Sittadel PodcastMar 29, 2022
43 - Securing Lazer Guns with Joy Beland
Think of the CMMC like HIPAA for companies that work with the Department of Defense. It's a seemingly-endless list of concerns to juggle when planning a CMMC compliance journey, and the guides for getting started are overwhelming. If you can make it past the Special Publications (like NIST 800-53 and 800-171), there are maturity levels to manage and DFARS requirements, and waiting at the finish line is the promise of legal ramifications if you did the whole thing wrong.
In this episode, Nate and Joshua find a loophole to bring their Tye Dye Lazer Gun business to market without going through all the hassle that comes along with CMMC. We're thankful that Joy Beland was there to talk us through our decision making process.
Joy seems to know everything about CMMC, which perfectly suites her as she travels around to meet with MSPs about their compliance concerns and runs the CMMC Boot Camp for Edwards Performance Solutions. Joy Beland is easy to find on LinkedIn, and you can find more information about her boot camp at https://edwps.com.
For more titilating CMMC content, head over to www.sittadel.com, tweet us @sittadelpodcast, and send your questions to ask[at]sittadel.com.
42 - Don't Click the Link with Joanna Sitta, BCBA
It's Valentine's Day, and love is in the air in the Sittadel Podcast. The birds are chirping, the phishers are rhythmically clacking away on their mechanical keyboards, and somewhere in the distance the cryptominers are buzzing away in a misconfigured S3 bucket. On this very romantic episode of the Sittadel Podcast, Joshua tricks a Board-Certified Behavior Analyst into discussing cybersecurity for a solid hour.
But this isn't just any run of the mill Security Awareness Training conversation. This is a hot and heavy discussion between Joshua "Statistically Average in Height" Sitta and Joanna "The Perfect 10" Sitta. To set the mood, Joanna explains the origins of Applied Behavior Analytics and gives us a crash course in behavior interventions.
The two discuss the fallacies of "Don't Click the Link" training and talk through two examples of pitfalls organizations wander into while dealing with the problem of phishing emails. Always searching for Joanna's approval, Joshua finishes out the show by laying out his blueprint for effective Security Awareness Training.
In this episode, we discuss Security Awareness Training, Phishing Emails, The Nigerian Prince scam, Spearphishing emails, the importance of data relevance, Hook Security, simulated phishing campaigns, and tikka masala. For more Indian food recipes, head over to www.sittadel.com or send an email to Ask[at]Sittadel[dot]com.
41 - Sittadel Plays a Role on The Community Bank Podcast
With Nate out on assignment for today's episode, Trafenia Flynn Salzman fills the void to kick off the conversation. We join our heroes as guests on The Community Bank Podcast, hosted by Eric Bagwell and Caleb Stevens from SouthState Bank.
The Community Bank Podcast on Apple Podcasts is dedicated to helping community bankers grow themselves, their team, and their profits. Today's clips focus on cybersecurity risk management as applied to banks and their customers, but they're relevant for any business in every vertical.
The views, information, or opinions expressed during this show are solely those of the participants involved and do not necessarily represent those of SouthState Bank and its employees.
40 - Out-of-the-Box Incident Response
In this episode of the Sittadel Podcast, Joshua came prepared with an extreme approach to cybersecurity incident handling. In May of 2019, Israel Defense Force (IDF) shut down the attacks of Hamas cyber operatives. Joshua had planned to talk through the implications of moving from a digital series of events to a physical series of events. His notes on what can be learned about the moments after a cyberattack would have been valuable to hear.
Unfortunately, Joshua wasn't prepared for when Nate brought up the logistics of time travel. It was all over after that. Instead of predefined communication channels or incident severity matrices and escalation procedures, the conversation never returned from space.
If only this was covered in his response plan...
39 - REvil: A suspiciously wonderful outcome.
We're back from our long holiday break with some exciting news about 2020's most notorious ransomware gang: REvil. X-Force, IBM's threat intelligence offering, reports that 36% of REvil's victims paid their ransom and at least 12% of victims watched as their sensitive stolen data was auctioned off to the highest bidders on the dark web between 2019 and 2020.
