Actual (00:00)
Welcome to Status Secure. Today’s briefing targets the rust in your engine. And we’re talking about the servers you haven’t rebooted in over a year and the software that hasn’t been updated since the Obama administration. In the GovCon space, we love the phrase, if it ain’t broke, don’t fix it. And I talk to people in the industry, and in this government space, a lot about this topic when it comes to their systems. And in reality, and I used to work in the military and I saw it for myself, that
you have something that works and everyone knows how to use it, and why change it? And if we did change it, what an overhaul, like what a pain to do all of that work and spend all that money. But my question for you, CISO, is you call this technical debt, and why is an old working system a threat to national security?
CISO (00:46)
Well, it’s really simple. When companies stop producing fixes, now you have a system that’s unpatched and is end of life. Because even Microsoft, even the big companies, Microsoft and Oracle, will not continue to release patches to vulnerabilities at some point. So at that point, you have an unpatchable gap, which makes that system very vulnerable because the hackers,
they love legacy systems. They’ve had a lot of time. Because if a vulnerability was discovered in, like, 2019 and you are running 2015 software, and the hacker has years to perfect the tool to break into that system, there’s no defense against it because the manufacturer has stopped making patches, has stopped trying to fix any vulnerabilities, new vulnerabilities, on those systems.
So the reality is that you’re saving money, right? That’s what you think, but you’re really buying time at a very high interest rate. So you can either pay now or you can pay later, but paying later always costs more.
Actual (01:49)
Yeah. And that makes sense, right? If you really think about it, and it’s risky, right? So let’s talk about contracts. The DOD has been rolling out the CMMC, for those who don’t know, the Cybersecurity Maturity Model Certification. And, you know, we have clients who say, hey, these are the systems that we use because, you know, XXX uses it, because the Navy uses it. Or, like, our manufacturing CNC machines run on Windows XP.
And so, but can I still pass the CMMC assessment if I have some of these old, like, archaic dinosaur tools on my network?
CISO (02:23)
Absolutely not. That’s going to be very hard because CMMC is based on NIST 800-171 and the control is, if you want to look it up, 3.14.1. But it basically requires you to identify, report, and correct system flaws. So if a system is end of life, it can’t be corrected. So you’ll automatically fail.
In terms of encryption, failure too, because you have to use the latest encryption technology. Right now at this time, I believe it’s FIPS 140-2, but, you know, it’s whatever is the latest. So on an old server, sometimes you can’t even use the latest encryption. So if you put sensitive data on that box, you are already non-compliant. You already fail.
Actual (03:08)
Got it. So if I’m a CEO and I can’t afford, let’s say, I don’t know, a $2 million overhaul of my entire factory floor just to update software systems, what does that mean? Am I a business? Is there a workaround? Is there another way to set myself up in a way for success?
CISO (03:09)
All right.
Yeah, I mean, if you’re a security person, you know, you isolate it, right? Basically, you are quarantining it. You put it into what’s called an enclave in CMMC, right? So this way, you know, even if, well, it makes it harder for someone to get to it. But if they were to get to it, they could not, you know, do lateral moves into other systems that you have.
So think of it like a patient with a contagious virus. You don’t put them in the waiting room with everyone else, you put them in an isolation ward. If you have a Windows XP machine, for example, you can air gap that. That means it won’t touch the internet and it certainly can’t touch your network and your sensitive data.
Actual (04:13)
Okay, got it. So, okay, let’s talk about it from the money side of things, because replacing an ERP system or a fleet of servers, it’s a massive capital expenditure, right? And it hurts the bottom line, maybe this quarter. So make the argument to me, why is writing that check today cheaper than waiting?
CISO (04:14)
Thanks
Well, if you get an assessment, right, and let’s just call that an assessment tax, right, if you get an assessment, you can probably get a certified assessor, a C3PAO, for 30 to 50,000. You can find one. So if they come in and they see that you have, like, legacy systems, you know, which, you know,
are no longer supported by the vendor, they see that you haven’t air gapped or isolated that system, you’re gonna fail. So you’ve just spent $30, $50,000 to tell you what you already know, which is that you’re using old systems. That’s not where you wanna spend $30, $50,000 when you could have spent that to upgrade it. So the ransomware…
you know, ransomware can, the people who do ransomware, they scan specifically for legacy systems, like RDP on old Windows. They know you can’t restore easily, right? Because they’re old. When that legacy server goes down, your production line stops. That costs way more than a new server. Right? So again, you need to think about that. Pay now or pay later. And pay later is always more.
