CMMC is coming: Here’s what cybersecurity professionals need to know | Cyber Work Podcast

Frank Smith joins us from Ntiva to talk about the new Cybersecurity Maturity Model Certification (CMMC), organizations achieving Level 1 and Level 3 maturity levels, and why CMMC is so important for government contractors. Plus he discusses security for federal entities and how to get started in a career in cyber compliance by becoming a Certified CMMC Professional (CCP) or Certified CMMC Assessor (CCA).

0:00 - Intro
2:11 - Origin story
4:17 - Key projects to climb the work ladder
6:45 - An average work day
9:30 - Cybersecurity Maturity Model Certification
16:38 - CMMC over five years
17:30 - Which level of certification will you need?
19:00 - Level 3 versus level 1 certification
22:20 - Finding your feet by 2022
23:55 - Jobs to take in first steps toward compliance officer
27:27 - Benefits of CMMC for other roles
28:44 - Experiences to make you desirable as a worker
31:55 - Imperative to locking down infrastructure
37:58 - Ntiva
39:47 - Outro

– Get more free CMMC resources: https://www.infosecinstitute.com/solutions/organization/government/cmmc/
– Download our ebook, Developing cybersecurity talent and teams: https://www.infosecinstitute.com/ebook
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

      [00:00:00] Chris Sienko: Today on Cyber Work, Frank Smith of Ntiva gets us up to date on all things CMMC. We talked about the race to compliance, why many of these requirements were already on the books, and how we can secure the acres of open federal and infrastructure security just primed for breach. That’s all today on Cyber Work.

      But first, I want to point your attention to an all new ebook published by Infosec. It’s called Developing Cybersecurity Talent and Teams, and it’s free to read if you just go to infosecinstitute.com/ebook. It contains practical team development ideas for industry leaders sourced from professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JPMorgan Chase and more. Did I mention it’s free? Well, it is. Infosecinstitute.com/ebook. And now, on with the show.

      [00:00:54] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of infosec professionals and offer tips for those breaking in or moving up the ladder in the cybersecurity industry. Frank Smith, CISSP, CMMC, ABRP, brings over 25 years of expertise and experience to Ntiva. He is a Certified Information Systems Security Professional, CISSP, and a registered practitioner with the CMMC accreditation body. As the manager of the security and consulting practice, Frank currently supports Ntiva clients with CIO, CISO and security consulting services, incident response and forensics, and management of Ntiva’s security suite. He and his team have helped dozens of government contractors identify and address their requirements under DFARS clauses 252.204-7012 and 7019, develop their system security plans and set them on the path toward implementing their POA&Ms, and eventually CMMC level three compliance. So as you can imagine, with all this talk, we’re going to talk about the CMMC today, which is something I am looking forward to learning about because I know very little about it. And Frank knows a whole lot about it. So Frank, welcome, and thanks for joining me today.

      [00:02:09] Frank Smith: Hey, Thanks, Chris. It’s a pleasure to be here.

      [00:02:11] CS: So we like to start out by getting the story of our guest’s cybersecurity journey in their own words. So looking at your bio, it’s clear that tech and computers were in your blood from at least the time you were in college where you got a bachelor’s in computer science. What was the original appeal to computers and tech? And what and where did the emphasis on security specifically take hold?

      [00:02:29] FS: So I’ll date myself a little bit and say that my dad bought me my first computer when I was in high school. It was a Radio Shack TRS-80. And I learned programming on punch cards in high school in FORTRAN IV.

      [00:02:47] CS: FORTRAN. Love it. I think you’re our first FORTRAN guest. That’s amazing.

      [00:02:52] FS: FORTRAN, COBOL. You name it.

      [00:02:54] CS: Yes. Right. Right. Love it. Love it. Love it.

      [00:02:57] FS: And then just really, after I left the Air Force, I joined a company where basically I was doing computer programming, and analysis, and manpower stuff for the Navy and the Marine Corps. And then I just sort of grew through it. And stayed doing the software development, the IT, the infrastructure, and then became more security focused. And the rest is kind of history. And here I am.

      [00:03:24] CS: Right. I was going to say. I like talking to guests who are there when just even the idea of cyber security was still sort of being written and stuff. So I mean, you saw it right when people start going, “Oh, we should probably secure all this stuff,” right?

      [00:03:38] FS: There never was a thing like security. And you didn’t have firewalls per se. You did things very differently than you do now.