REvil's back in the headlines, but this time the story is a little different. After a string of law enforcement activity that pushed the gang further into obscurity, the nations of Russia and the United States have held hands to bring the ransomware group to justice. It's a story almost too good to be true.
Listen in as Nate and Joshua discuss the wild variance in numbers reported by differing news outlets, as they put on their tinfoil hats, and hear a word straight from the old timey prospector himself.
38 - Stealing Houses in the Metaverse
The holidays are a time to gather round the yule log with the family, reflecting on the most precious parts of your life. And when you get sick of all that, we can turn our attention to the Metaverse and build that perfect digital life. And while many analysts see the Metaverse as a 1 trillion dollar investment opportunity, cybersecurity professionals see more similarities to the Wild West.
In this special holiday episode, Nate and Joshua skim over a few notes on the holidays and discuss the future of social engineering attacks launched in the Metaverse. The anonymity of blockchain technologies and crypto currencies create hurdles for proving ownership of digital commodities. What recourse can you have when someone else's avatar is living in your digital house?
At Sittadel, we believe cybersecurity empowers business. If you're thinking about working with NFTs or setting up a storefront in the Metaverse, why not plan for your success (before your wallet is falls into someone else's hands!). Start the conversation by tweeting us @sittadelpodcast or visiting our website at www.sittadel.com
37 - How Minecraft is Hacking the Internet (Log4j)
The sky is falling, and it's all because of your kids' favorite video game. The National Vulnerability Database lists the recently identified Log4j vulnerability as a perfect 10 out of 10. It's everywhere from Minecraft to iCloud, and it doesn't take any special skills to copy and paste the exploit into remote systems. This time next year, businesses all over the globe will have either proved the value of their vulnerability and patch management operations - or they will have learned the reason these ops are a critical piece of running a business in 2021.
In this episode, Nate and Joshua take a 30,000 ft view of software development and how functionality can sometimes translate to vulnerability. The two discuss how patching out functionality can work, and why businesses of all sizes are feeling the squeeze from vendor management programs.
At Sittadel, we believe cybersecurity empowers business. A mature cybersecurity program doesn't only serve to prevent losses and keep your data safe: It can also be your differentiator when bidding for work. How can cybersecurity help you stand out from the crowd? Find out at www.sittadel.com.
36 - Defense in Depth and IT Hygiene
The grubrious emotet gang is back at it again, and rather than focus on the tricky cybersecurity wizardry necessary to go toe to toe with the threat, Joshua and Nate talk through some entry level security principles: Defense in Depth and IT Hygiene. Sometimes, it's the low hanging fruit that makes the difference between safe and sorry.
If it's time you came up with a layered defense to cybersecurity threats, check out the website at https://www.sittadel.com.
35 - Love, Beauty, and Family
Happy Thanksgiving, Everyone.
34 - Joshua Fails a Phishing Test
Joshua Sitta holds several Information Security credentials, created the phishing simulations and training for a big bank with over 5000 employees, and has written the playbook for how to identify phishing emails. Throughout his career, he's blocked millions of phishing emails from ever reaching the end user and has personally received hundreds of different phishing scams. He's seen it all, from the Nigerian Prince we all joke about to the spearphishing emails crafted by the world's most successful cyber criminals - and he's never fallen for even one of them.
As Joshua talks through his eperience in falling for the easiest-to-identify phishing email ever, Nate points out how differently the two approach failure. For Nate, failure is one of the most important tools in his toolbox.
We'd like to set you up with a safety net and take the scary out of failure. Sittadel is ready to be the group that has your back - 24 hours a day, 365 days a year. Start the conversation at www.sittadel.com or send us an email at ask[at]sittadel.com.
33 - Ben Malisow, Privacy Radical
When cybersecurity professionals need to develop their skills and earn credentials, they turn to Ben Malisow, author of Exposed! and a number of self-paced courses on Udemy.In 41 minutes, Joshua completely changed his stance on privacy.
Ben Malisow didn't waste any time to bring his unwelcome perspective to the podcast. In Ben's mind, it's time for you to embrace a future of perfect privacy: where all of your secrets become public. Your location, your browser history, and your finances should all be at the fingertips of your neighbors. Big corporations and governments are already using this information, so why should the person you just met at the bar be left out in the cold?
