Cyber Crime Junkies
Socializing Cybersecurity. Translating cyber into business terms. The newest AI, social engineering and ransomware attack insight to protect businesses and reduce risk. The latest cyber news from the dark web, research and insider info. Interviews with global technology leaders, sharing true cyber crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
AI and Your Privacy. Digital Citizenship Today.
This is the story of AI and Your Privacy: Digital Citizenship Today, with Antoinette King, author of the book Digital Citizens Guide to Cybersecurity. She is the founder of Credo Cyber Consulting, LLC, and has over 20 years of experience in the security industry, from physical security to digital security.
Grab her book: https://www.amazon.com/Digital-Citizens-Guide-Cybersecurity-Empowered/dp/1956464220
Have a guest idea or story for us to cover? You can now text our podcast studio direct. Text direct (904) 867-446
Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!
Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast
Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE. We'd love to hear your thoughts and suggestions for future episodes!
Chapters
00:00 Introduction to Cybersecurity and Antoinette King
02:19 Antoinette's Journey from Physical to Cybersecurity
04:34 The Importance of Cybersecurity in K-12 Education
14:38 Challenges Faced by SMBs in Cybersecurity
19:10 The Value of Data in K-12 and SMBs
22:18 The Human Element in Cybersecurity
28:32 Social Engineering and Open Source Intelligence
30:10 The Importance of Password Length
31:00 Cybersecurity Awareness and Communication Challenges
32:31 Bridging the Gap: Cybersecurity Education for All Ages
33:40 Practical Cybersecurity Tips from Antoinette's Book
35:14 Understanding Digital Citizenship and Online Safety
39:12 The Dangers of Online Interactions and Human Trafficking
40:34 AI's Impact on Cybersecurity and Social Engineering
48:06 CMMC: The Cybersecurity Maturity Model Certification
Topics: AI and your privacy, digital citizenship today, generative AI and data privacy, why digital citizenship is important, protecting yourself online, how to balance privacy and security today, improving your digital hygiene, digital hygiene best practices, new ways to improve personal privacy online, how to protect your personal privacy online, how physical security standards affect cyber, why physical security matters, is cyber insurance worth it, how to educate people in cyber security today, affordable methods to limit cyber liability, new ways to raise awareness of security today, best cybersecurity practices for business, best policies to limit cyber liability, best practices for protecting personal data online
Summary
In this episode of Cyber Crime Junkies, host David Mauro speaks with Antoinette King, a seasoned cybersecurity expert and author, about the intersection of physical and digital security. They explore Antoinette's journey from physical security to cybersecurity, the unique challenges faced by K-12 institutions and small to medium-sized businesses (SMBs) in safeguarding their data, and the pervasive threat of social engineering. Antoinette emphasizes a holistic approach to cybersecurity, in which everyone in an organization plays a role in maintaining security controls and awareness. The conversation also covers why password length matters more than complexity, the gaps in cybersecurity awareness, and the need for effective communication. They discuss educating all age groups about online safety and digital citizenship, the dangers of online interactions, particularly for young people, the impact of AI on social engineering, and the role of the Cybersecurity Maturity Model Certification (CMMC) in protecting sensitive information. Finally, they touch on the limits of cyber insurance in risk management and the need for organizations to adopt a proactive approach to cybersecurity.
Takeaways
- Antoinette King has over two decades of experience in cybersecurity.
- Cybersecurity requires a holistic approach that includes both physical and digital security.
- K-12 institutions face unique cybersecurity challenges due to limited resources and high attack rates.
- Small to medium-sized businesses often underestimate their vulnerability to cyber threats.
- Data from K-12 institutions is particularly valuable to cybercriminals because a child's identity can be misused for years before anyone checks their credit.
- Human error is a significant factor in most cybersecurity incidents.
- Organizations must prioritize keeping their devices updated to mitigate risks.
- Social engineering remains a prevalent threat in cybersecurity.
- Cybersecurity is not just an IT issue; it requires involvement from all employees.
- Open source intelligence can be exploited by cybercriminals to gather information about potential targets.
- Length matters more than complexity in passwords.
- Cybersecurity awareness is still lacking among many individuals.
- Education on cybersecurity should be accessible to all ages.
- Practical tips can help individuals protect themselves online.
- Young people are often unaware of the dangers of online interactions.
- AI is changing the landscape of social engineering.
- CMMC aims to improve cybersecurity standards for defense contractors.
- Cybersecurity insurance does not guarantee protection against breaches.
- Organizations must prepare for potential cyber incidents proactively.
- The threat landscape is evolving, requiring constant vigilance.
Dino Mauro (00:05.504)
Ever wonder what you are supposed to do to protect yourself online? How about kids, elderly relatives? How about when you log in at work? What's your responsibility to protect your employer? I mean, nobody wants to be the cause of a massive data breach, something that brings the organization to a screeching halt, resulting in lawsuits, insurance claims. It's like a massive car wreck that goes on and on for years upon years.
Today's episode brings you an expert, somebody that will help you individually, help small business owners, leaders and mid-sized businesses with some great insight. We're joined by Antoinette King, author of the book Digital Citizens Guide to Cybersecurity. If you go on LinkedIn, you'll see her there. You'll also see her speaking at a lot of cybersecurity conventions or even a local organization over on the East Coast or a local school. She's the founder of Credo Consulting LLC, and she's been involved in cybersecurity, starting in the physical security space and then migrating over to the digital security space. She's been doing it for over two decades. You'll hear specific, exclusive takeaways on AI and your privacy, why digital citizenship is important today, what it means, and new ways to protect yourself online. This is the story of Antoinette King and AI and Your Privacy, Digital Citizenship Today. And now the show.
David Mauro (00:01.334)
All right. Well, welcome, everybody, to Cyber Crime Junkies. I am your host, David Mauro. And in the studio today, we have a really cool guest, Antoinette King, author of a bestselling cybersecurity book, Digital Citizens Guide to Cybersecurity. It's a holistic approach. She's the founder of Credo Cyber Consulting LLC. She's been in the industry for over two decades. She focuses on a holistic approach to cybersecurity, which is something that we're going to talk about today, kind of bridging the gap between physical security and the digital realm of cybersecurity. She has a focus on data privacy and protection. She holds, and you can correct me if I'm wrong, I believe she holds the Physical Security Professional certification, the PSP, the Data Privacy Protection Specialist, DPPS, and the SIA's Security Industry Cybersecurity Certification, the SICC, as well as a Master's in Cybersecurity Policy and Risk Analysis, a Bachelor of Science in Managing Security Systems, and an Associate of Science in Criminal Justice. If I got it wrong, you can correct me when I'm done. Antoinette, welcome to the studio.