      [00:03:47] CS: Was there a sense of being like an honor system almost where it’s like we all know each other. I mean, like there was so little Internet, there was so little sort of like networking at the time. So was there that sort of idea of like, “Well, it’s fine. We all know each other.” [inaudible 00:03:58].

      [00:03:59] FS: Well, you had DARPA net, right? So there really wasn’t the commercial cloud like we know it now. It was a much more controlled environment. And then it wasn’t. Then when it became something else, it really became something else really fast.

      [00:04:17] CS: Yeah. So looking at some of your past positions, I like to sometimes look at people’s LinkedIn profiles. And you can kind of draw some lines through the disparate types of jobs that you’ve done to show like the types of things you’d like to do as a career. So for example, from 2004 to 2009, you worked as CIO and vice president of technology solutions at Unitech, which involved, among other things, developing processes around procuring hardware and software for clients, developing policies and procedures for firewalls, and developing study materials for the Army Program Executive Office for Simulation and Training. But in each subsequent job, you are doing higher level variants of this type of work, including facilitating training, managing security professionals, doing compliance assessments and basically creating these well-running systems aimed at making sure that the day-to-day processes can be humming unobtrusively in the background. And can you talk about your interest in this type of work? What are some of the key projects and learning experiences that allowed you to take on these bigger and more complex versions of what seem to be like variations of the same type of work?

      [00:05:15] FS: Yeah. Well, quite frankly, a lot of it goes back to I work primarily at small and mid-sized companies. And you didn’t have a pure technical career track like you would at like an Oracle. You go in there as a college graduate, and you can stay on a technical track, or you can go to a management track. When you’re in small and midsized businesses, it’s kind of a combination of the two. And so I stayed – I wanted to stay technical. I mean, I’m a geek at heart. If I didn’t have this virtual background showing, you would see this mess of circuit boards, and wires, and stuff behind me. So I like keeping my hands dirty, but basically took higher level positions in the companies as I went. And basically did that for many, many years.

      And it’s interesting to keep your hands into it. You can’t separate the lower level functions, and the database, and the code, and the networks and all those kinds of things. You haven’t been able to do that in a long time. And so it’s really been a function of the job required it, and I guess I was naturally born to organize teams and run the groups and keep my hands dirty at the same time.

      [00:06:44] CS: I like that too, because I often talk to people who are in sort of high-levels of whatever they do. Maybe they started as a pen tester, or maybe they started engineering, or making systems or whatever. And then they get to a certain point in management and they get a little sad, because it’s like, “I don’t get to do the fun stuff I used to do. I just get to manage other people doing that.” So you like to keep your hands dirty. I mean, can you walk me through your average workday at Ntiva and different things you do?

      [00:07:09] FS: Yeah. Boy! No two days are alike. And it certainly is not boring. So the CMMC and lots of compliance issues out there, obviously, I spend a lot of time helping clients do their compliance requirements. Maybe it’s preparing for an assessment, maybe it’s answering their questions. Maybe it’s recommending the tools. It could be as simple as helping with a cyber insurance application. Because quite frankly, a lot of people – We’re a managed service provider. So people outsource their IT to us entirely. A lot of times our point of contact at our client’s site is a very nontechnical person. Sometimes it’s more technical, but they might be the CFO or the office manager. Somebody who says, “Look, I don’t want to deal with this. This is why we have you guys.” And so they turn around and they’ll outsource any number of things to us.

      Quite frankly, since December, I’ve spent 12 of the 24 hours a day doing incident response, forensics, answering questions. The supply chain has been just brutalized since December. And the flow down requirements are amazing. President Biden’s executive order is just the tip of that iceberg. Everybody that sat in a gas line a couple of weeks ago – Well, I guess it’s a month ago now. So everybody that sat in a gas line a month ago is now turning around saying, “Can this happen to me?” And the answer is you better believe it can happen to you.

      The adversaries are not two guys who want to steal your credit card and buy a pair of sneakers, right? I routinely see threats linked back to Russia, China, the Mideast, Korea. These are all hitting just regular kind of clients now. We don’t do any business with the federal government. And I have points of contact at DHS, the FBI, other law enforcement just simply because these things come up so often now.

