People
Craig Peterson
Topics
Craig Peterson discusses the risk of cyberattacks coming out of Russia and the U.S. government's surveillance of citizens' digital information. He criticizes the EARN IT Act reintroduced by two senators, arguing that it could lead to mass surveillance. He also discusses the right-to-repair fight over cars and the troubles facing Meta (Facebook). Finally, he shares some cybersecurity best practices, including implementing a zero trust model, knowing what data assets you hold, automating vulnerability management, ensuring secure configurations, and complying with the relevant regulations.

Deep Dive

Key Insights

What is the 'Shields Up' initiative by CISA and why was it launched?

'Shields Up' is a public alert and guidance campaign from CISA (the Cybersecurity and Infrastructure Security Agency) aimed at reducing the likelihood and impact of damaging cyber intrusions, launched in response to heightened tensions with Russia. It gives organizations concrete steps: require multi-factor authentication for remote and privileged access, keep software up to date (prioritizing the vulnerabilities in CISA's Known Exploited Vulnerabilities catalog), be able to detect an intrusion quickly, have an incident response plan that has actually been exercised, and maximize resilience to destructive attacks (tested, offline backups).

What are the CMMC regulations and why were they strengthened in 2022?

The CMMC (Cybersecurity Maturity Model Certification) regulations are designed to ensure the cybersecurity maturity of Department of Defense (DOD) contractors. In 2022, these regulations were strengthened with 'incredible teeth' because the existing rules were deemed insufficient to protect against cyber threats, particularly from nation-states like Russia and China.

What are the key cybersecurity vulnerabilities highlighted by CISA?

Strictly speaking, Shields Up lists actions rather than individual vulnerabilities. The headline items are: validate that all remote access and all privileged or administrative access requires multi-factor authentication; ensure software is updated, prioritizing the vulnerabilities CISA has confirmed are being exploited in the wild (its Known Exploited Vulnerabilities catalog, which carries a due date for federal agencies and their contractors); confirm that cloud services are configured with security controls and backups in mind; be able to detect a potential intrusion quickly; and be prepared to respond effectively, which means having people, roles and drills in place before an incident.

Why is Microsoft 365 considered risky for data integrity?

Microsoft 365 is considered risky for data integrity because it does not provide guaranteed backups of customer data: under the shared responsibility model, any data loss is the customer's problem. The host notes that Microsoft has been sued over this, unsuccessfully so far. Cloud services, while convenient and inexpensive, are essentially 'someone else's computer' and can be unsafe if the customer does not manage configuration and backups themselves.

What is the EARN IT Act and why is it controversial?

The EARN IT Act, reintroduced by Senators Richard Blumenthal and Lindsey Graham, is controversial because it could lead to a massive new surveillance system run by private companies. It aims to combat online child abuse but could roll back critical privacy and security features in technology, such as end-to-end encryption used by apps like Signal and WhatsApp.

What is the 'Right to Repair' issue in Massachusetts and how did Subaru respond?

The 'Right to Repair' issue in Massachusetts involves a ballot measure passed in 2020 requiring vehicle manufacturers to use a standard computer interface for repairs. Subaru responded by disabling the telematics system and associated features, such as remote engine start and emergency assistance, on new cars registered in Massachusetts, citing compliance issues with the law.

Why did Meta (formerly Facebook) experience a significant stock drop in 2022?

Meta experienced a significant stock drop in 2022 due to a poor earnings report, losing 26% of its market value, which amounted to over $230 billion. The company faced challenges transitioning from social networking to the metaverse, lost half a million users, and struggled with competition from platforms like TikTok.

What are the three most common causes of data breaches in 2021?

The three most common causes of data breaches in 2021 were cyber attacks, human and system errors, and physical attacks. Cyber attacks, particularly phishing and ransomware, were the leading cause, followed by mistakes made by employees or system malfunctions, and physical breaches such as theft or unauthorized access to devices.

What is 'zero trust' in cybersecurity and why is it important?

'Zero trust' is a cybersecurity model that grants no implicit trust to a device, user or request based on where it sits on the network: being inside the perimeter earns nothing. Every access is authenticated, authorized and checked against the health of the device and the context of the request, with access scoped to the minimum needed and the verification repeated continuously rather than once at login. This approach is important because it limits what an attacker can reach after a single foothold (a phished credential or one compromised workstation) and so reduces the risk and blast radius of data breaches in an era of sophisticated cyber threats.

Chapters
This chapter focuses on CISA's "Shields Up" initiative, warning of potential cyberattacks from Russia. It discusses the initiative's resources, vulnerabilities, and steps organizations can take to mitigate risks, emphasizing multi-factor authentication and software updates.
  • CISA's "Shields Up" initiative warns of potential cyberattacks from Russia.
  • Organizations should implement multi-factor authentication and prioritize software updates.
  • CISA provides resources and its Known Exploited Vulnerabilities catalog, a database of vulnerabilities confirmed to be exploited in the wild (38 pages, 377 entries at the time of the episode), each with a required action and a due date.
  • Cloud services don't guarantee data integrity or backups.
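The Shields Up guidance above says to prioritize updates that address the vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog, and the transcript notes that each entry carries a date added, a required action and a due date. The script below, an added example that is not part of the original page or of any CISA tooling, shows how a small shop could turn that catalog into a patch worklist: it cross-references a vulnerability scanner's findings per asset against the KEV catalog and sorts what it finds by CISA due date, flagging anything already overdue. The JSON shape (field names `cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction`, `dueDate`) follows the public KEV feed, but the catalog excerpt and the inventory embedded here are constructed placeholders, not real catalog entries or real assets.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The real feed is
# published at cisa.gov/known-exploited-vulnerabilities; the CVE IDs, vendors
# and dates here are placeholders invented for this example.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "dateReleased": "2022-02-18T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Reader",
     "vulnerabilityName": "ExampleVendor Reader Use-After-Free",
     "dateAdded": "2021-11-03", "shortDescription": "Placeholder entry.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-03", "notes": ""},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "VPN Gateway",
     "vulnerabilityName": "ExampleVendor VPN Gateway Authentication Bypass",
     "dateAdded": "2022-01-18", "shortDescription": "Placeholder entry.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-02-01", "notes": ""},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Office Suite",
     "vulnerabilityName": "ExampleVendor Office Suite Remote Code Execution",
     "dateAdded": "2022-02-15", "shortDescription": "Placeholder entry.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-03-01", "notes": ""}
  ]
}
"""

# Constructed scanner output: hostname -> CVE IDs the scanner reported.
# CVE-9999-* are findings that are NOT in the catalog, to show they are skipped.
SAMPLE_INVENTORY = {
    "vpn-gw-01": ["CVE-0000-0002", "CVE-9999-1234"],
    "ws-finance-07": ["CVE-0000-0001", "CVE-0000-0003"],
    "fileserver-02": ["CVE-9999-5678"],
}


def load_kev(text):
    """Parse a KEV-format JSON document into a dict keyed by CVE ID."""
    catalog = json.loads(text)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(inventory, kev, today):
    """Join scanner findings with the catalog; earliest CISA due date first.

    Findings not in the catalog are dropped here: they still need patching,
    but they carry no CISA deadline and belong on the ordinary patch cycle.
    """
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due,
                "days_left": (due - today).days,   # negative means overdue
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["due"], f["asset"]))
    return findings


def overdue(findings):
    """Subset of findings whose CISA due date has already passed."""
    return [f for f in findings if f["days_left"] < 0]


def report(findings):
    """Render the worklist as plain text lines, one per asset/CVE pair."""
    lines = []
    for f in findings:
        status = "OVERDUE" if f["days_left"] < 0 else f'{f["days_left"]}d left'
        lines.append(f'{f["asset"]:<15} {f["cve"]:<15} {f["product"]:<28} '
                     f'due {f["due"]} ({status}): {f["action"]}')
    return lines


if __name__ == "__main__":
    worklist = prioritize(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON),
                          today=date(2022, 2, 18))
    print("\n".join(report(worklist)))
```

In production you would fetch the live feed instead of the embedded excerpt and feed in the scanner's real export; the join logic stays the same. Sorting by CISA's due date rather than by CVSS score is deliberate: a catalog entry is there because exploitation has been observed, which is the signal the transcript is pointing at when it says to go after "those that are being actively exploited in the wild" first.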

Shownotes Transcript


We've got a big alert from the CISA. That's our cybersecurity and infrastructure agency. It's come down about a week or so ago. It's been going up and down. And of course, the tensions out there are causing problems. So let's talk about it.

CISA is an agency of the federal government, and it's one that I follow, frankly, pretty closely because they are the ones that are supposed to be helping us in industry as well as helping the federal government keep their security stuff in order.

Now, are they? Well, yeah, they are and they aren't. But the bottom line is they've got a whole bunch of very cool new things. And I'm going to show that to you here. This is called Shields Up over at CISA. For those of you who are watching online, you'll be able to see it right here. So let me just switch over here.

You've got it up now. Let me just go full screen on that so you can see the whole thing. But this is CISA, C-I-S-A dot gov. And they have a whole ton of cybersecurity resources there. One of the things I hear the most from people is just how freaking difficult it is to try and keep track of things, even understand the regulations.

let alone learn all of this stuff. But you can see on their site, they've got training and exercises summit that's coming up, combating cyber crime and many other things. Well, what we're concerned about right now is this whole thing with Russia.

Now, you've heard about Russia a lot. Of course, we've got the Durham report talking about Russian fake collusion, frankly. And we have Russians who have been hacking us. In fact, I've got an article on that today. Let me pull that up as well. You'll be able to see it.

But it is an incredible thing when you get right down to it. What Russia's been trying to do is attack and steal things directly from our agencies, right? The DOD as well. If you are a contractor, you are in a great deal of trouble. I don't have that article handy, but...

They are going after all of our friends at the DOD and all of their contractors and subcontractors. So what happened? There was technology that was supposed to be implemented at all of the contractors that, of course, did not get implemented. So that's a problem, if you ask me. But it's now changed. Okay, this year.

2022, what has happened? In 2022, they decided that the regulations that were in place were not tough enough, not even close to being tough enough. So what they did is they added teeth, incredible teeth to these, what are called CMMC regulations, which are the regulations that are about the cybersecurity maturity, if you will, of these DOD contractors.

So now we're looking at this article. I'll pull it up on my screen again here. This particular one's from Security Boulevard, but it is warning about the risk of the Russians really hacking us. Now, that's nothing new.

We've known about that for a long time. We've known that the Russians and the Chinese are both trying to get in. I have customers who I picked up after they'd been hacked. And in fact, in most cases, they didn't even know they'd been hacked. It was just something weird that was going on. So this alert's highlighting several cybersecurity vulnerabilities that

that these nation states and cyber criminals are likely to be leveraging. And they've outlined certain steps that organizations can take to reduce the risk. So what are those steps? I'm going to bring them up right now for those of you who are watching. But let me make it a little bit bigger.

How do you do this? Well, they're saying, let's break it down. We want you to reduce the likelihood of a damaging cyber intrusion. Again, CISA.gov. If you want to follow along at home, CISA.gov.

Validate that all remote access to the organization's network and privileged or administrative access requires multi-factor authentication. We're setting that up for a company right now. In fact, ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA. So you see that link that's right there. Well, that brings us to this massive database, if you will, of

of known vulnerabilities, 38 pages, 377 known vulnerabilities. So how does this work? When you get right down to it, you can look at the CVEs. The CVEs over here on the left, if you click on one of the CVEs,

It gives you some really good information, including some information about how to fix it, how to patch it and what the severity is. So what you want are those that are being actively exploited in the wild, basically 10 or nines. There is a scale of zero to 10, probably not even zero, but that's where the scale is. You notice here, by the way, Adobe is their top one.

They are terrible when it comes to a lot of their software. So you can sort it by whatever you might want to sort it by when it was added, the action and the due date, which is for, again, federal government people and federal government contractors.

And there's notes there as well. So this is something if you are responsible for the cybersecurity in your business, you might be the office manager. That's so common in small companies. And as the office manager, you are supposed to be in charge of the computers.

I can tell you with a great deal of assurance that most of the companies that are providing computer service are not providing these types of updates in a timely manner.

Why? Because it's difficult to do. So you have to do it. You have to track it. Okay. So shields up. Let's go right back to that. They're talking about the other things that you should do if you're using cloud services. This is just incredible because there's more you have to do. Microsoft, I had to put this in a proposal this week because

because the company didn't realize they're using all of this Microsoft 365 thing. You've probably heard about that. They've got email, they've got SharePoint, they've got all these other wonderful services and it's nice and inexpensive to use. But here's your problem.

The problem is that these particular services don't provide you with backups. It's not a guaranteed data integrity. Any data loss is your problem. And Microsoft has been sued on this unsuccessfully so far, I might add. So just because it's in the cloud, not only does it mean it's not safe, it is just another word for someone else's computer and it can be completely unsafe.

So you got to watch it. You got to be careful. So CISA is worrying about that. They've got this free hygiene service. Now I applied for this. I'm going to pull this up again on my screen here for those who are watching live, but the hygiene service is very interesting because they say, Hey, listen, we'll go ahead and do it. And these CISA cybersecurity assessment services are available at no cost.

So who can receive them? Now, remember, I'm involved with the InfraGard program. In fact, I put together their training for two years. I established that whole program, training thousands of government and business sector people on cybersecurity. So you'd think they would respond to me. This is a huge program. Their people have probably even been on my webinars that I've held. They didn't get back to me.

They say, okay, you can receive these free services while federal, state, local, tribal, territorial government, public and private sector, critical infrastructure organizations. Well, that's me.

My clients, every last one of my clients is in a critical infrastructure service. Now, it can be a dentist's office. That's pretty critical. Just ask someone who's got an infection. I have other people who are in the DOD space. They're providing materials and also products, manufactured products to government contractors, etc. So did these people...

Get a hold of me? Return my email? No, nothing. So you can have a look at this if you want to, but I got to tell you, it really turned me off from some of these CISA people.

So anyways, you can sign up, but you can't get it, right? Take steps to quickly detect a potential intrusion. There's a lot of subsets here. You can see on my screen, or you can just go to cisa.gov/shields-up. I'll try and put a link to this in my newsletter this week. Ensure the organization's prepared to respond if an intrusion occurs. That's a very big one as well. You have to have people.

You have to have drills. You have to know what's happening, when to do it. This is everybody, right? This is HR. This is your public relations people. This is your IT people. This is everybody all the way through the business. They've all got to be involved in this.

Maximize the organization's resilience to destructive cyber incident. What has been happening lately coming out of Russia isn't just ransomware. It's they destroy your data. A very bad thing if you ask me and if you ask a lot of other companies out there. So you got to understand this. You got to be careful with this. Make sure you are following this rather closely, frankly.

And this type of alert, it's there. It's going to be there for a long time. No question about it. Shields up. I like that. I think it's neat. Obviously, we got some Star Trek fans in the work. So I don't know. Does Star Wars have that? Yeah, they have shields, but I don't remember them saying shields up. That was a Picard thing, wasn't it?

So there you go. Every organization is at risk. This is a big worry. It comes and goes. It's like the orange and green and yellow or whatever those colors were over on the other side, right? From our friends at Homeland Security. We've been legitimately concerned for years about the government watching what we're doing, listening in to what we are saying.

Well, there's ways that they've been monitoring us for a very long time. And senators now want even more senators, right? What are you going to do about them? It is back. I'm going to put this up on the screen for those watching live. But people don't want outsiders reading their private messages. Not physical mail, right? Not text, not DMs. Great little article here from the Electronic Frontier Foundation. These guys are crazy.

Just amazing. I have agreed with most of what they've done and disagreed with some of what they've done. Basically, what they're saying is we have a right to privacy and it is enshrined in the U.S. Constitution. It's something we're supposed to be paying attention to, isn't it?

And what we're supposed to be securing includes our papers. Which papers are we talking about here? I've got some paper here. Well, this is an index card, right? I've got some paper here. There's some notes on it. So I'm supposed to be secure in this. So I guess that means that the file cabinet over there is secure, right? We don't have to worry about the government breaking into my file cabinet.

How about these things? How about our smart devices, our smartphones? How about our computers, our laptops, etc.? Are we supposed to be secure in those? The Constitution doesn't mention those things.

It's funny how some people look at the Second Amendment and say, oh, it only covers blunderbusses. It just doesn't cover any modern weapons. And yet at the same time, they'll argue the exact opposite way when it comes to being secure in our papers, because we are supposed to be secure in

with all of our communications. Senator Richard Blumenthal and Lindsey Graham, one's a RINO and one's a DINO, right? Richard Blumenthal, a Democrat from Connecticut, and Senator Lindsey Graham, Republican from South Carolina, have reintroduced what's called the EARN IT Act, EARN IT Act, an incredibly unpopular bill from 2020.

Now it had a lot of opposition, which I think is fantastic, frankly, and the whole thing got dropped. But what the EFF is concerned about is that in fact, this could end up being a massive new surveillance system. It would be run by private companies. You saw what happened with the filings in Washington, DC from the Durham investigation, right? Private companies were being used.

by the Democrats to spy on the sitting president of the United States. Incredible, eh? So, EARN IT would have a surveillance system run by private companies, would roll back some of the most important privacy and security features and technology that are used by people around the globe. So, it's things like using Signal, which is generally thought to be the best end-to-end private communications app out there, Signal.

WhatsApp, which is questionable because it's owned by Facebook.

But they say it's end to end encrypted. Just be careful about those things. iMessage on Apple is end to end encrypted, but Apple does respond to subpoenas and provides information, which again, it's supposed to be able to do. But should the government be able to go to third parties to get into your private papers? That's completely separate thing, but the earn it act.

could ensure that hosting anything online, we're talking about backups, websites, cloud photos, your voice messages, all kinds of stuff is captured and scanned. This is really scary. Now, I'm going to put this back up on the screen because it's also talking about how this bill empowers the states and territories

to put their own sweeping internet regulations into place and strip away the critical legal protections for websites, apps, things like social media. That's the whole thing Section 230 was about. And we've talked about 230 on my show before.

And 230 is double edged. You've got social media sites saying, well, Section 230 lets us limit what people can say on our platform. I would tend to think that it actually says the opposite, that they're not being held. They can't be held liable for what a third party says on their platform. So it's definitely not the same thing.

And in fact, since they can't be held liable for what's said on Facebook or Twitter, et cetera, they should not be censoring it because if they start censoring it now, all of a sudden, aren't they a publisher? They've got editorials. So liability comes into play here. Yeah. They don't want that.

But that's what section 230 is all about. And there's been a lot of debate about that over the last five or 10 years. And there's arguments on the far left and the far right and in the center as to why it should go away and why it should stay. All right. So I tend to be on the, I think it should stay side. I don't like what some of these companies are doing by censoring speech, particularly libertarian or conservative speech. They censor like crazy.

But the bottom line is if they didn't have that, then how about the good sites that are out there, the rumbles of the world, et cetera, that are trying to get a good message out to everybody and are protected by Section 230. If 230 went away, a company like Facebook that has billions of dollars

would remain the only major social media site because nobody else could go in. They'd all be sued out of existence and they could not conform to all of these government regulations. That's part of the reason big companies love big government. It makes it so they don't have big competition. Absolutely amazing.

So this document here, that's the EARN IT bill is saying, and another document that came out from the bill sponsors that Amazon is not scanning enough of its content. Now, Amazon is the host of Amazon Web Services, and I've used them before. I still use some of their services.

For instance, for transcribing this show, I wrote some code that uses APIs that go into Amazon and upload it and download transcripts and then reformat it for me. So I use some of those. But Amazon has the lion's share of what's called the cloud data services.

So they're storing a lot of data for people, long-term data in Glacier, for instance, and short-term data in S3.

But they're complaining. A huge number of websites are hosted there. And this bill's aim is to ensure that anything hosted online gets scanned. And the bill creates, this is just, you couldn't make this up, a 19-person federal commission dominated by law enforcement agencies, which will lay out best practices for attacking the problem of online child abuse. It's for the children, everybody.

Regardless of whether state legislatures take their lead from that commission or the bill sponsors themselves, we know where the road will end, says EFF. Absolutely true. Government-approved software like PhotoDNA. I don't know if you've heard about what happened with photos and with Meta, Facebook, but they just lost a huge lawsuit where...

They were sued by a few different states about, you remember the, it would automatically tag people in photos. So it was doing photo recognition, the photo DNA thing. And they got sued because they weren't obeying the law. Yeah. We can talk about that one for an hour as well. So earn it, not something you want, but apparently these senators want it as well.

We've got a problem with our cars nowadays. If you tried to turn a wrench on one of these things, they're all computerized. I don't mean a computer. Some of the cars nowadays have dozens of computers in them. How about repairing them? We're going to talk about right to repair. A great article in Ars Technica that you'll find, and this is about the fight between

for the right to repair. Now there have been a few right to repair bills that have been released over the years. And the idea behind this is, well, having a big fancy car is wonderful. You can drive it all over. But how about when it's time to get that car repaired? What are you going to do? How are you going to do it?

Right? Does that make sense to you? It can be a real problem. And this article is fascinating because it talks about this Chi Ferrelli who had a Subaru SUV. Now she bought this in 2020.

A lot of people buy Subarus because that engine is incredible. There's nothing like a boxer engine. That's what my motorcycle has. And I have 160 something thousand miles on my motorcycle. These Subaru engines last. Now the electronics, the motors, electric motors are a different story. Other problems with Subarus.

But it made her feel safe. So off she goes, right? Like Volvos, people buy those for perceived safety as well. I have some issues with those. But her husband, Mark, decided to purchase his own car last summer. So they went to the Subaru dealer near their home in Southeast Massachusetts.

Now here's the catch to all of this. Massachusetts passed a right to repair ballot measure that was approved overwhelmingly in 2020. So what that means is that all of the vehicle manufacturers have to use a standard computer interface in order to do anything on the car.

The idea being that you can take it to a regular mechanic that can read from that wonderful little port under your dashboard, can maybe do a little bit of reprogramming of the car and not have something different that they have to buy, like for almost every car. I know I have, for quite a few years, a Honda dealer as a customer of mine on the cybersecurity and computer side.

And I ended up having to help Honda's headquarters in Japan fix major problems that they had with this little computer device that they were using to fix the cars.

So there they are trying to fix them and the device just isn't working. And the device has to be constantly upgraded because there's bugs in their software and there's new features in the car. So it has to be upgraded and updated and everything. Right.

So the idea behind right to repair is we can't have everybody out there constantly trying to upgrade their hardware in order to talk to the car. And they shouldn't have to buy multiple pieces of hardware for a single family of cars, let alone multiple pieces of hardware to cover all cars. So Massachusetts voters did the right thing, right? Because they said no.

We want the right to repair our cars. You can't keep us out of them anymore. So that's when Chi and Mark had a bit of a surprise, because they went and bought a Subaru in Mass, another one. And then they found out that the Subaru telematic system and the app that went along with it, and that includes remote engine start, it gets cold up here in New England, no emergency assistance.

No automated messages that tire pressure was low or oil needed changing. None of that was available. Now, if they had, remember, they were living in southern Mass, southeastern Mass, but they could have gone just over to Rhode Island or up to New Hampshire,

and bought that same car and would have had all of those features. You see what happened is Subaru said, we cannot support this right to repair because that means we have to have a basically a different car for mass. Now, this isn't the first time we've seen this type of problem before. California and Massachusetts have both had

crazy, if you will, laws on the books for a long time, defining, oh wow, you can't have diesel because it has too many pieces of particulate matter in it, it has to have this kind of mileage, overriding federal regulations, by the way. So that's not the first time. Now I'm in New Hampshire. Live free or die is our state motto. And all of the states around us have effectively banned

diesel vehicles. New Hampshire hasn't. We could get into this a lot, but basically a diesel vehicle is every bit as clean and non-polluting as an electric car. In fact, it's less polluting when you consider the lifetime of the vehicle and the manufacturing of the cars, okay, with the batteries and everything else.

So they were pretty upset about it. And this article in Ars Technica talks about this a little bit more. It says Subaru disabled the telematic system and the associated features on new cars registered in mass last year as part of a spat over a right to repair ballot measure. As I mentioned before, this open data platform that they're talking about here in the law

Doesn't even exist yet. We've talked about laws before and how really the laws, either a few steps behind technology or they try and get in front of technology and just mess it up like they have with nuclear power, right? The new nuclear, the fourth generation is just amazing stuff.

And yet they've really messed. It says that it doesn't exist. And automakers have filed suit to prevent the initiative from taking effect. So first Subaru and then Kia turned off telematic systems on their newest cars in mass.

which has really gotten some people upset. And here's the quote from them. This was not to comply with the law. Compliance with the law at this time is impossible, but rather to avoid violating it. Now, isn't that interesting? Because again, companies and people have to do things to avoid violating. Okay, I'm going to say it's stupid laws.

So interesting stuff. This is just the latest dispute in this whole thing about the right to repair. What should you be able to do with your car? What shouldn't you? Now I've got some really bad news. If you're a right to repair advocate, because all of the newer cars that are coming up, particularly these electric cars that they love so much in Massachusetts, these electric cars are

are going to be sold as a base model. And then what's going to happen is you pay monthly in order to have certain features turned on. If you follow Tesla, Tesla has done this thing where it's okay, six grand and you can get the auto drive system. And of course, they still don't have the fully autonomous driving. And then they raised it to eight grand. I think it's 10 grand now or maybe even $12,000 for it.

And they decided, okay, instead of that, we're going to change it. And some of these companies, I think it was, I'm not going to mention anything because I'm not absolutely positive, but some of these car companies have decided, you know that remote start that you paid extra for when you got your car? Unless you pay us $8 a month, you're not going to get the remote start.

So think about that for a few minutes. Your car is going to have the ability to drive autonomously. It's going to have the ability to do all kinds of wonderful things, but you won't be able to use them unless you pay your monthly fees. Talk about right to repair.

All right. Hey, I have a weekly newsletter and that newsletter has a little bits of training for everybody, business or otherwise. But you have to sign up. Go right now to Craig Peterson dot com.

About Meta and that Meta has been busy making changes because Meta is really Facebook. And if you've been paying attention, the Meta is in big trouble. Huge stock drop. Meta. Oh my, where do we even begin? Mark Zuckerberg and company have known for a while that their company is going to be in trouble.

Meta is the parent company of Facebook, just like Alphabet, right? The parent company of Google. So it's almost like a reverse merger. They move them around. So Meta is now the company that owns Facebook as well as other properties.

And what Facebook has been doing for years now, over a decade, is buying potential competitors. If you have enough money in the bank, you can just go ahead and spend that money to buy competitors. Then you don't have to worry about competing with them. Look at Insta. Look at WhatsApp. Look

Look at many of these other things that Facebook has acquired over the years and what they're looking for, of course, and always have been looking for is eyeballs and they want to know what are those eyeballs really interest. They've been doing a good job at that and have been really sucking a lot of data out of us. And I don't need to really say this, but Hey, listen, if you're not paying for it, you're

You are the product. They suffered their biggest one day wipeout ever this year.

This is an article from our friends at the New York Times. So they're saying Meta, the company formerly known as Facebook, suffered its biggest one day. They called it a wipeout. I love that. As its stock plummeted 26% and its market value plunged by more than $230 billion. So they had a really bad earnings report.

They have been trying to transition from social networking towards what they're calling the virtual world of the metaverse. Now, the metaverse has been a promise for a very long time. And you can think of it in a few different ways. One way is that you have the goggles. I don't know if you've seen Ready Player One, a sci-fi movie where this kid is...

trying to solve this, basically a riddle that was put in place by this guy, geeky guy that founded this company.

And they all played this video game against each other. And they had not only the goggles, but they had a whole suit so they could feel what was going on. Ready Player One. Very cool. So that's one idea of the metaverse, which is you don't have to live in the real world. You can just live in this virtual world. And that's exactly what they did.

So they reported some modest gains in new users over at Meta, which includes, of course, Instagram, Messenger and WhatsApp, which are the core of their money, but lost about a half a million users over the fourth quarter.

How is that? Quarter to quarter, half a million users. So that's the first time they've had a decline like that in the company's history. And frankly, Facebook was such a darling of the stock market because they were continually growing. It was like the perfect bet. There's no way you could lose money investing it in Facebook. And yet, in fact, what did they do? They lost money. They lost a lot of the money.

Now, executives over at Facebook are saying, hey, listen, we can grow this company more. We haven't even done anything with WhatsApp. They're running it. You might remember back in the day, WhatsApp used to charge a dollar a year.

Now, that doesn't sound like much, but when you have 100 million members or more, yeah, that's a fair amount of money to run a small company that had, I think, something like 50 employees at its peak. So they're saying over at Facebook, we could start inserting ads into WhatsApp. We could start monitoring communications. What?

That's why I don't trust WhatsApp. There's a lot of things we could do. We could generate a lot of revenue from WhatsApp users. They're also looking at whether Meta's other top apps, like Instagram, might be reaching the top of their user growth. Now, I've been talking with a couple of people that are in one of my mastermind groups, and they've been talking about how they found their businesses have grown very well using Instagram advertising, and not just organic stuff where they post things and people find it on there, which I thought was kind of interesting because we're all pretty much in the business-to-business world, and they really like it. So I'm going to try it out too. And if you've used Instagram and have had success with it for your business, I'd love to know. Just drop me an email. Craig.

Mainstream.net is my main business where I do the CISO work, the Chief Information Security Officer stuff. So Apple introduced what they're calling App Tracking Transparency. This is a pretty big deal. I'll put this up on my screen so you guys can see it.

Apple made some changes to iOS and what it's doing is trying to wall off its Safari browser from tracking software. What does that mean, frankly, to somebody like Facebook? It's going to be very hard for marketers to be able to figure out who is doing what when.

Now, to top that all off, our friends at Google, who also make money from us and our eyeballs, our friends at Google have said, we're not going to use the pixels we used to. And what Google is doing is, instead of tracking you as an individual user, they're going to put you in a bucket with a whole bunch of similar users. So in other words, not much of a change on Google's front, but enough of a change that it has made investors more than a little bit worried about what the future holds, because Apple's blocking their access. People...

You guys, right? How many of you guys attended those webinars I did on how to disable tracking on your computer, on your browsers, et cetera, when you're going online? A lot of you guys did. So we don't want to be tracked. We don't want them to be tracking us. And again, how do they make their money? They make their money by tracking us. And that is precisely what they've been doing. So again, no wonder our friends at Meta had a terrible, no good, very bad week earlier this year. So Apple's limiting it.

Google is stealing online advertising share because, remember, Google has ads all over the place. They're on all kinds of platforms online. It's not just on the one site, for instance, as it is for Facebook.

So in Google's earnings call the same week, Google reported record sales, particularly in e-commerce search advertising. You know, where you go to Google and you're searching for something that can be bought online? Yeah, that's particularly where they made money. The very same category that tripped up Meta in the last three months of 2021.

So Google's not heavily dependent on Apple for user data. He said it was likely that Google had far more third-party data for measurement and for optimization purposes than Meta's ad platform. All of this great information is here in the New York Times article. I've got it up on my screen so you can see it. Next one, TikTok. They have been stealing young eyeballs like crazy.

TikTok has been very popular. It is unfortunately owned by a Chinese company. And there has been a lot of talk lately about how TikTok collects our data and we don't actually know what they do with it. But we do know that it's in China, and all of these businesses in China have ties to what? Yeah, the People's Liberation Army, the Chinese Communist Party.

They have more than a billion users on their site. And the videos are addictive. One of my kids forwarded me one this morning. I was happy I didn't have to download the TikTok app.

I was able to watch it on my web browser. It was actually quite funny. But it has been an amazing competitor to Meta's Instagram for eyeballs and attention. People, by the way, business friends I know, have also been making some pretty good inroads using TikTok advertising. So what does Meta do? They can't buy TikTok; it's not for sale. So they introduced something they call Reels.

And if you're on Instagram, you'll see Reels has been very prominent. R-E-E-L-S. Yeah, it's currently the number one driver of engagement across the app. So Reels is attracting users. It isn't making money as well as Instagram is. Stories in the main feed make way more money for them.

And spending on the metaverse, according to the New York Times, pop that up on my screen again, is bonkers. So Zuckerberg is thinking that the Internet's next generation is this metaverse, this wonderful world of who knows what, and that he's willing to spend big money on it. And I'm highlighting this on the screen from the New York Times article. The spending amounted apparently to more than $10 billion last year, and Meta is going to spend even more than that in the future. And there's no evidence that it's really going to work. What's going to happen? Now we also have, of course, the specter of antitrust laws here in the US, and various similar laws in Canada. It's the Anti-Combines Act in Canada.

But same thing in Europe. They have already been sued. They're going to be sued again. So Meta is in Meta trouble. And we'll see what ends up happening with these guys. But this is really interesting because, frankly, even though Zuckerberg says they're not a monopoly, regulators are disagreeing, and I agree with the regulators for once. All right. Hey, visit me online. Sign up for that newsletter. Get all of those free little trainings every week and a whole lot more. CraigPeterson.com. Data breaches are a very big problem. So what do we do about them? What are they? That's the first step, right? You've got to know what you're protecting.

And you've got to know what the attacks are. So we're going to talk about that. What has been the case in the last 12 months? The three most common causes of data breaches in 2021 were, and this is according to Dark Reading: number one, cyber attacks, and we're going to talk about those different types of cyber attacks; number two, human errors and system errors, those are very big ways to get attacked and get breached; and physical attacks was the third one.

Now, what do all of those things mean, and what are they doing? We know the Russians and the Chinese are trying to get our information. In both cases, it's espionage. They want to see the information about our military, what the military is doing, and how they can really steal our secrets. Look at the newest fighter in the Chinese air force. That fighter looks a lot like our fighter. In fact, they beat us to the punch in making it. Near as we can tell, they've still got some things to work out, but they made it from our designs, which they stole. That's the allegation. And certainly, looking at the two planes, I think that's probably exactly what happened. That's what they're doing. So that's on one end of the scale, right? Way, way up there where it's major industrial espionage. It's worth billions of dollars. And then there's you and me.

So from the you and me standpoint, what are they looking to get? On one end, they just want to cause chaos and confusion. We know, for instance, during the 2020 election cycle, there were a lot of social media posts that were not legitimate. They weren't real. They were all fabricated.

We know that they were trying to do it, particularly the Russians, just to confuse the issue entirely. Same thing in 2016. We can expect a lot more of that as elections go forward. So that's one thing. How can they do that effectively? Well, they need a lot of computers. How do they get their hands on a lot of computers? Well, simple.

They steal them. So what they want to do is get their hands on your computer, on my computer. And once they've got their hands on our computers, now they can use them in order to do posts online. So it's going to look like it's from 123 Main Street, downtown USA, because it is.

They're using your computer to do these posts. Now, the other thing they'll use your computer for is to hack other people and other people's computers. So you've seen it for years. I remember

And they were trying to go through, remember back then it was dial-up modems, going through the network in order to hide where they were and to get around blocks that were in place. That sort of thing is continuing to happen today, where they can hop between the computers. But some businesses, for instance, have been hosting videos of just horrific things that are being shared by people. And I think that's a really good example: bad guys, jihadists over in the Middle East, people all around the world. They're using our computers as store and forward. The biggest thing right now is what's called phishing.

Now, phishing has a few different categories. And if you're watching this, you can see right now the growth in phishing over the last three years. So in 2019, it was 928 cases. Again, this is reported, right? In 2020, it went down slightly, yeah, the 'Vid. And in 2021, it doubled to 1,600. Isn't that amazing? It doubled. So there's phishing, there's smishing, and there's email compromise. That amounts to the biggest amount of hacking that's happening.

So what does that mean? What is this big hacking that's going on? It's pretty simply put. We're talking about hackers who are trying to fool us into doing things. So you've heard about phishing attacks, I'm sure, before. P-H-I-S-H-I-N-G. And that's where a bad guy sends you an email, looks like it's from some legitimate source. And it might be a bank. It might be the FBI, PayPal, you name it.

So you open it up, and when you open it up, what ends up happening? Well, you click on a link inside there. There are bugs in various email programs; there have been some over the years where just having that headline show up in the summary caused your machine to be compromised. But nowadays, most of the time you have to, in fact, click on something, do an action.

So that's phishing. I just prepared a video for our clients, one of whom was having a really bad problem with phishing attacks using specifics for their business. Okay, now one of our vendors got hacked, and they're using their email server to send phishing emails. That happens a lot.

So I put together a training video for their people. Okay, here's the vendor. Here's what these things look like. Here's how you report it. Here's what you do about it. The next one is smishing.

This is effectively the same thing as phishing, but it's using SMS. It's using text messages to try and get you to do something. So again, it might be a link that's sent to you in a text message. It might be a message saying, call me. I get almost every day a message like that on WhatsApp. We use WhatsApp for one of my masterminds. I'm not a fan of WhatsApp, you know that, but that's what everybody else is using. It's not the worst thing in the world, but I get, I would say at least weekly, maybe every, you know, twice a week, who knows? But I get a message saying, is this Brian? Of course, I'm not Brian, right? I'm Craig Peterson. So the normal response from somebody would be what? No, this isn't Brian's number. But the problem is that now you have engaged with them. They know there's a real person. They start a conversation. They try and get a little bit of information about you and then use that against you to get into bank accounts, to steal money, etc.

Which brings us to the third kind of phishing, which is called BEC, the business email compromise. This is absolutely huge. According to the FBI, there have been billions of dollars stolen using BEC. I know one company that got really nailed, and their operating account got emptied because of a business email compromise. So what is that? That's where you get an email at your business email address. And that email, again, just like a regular phishing email, looks legitimate.

So you look at that email, it looks legitimate. You open it up. Okay. So far it's the same thing, but what they're trying to do with the business email compromise is get you to do something that's going to hurt the business.

In these cases that I've been talking about, what happens is it looks like it's from the CEO or looks like it's from the CFO. We could talk about a lot of the different compromises that have happened. Probably one of the most famous is with Barbara Corcoran. She's, of course, on Shark Tank.

And she had about $400,000 almost stolen from her because an email was sent to basically her bookkeeper/accountant saying, hey, we need to pay 400 grand. Here's the account number. Because, remember, she's in real estate, so rehabs happen all of the time.

And the assistant, I think, caught it, and they were able to stop the transaction, which is amazing because you only have seconds, quite literally, in order to stop those types of transactions. So she stopped it. But that's an example of a business email compromise. There are fancier ones that happen too. This is the problem with having your email addresses, or even names, on your website.

So people can just go to the company website and say, who's the CEO? Who's the CFO? Who's this person? Who's that person? And so they go through all of that information, and they've now got something they can use against you. So what do they do? They know who the CEO is. So they chum up to the CEO on Facebook or other social media, LinkedIn. Where'd they go to school?

And then they send a note on, let's say, LinkedIn or Facebook saying, hey, I want to follow you. I want to talk, whatever. You know, remember me? Because you put on LinkedIn that you went to Harvard Business School. So, yeah, you remember me? We were in class together. This is Joanne. And we took Econ 101 at Harvard. Right? Yeah.

So now a conversation starts up. They get linked into you. They get your Facebook, start following you and see, oh, they're going to be in the Bahamas this week. That means they're out of touch. So during that week, they go ahead and send an email to the CFO saying, hey, we've got this new vendor. And if we don't go ahead and pay this vendor, we're going to lose them.

Because we haven't paid them in three months. So the CFO then wires the money. Now you might think, oh, that's just too much work. First of all, $100,000 will support families in Eastern Europe for about three to five years. Secondly, that particular tactic didn't just get them $100,000. It got them $45 million. Oh, and it wasn't them. It was her, a single person that was able to do that.

So business email compromise, you've got to watch it. And then, of course, all of the normal ones, right? Ransomware, malware, unsecured cloud environments, credential stuffing, et cetera, et cetera. All right. Hey, I want you guys to take a minute right now. Go to CraigPeterson.com. Once you're there, you'll see right at the top of the page. I'm going to pull this up here for those watching on video.

Subscribe for email updates. You'll get my updates. You'll get my trainings as well. CraigPeterson.com. I'm a Mac fan. And being a Mac fan means that I like Macs. And a lot of people like Macs because they are typically safer than a Windows computer. But now that they've become so popular, hey, they're a target too. So here's your problem, as they might say.

Macs are starting to see the heat. In this case, the heat they're seeing is something called UpdateAgent. It has been around a while, and many people have downloaded it. And I've known about various types of Mac malware over the years.

Some of them worse than others. The one in particular that I'm thinking of, a friend of mine paid for this stuff that was supposed to keep his Mac clean. So first of all, if you're looking for some anti-malware software for your Mac, I prefer what Cisco has. It has a very nice advanced stack that you can use.

But in addition here, you can use, if you can't get the advanced Cisco stuff, you can use Malwarebytes. It is quite good.

Now, historically, one of the main reasons you want to protect your Mac against viruses, including Windows viruses, is that your Mac can potentially spread a virus to a Windows machine. So let's say the virus is sitting there inside an Excel file, a Word file, some other document, whatever it might be.

So that virus is sitting inside of there. It's not going to hurt your Mac. It's a Windows virus, right? So now you send the file to somebody else, and now they are on a Windows machine and they are susceptible. They get nailed with it. Okay. So that's been the main reason, historically, you want to make sure your Mac machines are clean. Cisco's advanced malware platform on the Mac does look for Windows malware, okay, as well as something that might be affecting a Mac. But what we're looking at here right now, over on darkreading.com, is a piece of malware that is specifically aimed at Macs. And it's interesting too, because it isn't just Macs. It actually has multiple versions that include Macs and our friends over on the Windows side. So it's called UpdateAgent or WizardUpdate. And it is malware that, as always, it seems, is pretending it's legitimate software, right? Support agents, video software. It's been around for a couple of years now.

Adobe Flash: not only was it a serious security problem, but Adobe Flash, as it turns out, was used to spread a whole lot of malware over the years. So they've constantly updated this thing. They came up with a new version in October. They've been sending it around using Amazon and CloudFront in order to do it.

So instead of using zip files or what Apple uses, which are called DMGs, which are basically compressed file systems, the new version can use zip files or Mac DMGs. So, it's not good. Again, be very careful. Now, Apple has had for quite a while a signature-based thing where software developers register with Apple and sign the software they send out, but there are ways around it, and some of the hackers have been exploiting those ways. In fact, this version is the fifth version of this UpdateAgent/WizardUpdate software. Okay.

So be very careful with it. Don't think that because you have a Mac, you are guaranteed safe because you're not. But they're also talking in this article about Jamf. Now, Jamf is a great piece of software for managing your Macs.

We use IBM's MaaS360 for our clients, and it lets us do mobile device control as well as for desktops. If you're a CISO, you know how valuable something like that really can be. Apple has their own thing built in. If you have Meraki equipment, they have their own lightweight controller as well. But Jamf is very well known in the industry, and it's one of the better ones out there.

Jamf was showing in research last year that adware is continuing to be a much bigger threat to Mac users than most other types of malware. Now, what is that? What are we talking about here? Adware is where a piece of software gets onto your computer and shows you ads. That's one type, right? There's other types of adware as well, the most malicious types being they will run as JavaScript inside your browser, or sometimes they'll run as an extension. That happened to one of the extensions I loved for Chrome. I used it all of the time, and someone bought it and turned it into adware/spyware. Okay.

So on the Mac front, it's very hard to get a legitimate piece of nastiness like ransomware on your computer. You actually have to go out of your way to allow it to get installed. But this adware, some of it even mines Bitcoin, we've talked about that before, but what will happen is there's just an ad in an ad network, right? So if I pull up my screen again here, this is just the regular webpage for Dark Reading. It's the article we're talking about. Here's some sponsored ads.

It's actually for 1Password, which is something I really like. If you look down at the very bottom of the screen, it's kind of hard to see, but the link to this takes you to adclick.g.doubleclick.net. See that down there on my screen? So that particular URL now is going to track it. See how long that URL is? It has all of this other UID type stuff on it.

That's an ad, and that ad was probably delivered via a network of some sort. These editor's choice things, these are not ads that are purchased. These are probably coming from Dark Reading itself. Who knows? But this Menlo Security ad is an ad. You click on it, you can see again, this is doubleclick.net. These ones here are not DoubleClick. Those are direct on this paper. So what is that? DoubleClick is what we call an ad network.

So if I'm an advertiser and I want to get in front of people who really like technology, maybe they visited the 1Password page, which I've done, right? So I go to the 1Password page. It deposits a cookie on my browser. Now I'm on Dark Reading, and on the Dark Reading site, what's it going to do? The ad network is going to show me an ad for things it thinks I'm interested in, like 1Password. So the guys who paid for the ad paid DoubleClick. So that's how DoubleClick's making money. They show the ad to me on Dark Reading. So that's how Dark Reading's making money, either by showing the ad or potentially by being paid when I click on the ad, if I do click on that ad.

All right. So if it's a company you like, don't click on the ads, because it's going to cost them money. If it's a company you don't like, then click on the ads. There are actually plugins, by the way, that will click on every ad on every page you go to, but not really. It's not going to take you to all these sites. It's just going to look like you clicked on it.

So these ad networks are being used by bad guys to put an ad in that is actually some form of malware. So just seeing the ad might cause some JavaScript to start. And you've probably seen this before. All of a sudden your computer screen is just full of all of this crap. Where did that come from? It probably came from a small window, a hidden window, that came from some of this ad stuff that's out there. All right.

Big problem. And it is right now the biggest problem in the Mac world, according to Jamf. And it's called malvertising. Got all these cute names for everything. Malvertising in this case.

Hey, thanks for spending a few minutes today. If you would please go right now, go to Craig Peterson.com. You'll see at the top subscribe for email updates. When you subscribe, you're going to get my top special reports on passwords and other things. And you'll get my weekly emails and trainings.

Stick around. Cloud security. Wow. What a mess. If you are using any of these services online, you probably have a cloud security issue. That means your websites too. Security pros like myself are very frustrated by what we loosely call the cloud.

So the cloud is just a name, frankly, for somebody else's computer. So you might be using a cloud-based Salesforce.com system, for instance. You might be using your email: Hotmail, Yahoo, right? You might be using Microsoft Mail. There's a lot of them out there, and they're all cloud systems.

So, it being a word for somebody else's computer, that doesn't necessarily mean that somebody else is backing it up or that they're providing adequate cybersecurity for it. So we've got an article right now, again from our friends at Dark Reading, by Robert Lemos, about why security professionals are frustrated with cloud security. So more and more companies are moving their operations to the cloud. And because there are so few people available for cybersecurity, they're really getting in trouble.

There's a lot of security data that just never gets looked at. It's full-time jobs for people, depending on, again, how much cybersecurity they need. So many false alerts. And we've got warnings from the feds now that are probably going to continue forever about cybersecurity breaches that they're seeing and they're thinking are going to come.

So security data, they're saying, is wasting more than half of the time spent on security issues. That is not a good thing, because there are so many false positives when it comes to cybersecurity. So how does basic cybersecurity work? For instance, if we were to look at one of the firewalls that we maintain for ourselves or our clients, you would see attacks coming up every few seconds. I can show it to you on just one little machine. If you're talking about a bigger company, or a contractor for the Department of Defense, or a subcontractor for the government in any angle, you will see sometimes dozens of attacks per second. So they're pinging. They are trying to connect to services like Microsoft Remote Desktop. They're trying to break in any way they can. That is, frankly, a pretty huge problem.

Are those legitimate security alerts? Well, yeah, I guess they are. I have stuff set up so that if someone is trying to, for instance, log in remotely on one of these remote-type protocols and they fail three times in a row, they are automatically added to the firewall and they are banned.

Now, it removes that ban after a while, but if they do it again, they get banned again. So we know who the bad guys are. And let me tell you, there are a lot of bad guys out there. I don't know if I can get on that machine right now, because I think you might find that interesting. Yeah, it's not going to let me on right now. So I'm not going to do that. But it is a very big problem. Should I be looking at each one of those security alerts about somebody trying to remotely connect to one of these connection services, right? Desktop services, SSH services? Well, probably not. It's probably not the best use of my time.
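The three-strikes ban described above, as an added example that is not part of the show or of Craig's own firewall setup: a small Python pass over constructed sshd-style log lines that counts consecutive failed logins per source address, bans the address after three, lets the ban expire after a set time, and bans it again on a repeat. The log lines, thresholds and function names are assumptions.

```python
"""Three-strikes remote-login ban, as an added illustration (not from the show).

Constructed sshd-style log lines are scanned in order; consecutive failed
logins are counted per source IP, the IP is 'banned' after BAN_THRESHOLD
failures, the ban expires after BAN_SECONDS, and a repeat offender is banned
again. A successful login resets the streak. Names and values are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

BAN_THRESHOLD = 3      # consecutive failures before a ban (assumed)
BAN_SECONDS = 600      # how long a ban lasts before it is lifted (assumed)

# Matches the common OpenSSH auth-log shape; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


@dataclass
class BanState:
    failures: dict = field(default_factory=dict)      # ip -> consecutive failures
    banned_until: dict = field(default_factory=dict)  # ip -> ban expiry time
    events: list = field(default_factory=list)        # (time, action, ip) audit trail


def is_banned(state: BanState, ip: str, now: datetime) -> bool:
    """True while a ban is active; lifts an expired ban as a side effect."""
    until = state.banned_until.get(ip)
    if until is None:
        return False
    if now >= until:
        del state.banned_until[ip]
        state.events.append((now, "unban", ip))
        return False
    return True


def process_line(state: BanState, line: str):
    """Apply one log line; returns the action taken, or None if it is not an auth line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    now = datetime.fromisoformat(m["ts"])
    ip = m["ip"]
    if is_banned(state, ip, now):
        return "dropped"              # the firewall already blocks this source
    if m["outcome"] == "Accepted":
        state.failures.pop(ip, None)  # a good login resets the streak
        return "accepted"
    count = state.failures.get(ip, 0) + 1
    state.failures[ip] = count
    if count >= BAN_THRESHOLD:
        state.banned_until[ip] = now + timedelta(seconds=BAN_SECONDS)
        state.failures.pop(ip)
        state.events.append((now, "ban", ip))
        return "banned"
    return "failed"


def run(lines):
    """Replay a list of log lines; returns the final state and the per-line actions."""
    state = BanState()
    actions = [process_line(state, line) for line in lines]
    return state, actions


# Constructed sample: one scanner on 203.0.113.7, one real user on 198.51.100.5.
SAMPLE_LOG = [
    "2022-03-01T10:00:00 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 50100 ssh2",
    "2022-03-01T10:00:05 sshd[1002]: Failed password for root from 203.0.113.7 port 50101 ssh2",
    "2022-03-01T10:00:09 sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 50102 ssh2",
    "2022-03-01T10:01:00 sshd[1004]: Failed password for root from 203.0.113.7 port 50103 ssh2",
    "2022-03-01T10:02:00 sshd[1005]: Failed password for alice from 198.51.100.5 port 51000 ssh2",
    "2022-03-01T10:02:10 sshd[1005]: Accepted password for alice from 198.51.100.5 port 51000 ssh2",
    "2022-03-01T10:15:00 sshd[1006]: Failed password for root from 203.0.113.7 port 50104 ssh2",
    "2022-03-01T10:15:03 sshd[1007]: Failed password for root from 203.0.113.7 port 50105 ssh2",
    "2022-03-01T10:15:07 sshd[1008]: Failed password for root from 203.0.113.7 port 50106 ssh2",
    "2022-03-01T10:15:08 sshd[1008]: Connection closed by 203.0.113.7 port 50106",
]

if __name__ == "__main__":
    final_state, per_line = run(SAMPLE_LOG)
    for line, action in zip(SAMPLE_LOG, per_line):
        print(f"{str(action):>8}  {line}")
    for when, action, ip in final_state.events:
        print(f"{when.isoformat()} {action} {ip}")
```

The scanner is banned on its third failure, its next attempt is dropped while the ban is live, and after the ban lapses it earns a fresh ban on three more failures, while the real user's single typo followed by a good login never accumulates.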

So what we have is other canaries, if you will, in the networks. So, other points that, okay, they're trying to get in from the outside, but people are always trying to get in past the gate. If they are not successful getting past the gate, I don't really care so much. Okay. So how do we tell if they're inside the network? So we have other security probes inside the network. We have probes in the switches themselves. We have every network segment firewalled from each other. And in some cases, we have absolutely zero trust. So every connection to any machine is checked and firewalled. It depends on how much cybersecurity you need.

So this is a report from a cloud automation firm called Lacework, and they talked to 500 security practitioners, blah, blah, blah, right? They are saying that the vast majority of respondents regularly have to deal with at least a 20% false positive rate, and a third deal with a 50% false positive rate.

The analysts are not alone. Only a third of developers believe that the time spent on security is meaningful, according to the survey. And frankly, that's what we have found as well. And that's why we have automated systems. And the automated systems say, whoa, this looks really bad. And that's when a person gets involved.

So it's a real problem. Now here's the next step. And the next step is, well, we had so many people who were working from home because of the lockdowns. Following the start of the coronavirus pandemic, according to this article from Dark Reading, organizations quickly moved operations to the cloud. We know that's true. We've seen it. We've helped companies secure themselves from their hasty moves to the crowd, the cloud. But after two years, companies still have a long way to go before moving all their operations to the cloud: less than half of respondents consider their most important applications to be cloud native. Now, this is really important, because some companies have been moving, and particularly some of the larger ones, moving critical applications back

Now the cloud is wonderful. A lot of vendors love the cloud because it's MRR, monthly recurring revenue, right? Yeah. You can use my software, but you have to pay me every month. Oh, and by the way, I don't want to support you guys anymore. I don't want to have to get onto your servers and take the support calls.

So I'm going to do all of this on my servers. We'll call it the cloud. Maybe it's on Amazon or Azure, or maybe it's in my data center, whatever. And I'm going to charge you a premium. What's happening with your data when it's sitting on their computer or Amazon's or Microsoft's computers out there? It's a very legitimate question and a very concerning question, frankly.

Cloud apps, particularly those that aren't specifically security related, won't have the types of details on security that are really needed.

So you talk about all of the false positives that you have as a business in your own networks. How about the false positives that these guys would have in the cloud? The bottom line is, forget about it. You can't see any of those security breaches. You don't know if your data has been stolen, et cetera, et cetera. And that's why we use a Cloudlock in front of all of these cloud apps.

Now, this is fascinating too. This is from our friends over at Burning Glass Technologies. Only professionals with application security experience were expected to be in greater demand, with a five-year growth rate of 164%. Okay.

Yeah, and they're talking about 115% growth as well. Hey, visit me online. Get all of this information and more, including a little bit of training, right at CraigPeterson.com. Go there right now at the very top. You can sign up, get my newsletters, and get my special reports. CraigPeterson.com.

So we know already hackers went wild. So what are the things we should be doing to help keep ourselves safe? Five things we're going to go through right now. How to stay safe. This whole thing with hackers, it's just so annoying. Well, I got hacked back in, now I'm trying to remember, '91, '92, something like that.

And it really sent me for a loop. Took me about three days to figure out what was going on. So I had a couple of DEC servers. You might remember those, Digital Equipment Corporation. I was working for them as a contractor. So I had purchased those systems and I had them in my data center that I had built in the building that I bought.

And it was down on the ground floor. It was something I was really proud of. It was just cool. It was so neat. So I was down there in the computer room trying to figure out what had happened.

Because my customers were calling and complaining that the email wasn't working. It wasn't going through. What was the matter? I had banks of dial-up modems. I had my T1 lines going to the internet, which cost a pretty penny. And all in all, just trying to figure out what's what and how did this happen?

And it turned out it was a backdoor that was purposely built into the mail application. So the mail application, it was Sendmail I was using at the time, still a great mail program, but I tend to use Postfix now. And then, of course, I use again Cisco's advanced mail filters, and often we'll use Microsoft email for businesses and then put the additional mail filters in front of that. But Sendmail had this feature so that you could get onto someone else's mail server that was misconfigured and reconfigure it for them.

Which was really a cool idea. It worked great for years when the internet was a safe place, when it was just us online. A bunch of wonderful people, libertarians, trying to spread the word and the gospel of libertarianism and sending jokes back and forth and using Usenet and everything. This is before websites even existed.

And it was a shock to me to see what had happened. And it was something called the Morris worm. And one of these days, well, we should probably talk about that whole worm thing, but it nailed me, and my machine was spreading it to other machines on the internet. And the reason it all slowed down and the mail stopped was that it was so busy spinning off new processes to find other machines to infect that the machine just ran out of gas. So it was very frustrating. And although my business was a technology business at the time, I've almost always had technology businesses, but it was not an internet security business. Who was dealing with that then? Nobody, because it was barely legal to do business on the internet. I think I was doing it before it was actually legal to do business on the internet.

It was just Al Gore and me back then. That problem really got to me, and none of my customers understood what had happened, and there was no reason to even try and explain what a worm was and stuff. I just said some hacker got in, and of course back then, hacker was a term used for people that were not professional computer programmers. A hacker was somebody that sat there and hacked code and tried to figure it out and tried to put it together. That was a, what do you do? You tell them the basics of what happened and you continue on your way.

So I almost lost the business. Frankly, I ended up losing some customers over the next few months, but not very many. So it worked out okay. But then in talking to friends of mine, I found out even more of them had been hacked and that it was a serious problem. What did they do? They turned to me, because they knew I'd been hacked before and they knew I was a techie guy.

And I went on and I built some big internet systems. I built the largest website in the world at the time.

And it was, you might be familiar with it, Big Yellow or yellowpages.com, any of those sorts of platforms. I built the first one of those and got that up online, built the whole data center and even had to make our own routers at the time and firewalls. We actually designed one of the world's first firewalls and that was my design. And I had a couple of guys that helped to implement it with me. We had to do everything back then.

And ever since then, I've had a focus on this because one of my clients had a million dollar a day lottery system down in New York City. You got to keep that safe. And they were sending out millions of emails. So I had to learn about the email security, all of that stuff. So I mentioned all of that to you guys because think about the position you're in now. I don't think it's much different than the position I was in 30 years ago.

But you don't want to spend all of the time that I've had to spend the last 30 years to understand this better and to learn how to protect it better. So that's why I do what I do. I try and get this information out to you. Here's another article from our friends at Dark Reading, and it's a letch. I think they invite people to come on and write things for them.

But he's talking, okay, he's the product strategy manager over at Ubuntu, Canonical. They've been around quite a while. Ubuntu is a Linux distribution company.

So what's happening? We know about the Colonial Pipeline, right? We know the hack that happened and how bad that hack was. It was absolutely huge, and it affected all of the East Coast for fuel. Every kind of fuel you can think of. A real big problem. Russian-linked hackers were the hackers that broke into this. Okay. Probably the largest hack ever on a U.S. utility system. I'm pretty sure it was SolarWinds. Another big hack. They hacked companies that were providing services to businesses, including security services, right? That's why we don't use them. And we reported serious security problems to them a year and a half before they were hacked.

Did they fix them? No, they did not. So this article goes on to talk about how through September in 2021, there were about 1,300 breaches in the U.S. Again, these are reported breaches. And they broke the all-time record last year. No two ways about it. And then President Biden in 2021 came out with an executive order that is now forcing the federal government to eventually become secure, and the Department of Defense, and the Department of Defense contractors. Okay. Very big problem. He's trying to fix it. Of course, Trump tried to fix it and President Obama tried to fix it. Everybody's tried to fix it. And so far it just hasn't happened. And our typical IT teams really are struggling trying to stop some of these intrusions, including the more sophisticated ones, which are the intrusions that tend to be coming from nation states. The intrusions that are coming from China, Russia, North Korea, and Iran. Those are the main guys that are coming after us. So what are the things you can do? And I'm going to explain these kind of briefly.

You can, of course, look this article up yourself, but it is on dark reading. And if you're watching this on video, you can follow along a little bit. Zero trust is the first thing. That is the new, if you will, kid on the block or newer when it comes to cybersecurity. Because what it does now is it assumes all traffic on your network needs to be monitored closely because it could be a threat.

So at the very least, you're monitoring all the traffic. We do that for our clients as well. And you can get into very sophisticated firewall rules, which again, we have to stop certain applications from being reachable from machines they should not be reachable from. Okay.

So there's no silver bullet to put zero trust in place or even to make it work, but you need to do it. So if you're responsible for cyber security in your business, to some degree, check out zero trust. Next one. What data assets do you have? Because you need to protect them. This particular article is calling them a software bill of materials.

But you need to know what you have to protect. What software are you running? What data do you have? What data is controlled by regulations, federal regulations, et cetera. You have to know all of that. You have to secure it properly.

You need automated vulnerability management. That's why we tie into the biggest real-time database of hacks going on in the world. And we use that in real time, again, to protect endpoints and to protect network points. Secure configuration. That's another thing we do. I'm going to probably have this as part of a webinar, if you will, or at least a course on it. There's about 250, yeah, that many changes you have to make to Windows to try and secure it. In fact, I have behind me this book. It's probably about five inches thick. It's a binder on how to secure Windows 10. And it's gotten even bigger with Windows 11, okay? And you have to be aware of the regulations you have to comply with.

Now, at the very least, every last business out there needs to comply with what's called the NIST CSF. I'm helping another company right now gain compliance with this. This is the National Institute of Standards and Technology Institute, consumer security, not consumer, computer security framework, NIST CSF. It is the basics out there. There's others that get more complicated. The CMMC, the PCI DSS, HIPAA, HITECH, right? We can go on and on, but

Those are the five things. Zero trust, know what data you have, what software you have to protect, automatic vulnerability management. I'm telling you, you're not getting that buying something from Best Buy or from a big box retailer online. Secure configuration and regulatory awareness.

Hey, thanks for being with us today. It has been fun. I enjoy sharing this. And I really realized that this morning even more. This is a blessing for me. Hopefully it's been a blessing for you. Check me out. Go online and get my newsletter, CraigPeterson.com and have a great week ahead. Take care. Bye-bye.
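Two of the five practices above, knowing what software you run (the article's "software bill of materials") and checking it automatically against a feed of known exploited vulnerabilities, fit together naturally: the inventory is the input, the feed is the lookup. The Python below is an added example written for this page; it is not code from the show, from Craig Peterson's company, or from the Dark Reading article. The host names, component versions, advisory identifiers (`ADV-0001`, `ADV-0002`) and fix thresholds are all constructed placeholders, not real advisories, and the record shape only loosely imitates an SBOM component list and a CISA-style Known Exploited Vulnerabilities entry.

```python
"""Match a software inventory against a known-exploited-vulnerabilities feed.

Added example: the inventory (an SBOM-style component list) and the advisory
feed are constructed placeholders, not real products' vulnerability data.
"""
import re
from typing import Dict, List, Tuple

# Constructed SBOM-style inventory: one record per installed component per host.
INVENTORY: List[Dict[str, str]] = [
    {"host": "bastion-01", "name": "openssh",  "version": "8.9p1"},
    {"host": "bastion-02", "name": "openssh",  "version": "9.6p1"},
    {"host": "mail-01",    "name": "sendmail", "version": "8.15.2"},
    {"host": "mail-02",    "name": "postfix",  "version": "3.7.2"},
    {"host": "legacy-01",  "name": "sendmail", "version": ""},   # version not recorded
]

# Constructed advisories shaped like KEV entries. The IDs and "fixed_in"
# thresholds are placeholders chosen for the example, not real advisories.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-0001", "product": "openssh",  "fixed_in": "9.3p2",  "due_date": "2024-07-01"},
    {"id": "ADV-0002", "product": "sendmail", "fixed_in": "8.16.0", "due_date": "2024-06-15"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.9p1' or '8.15.2' into a comparable tuple of integers.

    Every non-numeric run (., p, -) is treated as a separator, so '8.9p1' -> (8, 9, 1).
    """
    parts = [p for p in re.split(r"[^0-9]+", version) if p]
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version is strictly below the version that fixes the issue."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so '9.6' compares as '9.6.0'
    b += (0,) * (width - len(b))
    return a < b


def find_exposures(inventory: List[Dict[str, str]],
                   advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Report every (host, component) that an advisory applies to.

    A component whose version is unknown is reported as needing review rather
    than silently skipped: an inventory gap is itself a finding. Results are
    ordered by remediation due date so the most urgent item comes first.
    """
    by_product: Dict[str, List[Dict[str, str]]] = {}
    for adv in advisories:
        by_product.setdefault(adv["product"], []).append(adv)

    findings: List[Dict[str, str]] = []
    for item in inventory:
        for adv in by_product.get(item["name"], []):
            if not item["version"]:
                status = "unknown-version"
            elif is_vulnerable(item["version"], adv["fixed_in"]):
                status = "vulnerable"
            else:
                continue   # installed version is at or above the fix
            findings.append({
                "host": item["host"],
                "component": item["name"],
                "version": item["version"] or "?",
                "advisory": adv["id"],
                "due_date": adv["due_date"],
                "status": status,
            })
    return sorted(findings, key=lambda f: (f["due_date"], f["host"]))


if __name__ == "__main__":
    for f in find_exposures(INVENTORY, ADVISORIES):
        print(f"{f['due_date']} {f['host']:<11} {f['component']:<9} "
              f"{f['version']:<7} {f['advisory']} {f['status']}")
```

On the constructed data this flags the two sendmail hosts first (one outright vulnerable, one with no recorded version) and the older OpenSSH bastion after them, while the patched bastion and the Postfix host produce nothing. In a real deployment the inventory would come from a generated SBOM (CycloneDX or SPDX) and the feed from the actual KEV catalog; both use richer identifiers than a bare product name, so the product-matching step is where most of the real engineering effort goes, and the version-comparison rule would need to follow each vendor's own numbering scheme.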