Antoinette King (01:24.028)
Thank you. Thank you. I love my acronyms. I'm adding one more. I also have my CISSP, which is certified. I do. Yeah. Information specialist professional. That was a spiritual experience. That exam was not easy. Yeah. Pretty much. Pretty much. By the end of the exam, I just remember hitting the button. The screen went blank. I broke out into a cold sweat. Like, all right.
David Mauro (01:29.875)
you got the CISSP. Well done. That's great.
David Mauro (01:38.38)
Yeah. It's kind of like the bar exam. Like, yeah.
David Mauro (01:51.15)
Yeah, and you're like, what does this mean? Like, did I get it or did I not get it?
Antoinette King (01:53.724)
Ha ha!
And then you gotta wait for somebody to walk in and they escort you out. You still don't know what happened. And then it's, congratulations, you passed. And everything just drained out of me. Yeah.
David Mauro (02:06.388)
Excellent. Well, let's dig into it. So Credo Security Consulting right now. What types of organizations do you provide consulting to?
Antoinette King (02:19.806)
So I work with organizations everywhere from manufacturing, commercial industry to K through 12. I do for whatever, yeah, correct, correct. I will tell you that, I always say for whatever reason, but it is a reason, I gravitate towards schools and schools gravitate towards me. So I do a lot of work in the K through 12 space around both assess,
David Mauro (02:25.888)
Okay, the whole gamut. You're not verticalized. Okay.
David Mauro (02:44.162)
That's actually how I got my start too. And I think that people can make it there, you can make it anywhere, because it's an enterprise environment but with like nonprofit budgeting, right? It's really challenging, and you've got kids beating the heck out of devices, and in no other industry does everybody leave for three months once a year and then switch places and then come back and everything has to work at once. It's really challenging.
Antoinette King (02:47.175)
Yeah.
Antoinette King (02:57.658)
I always say, yup.
Antoinette King (03:11.358)
Yeah.
It is, I always say it is the most complex system of systems I've ever worked in, with very little resources. And so I do work both internally within schools, in terms of doing assessments and identifying gaps in their policies, procedures and technology controls, as well as, I just this morning actually did a two hour presentation to school administrators and staff. It was over 700 attendees
David Mauro (03:19.256)
Yeah.
David Mauro (03:22.637)
Mm-hmm.
Antoinette King (03:43.71)
for a school district in Massachusetts on the risks and vulnerabilities and threats that schools face, right? So I do a lot of education as well for schools. But I also do things like SOC 2 audit preparation, also policy and procedure writing, business continuity planning, the full gamut.
David Mauro (03:46.169)
Great.
David Mauro (03:51.607)
episode.
David Mauro (04:04.216)
Yeah. So oftentimes listeners and viewers of our podcast want to know, like, you could have been an actor, but you wound up here. Like what, like why, how did this happen? Right. So as I understand from your background, you actually began in the physical security space. Can you walk everybody through it? Was there an event where you decided to go into cyber, or has it been a natural evolution? Walk us through it.
Antoinette King (04:37.142)
So I am one of the very few individuals in the industry in general that is here by design. So I went to school for physical security, managing security systems. I have a bachelor's through State University of New York, Farmingdale. At the time it was the mid 90s, and the advisor for the program had said, back then everything was analog in the physical security world, and he said, eventually, in a very short period of time, we're gonna see security devices being put on networks.
And so he made the recommendation that I get a Microsoft certification. So I went for my MCSE back when Windows NT was the operating system of choice. And then he also suggested doing some hardware training, because people are software or hardware focused. I wanted to be both. So I also got my A+ certification. After I finished my degree, I became an adjunct professor. So I started teaching in the program. I got my MCSE. I got my A+ certification.
And then, believe it or not, it wasn't my degree that got me hired on my first job, but my Microsoft certification. I became a technician for a security integration firm. So for the first four and a half years of my career, I did installs, installing camera systems, access control, intrusion detection, and had the very, very wonderful opportunity to spend a lot of time at the Statue of Liberty.
Antoinette King (05:56.67)
I have a photograph, I'll send it to you, maybe you'll pop it up during the editing process, of me in the torch. Yeah, perfect. Me standing at the torch of the Statue of Liberty, putting a Proxim wireless access point from the torch of the Statue of Liberty all the way back to Battery Park, just post 9/11. So I've had some great, great experiences in the physical security industry, always,
David Mauro (06:01.132)
Sure, it's right there. Right. It's right there. See it?
David Mauro (06:13.506)
Really?
David Mauro (06:18.637)
Wow.
Antoinette King (06:24.572)
I would say IT adjacent, right? So it was operational technology. Fast forward 17 years and I started realizing, I was working for a camera manufacturer and I started realizing we were doing a really poor job as an industry protecting the customers that we were installing devices in, in terms of the vulnerabilities on their networks. We were adding risk to our customers.
David Mauro (06:47.278)
Absolutely. Like just throwing devices on, right? Especially, that was really happening a lot in the 90s. You saw that with multifunction printers and everything else. Everything started to attach to the network and there was no cohesive thought really behind it. People were buying stuff that they thought was cool and they were like adding it on their own network. Hey, look, it's Wi-Fi. You can connect it to your big
Antoinette King (06:51.73)
Yeah.
Antoinette King (06:57.724)
Mm-hmm.
Antoinette King (07:05.307)
No.
David Mauro (07:15.488)
PC at the time, your big workstation.
Antoinette King (07:18.034)
And our biggest issue in the late 90s, early 2000s was this: we created this us-against-them mentality with the IT departments, because they had a fixed number of IP addresses. They didn't like the fact that we wanted to put 150 devices on their network. They didn't have enough IP addresses. So then we created, this was the early days of shadow IT, where we said, okay, no problem. Give us two IP addresses. We'd throw a server
David Mauro (07:30.892)
Right.
Antoinette King (07:47.102)
onto the network with two NIC cards, install 150, 200 cameras on one side they knew nothing about, and just had one output to their operational network, right? And so that really was the beginning of a very dangerous mindset and mentality that still exists today in the physical security industry, where we just say, that's okay, we'll build our own network. And all of that.
David Mauro (07:53.783)
Right.
David Mauro (08:09.568)
Right. So you have these really almost shadow networks that really are off grid, right? They're part of the framework, but it's still kind of off grid, meaning the people that are in charge of watching and monitoring it aren't seeing it necessarily. So let's say for a business owner or for a non-technical person, why is this such a risk? Why is this like...
Antoinette King (08:28.24)
Exactly.
David Mauro (08:39.31)
dumb it down for us a little.
Antoinette King (08:41.224)
Absolutely. So organizations need to have policies and procedures around keeping their devices up to date. One of the biggest risks and vulnerabilities that we can have on a network, aside from the human element, the mistakes that people make, is outdated technology, whether it be hardware that doesn't have updated firmware or updated software. Back in the day, we didn't fix something unless it was broken, right? If it's not broke, don't fix it. Now we have to keep up with patches. Exactly.