      [00:09:30] CS: Yeah. I mean, let’s get into that. Our conversation today, as I said, is going to revolve around the Cybersecurity Maturity Model Certification, or CMMC. The CMMC framework is intended to assess and enhance the cybersecurity posture of more than 300,000 companies, particularly DoD systems, networks, installations, capabilities and services. But because this is a relatively new certification and framework that’s being rolled out, I think a lot of people are feeling a little behind the starter pistol in terms of knowing how this is going to affect them. So to start with, what types of contractors and companies will need to be CMMC compliant to continue working with DoD? And how far down the relationship chain does that requirement go? Are there any low-level suppliers that can opt out?

      [00:10:12] FS: Originally, well, there’re five levels of CMMC. For all practical purposes, there’re three. One, three and five will be used on a regular basis. Two and four are transitional. Don’t expect to see anybody make that requirement. DoD has said in their estimation, 80% of the defense industrial base will need a level one. And 20% will need a level three. And, literally, it’s a handful will require a five. Personally, I think they have it backwards. It’s going to be 80% with a level three and 20% with a level one. Level one, if you can’t meet a level one, shame on you. You got to shut your computers off and go home. It’s that basic, right?

      Level three builds off of a requirement known as the NIST 800-171. Now that requirement has been around for a while. And in fact, DoD has mandated it for three and a half years. It was a voluntary self-attestation type of model. You just simply said, “Yes, we meet the requirements.” Well, it didn’t work very well. In fact, it’s estimated that like 80 plus percent of the defense industrial base didn’t even know the requirement existed, much less comply with it. And so what you ended up with was this hodgepodge of technologies of small businesses and medium-sized businesses especially not meeting the requirements. DoD quite frankly got mad at it and said, “That’s it. We’re now going to put a third-party model in place.” And that’s what CMMC is. So it takes the 110 requirements of the NIST 800-171 standard, adds 20 more, which are all pretty basic. There’s nothing really difficult about it.

      Creates 130 requirements for level three and says, “This is the process kind of stuff you need to do. And it’s formal. And it has to be a repeatable process. It’s not an ad hoc process anymore. It’s not yelling down the hall, which is what I used to do, right? It has to be written down. It has to be provable. It has to be repeatable. You’ve got to have some technologies in place. You’ve got to do some things that maybe otherwise you didn’t previously do.” And basically, it’s that one M that stands for maturity, that says you’ve got to demonstrate that this happens inside your company and happens on a repeatable basis.

      Quite frankly, out of the 110 requirements for the NIST 800 standard, there’s nothing in there that’s really a bad idea, right? Every company should be doing most of those things anyway. And we know that they’re not, that’s why we are where we are.

      [00:13:13] CS: Yeah. And the primary sin is just that people, it was sort of on a good behavior system, whether you chose to implement it or not.

      [00:13:21] FS: You know what? The amazing thing is that it was a legally binding requirement, because it was part of a standard contract that DoD issued. And it was in the terms and conditions. And when you signed a contract that you were going to do it, do the work for DoD, you basically certified that you were in compliance. I jokingly said when CMMC came out, and there was a bigger push into NIST 800 compliance, I said, “The money isn’t in doing the remediation, or doing assessments, or doing anything like that. The money is in being a whistleblower and going into the DoD and saying, ‘This company doesn’t comply.’” Because, technically, every single invoice submitted since the summer of 2017 for a company that did not comply, they didn’t do the 800-171 stuff, that’s punishable under the False Claims Act.

      So there is a ton of money out there that DoD can go after. They’re not going to unless there’re whistleblowers. But with the new model, that’s not going to come up. It’s going to be a third party comes out and verifies that you’ve done all of the things that you say you’re doing. The second part of your question, how far down the supply chain that’s going to go. A couple of months ago, I might have answered that a little differently. There’s a mandatory flow down requirement. If you’re flowing down certain kinds of information, you have to flow down the CMMC compliance requirements. The NIST requirements are required to flow them.

      In light of what’s happened in supply chains, I think you’re going to see flow down in ways that you’ve never seen before. Everybody is going to say, “I don’t care what the requirement is. I’m going to over protect myself. And I’m going to make it happen.” If I were a defense contractor hiring a law firm right now, I would flow down my CMMC requirements, because that law firm can’t review my contractual materials if it contains certain type of information, unless they comply with CMMC. So this might be the thing that finally puts a standard out there. You’re going to see other parts of the federal government adopt CMMC. So it’s got some problems. I would have done things a little differently. I think DoD was DoD in the way that the requirement is written. And you look at it and you go, “Yeah, the assessment guide is 500 pages, and it’s not particularly useful.” It’s the government doing something that the government does. But by the same token, it’s going to enforce a level of compliance that has never been seen before.

