Cybersecurity: Amplified And Intensified

4. Industrial control systems are the low hanging fruit.

April 07, 2021 Shiva Maharaj/Eric Taylor

The Iranian nuclear facility hack, CMMC and those selling into the DOD compliance space.

Eric Taylor
Twitter: barricadecyber
www.barricadecyber.com

Shiva Maharaj
Twitter: kontinuummsp
www.kontinuum.com 


BARRICADE CYBER
Barricade Cyber provides Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
Because you're entitled to support that's actually supportive.

Otter.ai
Otter.ai provides audio transcriptions services to help you get your message across.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!


Shiva Maharaj  0:00  
This is the Cybersecurity: Amplified and Intensified podcast. So what's on the docket for today?

Eric Taylor  0:07  
Not too much. I know I keep saying that all the time. But I don't think there's really too much on the docket today. But definitely want to see if you've heard about how Iran is blaming Israel for the sabotage of their site, and really talk about CMMC again, and see how it may be impacting some of our vendors now that I got turned on to the new website that may actually be helping us out.

Shiva Maharaj  0:31  
The only thing I would want to add to that is maybe some industrial control system stuff since we are talking about Iran and Israel. And some news reports actually indicate Israel has taken accountability for being the ones to go after Iran's nuclear power plant and shutting down the power this week or last week.

Eric Taylor  0:50  
I just got brought up to speed or not even up to speed because you're even telling me stuff that I was unaware of. But I started seeing across my feed about two hours ago that I knew that Israel supposedly went after Iran, I didn't know that they actually shut it down, or anything like that, I guess, bring us up to speed on that.

Shiva Maharaj  1:09  
I wrote a couple articles this morning, indicating that Israel has taken responsibility for the lights out at the nuclear facility. And Israeli President Netanyahu said it is their responsibility, and I'm paraphrasing here, so I could be wrong, so please take it with a grain of salt, that it is their responsibility to mitigate any risk of Iran becoming a nuclear power. And some are even dubbing it Stuxnet part two. If you remember, Stuxnet was one of the first industrial control system worms that Israel used against Iran many years ago, as the dawn of the industrial control system takeovers.

Eric Taylor  1:49  
You say the dawn and I'll do a little pun here. But referring to the dawn of Donald Trump, I do wonder, when Donald Trump did pull out of the nuclear deal, if this helps spark any of that at all. What do you mean? Well, didn't some of the nuclear deal help govern and make sure that some countries did not maintain nuclear silos and things of that nature, and by us pulling out of that, you know, removed a lot of enforcement from us against third world countries?

Shiva Maharaj  2:18  
No, I think it's the I triple E that regulates any of the nuclear treaties. But let's be realistic here, back in the 90s, India was told they could not become a nuclear power. And they did it under the noses of most intelligence agencies until they did a live detonation on the ground. Same thing for Pakistan and some of the other countries. So I don't think countries are going to allow other countries to tell them if they may or may not become a nuclear power. Iran, on the other hand, has the issue of being under a trade embargo with many countries, not just having the US go against it. So I wouldn't blame the US pulling out of nuclear proliferation talks with Iran for this. They were going to develop whether or not we had a dog in the fight.

Eric Taylor  3:10  
Yeah, I guess kind of circle back a little bit. Make sure we don't get too political on this, because this is technology, not political talk.

Shiva Maharaj  3:16  
Hey, man, technology is political at this point.

Eric Taylor  3:22  
I guess, do you think, from what you're seeing so far, that at least everything I'm seeing that this is just a continuation? I mean, back when I was in the Marine Corps, and we did a lot of OSI stuff that there was a lot of this stuff going back and forth, even back then and late 90s and early 2000s. So, you know, it's been going on this long, so I can't imagine this ever slowing down for any reason at all. Is that kind of the same thing with you that these cyber threats between these two countries are really going just keep going? If not, maybe potentially escalate to potential war of some sort.

Shiva Maharaj  4:00  
I got a few words for you. I think everything will be amplified and intensified. Tell you like them apples.