It's easy to disagree with Ben.
But what if it wasn't just your secrets? What if everyone's information was available to you as well? Would you feel more comfortable meeting a stranger if you were able to review their arrest history first? As Ben points out, privacy creates opportunities for fear and distrust. Secrets lead to shame.
There are movements all over the United States to bring about transparency in politics and law enforcement. Today, cities burn in the wake of officer-involved shootings, but if the public had access to all the information, they could reach a level of comfort that the actions were justified. Or if it wasn't justified, it would be plain to see for the Good Apples who protect and serve. But this would only be possible with complete transparency. And what is transparency if not the enemy of privacy?
It's hard to disagree with Ben.
Until we reach our new future, it's up to cybersecurity practitioners to continue defending the C in the CIA triad. For more information on how Sittadel can keep your secrets safe, let's get the conversation started at www.sittadel.com.
32 - Social Media
Social Media has fostered the most interconnected and mentally unwell society in history. Communities have never been more accessible and people have never felt more alone.What's the point?
Silicon Valley titans like Pinterest and Reddit have fundamentally changed the way information is shared on the Internet. For many previously marginalized voices, social media has provided platforms for collaboration and representation. And while those examples are important, the valor of social media starts to drop off from there. After another round of concerning reports on facebook's priorities, Nate has to hold the conversation that stays resident in the back of our minds: When billion-dollar businesses drive our communication, can decisions be made with the public's best interests in mind?
The social media apps that live in our pockets are treasure troves of private information. For law enforcement, that data represents an endless stream of opportunities to protect the innocent. But as we explored last week, this moral tradeoff can leave us feeling conflicted at best.
In this episode, the two discuss Social Media, facebook, Instagram, outages, transparency and accountability, the facebook whistleblower, health and wellness monitoring, and Nate started a gang.
There's no call to visit our website today. Just promise us you'll think about spending your time intentionally.
31 - Pegasus Spyware
We know your location, see your pictures, listen in on your microphone, and even get into your encrypted chat. But we only use that for good! (Okay, except for that one time...)Are we fighting fire with fire or becoming the very thing we defend against?
Israeli based cyber intelligence company NSO Group is a billion-dollar business that helps law enforcement agencies and governments learn everything about innocent and guilty citizens alike in the name of protecting the virtuous.
Cyber weapons like Pegasus represent a moral tradeoff. The intended use is to curb human trafficking or intervene before violent crimes are committed, but it comes at the cost of invading the privacy of good-doing citizens. We're quick to accept this risk when weapons are wielded by the armed forces that defend countries, but the NSO Group is motivated by profits as much as any other private company.What we called spyware in the 90s has become the way modern advertising works, and that lets platform holders more finely target the spaghetti they throw at the wall. Now it's angel hair pasta, and everything is sticking. The ethics of doing business today are directly tied to the ethics of cybersecurity.
As Nate discusses in the episode, he often finds himself caught between the creative ambition of an artist and catering to what will sell. To pay the bills, Nate has to sacrifice a bit of creative freedom. When companies profit from circumventing the security systems that keep us safe, it's a much greater sacrifice.This is not a new challenge, but privacy has entered a new frontier of technological reliance.
In this episode, we discuss zero day vulnerabilities, Pegasus Spyware, NSO Group, Edward Snowden, Spysweeper, Privacy concerns, mobile security, law enforcement, wardriving, and WIFI security.
Use our contact form or tweet us @sittadelpodcast to start the conversation on how Mobile Device Management (MDM) solutions can play a role in protecting your information (and if you're a business, there's a good chance you're already paying for one you've never set up).
30 - Maxime Lamothe-Bressard, Founder of LimaCharlie
Some men see EDR as it is; others see EDR as it should be. Maxime Lamothe-Bressard joins Nate and Joshua for a discussion on the ways LimaCharlie is removing the roadblocks for working with some of the most important data points for Incident Responders and SOC analysts: file execution telemetry. Maxime brings a wealth of experience to the show, bringing insight from his time at Google-X, CrowdStrike, and a French Cafe. You can get started with LimaCharlie today for free by visiting limacharlie.io.
For more information, visit https://www.sittadel.com or tweet us at @sittadelpodcast.