David Mauro (09:12.294)
There's updates and patches all the time now, right? And it's not just for a design of something or a new feature. A lot of times, most times actually, it's a security patch, right? Because there are vulnerabilities that are out there on the dark web that are being sold or being identified. And then it's a race to who's going to exploit that vulnerability faster.
Antoinette King (09:25.947)
Absolutely.
Antoinette King (09:37.66)
And we have things like the Critical Vulnerability Exploit catalog. So they are publicly made known for the purpose of the customers to be able to go and make sure that they look at the severity of the vulnerability and then make decisions around how they're going to update their devices. So with those vulnerabilities being publicly made known, it's a breeding ground for bad actors to just go out there and search for devices that are network-facing, internet-facing.
David Mauro (09:42.211)
Mm-hmm.
Antoinette King (10:06.306)
to be able to exploit. So the danger around not having a program for upgrading devices and keeping them up to date with firmware and software is the fact that you're essentially leaving your network open to the bad actors. And with physical security devices, oftentimes they have internet-facing servers, for example, that are not necessarily being updated. And with that comes an opening to the network.
I have a really quick anecdotal story, if you don't mind, if you'll indulge me. I was working with an integrator, trying to advocate for how important cybersecurity should be as part of his business model when he's installing devices with his customers. And his answer to me was, well, listen, if a bad guy gets to my server, that's really, the customer's got way more problems, because they had to go through the customer's layers before they get to me.
David Mauro (10:37.708)
No, please. Yeah, share it with me.
Antoinette King (11:03.388)
And I said, I understand that, but you also don't want to be the person with the egg on their face at the end of the day because your device was used in some sort of negative way. We kind of parted ways. About three weeks later, I got a phone call from said person and he said, you know, you were right. And I said, about what? And he said, about that cyber security BS we were talking about. And I said, do tell. And he said he had two customers call him almost in tandem to talk
David Mauro (11:12.087)
Right.
Antoinette King (11:31.762)
to him about some issues they were having with their NVRs. And both NVRs were very slow. The cameras were not loading. He couldn't figure out what the issue was. He sent a technician, two disparate customers, same manufacturer NVR. And it turns out that both were being used to mine Bitcoin. NVR, a network video recorder. Yep, both of the network video recorders.
David Mauro (11:36.311)
Hmm.
David Mauro (11:51.83)
So what's an NDR? Explain that to them. Yeah, that's what I thought. Yeah, sorry, I misspoke. Right.
Antoinette King (11:59.932)
Yeah, and so, and they were both internet facing. So he didn't lock them down. Sure.
David Mauro (12:03.244)
Right. So let's break that down for a second. So oftentimes networks can be exploited, a vulnerability can be exploited, and they could be using your compute. Right. They could just be using your platform to mine for crypto coin. And people don't even understand what crypto is half the time. So they're like, I don't understand. It's like
Antoinette King (12:16.711)
Yes.
Antoinette King (12:26.056)
Yeah.
David Mauro (12:27.596)
It's basically like a math formula that, if they process it on your thing, they're going to find something that they will be able to turn into cash eventually. I mean, simplistically, that's what it is.
Antoinette King (12:36.734)
Absolutely. We've seen security cameras, we've been seeing security cameras exploited for bots, as bot armies for denial of service attacks. So there's so many applications.
David Mauro (12:45.293)
Mm-hmm.
Right.
Denial of service attacks, for those who don't understand, are the ones where they will flood a website, let's say, with so many inquiries that it basically either regurgitates itself and the database on the back, the admin side on the back, spits up and it becomes vulnerable, or the whole thing shuts down. And they'll get different devices, tens of thousands of them from all these different points, and they will all point them right at that. And that's been going on for decades. That attack, remember Michael Calce, the Mafiaboy, brought down like Google and eBay or Yahoo and eBay back in like the early 2000s doing DNS attacks before anybody knew what was going on.
Antoinette King (13:22.269)
years. Yep.
Antoinette King (13:40.52)
Yep. And we forget about operational technology devices when we're talking about cybersecurity programs and building out strong cyber. Most people are thinking cameras, HVAC systems, lighting. Absolutely. Absolutely. So of course, those are going to be green fields for bad actors. And again, then you talk about the silos just within departments and the struggle between departments for
David Mauro (13:49.112)
They really don't talk about cameras a lot, right? They don't talk about cameras, MFPs, things like that, right?
David Mauro (13:59.989)
Mm-hmm.
Antoinette King (14:08.124)
You know, this is my turf. No, it's my turf. And so when we talk about just that human element of people not cooperating and not working together, and then also the fact that people in facilities or physical security are not necessarily as educated on the why around firmware and software updates, it just creates, like I said, a playing field for the bad guys.
David Mauro (14:10.734)
Right.
David Mauro (14:33.918)
Absolutely. What have you seen? I want to talk about CMMC in a second, but before that, what are you seeing in terms of the K-12 environment, the SMB space, right? The organizations, and I don't care about the revenue value because it's more about the size of the organization, right? And you know, that under a thousand employee range, which is the bulk of them,
Antoinette King (14:38.846)
Sure.
David Mauro (15:03.278)
employers in the United States. It just seems to me, culturally, compared to our brethren over in the UK, let's say, or even Canada or Australia, but especially the UK, because they have GDPR, the case has to be made that cybersecurity is important first, and then
budget needs to be found and then what layer work, you know, an assessment needs done and then certain layers get applied based on what your environment and your footprint looks like. Are you, are you seeing that as well? okay.
Antoinette King (15:45.595)
A thousand percent. First of all, you're spot on. The case has to be made. Why does the case have to be made? You would think that people... Yeah, you would think that at this point everybody would kind of be hip to it. Yeah.
David Mauro (15:50.958)
It still boggles my mind that the case has to be made. It's 2024. Yeah, I'm like, it's 2024 and every single week there's a massive, you know, ransomware attack that's making the news and it's making mainstream media, and every facility, everybody's health records, every entertainment facility everybody goes to, they've all been breached massively, not just a little bit.
It's not like, they got some data and nobody really cares. It's like, no, everybody's got to like freeze their credit now in America because of this. Like it's affecting daily life. It still boggles my mind that they don't, that we don't just take it more seriously.
Antoinette King (16:28.7)
Yeah, and these massive, these massive.
Antoinette King (16:36.306)
These massive breaches actually I think are making it more difficult to make the case for the K-12 and SMB. So let's take.
David Mauro (16:44.588)
because they're such big organizations.
