cloud. Maybe it's on Amazon or Azure. Maybe it's in my data center, whatever. And I'm going to charge you a premium.

[01:08:14] What's happening with your data when it's sitting on their computer or Amazons or Microsoft's computers out there, right? It's a very legitimate question and a very concerning question, frankly, cloud apps, particularly those that aren't specifically security related. Won't have the types of details on security that are really needed.

[01:08:41] So you talk about all of the false positives that you have as a business in your own networks. How about false positives that these guys would have in the cloud? The bottom line is forget about. You can't see any of those security breaches. You don't know if your data has been stolen, et cetera, et cetera.

[01:09:04] And that's why we use a cloud lock in front of all of these cloud apps. Now, this is fascinating too. This is from our friends. Over at a glass. What is it about burning glass technologies? Only professionals with application security experience are expected to be in greater demand with a five-year growth rate of 164%.

[01:09:29] Okay. Yeah. And they're talking about 115% growth as well. Hey, visit me online, get all of this information and more put in a little bit of training right at Craig. Peter saw. Calm go there right now at the very top, you can sign up, get my newsletters and get my special reports. Craig peterson.com.

[01:09:54] So we know already hackers went wild. So what are the things we should be doing to help keep ourselves safe? Five things. We're going to go through. Right now how to stay safe.

[01:10:09] This whole thing with hackers is it's just so annoying. I got hacked back in. I'm trying to remember.

[01:10:19] 91 92, something like that. And I, it. It really sent me for a loop to go about three days to figure out what was going on. So I had a couple of deck servers. You might remember those digital equipment corporation. I was working for them as a contractor. So I had purchased those systems and I had them in my data center that I had built in the building that I bought.

[01:10:44] And it was down on the ground floor. It was something I was really proud of. Cool. It was so neat. So I was down there in the computer room trying to figure out what had happened because my customers were calling and complaining that the email wasn't working, it wasn't going through what was the. I had banked some dial up modems.

[01:11:07] I had my T1 lines going to the internet, which costs a pretty penny and all in all, just trying to figure out what's what, and how did this happen? And it turned out it was a back door that was purposely built into the male applicant. So with the mail application and was send mail. I was using at the time, still a great mail program, but I tend to use postfix now.

[01:11:33] And then of, I use again, Cisco's advanced mail filters and I often will use Microsoft email for businesses and then put the additional mail filters in front of that. Send mail had this feature so that you could get onto someone else's mail server that was misconfigured and reconfigured. Which was really a cool idea.

[01:11:57] It worked great for years when the internet was a safe place when it was just us online, a bunch of wonderful people, libertarians trying to spread the word and the gospel of libertarianism and sending jokes back and forth and using Usenet and everything. This is before websites even existed.

[01:12:21] And. It was a shock to me to see what had happened. And it was something called the Morris worm. And one of these days where we should probably talk about that whole worm thing, but it nailed me and my machine was spreading it to other machines on the internet. And the reason it all slowed down in the mail stop was it was so busy, spinning off new processes to find other machines to infect.

[01:12:49] But the machine just ran out of gas. So it was very frustrating. And although my business was a technology business at the time, I've always almost always had technology businesses. But it was not an internet security business. Who was dealing with that then, nobody, because it was barely legal to do business on the internet.

[01:13:10] I think I was doing it before. It was actually. To do business on the internet. There was just Al gore in me back then. At that problem really got to me. And none of my customers understood what had happened. And there was no reason to even try and explain what a worm was and stuff. I just said, some hacker got in and of course, Back then hacker was a term disused for people that were not professional computer programmers, a hacker where somebody that sat there and hacked code and tried to figure it out and trying to put it together.

[01:13:44] That was a. What do you do? You'd tell them the basics of what happened and you continue on your way. So I almost lost the business, frankly. I ended up losing some customers over the next few months, but not very many. So it worked out okay. But then in talking to friends of mine, I found out even more of them that had been hacked and that it was a a serious problem for.

[01:14:09] What do they do? They turn to me cause I knew I'd been hacked before I was a techie guy and I went on and I built some big. Systems. I built the largest website in the world at the time. And it was, you might be familiar with it, big yellow or yellow pages.com. Any of those sorts of platforms.

[01:14:33] The first one of those and got that up online, built the whole data center and even had to make our own routers at the time and firewalls. We actually designed one of the world's first firewalls, and that was my design. And I had a couple of guys that helped to implement it with me. We had to do everything back.