      DHS has indicated that they’re going to adopt it. I think you’re going to see it become a federal standard. President Biden has already said, “CISA is now the executive agent that’s going to enforce a lot of this.” Congress has mobilized on it. They’ve done multiple hearings. The world needs a changing.

      [00:16:38] CS: Yeah. Now, it sounds like we’re already kind of, again, behind the starting gun on this, but how long is the grace period while people figure out CMMC and getting up to speed?

      [00:16:47] FS: CMMC will phase in over five years. So the current requirements for NIST 800-171 compliance still do exist. Now you’re allowed to have gaps. So you’re allowed to say this is the requirement. I don’t need it. Here’s my gap. And here’s my plan to close it. CMMC doesn’t have that. It’s Boolean. You’re either in compliance or you’re not in compliance. But they won’t backdate any existing contracts. But all current DoD contracts contain the NIST 800 clause. That’s the DFARS 7012 that we talked about at the very beginning.

      [00:17:26] CS: Now, you said before that you think that you sort of would flip it. Do you think that most people are going to need level three rather than just level one, whereas the common wisdom is everyone just get a level one and get in the door. So what are your sort of delineation lines between like what kind of organizations will need a level three certification versus those that can sort of get by with just the bare minimum?

      [00:17:50] FS: So it’s tied to what type of information you receive from the government. So if you receive the information, then you are required, and it’s controlled unclassified information, but it’s pretty broad. There’re 125 categories of CUI. National Archives has a list of them all. They’re the executive agent for the CUI program. DoD has some specific categories that they consider to be part of DoD CUI. But basically, all the legacy ways of marking information for official use only and attaching distribution statements and all of those kinds of things, they’re basically all going to be swept under the CUI umbrella. And like I said, I think you’re going to see this massive flow down requirement. So even if they don’t flow the requirement down by the data, they’re going to flow the requirement down contractually.

      So if you’re going to process the information, you got to be CMMC level three. And as the contracts come out, they will phase out over the next five or six years. You’re going to see the requirement be explicitly put into the contract.

      [00:19:01] CS: How much more challenging or complex is getting level three certification going to be than just getting level one? Can you give me some examples of some of the things that people are going to have to level up to be ready for that?

      [00:19:13] FS: So level one only has 17 requirements. Level three has 130. So right on the surface, you can see that there’s a level of complexity there. But there’s also this element of maturity, and process, and practice that goes into it. So level one just basically says, “You’ve got some bare minimums in effect,” but you’re not really doing anything repeatably. It’s not an overly formal process. By the time you get to level three, you’re demonstrating that you do it, that you have a plan to do it, that you’ve allocated resources to do it in the future. And that third-party auditor is going to come in and in fact believe you and can understand. And you’ve got to prove it. So it’s a very different animal.

      Level three assessment – Well, level one, I guess too. They’re going to be good for three years. But right now, I mean, as of today, as of the 16th, there is one company authorized to do assessments. And so the process is a little slow. COVID certainly didn’t help. They would have liked to have been a lot farther. There were 15 contracts supposed to be put out in fiscal year 2021 that had a CMMC requirement. So far, none of them have come out, because there’s nobody to assess the companies.

      So the Defense Manpower Data Center has something called the DIBCAC. The DIBCAC is assessing the first companies. So they’re going to come up with the companies that then will go out and start assessing other companies to bid on contracts. So the first companies are only going to be assessors. They are the certified third-party assessor organizations. Got to think of the acronyms all the time. That’s the C3PAOs. Once they stand up, they can go out and start going after the defense industrial base.

      The short answer is, I think the whole process is at least a year behind schedule. So CMMC requirements, I don’t think you’ll see in a big way until 2022. They’ll start coming out more commonly in contracts. Now is the time to take advantage of that though. You’ve got to demonstrate maturity, and you’ve got to demonstrate the process. So do your NIST 800-171. Do a gap assessment. And find out where you are. I mean, it’s required. There’s DFARS clauses that currently require it. Do it. Lay out a plan. Come up with a budget. This is how we’re going to do it. DoD has created a pay to play model, pure and simple. If you don’t do it, you’re not eligible for awards. Have a nice day. So every business is going to have to make a decision, “Do I want to stay in the business of working with the government or not?”