Antoinette King (16:47.26)
Yeah. So let's take small business first. Small business organizations typically are saying, well, any data that I collect has already been breached by some other major organization for those customers, right? And my small mom and pop operation, and I'm talking 1,000 employees or less, right? I don't mean to diminish the medium-sized businesses, but the mentality is who wants to get my data? Why is my data valuable? And what we need to understand is,
David Mauro (16:50.67)
Mm-hmm.
David Mauro (16:58.466)
Yep. Yep.
David Mauro (17:13.048)
Right.
Antoinette King (17:16.35)
The bad actors don't care about the data records anymore, whether they're in a small medium business or even in a large business. The data records themselves have no value, because you're right, they have been devalued. It's all out on the internet. The social security department had been breached and all of our information was out there, right? So, but the bad actors know the value in the data is not to them, but to you. And business continuity, business operations, the integrity and the reputation of your organization has value.
So these organized crime constituents, if you will, are going after small to medium businesses for two reasons. Number one, they know that they're getting cybersecurity insurance. So there's going to be some kind of guarantee that they're going to get some kind of money out of it. And, yeah.
David Mauro (18:02.818)
Right. It's like a tort claim or a litigation case. They're going to go because there's insurance or because there's going to be a payout. And there is going to be, I mean, the downtime that I see SMBs go through from not being able to... To me, 25, I keep saying the same thing, but it's so true. Like 25 years ago, we had two versions of our life. We could fully operate without our computers. Our computers were there, but it was almost like an electronic way of speeding things up. But if they broke down, we were fine. We still operated and we could still sell and produce and pay invoices and do a lot of things. Today, we can't. Like you literally can't function without your systems. And they know that. Right.
And people are still not taking it seriously and doing cheap versions of backups. They're not air-gapped. They're not immutable. So the backups get destroyed, if they have them, because half of the time nobody's testing them. And the damage is, it's so much more than what they anticipate ahead of time. Yeah. And I can't even imagine.
Antoinette King (19:10.364)
Yeah, if they even have backup.
Antoinette King (19:24.414)
100%, 100%. In the K through 12 environment, it's a little different. So K through 12 is, first of all, K through 12 and small municipals are being attacked at exponentially higher rates than any other industries for two reasons. One, okay, so you and I just talked about how our data records have no value because they've already been exploited and exfiltrated and impotent. Yes.
David Mauro (19:30.254)
because the key to.
David Mauro (19:38.903)
Yes.
David Mauro (19:49.038)
But a kid's record could be used for 10 years, right? I mean, I have talked to families. Yeah, I've talked to families whose children are now reaching adult age and they have a foreclosed condo in Nevada. And they're like, how did this happen? I'm like, do you remember that data breach in 2008? They've been using your child's identity for all this time. Parents aren't freezing their kids' credit. They're not monitoring.
Antoinette King (19:53.778)
before they even realized it. So the value of that record is through the roof.
Antoinette King (20:20.09)
Absolutely. And so that coupled with the fact that you've got some personal health information oftentimes in K through 12 environments, and then add in the fact that there's no resources financially to protect those networks. And the fact that we have those complex systems of systems like we were talking about where they've got cloud-based systems, they've got on-prem systems, they've got shared resources, lots of integrations and APIs.
EdTech has now created a whole new vector of threats within schools. So it's very, very challenging with schools. And then when you look at municipalities and you look at law enforcement, those records are also very valuable, because, especially in the criminal records, what we can do with the criminal information or suspect information or arrest information and how we can use that to exploit individuals as well. So those...
The municipalities, law enforcement, and K-12 we're seeing are being attacked at exponentially higher rates. And again, municipalities and law enforcement typically are small to medium. There's a lot of the big ones in the cities, but most are made up of the small to medium. They're either outsourcing their IT departments or the guy who knew how to use the iPad becomes the IT person.
David Mauro (21:28.462)
Mm-hmm.
Antoinette King (21:39.238)
And so that's oftentimes the way it goes in schools as well. I always joke and say, the person who learned how to use a smart board first got voluntold that they are now the IT director.
David Mauro (21:39.369)
Absolutely.
David Mauro (21:49.256)
Right. And then the IT director is now in charge of cybersecurity, which still, to me, organizations, especially in the SMB space and in the K-12 space, they don't understand the difference between the NOC career track of an engineer going into a network operation center and the SOC, right, the security operation center, because they're two different careers. They're two different skill sets. And yet
Antoinette King (21:53.075)
Yes.
David Mauro (22:18.036)
it involves electricity and it's plugged in and there's computers involved, so it must be an IT thing. And then you have these well-meaning, good-intentioned people that are not suited for the roles or the responsibilities that they're given. And they're not given budget to do it correctly, which is really kind of the perfect storm for cyber.
Antoinette King (22:42.238)
Yeah, 100%. And it's like asking the gym teacher to be a security guard, you know, just because they're strong. exactly. Risk and... Yeah.
David Mauro (22:46.22)
Yeah, because it's physical, because it's physical, right? Like he must know all about like the vectors and how to handle due process and all of that, right? He must know all about risk management because he was a gym teacher. It's like, okay, sure. Right.
Antoinette King (23:02.418)
Yeah, yeah, it's that disparate, right? And people don't understand that. And I'm glad that you brought that up because I talk about this a lot when I do talks for the K through 12 space, especially with administrators and superintendents who just kind of assume it's an IT issue. And I explain, you know, people in the IT, you know, the computer science field, they're interested in network infrastructure. They're interested in network architecture, making sure that
David Mauro (23:17.848)
Right.
Antoinette King (23:31.356)
the technology works, the information gets from point A to point B and that it, you know, gets there when you need it. Cybersecurity, we're talking about confidentiality, integrity and availability, you know, the protection of the data set. So the one is the transportation and the modes by which we use and process data. The other is the protection of the data set. Completely different fields.
David Mauro (23:42.931)
Absolutely. Right.
David Mauro (23:48.898)
Right. Well, one is trying to drive collaboration and open and communication back and forth and open systems and everything and letting the technology really advance the cause of the mission of the organization, whatever it might be growth. If it's a business, right, production or, you know, future readiness for education. But security is like, no, no, like
Antoinette King (23:57.214)
Yeah.
David Mauro (24:17.516)
Within that environment, we're looking for anomalies. We're looking for people that are organizations and people that are inside undetected for a long time, going to do bad things before they're trying to catch them before they can do them. And it's a different, it's about policing the technology use. And you can't completely police it because if you do it completely, everybody will be offline. Like you want full security, unplug it all.
Antoinette King (24:43.422)
Yeah, you might as well just pull the Yeah.
David Mauro (24:46.87)
Right? And then you're fine. But that gets in the way of digital transformation and leveraging the advances of technology to move faster and quicker. So that's where the...
Antoinette King (24:57.55)
And you bring up that age old adage, right? How much security is too much? So we have to talk about the intersection between security and being able to do business, right? And giving people ease of use.