Eric Taylor  4:07  
There you go. Circle, full circle. I guess the other topic I really wanted to talk about, well, that was CMMC. Yeah, there's been several sites that have come out, at least to my knowledge, that really started diving in about who is supposed to be FedRAMP who's not supposed to be fed or after who needs to care about this and stuff like that. And there was some really interesting stuff in there. So as a full disclosure, you know, I've said it before we use for that we use some Ubiquiti stuff even though we're strongly reconsidering that, but when you start looking at unclassified content, and what's being managed and what's being monitored, there's still a mix out there, you know, if we use a Sophos product and use in the central Sophos port or in my world is supported ad. So, you know, we have for the analyzer and for to manage with all of our clients, plus you got the Ubiquiti for the networking side of things. This can potentially cause us having problems when we're trying to go through our accreditations, you know, because they are not FedRAMP. And even so post isn't, I know, Fortinet is, to some degree, going down that path. So we may have to change the way we're doing it with our ordinate stack and go full on for that. I don't know, but what are you seeing in your side of the world with some of that stuff?

Shiva Maharaj  5:38  
I think CMMC is a good play in general. I like the tiered approach; it gives people and companies of different sizes and maturity a way to scale or be a part of something. The issue I have, in the managed services side: you have a couple of the big players in managed services wanting to sell some type of ability to check on CMMC compliance when none of their products are even close to being FedRAMP Moderate. And it's what I was discussing with you maybe last week, where I think there's a whole lot of CMMC training and compliance snake oil being offered up, and you have a lot of inexperienced IT providers who will take that to mean they can pay for these services, and they automatically become CMMC 1, 2, 3, 4, 5 compliant. And this is where we need to invest in the education of our industry.

Eric Taylor  6:39  
Yeah, absolutely. You don't, you do not have to be CMMC compliant, you don't have to be CMMC, any level, to consult on CMMC, which is really ironic, you know, so you could have some company out there that will supposedly put you through CMMC compliancy. And we're seeing a lot of spam mail coming out saying that I have for 25 bucks a month, we'll help you get there, when you and I both know it's gonna take a lot more than $25 a month at least, you know, Darrel Ray, you're talking about a three to five year one, right? As well was even email out last week from some Israel SOC providers. We all kind of know that Israel is not going to go under a CMMC of 11 level, because why would they have to? Nothing against Israel or the awesome stuff that comes out of that country, but why would they put themselves through that scrutiny when they don't have to?

Shiva Maharaj  7:37  
To put context to this, and I don't mind saying it because, well, why not? They're just talking about Cynet. They are an all-in-one endpoint detection, monitoring, response, SIEM, SOC, and everything else under the sun. They were probably doing XDR before Palo Alto tried to make it a thing with Gartner or one of the big boys. Based in Israel, all their talent is in Israel, so that precludes them from being CMMC compliant. But they are now advertising their services to MSPs that want to be CMMC compliant and operate in the DOD subcontractor space. Is that a fair description?

Encrypted  8:18  
I see that. Hey, guys. Yeah, this is Encrypted. I have a couple of quick questions. Can somebody maybe level set and help me understand what CMMC

Shiva Maharaj  8:26  
CMMC is the Cybersecurity Maturity Model compliancy. It is what the DOD is in the process of putting in place so that their subcontractors, from the Raytheons of the world go down, can have certain security standards in place as it relates to their IT services. So the closer to the DOD you get, as a supplier, you should probably be a CMMC level four or five. And as you trickle down the supply chain to the shipping company that supplies to a third or fourth line vendor, you should have some form of security in place to handle securing the supply chain.

Eric Taylor  9:07  
Yeah, just for clarification, Encrypted, the CMMC will be replacing the DOD's mandate for NIST 801 71 as part of its cybersecurity policy, so you'll, you'll fall underneath one of five levels of compliancy. And to help streamline at least a little bit. So, you know, as they're trying to go through some certain compliancy regulation, you don't have to figure out, okay, which version of NIST or which version of this or which version of that am I supposed to be on? You know, now we're just going to go through one of five levels. So it's very much a tiered approach of how you fall in line with your mentality and with where you are in your security lifecycle. Does that help answer your question?