      [00:22:18] CS: Yeah. Well, I think that’s good advice, that, in theory, we should all be scrambling right now. But in reality, it sounds like there’s a little bit of breathing room to sort of find your feet and know where you are and be like fully both feet on the ground by 2022.

      [00:22:34] FS: Yeah, so it’s don’t hit the panic button, but you need to demonstrate. Yeah, start working on it. And demonstrating maturity means like six months or more of doing it. So you’ve got to write a policy and a process and deploy some technologies. And all of this has to come together. You’re not going to write all these processes overnight and then make it look like you, in fact, follow them. You’ve got to either get a template, or hire a company to help. And there’re some things that I’m more than willing to help with. I can help write disaster recovery plans and IT user policies, but I’m an engineer, you don’t want me writing your HR policies, because all this factors into IT, right? So you got to get all that stuff going. The simple process of like bringing a new employee on or terminating an employee, that’s got to be written down. And it’s got to start with HR, and involve contracts, and program management people. And then IT gets involved. So it’s IT-centric, but there’s a lot more that goes on than just IT.

      [00:23:56] CS: So I want to pivot this a little bit over – There’s a million things we can talk about with CMMC and getting up to speed, but I want to get involved with the sort of the cyber work of it and people who want to do this kind of work. So people who are listening to this program who might want to get their foot in the door as a DoD contractor or someone specifically who wants to work with contractors to become compliant, what types of novice level jobs are available to people who want to sort of take the first steps towards being like what you are, sort of compliance officers, or CMMC assessors? Are there certain things that they should be studying in school now to sort of move them down this path?

      [00:24:31] FS: So a strong IT background, number one. There are obviously lots of different certifications that get you kind of in the groove. A certified assessor, for instance, and there’re a lot of organizations that have different certifications for that. Specifically to do a CMMC assessment though, you’ll have to go to the CMMC accrediting body. Find a particular training program, a training provider that is then authorized to provide the training curriculum, and take the training and pass the certification exams for that. At its simplest level, the registered practitioner, it’s 8 to 12 hours of training, and there’s a test after each module. And it gets progressively harder. If you want to be a CMMC level one assessor, it’s a different program. Level three assessor, it’s a different program. So there’s lots of things that overlap into it, but number one, you need a strong IT background. And it has to be kind of the nature of the thing that you like to do. Assessment and certification stuff isn’t for everybody. You need to have a mindset for that.

      [00:25:51] CS: Yeah. Can you talk about that a little bit?

      [00:25:53] FS: Yeah. I mean, you’re finding fault with people. It’s like being an editor, right? Your job is to find fault.

      [00:26:01] CS: You’re seeing the worst mistakes every day.

      [00:26:04] FS: Yeah. So like in our business, we try to coach. So we have no intentions as a company of being a third-party assessor. That would be a conflict of interest. We provide remediation solutions, right? I’m a managed service provider. So I’m going to inherit your IT systems, and I’m going to patch them, and I’m going to inventory them. And I’m going to give you the security tools and that kind of stuff. So we take on government contractors that don’t do those things and we say, “Here’s kind of the way to do it.” And we coach them through it. We can do the assessments. But we’re not a certified assessor organization. So you can’t take that to the bank. We give you the plan that helps you get well. And there’re lots of things in that cybersecurity world that are like non-IT. And that’s that policy piece. So there’s jobs in that area too that says, “I need an Access Control Policy.” Well, that starts right with HR doing background checks and goes all the way through IT and using Intune to determine what goes on to your local PC. So really, the gamut is there for anybody who’s interested and wants to jump in on it.

      [00:27:27] CS: So are there other job roles or career types that would benefit from knowledge gained by studying for CMMC certification? Even if you’re not planning on working for the DoD, does the information you would learn there translate well to other sort of career types in compliance and so forth?

      [00:27:41] FS: Absolutely. At its root, all of the compliance standards can loop back to ISO 27001 basically, CMMC included. So if you do any of those certifications that give you something along that path, you’re definitely going to be able to benefit from it. I’ve been telling people to go to DoD’s 8570 website. It’s DoD instruction I think. It takes all of the commercially available certifications and maps them to level one, two or three that you basically need to hold certain jobs in DoD. But it’s a great way to go in there and say, “Security+ does this. (ISC)² does that,” and kind of doesn’t equate them, but at least gives you a relative measure which ones that DoD sees as being equivalent.