29 - Social Engineering Via SMS and 2FA
Friend of the show Aaron Burns drops by the studio to talk about his experiences with scams sent straight to his phone. Aaron and Nate do their best to reinvent a few new cybersecurity terms, but Joshua wasn't having any of that nonsense. In this episode, the team discusses how Universal 2 Factor Authentication (U2A) promises big improvements by requiring login pages to prove their identity before users are permitted to login.
28 - Comedian Jayson Avocado
Happy Labor Day! Comedian Jayson "Avocado" Acevedo helps the Sittadel Podcast team celebrate with a look at 3 day weekends and the social engineering risks they introduce for businesses. Later, Jayson would weigh in on cryptographically relevant quantum computers, which could be the worst idea we've ever had. What does quantum computing have to do with drive thru terminals? Nothing, Jayson. Absolutely nothing.
If you'd like to hear more from Jayson, head over to https://jaysonavocado.com
To enjoy CrowdStrike's APT database, check out https://adversary.crowdstrike.com
To chat with the Sittadel Podcast team, tweet us @sittadelpodcast, email us at ask(at)sittadel(dotcom), or start the conversation at https://sittadel.com
In this episode, we talk about social engineering, viruses, advanced persistent threats, APTs, CrowdStrike, Jayson Avocado, Marvel, DC, comic books, and several things that had to be edited out (looking at you, Jayson).
27 - Strippers and Hurricanes
Trafenia joins us for another trip back to the 90s to talk about the Melissa Virus, Joshua tells us about how plywood fits into cybersecurity, and Nate introduces us to Jacques.
In this episode, the trio discusses phishing, security awareness training, Kevin Mitnick, Hook Security, honest hips, business continuity, and disaster recovery.
For more on what Sittadel can do for you, head to our website at https://www.sittadel.com
26 - Trafenia Flynn Salzman, Sittadel Co-Founder and CEO
Trafenia Flynn Salzman has been working with computers since the movie Rush Hour was a relevant cultural reference. She's bringing that depth of experience to the podcast and comments on the representation of women in cybersecurity, Cloud Security, Zero Trust, and CARTA. Later, Nate would be disappointed the episode wasn't titled White Van Candy Man.
Topics in this episode include diversity, Cloud Security, ZTNA, CARTA, MFA, trust algorithms, data centers, and teradactyls.
For more on what Sittadel can do for you, head over to our website at https://www.sittadel.com.
25 - Troy Hunt, Founder of Have I Been Pwned
Troy Hunt created www.HaveIBeenPwned.com with the expectation that a few of his mates would use it to keep their accounts safe, but today it's the resource the world uses to monitor passwords at risk for credential stuffing attacks. Troy spends an hour on the podcast discussing password strength, his work at Pluralsight, and answering the age old question: What do squirrels have to do with cybersecurity?
We thank Troy both for his time and for making the Internet a safer place.
24 - Cybersecurity in Film
Joshua tries to talk about the role of executive management in a cybersecurity operation, but Nate would rather talk about movies.
23 - The Role of Cyber Insurance
We talk about everything you need to know before buying cyber security insurance, and Nate and Joshua chat about an update to the Kaseya ransomware that crippled 1500 small businesses.
Bearded barley is a cool season annual cereal grain, growing about 3 feet high. It's great for adding lots of organic matter or biomass in a short period of time. Additionally, it provides erosion control and weed competition. You can't get cybersecurity facts like these anywhere else.
22 - Kaseya, the Largest Ransom Ever Demanded
What's the business you've always wanted to start? Gourmet hot dog cart? A crafty booth at the farmer's market? That's too normal for Nate, who wants to create new dinosaurs. In this episode, we talk through the Kaseya supply chain attack which demands $70 million for the data of over 1500 small businesses. Nate and Joshua discuss ransomware, Kaseya, RMM tools, and an archaeopteryx.
We want to say thank you for trusting Sittadel to bring cybersecurity to Lakeland - and the rest of the globe - as we now have clients and listeners all over the globe. If you want to learn more about Sittadel, start the conversation at www.sittadel.com.