Encrypted  9:54  
Yes. Thank you. I appreciate you helping me understand the larger context. So let me just, to make a summary just to make sure I got it right, so you're saying CMMC is this: if you're a vendor, if you're a commercial service provider, and you plan on doing work for or becoming a vendor for the DOD, then in the past, and that's going to change very soon, you were asked to comply with NIST 801 71. Within all the CMMC. And there are tiers or different levels, depending on where you are, kind of like the CMMI. And do you know when the switchover will happen from NIST 801 71 to the CMMC?

Eric Taylor  10:36  
They originally talked about doing this in February of this year of starting that, but that plan was put together in the middle or the beginning of last year. They were trying to do a one year ramp up just like they do with, you know, HIPAA, and things of that nature. But since a world COVID is no, I keep paying the same, you know, the old COVID. But we are definitely in that my since the world of COVID, you know, things have been pushed back where CMMC auditors are just now getting verified and going through their accreditation. So I would probably assume the end of this year or beginning of next year, they're going to start rolling out mandates for at least level two, or level three accreditation to keep going. And then you'll have to be sponsored into a DOD prime to get levels four and five. But if you ever have any questions about that, definitely, and I'm not the all knowing guy, but I'm definitely in the mix trying to go through it for our organization. So you can definitely connect with me on LinkedIn by my profile here. So if you have questions, definitely reach out to me, you know, outside of this, but you know, we're, we're in these calls every week. So you know, either way you want to go.

Shiva Maharaj  11:47  
One thing to add is that companies are going through self-assessments right now, so they can see how they measure up against the controls of levels one through five. And once the auditors are in place, then you will get your date scheduled where you begin your audit process. The really good, cool thing about CMMC is that it will not be self-attestation.

Eric Taylor  12:11  
So, Encrypted, just not to disclose too much about yourself, are you in the software business now?

Encrypted  12:18  
No, I'm an auditor.

Eric Taylor  12:20  
of federal compliancy auditor or

Encrypted  12:24  
I'm trying to venture into the cyber zone, federal public sector area, but primarily, just PCI stuff to try to spots to an office block three things of that nature, ISO 27,002, with 2000 27,001. It's that sort of stuff. And I'm very interested in this. What are the 171 53. And there's another one that I'm looking into, 37, which is related to the governance and risk management framework. So this piqued my interest. And I'm curious about the transition and what he experiences from Eric, if you're currently our NIST 801 71 compliant, and now you're going through that transition to the CMMC, whatever, level two or three, depending on what the mandate would specify, he has no self education. So it's not faith based assessment, you have to have people come in and look at your controls and stuff like that. How does that roll over? Are you starting from scratch with the CMMC?

Eric Taylor  13:25  
No. So when you're going through CMMC, there is a lot of overlay, right? I mean, you see that with a lot of your federal compliances when you're going through SOC and ISO and things of that nature, you know, there's a lot of models that overlaying each other. And the same thing will be true with the CMMC. What our current recommendation, well, I shouldn't say our, least my current recommendation for anybody that we're talking to you is start the self assets nation of CMMC. And prepare yourself for a release that security mindset. Even if you're not in the DOD space, having that mindset and least provide our you'll gain yourself up to a certain security level will help increase yield all the way around. I mean, he's never met me before, but we're a cyber security firm, incident response firm. So while it'd be bad for business, but it'd be good for the country, so to speak, you know, so getting everybody to that level would be awesome. But if you can get people, at least in when you're doing like you're consulting, just like I'm getting them there. If they have to pivot to a certain federal regulation after even sort of affectation to actually become compliant with ISO or whatever. They can easily change a couple things out a couple things. And once a couple of things, why are you talking less than 10 or 15, control vector or controls in their organization, and be there really if you go in at a level three 98% for any type of vertical, you need to pivot to, you don't have to redo the entire wheel, if you will.

Shiva Maharaj  15:08  
I think one of the cool things about CMMC is it gets rid of the various NIST standards, it gets rid of DFARS. And when I say gets rid of, it puts them all into a single language that everyone can speak. And by having that tiered approach, you know what level of controls a company has. And I think every IT provider should invest in controls in their company. And if they can adopt to the CMMC lifestyle, it will only raise the tide of the industry.