      [00:28:43] CS: Okay. So for our listeners, we have a lot of novice listeners, people just getting started who are – Or listeners who are considering getting a job within the federal government or DoD in a cybersecurity role. Do you have any recommendations for experiences or certifications or other markers of knowledge that would make them desirable to people doing the hiring?

      [00:29:00] FS: They absolutely need to go to the DoD 8570 matrix and see where they fit. Because within the DoD, they will say you have to be an IAM level two to have this done. It’s cut and dry, right? If you don’t have it, if you don’t have one of those certifications that’s listed, you’re not eligible. Thank you. Your application goes on another pile. DoD contractors use that too. They’re doing staff augmentation in a lot of cases. So they’re basically providing a warm body in lieu of DoD hiring somebody. So they go and say, “Okay, for this job, you need to have a security clearance, and you need to have this certification. And pick one,” right? And it comes down to there’s a management track and there’s a more technical track in those certifications. There’re the assessor tracks. You just kind of pick the thing that sort of fits your personality and then determines what you want to do. I’ve been around, like I said, a long time. I go back to FORTRAN and punch cards. I learned 8080 assembly language and did it on Mylar paper tape, which probably most of your listeners don’t even know what Mylar paper tape –

      [00:30:21] CS: Don’t know half of those words. Right. Yeah.

      [00:30:22] FS: Yeah. Right? The environment has changed to the point that you need to understand a broad range of IT, but you have to have some specialized skills. And those specialized skills are really what interests you. And pick something. You could become a security engineer. And you’re going to focus on how to deploy SIEM solutions, or how to deploy EDR. But if you still like to sling code around, maybe you want to go to work for one of those companies and write the backend pieces, right? So the sky is the limit on these things.

      I have three adult kids that are out in the workforce. They’re all engineers also. They work in – Two of them are computer engineers like I am. One of them is a nuclear engineer in the Navy. They all sort of picked their own little niche. But I encouraged them, like when they were young, to do math, right? You cannot do computer programming, and computer science, and computer engineering unless you know math. And get a good background in your math, and use that going forward, and piggyback into all the other different areas. And it’s just amazing what’s out there right now.

      [00:31:51] CS: So I want to wrap up a little bit talking about – And you mentioned at the beginning with regards to the pipeline breach and some of the other big stories. I’ve talked to people who are covering like the Oldsmar water hack and another person talking about like healthcare, and how he was able to find like 15 million healthcare records that were open to the world. And there just seems to be this vast field of completely unsecured data in so many places. And like you say, it’s not a matter of whether someone wants to take advantage. It’s just a matter of where to start. There’s just so much of it. Can you speak at all to sort of the 21st century imperative towards locking down some of our infrastructure and our government stuff that right now just seems terrifyingly open?

      [00:32:39] FS: That’s a great way to phrase it actually. I might use that going forward. Terrifyingly open is a good way to put it. Look, number one, everybody’s getting breached, because they have crappy passwords. They have crappy policies. And they’re just not managing it well. So add that to the fact that social engineering and phishing emails are so prevalent, and it just makes my head hurt when I see what people fall for. And it’s like some of them are subtle, but some of them are so blatantly a phish. It’s like how did you follow that link and put your credentials in?

      My wife, bless her heart, who is not an engineer, who has to put up with all of us in the household who have been. She serves as my sounding board. And she knows that I tell people this. I show her things and say, “What do you think of that?” She goes, “Oh, that’s fake.” I’m like, “Thank you. I just want to make sure it’s obvious to me.”

      The Colonial Pipeline one was a user password that was found in another breach and was reused on the VPN at Colonial; that’s the latest thing that came out on it. So it’s like somebody’s Gmail password was the same as their VPN password at work. Now, there’s no way to prevent that, because you never know what everybody’s password is. But you’ve got to put password rules in place. And you’ve got to instill a culture in your company that this is important. And you have to use multi-factor authentication everywhere you possibly can. They didn’t have MFA on their VPN. So bad password policy, a user that wasn’t paying attention, and no MFA. They come in. Well, depending on the level of the user that they compromise, they might have the keys to the kingdom right away. But they can still do mischief. They can still steal data. I don’t know what kind of antivirus they were using at Colonial. Standard antivirus doesn’t cut it. If you’re using any of the legacy antivirus programs, you’re low-hanging fruit on the Internet.