Jeffrey Snover, Microsoft CTO
Jeffrey Snover is currently serving Microsoft as the CTO for Modern Workforce Transformation, and he spends an hour with Joshua with Nate discussing everything from dinosaurs to professional advice. Joshua can barely keep it together as they discuss PowerShell, Microsoft, women in technology, Windows Server, Unix, GUI and CLI, fatherly advice, the rapid elasticity of Azure, change management, and professional wrestling.
Thank you for the impact you have had on my life, Jeffrey.
Coding, Coke, and Cash
Before the Wannacry attack, MalwareTechBlog was just another place you could go to read about the weapons used by cybercriminals. After the mind behind MalwareTech found a kill switch buried in the Wannacry code, all eyes were on Marcus Hutchins. In this episode, Nate and Joshua talk through one of the most fascinating stories in cyber defense. And offense. Depends on which part of the timeline we're talking about...
In this episode, we talk about sinkholing, malware, reverse engineering, wannacry, the NSA, shadowbrokers, and with deep respect, Marcus Hutchins.
Why didn't John Connor use Ransomware to defeat The Terminator? In this episode, Nate and Joshua discuss the best ways to defend against an attack by robots using a machine learning algorithm to identify their targets. Along the way, they stumble upon the meaning of life.
In this episode, we discuss tensorflow, IBM Watson, AI, artificial intelligence, machine learning, autonomous vehicles, and influence.
Network Topology and Personal Security
We hit three main topics in this episode: The endless stream of cyber attacks making headlines, network topology, and personal security. Nate coins the phrase, "What you're choosing should be based on what you're using," which perfectly summarizes the approach business owners should have when designing their network.
In this episode, we discuss a series of ransomware attacks, cyber extortion, keyloggers, password managers, UTM platforms, network design, and dinosaurs.
NetSec - Cloud Security with Trafenia Flynn Salzman
You can count on Nate and Joshua to tackle the hard questions like: How tall is the average American male and what's scarier than a network leviathan. Trafenia Flynn Salzman, a Cloud Security Architect for the federal government, drops by to give her thoughts on how network security is affected by using cloud systems.
In this episode, we talk about Zero Trust, network security, cloud security, MFA, access control lists, SaaS, PaaS, IaaS, Anonymous, and a few network security threats.
Intro to Network Security
Thinking about network security but don't know where to begin? In this episode, Joshua walks Nate through a few network security fundamentals: Stateful vs Stateless firewalls and IDS vs IPS appliances. It's just enough cybersecurity mumbo jumbo to set the state for June's Network Security series.
Also, Hoobastank. We talk a lot about Hoobastank.
Get Your First Cybersecurity Job
Is there a secret to getting hired in a cybersecurity role? Not really, but Nate and Joshua break down a few different approaches to land your first job. In this episode, we talk about CompTia A+, Net+, Sec+, CySA+, CISA, CISM, CISSP, and GCFA certifications, as well as penetration testing and forensics ceilings.
Another day, another headline - this time involving the largest gas pipeline in America. The Department of Homeland Security and the FBI agree that ransomware threatens the existence of small businesses with incidents spiking by over 300% during the pandemic. The challenge falls to us to figure out how to make a compelling argument for preparing for the ransom before your data is gone.
In this episode, we talk about ransomware, 2600 baud modems, blackberry, Colonial Pipeline Company, DarkSide (loosely), and the fact that people are just meat computers.
Swapcast - The Sony Hack
It's another Swapcast! Nate applies some of his inside knowledge of the entertainment industry to tell us about the odd ramifications to the time North Korea attacked Sony in response to an unpopular plot development in The Interview.
Whether you call them North Korea, Lazarus Group, Guardians of Peace, or a handful of other code names, Nate talks us through the standard operating procedures used by one of the most active groups on the planet.
In this episode, we talk about Seth Rogen, James Franco, Disney, Sony Pictures Entertainment, email security, malware droppers, shamoon whiper malware, and Microsoft Sam.
The Superhero Origin Story
We were supposed to talk about the Facebook breach, but Nate asked Joshua a question about himself.
In this episode, we talk about automation with PowerShell, Robocopy, Batch Scripts, registry reconnaissance, SSH, and ransomware.