David Mauro (25:12.738)
Well, that's why I'm a big proponent of detection, right? Like having, you know, some of the, and, you know, the cybersecurity industry has done a very poor job, in my personal opinion, of like, security comes out of our box, no, it comes out of our SaaS program, or comes out, I'm like, no, it doesn't, right? Like, no, it doesn't. Like, I've never met one that the guys at DEF CON aren't excited to get in a booth and blow it up, right? Like,
That's not the case. Having that view of like, like everybody really needs eyes on glass 24/7 in some affordable way, like some way to do it. So that way you can keep collaborating and building and growing and collaborating and leveraging the advances of technology. And then should something happen, you can catch it before it's four months later that they've been inside and
you know, nobody wants to wind up in the news. Nobody wants to wind up being stopped, right, or being extorted or blackmailed. So being able to catch it faster reduces the risk of those bad things or the magnitude of it happening.
Antoinette King (26:25.982)
I agree. And I also think, you know, there's a couple of things that I like to address. Number one is you talk about security controls and all the technology controls. You can throw millions of dollars worth of technology controls at anything. But at the end of the day, 95% of any kind of security incident, whether it's physical or cyber, it has some sort of human element to it.
David Mauro (26:40.75)
Hmm?
David Mauro (26:50.114)
Yeah, it's Yes.
Antoinette King (26:50.446)
You go to a school and the kids are holding the door open for you. So all of that access control, all of the electronic lock systems are circumvented by a kid trying to be nice and holding the door open. It just happened to me last week at a school out on Long Island. You know, the kids literally held the door open for me to walk right into a school, a high school. The same thing with the cybersecurity. Yeah, exactly.
David Mauro (27:10.52)
Yeah. Bring a box of donuts. Yeah, bring a box of donuts. Everybody will let you in. Like not, I mean.
Antoinette King (27:17.682)
Think about the social engineering that's been happening that, and again, I feel like we're coming full circle because if you remember back in the day, you people from overseas calling to say that they were tech support and people were believing it. Now they're doing it again and people are giving them credentials to log in, giving them the email address, clicking on the link and allowing them to log into the network. So when you have people who are not aware and your culture isn't rooted in security,
David Mauro (27:31.319)
Right.
Antoinette King (27:46.379)
Again, almost every one of my presentations, I start with cybersecurity is not an IT problem. It's everyone's responsibility.
David Mauro (27:52.214)
That's exactly what, that's so funny. Did you see my slides? Because that's exactly like the first, like let's talk about the main myths. And number one is, I believe I'm too small to be targeted. So we blow that one up. Number two is like it's an IT thing. I don't have to worry about it. I'm like, but you're the reason why it's not secure. It's not somebody's fault. Like a lot of times they're brilliant employees. They're great employees. Right. Like
They're very good. It's just they're just distracted or they're socially engineered. I mean, the people that are involved in social engineering are really, really good at their job. They are really good at it because the...
Antoinette King (28:32.414)
Uh-oh. Will you look at all the open source intelligence that's out there? Go to LinkedIn. I mean, the things that we post on LinkedIn, 20 years, you talk about what it was 20 years ago, we would never put an org chart publicly available and say, these are our executives. And then these are the people who report to the executives.
David Mauro (28:37.978)
yeah.
David Mauro (28:46.346)
I know. Or the ID or their IDs. I've made it, you know, 20 years at this organization and they show their ID and I'm like, you don't think we just made that same thing so that we can walk in? Like, that's what they're doing. Like, it's so shocking.
Antoinette King (28:57.853)
Yeah
Antoinette King (29:05.704)
Yeah, it's free, it's available. We're putting it up there. LinkedIn is really a scary one for me because not only are we, it's one of the only social media platforms that almost everybody has wide open. Most people lock down Instagram, Facebook, Snapchat, you know, most people, not everybody, but most people understand the need to do that. LinkedIn is purposefully left open. So we're sharing all of this professional information,
David Mauro (29:20.77)
Yes.
David Mauro (29:25.282)
Hmm?
Antoinette King (29:35.368)
our CVs on there, all our education, all the security questions that the banks ask you, you know, where did you go to college and all, it's all listed there, right?
David Mauro (29:43.448)
Well, that's a whole other discussion. Yeah, like the whole the whole like, asking of security questions. I'm like, we can. It's it's why? Yeah, that's exactly right. Yeah, have it be like some phrase in a song that you love or something like that, that only you're going to know or make it up, right? Like something from a movie, something from a song or whatever. And
Antoinette King (29:52.233)
I always tell people make it up, make up the answers, don't give the truthful answers because the truthful answers are exposed everywhere.
Antoinette King (30:06.267)
Mm-hmm.
David Mauro (30:10.166)
So NIST recently came out with the password recommendations and they said it's really length. Like length matters more than anything else.
Antoinette King (30:16.785)
Of course.
I always say length trumps complexity every day of the week. Don't worry about asterisk exclamation point, how many characters, uppercase, lowercase. Yeah. In New York State, they're pushing for 14 character passwords in K through 12. And I was doing a presentation for a cooperative BOCES and they were freaking out because like, how are we going to have four kindergartners? Because it was students and administrators and teachers.
David Mauro (30:24.118)
Yes. None of that. Just make it longer, right? Because the software...
David Mauro (30:48.718)
Yeah. Just a phrase. Yeah.
Antoinette King (30:48.732)
remember 14 characters and I said, do a nursery rhyme. Yeah. And they were like, yeah, that makes sense. the, you know, a line from their favorite book or something like that. They can memorize those things very easily. So I think that that's a great habit.
David Mauro (30:54.829)
Yeah.
Right.
Yeah. But then the problem is going to be, so I've been doing these security awareness presentations, public speaking for 12 some years. I did them before, but really have been pretty intense with them for the last decade because it's just so aware. What's shocking to me is when we talk about the same things that we've been talking about, like all the time, people are like, I didn't know that. And I'm like, who?
Antoinette King (31:27.006)
you
David Mauro (31:29.452)
Like, what are we like? There's so many people talking about cybersecurity out there. Like, how are we not? We're not communicating widely enough to people like we need to get it.
Antoinette King (31:30.674)
What rock? What rock have you been living?
Antoinette King (31:42.994)
I think it falls on deaf ears. I think where you said something before about, you know, the cybersecurity industry is not doing a great job at certain things. And I think for a long time, cybersecurity professionals wanted to show their worth and their value and made things far more complex. Yes.
David Mauro (31:57.294)
Be exclusive. Yeah, it's kind of like the law. It's kind of like the law, right? Like you don't understand. This is a lawyer thing. Blah, blah, blah. And I'm like, so the word means what the word means. Yes. OK. Well, I guess everybody understands that, right? By not making this cloak of exclusivity, you know, we'd be better off. But we do it for our own reasons. Right. And it's...