[01:14:53] And ever since then, I've had a focus on this because one of my clients had a million dollar, a day lottery system down in New York city. You got to keep that safe. And they were sending out millions of emails. So I had to learn about the email security, all of that stuff. So I mentioned all of that to you guys, because think about the position you're in now.

[01:15:16] I don't think it's much. And then the position I was in 30 years ago, but you don't want to spend all of the time that I've had to spend the last 30 years to understand this better and to learn how to protect it better. So that's why I do what I do. I try and get this information out to you. Here's this another article from our friends at dark reading and it's a Leche, I think they invite people to come on and write things for them, but he's talking okay. He's the product strategy manager over at UConn to can canonical they've been around quite a while. Been to was a Linux distribution. What's happening. We know about the colonial pipeline, right? We know the hack that happened and how bad that hack was.

[01:16:08] They was absolutely huge. And it affected all of the east coast for fuel. Every kind of fuel you can think of a real big problem. Russian linked. The hackers that broke into this. Okay. Probably the largest hack ever on a U S utility system. I'm pretty sure it was solar winds, another big hack. They hacked companies that were providing.

[01:16:34] Services to businesses, including security services, right? That's why we don't use them. And we reported serious security problems to them a year and a half before they were hacked. Did they fix them? No, they did not. So this article goes on to talk about how through September in 2021, there were about 1300 breaches in the U S.

[01:16:59] These are reported breaches and K and they're broke the all-time record last year. No two ways about it. And then president Biden in 2021. With an executive order that is forcing now the federal government to eventually become secure and department of defense and the department of defense contractors.

[01:17:24] Okay. Very big problem. He's trying to fix it. Of course, Trump tried to fix it. And president Obama tried to fix it. Everybody's tried to fix it. And so far it just hasn't happened. And our typical, I teach teams really are struggling, trying to stop some of these intrusions, including the more sophisticated ones, which are the intrusions that tend to be coming from nation states.

[01:17:50] The intrusions that are coming from China, Russia, North Korea, and Iran, those are the main. That are coming after us. So what are the things you can do? And I'm going to explain these kind of briefly you can, of course, look this article up yourself, but it is on dark reading. And if you're watching this on video, you can follow along.

[01:18:13] Zero trust is the first thing that is the new, if you will kid on the block or new, where, when it comes to cybersecurity, because what it does now is it assumes all traffic on your network needs to be monitored closely because it could be. So at the very least you're monitoring all the traffic. We do that for our clients as well.

[01:18:39] And you can get into very sophisticated firewall rules, which again, we have to stop certain applications from being reachable from machines. They should not be reachable from. Okay. So there's no silver bullet to. Put zero trust in place, or even to make it work, but you need to do it. So if you're responsible for cyber security in your business, to some degree, checkout, zero trust, next one.

[01:19:07] What data assets do you have because you need to protect them. This particular article is calling them a software bill of materials. But you need to know what you have to protect. What software are you running? What data do you have? What data is controlled by regulations, federal regulations, et cetera.

[01:19:29] You have to know all of that. You have to secure it properly. You need automated vulnerability management. That's why we tie into. Fingers real time, database of hacks going on in the world. And we use that in real time, again, to protect endpoints and to protect network points, secure configuration. That's another thing we do.

[01:19:54] I'm going to probably have this as part of a webinar, if you will, or at least a course, there's about 250. Yeah, that many changes you have to make to windows to try and secure. In fact, I have behind me, this book is probably about five inches thick. It's a binder on how to secure windows 10 and it has gotten even bigger with windows 11.

[01:20:19] Okay. And you have to be aware of the regulations you have to comply with now at the very least. Every last business out there needs to comply, which is called the NIST CSF. I'm helping another company right now, gain compliance with this. This is the national Institute of standards and technology, consumer security, not consumer computer security framework, NIST CSF.

[01:20:50] It is the basics out there. There's others that get more complicated. The CMMC the PCI DSS HIPAA. Hi-tech right. We can go on and on, but those are the five things. Zero trust. No, what data you have, what software you have to protect of my automatic vulnerability management. I'm telling you're not getting that.

[01:21:12] Buying something from best buy or from a big box retailer, online, secure configuration and regulatory. Hey, thanks for being with us today. It has been fun. I enjoy sharing this and I really realized that this morning, even more, this is a blessing for me. Hopefully it's been a blessing for you.

[01:21:34] Check me out, go online and get my newsletter. Craig peterson.com and have a great week ahead. Take care. Bye-bye.