      The ransomware as a service coming out of Russia, it’s a thing. There’s a reason why it exists. These guys stood up an infrastructure to do ransomware. And they take 20% to 30% of the ransom that’s collected. You can’t stop them from always getting in. These are nation states in some cases. These are dedicated professionals who do nothing but try mischief and hack. But you can prevent them from causing trouble. You can at least limit the scope of what they do. Use some type of endpoint and response software. Next generation antivirus, right? Light years beyond the standard antivirus.

      So maybe if they get in, maybe they can do one machine. They’re not going to spread throughout your network and shut you down. So passwords, EDR, and MFA, those three things on their own will do an unbelievable –

      [00:36:08] CS: That gets you a long way there.

      [00:36:10] FS: Yeah, absolutely.

      [00:36:11] CS: Yeah. And to me, I mean, we have so many people who write us and say, “I don’t know where to start, and I don’t know what kind of job to get into.” And I just feel like there’s just going to be this kind of like open field of people who you can just go to your hometown and talk to your municipal systems and see if their cybersecurity is tightened right. If everyone starts doing that where they live, like you’re just going to be like closing up this field of open possibilities.

      [00:36:38] FS: There are currently – I don’t remember who I can quote. So I’ll just throw a number out there. Something like 3 million cybersecurity jobs unfilled today. So it’s not going to happen by hiring somebody that’s already working. It’s got to be people that get some certifications. BS, number one. A BA in computer science. I’m sorry, those of you who are getting a BA, you’re not getting the math background that you need. You really have to have a BS, BS in computer science or engineering, something along those lines, some of the specialized certifications. You could specialize in one component of Office 365 right now. There is so much going on in the office environment in the cloud that you can pick just one of the hundreds of things that you could specialize in and make a career out of it right now. Go to Microsoft’s website. Go to Azure’s training. Go to AWS, right? Go to Google, and look at what they’re offering. And from a certification standpoint, that’s what you want.

      [00:37:58] CS: That is a great start. And that is a great place to wrap up here. So thank you very much for talking to us and giving all this great advice. So before we go, tell us a little bit about Ntiva and some of the projects you’re working on right now.

      [00:38:09] FS: So like I said, Ntiva is a managed service provider. We do outsourced IT. We take over your environment for you. We take on all the pain of those things that people just either don’t have the time or the expertise to do anymore. As part of that, we do your standard services, but then we’ll do whatever it takes. We can help you move your office from one building to another. We can help you deploy new security tools. We can help you transition from an on-premises server to cloud-based. We do all of those kinds of things. And we do it for a variety of customers. Government contractors are a huge growth area for us. Even though we don’t do business with the DoD, we plan on being CMMC level three certified ourselves when that comes up, because there’s a level of inheritance. So if you’re currently using an MSP and they’re ignorant of the requirements of CMMC, you probably need to start thinking about another one.

      We do a lot of healthcare customers. We do a lot of legal customers. We’re starting to see a huge uptick in manufacturing, because the supply chain is getting tighter. And these requirements are flowing down. And the supply chain, especially some of the lower level, “Geez, all we do is X,” type vendors are now realizing that they’re easy targets. They’re the low-hanging fruit. I wrote something up where I call them the wildebeest with the broken leg of the Internet. And they are the low-hanging fruit, and they’re the ones that are going to get hit.

      [00:39:47] CS: Alright. So last question, for all the cookies here. If our listeners want to learn more about Frank Smith or Ntiva, where can they go online?

      [00:39:54] FS: Our website has a wealth of information on the resources, and it’s ntiva.com. And if you want to send me an email directly, you can send it to me at [email protected]

      [00:40:05] CS: Beautiful. Frank, thank you so much for joining us today and talking about this important piece of compliance. Really appreciate it.

      [00:40:10] FS: Thank you, Chris. It was a pleasure.

      [00:40:11] CS: And as always, thanks to everyone listening at home, or at work, or at work from home. New episodes of the Cyber Work podcast are available every Monday at 1pm Central, both on video at our YouTube page, on infosecinstitute.com/podcast, or in audio wherever fine podcasts are downloaded. To read Infosec’s latest free ebook, Developing Cybersecurity Talent and Teams, which collects practical team development ideas compiled from industry leaders, including professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JPMorgan Chase and more, just go to infosecinstitute.com/ebook and start learning today. Thank you once again to Frank Smith. And thank you all for listening and watching. I’ll speak to you next week.