Antoinette King (32:06.184)
Mm-hmm.
David Mauro (32:25.026)
you know, it's to charge more, it's to have a skill that others can't have. And so we kind of put this mystery.
Antoinette King (32:31.708)
It's why I wrote my book. The inspiration behind my book was a session that I did with fourth and fifth graders, right? And they were so, so smart. They knew way more than the teachers and the librarian knew about clickbait and things like that. And I said to myself, you know, we need to have something that is, that kids can read, that they understand, that's not technical. And every chapter has a checklist of things you can do every day. And the audience really is age 12 to 100.
David Mauro (32:42.594)
yeah.
David Mauro (32:52.205)
Yep.
Antoinette King (33:00.616)
things you can do every day to protect yourself, setting boundaries of sharing online, things like that. I think it's really important that we stop making a barrier between cybersecurity practice and best practices for cyber hygiene and the average individual. And we're getting taken advantage of. Yeah, sure.
David Mauro (33:01.283)
Yeah.
David Mauro (33:19.614)
Absolutely. Let's pivot and talk about your book a little bit. You were inspired by my friend, Scott Agenbaum, retired FBI agent. He's a great guy. He's just phenomenal. So he got you to write a book, which is exciting. We will have links to the book in the show notes. I do encourage the listeners to check it out because it is very, very useful.
Antoinette King (33:27.315)
I love Scott. He's such a great guy.
Antoinette King (33:40.786)
Thank you.
David Mauro (33:47.5)
So when we do the security awareness trainings, we will, you know, provide these no-cost resources, how to freeze your credit, how to do that. But when I was looking at your book, and it's not on my bookshelf, I should have done that so that it would have been right there highlighted for you. I'm sorry. But I love the checklist and the practical advice there, like that's exactly what our handout resources are, because it's like
Antoinette King (33:59.9)
It's okay.
David Mauro (34:14.592)
If you just do these things, there's just so many different steps that can be taken. And if you just do a little bit, just a little bit better, right, it changes the trajectory of you not being on the news or you not being involved in this stuff because you end up being a victim. Because it's just, you know, we understand it physically. We understand if we're walking and there's a dark alley and you hear something or you see some shadows.
Antoinette King (34:30.888)
Not being a victim, right?
David Mauro (34:44.46)
You don't go, you know what, it might be faster if we cut down that dark alley, right? Like, yeah, but I want to live. So let's just keep walking. Right. Like, I don't know this part of town. Let's just keep walking. And there's those simple steps you can take in cyber that you can just do yourself. And it really changes the course of it. So what was the inspiration and what was the experience like writing that book? Share it with us.
Antoinette King (35:14.078)
So in a real quick story about the inspiration, I was asked to do a digital learning day for fourth and fifth graders. I went in there, the administrators kind of had very low expectations of what they thought the students were going to react to and respond to. I went in there and I said, you know what, I'm just gonna bring some energy and I'm gonna talk to them like young people. I'm not gonna talk to them like they're stupid. And what I very, very quickly realized within minutes of each session that I did was not only were every single student
David Mauro (35:19.854)
Hmm?
Antoinette King (35:44.258)
logged into the internet somehow, someway, and this was actually 2019, just before COVID, it was October 2019. So we weren't even doing remote learning or anything like that, but in every class I asked, do you have a gaming system? Do you have an iPad? And every hand by the end of all the questions was up. So every kid was connected to the internet. Then I asked them,
David Mauro (36:03.404)
I think every kid that has played a game has looked for cheats. And because of that, they understand hacking like it's just a natural phenomenon that people over a certain age just didn't grow up with. Right. And so go on. I'm sorry. But that's so true. Yeah.
Antoinette King (36:09.33)
Mm-hmm.
Antoinette King (36:23.324)
Yeah. No, that's okay, but that's the point, right? So that's exactly the point. So some of the topics we talked about were like cyberbullying and being an upstander, how important it is. And one of the things you talked about was walking in a dark alley. We wouldn't just go and do that thing because innately, you know, like stranger danger. When we look at global digital citizenship, there are no boundaries. We are in the safety of our home.
David Mauro (36:33.976)
Of course.
David Mauro (36:43.747)
Mm-hmm.
Antoinette King (36:53.07)
So those fight or flight mechanisms don't exist. Exactly. We don't have the fight or flight need to respond that way because we're in the safety of our home. So these young people, we started talking about, you know, when you're in the schoolyard and you see somebody getting bullied, you're good. The kids were really good about it. They're like, no, I wouldn't let my friend. Okay, great. Well, why is it when you're online, do you feel that it's okay to watch it happen and not intercede, not be an upstander, not stand up for that person?
David Mauro (36:53.078)
Right. Which is an illusion of safety. It's an illusion of safety.
David Mauro (37:03.659)
Right.
Antoinette King (37:22.076)
We talked about that. Then we started talking about mis- and disinformation. Remember, fourth and fifth graders, and these kids knew what disinformation was. And so I started to explain to them on a web browser what it looks like when you go to a website, look at the URL, look for anomalies in the URL. And then I started talking about how when you're on an article, there's often advertisement on the side. So I said, sometimes there's a strange picture with maybe a wild headline,
David Mauro (37:30.498)
Wow.
Antoinette King (37:49.968)
and every single session they all yelled out, that's clickbait. At the end when we were wrapping everything up, I had the librarian and two other teachers come up to me and say, you know, I didn't even know what clickbait was. I had no idea. So fourth and fifth graders knew what clickbait was. And one of my colleagues that I often do speaking circuits with, he always says, we now live in an age where...
David Mauro (38:03.33)
Wow.
Antoinette King (38:15.56)
For the first time in history, young people have more access to information than the older generation. Prior to that, it's always been the older generation passing knowledge down to the younger generation. And now we've got knowledge going upstream. And that's scary and it's dangerous. It's also exciting, but it's scary and dangerous because we're not preparing young people for how to deal with access to this kind of information. Exactly, how to conduct themselves.
David Mauro (38:21.752)
Correct.
David Mauro (38:26.508)
Right.
Mm-hmm.
David Mauro (38:40.536)
how to manage it. Yeah.
Antoinette King (38:44.656)
And when we desensitize them to exposure to the internet for all of our private and personal details, it creates a very dangerous environment. When COVID hit and we had all of these kindergartners now online using YouTube and Google Meet and all these other things, it became a really fast uptick for human trafficking. Young people were just struggling to connect with other people. They think they're hanging out in
David Mauro (39:08.012)
Mm-hmm.
Antoinette King (39:12.668)
chat rooms with other kids, they go to meet them and they're, you know, human trafficking rings and organized crime. So we're seeing massive upticks of sextortion, exposure to young people for, you know, sending inappropriate pictures and things like that. So.