Bitcoin Part 1
You asked for it - here's part 1 of our episode on Bitcoin. Joshua and Nate talk through the things individuals should consider before investing in cryptocurrencies (including a few cyber threats to keep in mind), how to break into Ft Knox and kite checks, and a billionaire that wants you to know about his skills in video games.
In this episode, we talk about bitcoin, etherium, substratum, blockchain technology, Kim Dotcom, coin miners, and methods of keeping your bitcoin wallet safe from password theft. Not featured: financial advice.
Zero Trust with Trafenia Flynn Salzman
Nate and Joshua catch up with Trafenia Flynn Salzman, CCSP, an Information Security Architect for the US federal government and leads the nation's 3-letter organizations through a multi-year initiative to implement a Zero Trust approach to cybersecurity. It's one of our top 10 best episodes (as of the time of this writing).
In this episode, we talk about zero trust, antivirus, firewalls, network segmentation, and the importance of IT asset inventories.
Emotet vs The Bank
This episode goes way off the rails as we discuss the effect of interdepartmental politics on a cybersecurity response team. The Threat Hacktors don't have to wait for committee approvals to act, so institutions without predefined incident response plans struggle to keep pace with long term cyber incidents. Nate (who I understand is very funny) coins the phrase, "badvertising," and we talk about a deer wearing a mustache.
In this episode, we talk about emotet, trickbot, file binary heuristics and telemetry, thread hijacking, watering hole attacks, and badvertising.
Hacking the Bank
What do Sony and the Bank of Bangladesh have in common? Were they both hacked by Club Penguin using the North Korean malware known as Hidden Cobra? While Nate raises important questions about Club Penguin's involvement in the attempted theft of $850,000,000.00, Joshua went on a 34 minute rant about EDR, MDR, and DDR (don't worry - it was cut for time!).
In this episode, we talk about phishing emails, Secure Email Gateways (AKA SEGways), and the importance of having a firm grip on financial procedures.
When American and Israeli cyber operations join forces, you end up with one of the most sophisticated malware operations in history. Nate learns how to make a nuclear bomb, and Josh doesn't know how cars work.
In this episode, we discuss zero day vulnerabilities, USB drive controls, hardening, maintaining a software inventory, Carbon Black, and the importance of having a security ally (like Red Canary).
Swapcast - Exchange RCE
There's a new worst case scenario for small businesses. In this special emergency release of the Sittadel Podcast, Nate brings the cybersecurity as we talk about over a hundred thousand compromised organizations, and Joshua makes it lit. It's a full on swapcast! And this time, the microphones are on.
CVE - Common Vulnerabilities and Exposures - a unique tracking number for thousands of vulnerabilities
CVSS - the Common Vulnerability Scoring System - a Richter Scale analog for rating the severity of vulnerabilities
IDS/IPS - Intrusion Detection / Prevention Systems - a network appliance that can detect malicious behavior over the network to shut down attempted compromise
...and Fitkicks foldable shoes.
Solarigate and Strategy
Joshua Sitta and Nate Fleming talk through one of the most successful cyber attacks in history - Solarigate. In this episode, we cover the basics of setting up your own Cybersecurity Strategy both in business and in personal lives. Not featured: Hugh Jackman.
Mærsk: Dead in the Water
What's it take to cripple the largest shipping company in the world? About 7 minutes. Joshua talks through the impact NotPetya had on Møller – Mærsk and explains the approach he uses for combating ransomware. Later, Nate works some things out about Tommy. Featured in this episode are attack.mitre.org and RanSim.
For free tips on defeating ransomware, check out The Free Ransomware Defense resource on Sittadel.com.
If it wasn't clear, this episode is not sponsored by Møller – Mærsk.
Nate and Joshua manage to talk through important security issues like bears, worms, and monkeys. In this episode, we highlight the way cybercriminals can share the love without compromising an email server if DKIM, DMARC, and SPF were never configured.
The Target Hack
Nate Fleming (Comedian) and Joshua Sitta (Cybersecurity Professional) host the Sittadel Podcast which takes listeners on a journey through cybersecurity incidents and their application to their small business. This episode is about the great Target Hack of 2013 and how that was a supply chain attack, email security and a few references to Hugh Jackman.