Eric Taylor  15:43  
Oh, absolutely. CMMC really does have layers of complexity with a mobile workforce too, which is causing me a little bit of issues, police myself application, most of the time I'm remote, whether I'm at my house, or on a site doing a pen test, or whatever the case is, right? So making sure I document and stuff like that, like even my home office, do I'm not supposed to log every time my little ones come into the room type stuff. I know we kind of joke about that. But there's a lot of stuff that needs to be considered, and Encrypted, for you being a consulting firm going into this this. You've taken a wide approach, if you will, when you're starting to work at this stuff and starting to go into this, even just to do a security baseline will be awesome for your consulting business, I would imagine. Absolutely.

Shiva Maharaj  16:34  
Raising the level of the entire industry is going to help. I think we've seen very well since December, we the countries have been under siege by cyber attacks. And now is as good a time as any to start raising our game. I saw that there have been a lot of articles out there referring to building infrastructure and security enhancements across the country as well as supply chain. So as I said, this was a good start to

Encrypted  17:05  
that. And Eric, I heard you mention FedRAMP. Earlier, does anybody know much about who would have to be FedRAMP certified, what happens is is that it goes to their registry, that was undergone FedRAMP. And he's currently said rim 40 federally compliant and whatnot, I'm a little confused as to who it applies to, if you are a cloud service provider, or if you're trying to provide services to the public sector of the government, then you would have to complete that what if you're relying on a cloud service provider, but you're not the cloud service provider, you provide a component of a service,

Shiva Maharaj  17:45  
From my knowledge of CMMC at this point, whatever you use should either be FedRAMP compliant, or in line with FedRAMP requirements. So if you're going to choose a cloud service provider, their security controls and controls in general should line up with what FedRAMP is looking for.

Encrypted  18:05  
And that alignment is determined by you completing a self assessment of FedRAMP self assessment.

Shiva Maharaj  18:11  
That I do not know, Eric, I know you sent me something on this very question earlier this morning.

Eric Taylor  18:16  
Yeah, so FedRAMP, they have an auditing firm that goes through it. So it's not, you did, there is a self assessment that is available to you that you can get yourself ready. And then there is an auditing body, and the name escapes me at the moment. But there's an auditing body for FedRAMP. So when you're looking at your cloud infrastructure partners, Amazon, AWS, even your firewalls or switches, you know, anything that from your internal network connects to an external identity needs to start looking at these things, FedRAMP Moderate, within the next year. If you're looking at new vendors, you know, you need to ask them these questions: are you FedRAMP? But what level are you at that ramp? And what's your roadmap to get to at least a FedRAMP Moderate or FedRAMP High, you know, depending on the level of stuff that you're going to go through. In general, if people can get at least two, you know, this is maybe a little overkill for a lot of companies. But if you want an internal companies, I should say, but if you are a consulting firm, any shape or size, you need to be looking at FedRAMP Moderate vendors, because you have access to so many people's data and infrastructure. You need to secure your stuff more than your clients do.

Encrypted  19:30  
Oh, funny in my head, but I'm on their website right now, marketplace.fedramp.gov. And it was with consulting firms or the quote unquote assessors that can help do that valuation to figure out or do that gap analysis for you, and it has the void and, you know, like you would expect center Booz Allen. And when you say moderate, I'm assuming that there are tiers. It doesn't specify, oh, no does. It was low, moderate. And then in On case of like Adobe, they have several listings. One of them is LI-SaaS. And it doesn't, it doesn't have a moderate, low or high designation, that means

Eric Taylor  20:10  
They may be FedRAMP ready, or there's no designation assigned to them. So if you're choosing a vendor that has to meet a certain compliancy, then you're not going to use that Adobe product. If you're talking about federal, if you're talking about Adobe, as a general sense, if you have to have FedRAMP, at any level, you can't use Adobe cloud, because Adobe cloud is a multi tenant thing, just like a regular Gmail account, we can't use regular Gmail, if you're in a turnaround situation, you will have to actually buy and secure the individual licenses for the workstations as a standalone instance, if that makes any sense. So you got FedRAMP ready, which means they have completed their self application. And they're ready to go through the process of being certified. And then they'll go through low, medium, or low, moderate and high, depending on the security clearance that they want to be able to offer, so to speak, right? And what that level of separation is between a company and you know, the one several levels of zero knowledge. Do they have been to your infrastructure?