David Mauro (39:29.596)
yeah, and it's happening a lot on the social media platforms like Instagram and things like that. And there's a lot of privacy groups struggling with the built-in protections that parents assume are there, but they're not. Yeah, so.
Antoinette King (39:33.359)
Absolutely.
Antoinette King (39:45.458)
Yeah, yeah. And you can't assume, you agree to these user agreements and every one of them says they're gonna access, they don't and they're gonna access your microphone, your contacts, your camera, your other applications. So you're giving away all of your data. I always say these apps are free because we're the product.
David Mauro (39:51.658)
Nobody ever reads those.
David Mauro (39:56.43)
Right.
David Mauro (40:04.78)
Right. That's exactly right. I mean, it's shocking. So I can't let you go without, I do want to touch on CMMC because I know you're frustrated about some of the changes, but we always get asked about AI and how has AI changed everything? And is it going to change the IT space dramatically? For me, I see it being leveraged
Antoinette King (40:14.472)
Yeah.
David Mauro (40:34.264)
quickly in terms of social engineering, right? Some of the red flags for phishing emails have changed. Now, deepfake video and audio has advanced so well, it is virtually undetectable by the human eye. So now you have it leveraged alongside phishing emails, meaning you might get an email, you might recognize it as a phishing email, I'm not going to give up that sensitive information, but then you get a Zoom meeting request.
Antoinette King (41:01.096)
Phone call. Yeah, yeah.
David Mauro (41:02.55)
or a phone call or a Teams meeting and you get on the call with the person and they alleviate any concerns you have and then you proceed to release it, only to later learn that that video wasn't really the person. And you're not an idiot. It's literally undetectable by the human eye. It sounds like them. It thinks like them. And there are legitimate companies for creative purposes that are pushing those products because they're like, well, business leaders can
scale their ability because they could attend. There's a certain company that literally advertises, with professionally generated videos out there, ads that are saying you can attend a thousand meetings at once. Our avatar of you will look like you, think like you, decide like you and speak like you, all on a Zoom meeting or a Teams meeting, which is great and also dangerous. Right.
Antoinette King (42:00.22)
I would love to see the legalese behind that.
David Mauro (42:03.01)
Yeah. Yeah. There's hundreds of them, actually. And it's really at the apex of what's happening. What are you seeing? Anything unique?
Antoinette King (42:14.812)
Yeah, I mean, you hit the nail on the head. So we've got these data lakes of information out there about us. And again, I just spoke about this this morning with that large school district in Massachusetts. And I'm going to take it a step further where this is really where the digital realm and the physical world are converging when you talk about this type of social engineering. So we've got all of the videos and things that we're posting to YouTube, Instagram, LinkedIn, these podcasts, right?
open source intelligence data that can be gathered and culminated in order to create a digital twin about an individual. I talk about, you know, on the physical security side of things, surveillance cameras, they're surveilling individuals, but they're also detecting patterns of behavior within the workforce or within schools. So now you can, again, you take that another step forward where not only can you
take those videos and create a deep fake, but you can actually put them in places that you think they should be. And then for young people with the identity theft, we can now create that digital twin of an individual, use that for all sorts of extortion purposes. And young people, I've actually seen the opposite where a young woman created an avatar of herself and she's charging people to go on virtual dates with her.
David Mauro (43:19.063)
Wow.
David Mauro (43:23.128)
Right.
Antoinette King (43:39.09)
She's making tens of thousands of dollars to go on virtual dates, which is crazy because we're now normalizing this kind of behavior, right? I know America's Got Talent had a whole act on deepfakes and it made me cringe because although it was cool to see them doing real-time video rendering where they had the judges singing up there, right, that scares me because that means we've got the compute power to do that in real time.
David Mauro (43:47.477)
Unbelievable.
David Mauro (43:57.868)
Right. yeah, I saw that Simon. Yeah.
David Mauro (44:07.401)
Yes.
Antoinette King (44:07.43)
misinformation, the elections, all of these things come into play. And quite frankly, I don't believe anything I see anymore online because you just can't determine. And there were tools that would give you the capability of detecting deep fakes, you know, through generative AI. And now it's become so sophisticated that these tools are often not able to detect whether or not they are the original.
David Mauro (44:31.49)
Or they could do it after the fact to prove something. I mean, I know there was a school principal or a school superintendent outside of Maryland who got fired by the board because he had...
David Mauro (44:47.678)
It became public that he had said some inappropriate things, right? And the board terminated him. But really what happened is he was able to get the police involved and they did a deepfake analysis of the announcement originally and they found that it wasn't him. What was happening is he had been investigating the athletic director in the school system.
And this is out there, you can Google the story, but he had been, for like, misappropriating, allegedly misappropriating the booster funds for some reason, right? And so the person got mad at either the superintendent or the principal, and then deepfaked his voice saying these racist things or whatever. And it's like, yeah, but it's too late. Like he was able to show, look, I didn't say it. But the board had already terminated him. The damage is already done.
Antoinette King (45:15.282)
Yeah.
Antoinette King (45:34.024)
Mm-hmm.
Antoinette King (45:40.114)
Damage is done. And the barrier to entry. So let's just take this a step further. Five years ago, to be able to do things like this, to be able to launch ransomware, you had to be sophisticated. You had to kind of know what you were doing. You needed the resources. So the barrier to entry for not only this type of technology, but also when we look at generative AI around creating ransomware and other types of attacks, you can just go in and say,
David Mauro (45:49.663)
It was very sophisticated. It is like 19 bucks a month now. Yeah, you can get a subscription.
David Mauro (46:08.339)
yeah.
Antoinette King (46:09.534)
create malware with this operating system at this version to be launched using Outlook and all the code is created. It's packaged up and it's handed over to you. So, you know, we had this kind of transition from highly sophisticated criminal actors to then we had, you know, ransomware as a service where you can hire people to do it. And now you can just go onto a ChatGPT-style environment and put in what you want and it spits out the results, right? You've got a work product and it's free.
David Mauro (46:37.238)
Right. Yeah. And while OpenAI's ChatGPT and things like Microsoft's Copilot, right, they won't let you create malware because it's designed that way, there are not only ways of prompting around that, but there are dark web versions of ChatGPT that do allow it. Right. So, and, you know, we recently did a webinar on the dark web just to kind of show people what it was.
Antoinette King (46:50.974)
Correct.
Antoinette King (46:56.998)
Mm-hmm. Exactly. Exactly.
David Mauro (47:06.422)
I went there, fired up, you know, Tails and the Tor Browser and all that stuff. Yeah. And got on there and filmed it so that they can actually see it. Look, this is, I blurred out the really raunchy stuff, but I mean, basically like anything you want to buy that's illegal or violent or whatever. It's like Amazon. You can literally go on and click, and people are like, you've got to be kidding me. I'm like, no, from the exact device that you're watching this on, you can do this.