Actual (05:46)
Got it. Yeah. And so if we’re going to take this conversation and, let’s say there’s someone listening who is in that space, they’re in that industry. Maybe they have this problem, or maybe they’re in this current situation and they are a decision maker. What would you tell them? Like, what kind of marching orders, if you will, would you give them?
And maybe what’s their first step, something actionable that they can do after they are finished listening to this conversation?
CISO (06:15)
The first one is always inventory. You can’t protect what you don’t know. So the first step would be to get an inventory of your end of life systems, your old systems, your legacy systems, whatever you want to call it, but get a list. Know where they are. Once you get that list, you need to then figure out a plan for remediation. That should be, so if you’re looking at NIST,
you need to have a system security plan for each of those systems. You need to create a plan of action and milestones to remediate that. You can’t hide them. You have to manage them. You have to identify how you’re going to manage that risk, those old systems. And if you do that, it makes it a lot easier for the CMMC auditor,
because they can see you have that list, you have a plan, you know you’re managing it, and hopefully you’ve at least isolated them.
Actual (07:12)
Yeah, got it. That’s good. So something I want to do right now is, when we were discussing the topic for this conversation, we discussed some other things and this is something you wanted to talk about. We adjusted the title, we adjusted the content for today’s episode. And so if we could take a few minutes and some time here, can we just riff a little bit and let us know a little bit more that’s on your heart, right? A little bit more that’s in your…
in your experience, what you’ve seen, and why is this subject important to you? Why do you think it’s important for people listening?
CISO (07:43)
Well, I mean, in the private sector, especially if you go to Silicon Valley still, they’re very fast. They innovate really fast. They move really fast. They try to stay on the latest. So it’s interesting that our government agencies and government contractors and vendors, they don’t move as fast, but they should. I think it’s very important that,
you know, that with all of these legacy systems, not only do you increase your risk, right, but you can actually see all the damage that has been done. You can just look it up, search, search, search, you can see agencies that have been breached or had ransomware, you know, and then check. Most of the time it’s because of these legacy systems. It’s preventable, right?
Again, you know, trust, public opinion, that all matters in this space. So take care of it now or it will come back, and it will come back with a vengeance.
Actual (08:45)
Yeah. And maybe something I’m curious about, you know, to hear from you is you talked about working with, you know, let’s call it tech startups in Silicon Valley, who do move fast. Right. And they want to use what’s the best thing right now. Be secure. ’Cause money’s on the line, you know, and a security breach, something like what happened to CrowdStrike, right, or just these things can hurt the company, which then can
hurt the valuation of the company, which, if you’re, you know, a venture capital firm who’s highly invested in the company, you don’t want that to happen. So I would hope that this is something where they’re like, be secure, be on the new stuff, right? Be, like, cutting edge. Let’s move quick. Let’s make a lot of money and let’s not be blown out of business because of a security breach. And so you’ve worked in that, and then you go maybe the next day and you’re working with a DOD entity of some sort.
And so from your perspective, what does that shift look like? What does it feel like?
CISO (09:39)
Sometimes it feels like I’m going back in time, to be honest. Sometimes it feels like, am I working with this system? It’s been gone for a long time, but I see it here. It’s almost like being an archeologist sometimes. And so that’s why it’s important. Going into a government agency or working with a government vendor,
I should feel like, wow, they’re using the latest technology. They’re even ahead of tech companies. But that’s usually not the case. Usually the case is, well, I haven’t seen this system in, like, 20 years. Or 10 years. Maybe that’s exaggerating a little bit. Maybe 10 years. I haven’t seen this system in 10 years. I remember they were having a hard time finding a COBOL developer. There are still systems using COBOL.