Encrypted  21:17  
That makes sense. I have so many questions about the drain specifically, go for it. A FedRAMP. It looks like there's a ready, in process, authorized, like I said, and there is a portal that I discovered, it's called UCF, it helps you map standards against each other because there's always overlap. And if you've done work with the government, the public sector, instead of going out or articulating the security requirements, they want you to comply with the keep referencing other standards, and the rabbit hole goes deep, as opposed to the rat hole. Two different things. But if you want to compare two different standards to see if they overlap, what your delta is that UCS platform, and it's six months of every time you do a build this will they call it a mapping against one standard against the other. So right now, I'm trying to figure out if FedRAMP or CMMC, if there is overlap, because I feel like you're just out forcing, there's nothing really. And it takes me off when people say terrestrial data center, like as opposed to what. So I feel like there may be overlap between the NIST or CMMC, and FedRAMP. And if anybody knows, areas that tend to be unique to FedRAMP, as opposed to CMMC, or NIST 801 71.

Shiva Maharaj  22:38  
I think that the CMMC compliancy is meant to govern those of us in the supply chain for the DOD. I think FedRAMP is more related to what the government agencies are allowed to use. So they've gone ahead and created a curated list in the case of federal marketplace, so that agencies can shop for low, moderate, or high certified vendors.

Encrypted  23:07  
So moderate, what derives that classification is it that you will have access to SBU or sensitive but unclassified data as opposed to other sensitive data?

Shiva Maharaj  23:17  
I would imagine that a high compliance would mean you are dealing with classified information. Moderate, is probably lower variations of QE and low I, for the life of me, I can't understand why you would want low on anything to do with federal compliancy. I just don't see the point that

James  23:38  
The last couple of weeks have been an increased amount of ransomware attacks in organizations. What would you recommend a company that has been freshly started or has been in the business a long time to put awareness in the organization?

Shiva Maharaj  23:56  
Like you might if I take this Eric,

Eric Taylor  23:58  
go ahead, and I'll have my two cents.

Shiva Maharaj  24:00  
I think what they should do is go to barricadecyber.com, two r's, and book some time with Eric.

Eric Taylor  24:07  
Thank you barricadecyber.com.

Shiva Maharaj  24:09  
Yeah, if you go to Eric's profile, I'm sure he's got a link up in there. If not, he'll have it on in the next three minutes.

Eric Taylor  24:16  
Yeah, it was it was kind of saying it was where I was gonna go with. Even if you don't contact us or barricade, you contact somebody, you know, not just to be self promoting by by any means. But you need to go through and consult with some security professionals and have them really go through and assess your organization, there's going to cost money, but you can at least have a basic conversation was done by like, Okay, this is kind of what we're doing, what do we need to be concerned about and then go into an assessment phase with them, and kind of go from there. If they're not willing to at least sit down with you about for about 30 minutes, 1530 minutes to kind of have a brief conversation with you to understand your business. Because every last one of us is different, even if you put 10 down actors in the same room, you know, all of them have their own caveats, right? Whether it's IP cybersecurity, nobody wants to listen. 

James  25:09  
Yeah, that's that's the problem now, and that's why businesses get targeted.

Eric Taylor  25:14  
Oh, I don't know about that. I mean, they're targeted because they're not implementing security. And we can go into holy cow another hour conversation, because I know for a fact that I will recommend as a cyber security firm, for companies to do X, Y, and Z, and they will not do it. And they will get hit six or eight months later, and they'll come back and try to blame you. You didn't tell us about this. Oh, why? Yes, we did. We almost jumped up and down on your doorstep telling me you must do this, or you're going to be in trouble. So it really is on both sides of the fence. And, you know, if you're coming in post mortem, like we do a lot of times on the incident response side. It's hard to say, okay, who's telling the truth, who's not but it really doesn't matter. You know, the breach has already happened, whether it's ransomware or whatever, but it can be a mass in the house. The question is more, it's not able to happen, but it's when it will happen, when it will happen and are they already in your networking. You just don't know it yet. I thank you for this conversation.

James  26:18  
This was James. Thank you for having me. Absolutely. Alright everybody. Thanks for joining us. Thanks

Shiva Maharaj  26:24  
again for joining us for the Cybersecurity: Amplified and Intensified podcast.