Who remembers that? But those systems still exist. They should be gone like the dinosaurs.
Actual (10:31)
Yeah. You know, what’s interesting is, if I think about it, and maybe it’s a naive thought, right, a government agency should be more secure than, just like, a company that’s holding onto customer data from, like, how they interacted with my app. Right. And you think, well, there’s things over here on the government side where this is some pretty important information, right, that’s not being protected
as securely as it could be. And I know, like, from my background, if I’m securing my house from just everyday people, there’s maybe a protocol for that, right? And it could be fairly normal, maybe, or something. I can go get a lock from, like, Home Depot and then that’ll keep the intruders out, maybe a security system or something. But if
I know that there’s a state actor. Like, when I was trained, I wasn’t training for, like, you know, the 18 to 25 year old people driving around neighborhoods, reconning houses and trying to break in and steal, like, a TV or something. Right. Their skillset is probably not very good, but I was trained for people with much higher skill sets, and you’re training for nation state actors who are like, this is their job. This is what they do.
And so there are those types of people you would imagine are targeting government entities. And so to me, it seems backwards, right? Shouldn’t these entities, shouldn’t the people working in that world have a higher level of security, you know, around them, as opposed to maybe the home of someone’s personal, just like everyday average Joe’s house?
CISO (12:01)
Agreed. Agreed. I mean, there’s so much sensitive data, highly sensitive data, in the government, and they have access to a lot of personally identifiable, but really sensitive, data that could potentially create chaos in the world. And financial stability, infrastructure stability,
and just a sense of peace with people, right? So civil unrest, which we’ve seen, right? There’s a lot of data that can be used for bad things. So I agree that in the government, every person, every employee of the government, should feel like security is their
priority, their responsibility, that they are accountable to protect every citizen, every person, you know, that has, that would, I would say it’s in their domain, which is the country, really, right? But that’s their, they should feel accountable and responsible for that.
and they should add it.
Actual (13:08)
You know, this,
Yeah. And that, you reminded me of something that happened when I was in the military, and it’s interesting. ’Cause it’s like, and they’ll use these techniques. It’s like, there’s this highly technical security system and infrastructure set up, and these firewalls with passwords and biometrics and all these things. Right. But then you have, there’s a, China went to, like,
and it’s so simple if you think about it, they took, like, the DOD login, which, everybody has, like, some kind of government account, right? Their personal account is just kind of how they manage their, it’s like their employee account. Right. And they just created their own domain, same domain, but with a different tail at the end of it, you know, dot something else. And then they started emailing people in the military, and so many people took that link, clicked it, went to log into their account and basically gave away their passwords.
Right. Their username and logins, and so many military personnel, military accounts, were breached that way. And I know we’re not necessarily talking about that, but it kind of made me think about that, that even though we can have our eyes on security, like we do, right, we want to make sure the infrastructure is secure, there is still that element of maybe what you would call, like, social engineering. Where if you just open the door for somebody, I mean,
this is, have all the security you want, but you just let them walk in and take all your stuff. Right. So I think that educational component is also important, to understand that that stuff is happening as well as the crazy technical stuff that’s coming your way too.
CISO (14:33)
Absolutely. People are always the first line of defense. So everyone should, especially if you’re in the government, even if you don’t have a security clearance, you should walk around like you do. That it’s your responsibility, and double check everything. Triple check if you’re not sure. Don’t just randomly click on things or mindlessly click on things because you just skimmed it.
Like, that’s not a good practice. And then once you get the human more secure, then even if you have legacy systems, hopefully it mitigates some of that. But you need both, right? You need the human, you need people to be more secure and not be falling for social engineering traps,
and then you need the systems to be secure. If they do get past the human, the system will keep the bad person out, the bad actor out.
Actual (15:26)
Yeah. And on that note, you know, we’re going to cut it here. And so, talking about the systems, innovation is a requirement. It’s not a luxury. If your systems are stuck in the past, your business is not going to survive the future. Right? So let’s clear the debt. Let’s secure the network, because mission success is about preparation and we need to be executing to the standard. So on that note, we’re done and we’ll see you next week.