Antoinette King (47:12.399)
Mm-hmm.
David Mauro (47:35.586)
That's how dangerous it is. Right. So let's switch gears as we're. Yeah.
Antoinette King (47:37.982)
Yeah, I think when I went back to school, yep, real quick, when I went back to school, these are the kinds of things when, you know, I was in my early 40s, I went back to school for my master's degree, and all of a sudden I realized this threat landscape that used to be nation state actor against nation state actor is now nation state against individuals. And so, and it leads into your talk about CMMC, but that was to me the aha moment where I said, holy cow, this is dangerous.
David Mauro (47:52.684)
Right.
Right.
Antoinette King (48:06.822)
And because the United States is such a free, open society, the government can't protect us even if they wanted to. Our critical infrastructure is managed by private industry. They don't even have the authority. They can regulate and they can make guidelines, but they don't even have the authority to protect our grid, our power grid to protect.
David Mauro (48:19.886)
All
Antoinette King (48:32.683)
the gas lines to protect the water, all of it exactly. And that's really to me where the scare happens and where CMMC comes in.
David Mauro (48:33.038)
the water treatment plants, all of that.
David Mauro (48:41.814)
Well, I mean, and here's one of the other issues that I've seen. I mean, it's obvious, but there's so many different rule sets, like some of them aren't even authoritative. They're like guides, like, you know, you have all these different standards and what you're supposed to do to be, and it's really up to the organizations to voluntarily aim for them when they can afford to.
Antoinette King (49:02.142)
frameworks.
David Mauro (49:11.052)
Right? Like there's no mandate that you do these things. So one of the things I like about it, CMMC is at least in some sense, the government is saying if you're going to do business with somebody that's making something for the federal government, for the Department of Defense, you have to comply with certain basic things. And if you have access to CUI, which is like a confidential
Antoinette King (49:31.166)
DoD.
Antoinette King (49:40.018)
controlled unclassified information.
David Mauro (49:41.046)
Well, yeah, controlled unclassified information that you have to take certain steps to protect it. So in that sense, I think the intent is good. Now, in the execution, there used to be five different levels, right? And now there's only three. So why is that, you think? And what effect does that have?
Antoinette King (49:53.534)
you
Antoinette King (50:04.67)
Yeah, so I think if we just take one step backwards and say that the reason why this Cybersecurity Maturity Model Certification came about was because defense contractors were required, and I put that in air quotes, to comply with the NIST 800-53 standards through what we call self-attestation. In other words, they were required to go online and look at all of the control sets and say, do we comply? Do we not comply?
If they did not comply, they voluntarily said that, they would create what's called a POA&M, plan of action and milestones, to say we are going to remediate these issues by this date. And that's pretty much as far as it ever went, if they even went on and did their self-attestation. Nobody ever went back and audited anything. Nobody ever wanted to make sure that people were going to comply or fix the problems. And so with that, we had defense contractors
that had access to small systems that created larger systems, which then created big planes and tanks and other things. So the attack on the supply chain for the DoD went like this. We have these smaller contractors that created the small systems, and then they sent those systems to contractors that took other small systems and put them together. And then ultimately you go through all the supply chain and you get this big plane. So China went after
David Mauro (51:19.81)
Mm-hmm.
Antoinette King (51:30.29)
the small companies that had these little, and controlled unclassified information is like below top secret or secret information, in that the drawing, for example, of this system, let's say it's a braking system for a tank, is not in and of itself classified because it's just that, but that combined with the 150 other drawings then compiles, and I'm making these numbers up, compiles the actual tank, right?
David Mauro (51:31.914)
Oh, right.
David Mauro (51:57.26)
Right. Right.
Antoinette King (51:59.514)
And so they would attack all of the suppliers of those smaller systems. And ultimately they were able to build our tanks and planes. So the idea was, okay, anybody who has access to this labeled CUI, they are now going to have to have a minimum standard requirement for cybersecurity in how they handle that data. And in order to even bid on a project, and this is the thing I love the most about the idea of CMMC is that we're attacking cybersecurity at the procurement.
process. So the ticket to ride is that you've got this certification. Love it. So the initial thing, like you said, was five tiers, five levels, and every one of them was supposed to be audited. So even if you were level one, very small, you know, the brake pads for the brake system, for example, you had to be audited. The government very quickly learned that they don't have the resources to audit all of the DOD suppliers.
David Mauro (52:30.103)
Right.
David Mauro (52:34.956)
Hmm.
Antoinette King (52:57.734)
And so therefore they combined levels one and two together to make level one and then level three and four and five are their own levels. The problem is level one, which is the vast majority of suppliers are gonna fall into the level one is now back to self attestation. I'm sorry, it's three total. So level one and two are combined, level three and four are combined and then level five is now level three.
David Mauro (53:16.248)
Right.
David Mauro (53:25.326)
And to give everyone kind of a sample of the difference, like level one is, well, just self-attestation. I don't get really audited by a third party. And there's like 17 controls, 17 best practices I have to meet. Right. And then just from that shift to level two is like level two is like 110 or more controls. So it goes up exponentially there.
Antoinette King (53:31.986)
Basic.
David Mauro (53:53.582)
And the difference in the security posture of level two versus level one is a big deal. Yeah. So why is that a problem? yeah. Right.
Antoinette King (53:59.664)
Absolutely it is. Absolutely it is. So it's disappointing to me because now we're back to square one, right? It's disappointing because we're back to self attestation, which means there's no accountability. There's no audit process. We're leaning on the individual in an honor system that didn't work before. We already know it didn't work. My hope is that once they get through the level twos and threes from an audit perspective, they will.
David Mauro (54:20.492)
Right.
Antoinette King (54:29.15)
put level one back into an audit cycle, even if it's two, I mean, again, even the audit cycle for CMMC was three years. I think that's just unconscionable. The SOC 2 audit is annual. And the first one, the look back period is like three months, then it's a year. So for me, the idea of doing an audit on someone's cybersecurity posture every three years.
David Mauro (54:38.146)
Right.
David Mauro (54:44.001)
Right.
Antoinette King (54:54.714)
It's like changing your oil every three years. Like you can't do that. It's going to break down because things change so quickly and the threat vector changes so quickly and the vulnerabilities change so quickly. So I love the concept of CMMC. I think it's something that definitely in practice, if it were executed properly would be wonderful. I'm just disappointed because they failed on the execution and then they lowered the standard.
David Mauro (54:57.28)
Yeah, it's right.
David Mauro (55:02.67)
you
David Mauro (55:22.094)
Yeah, well, I mean, it's like anything else. I mean, to me, one of the things that shocked me the most in cybersecurity is how few organizations are either mandated to do some of these things or actually voluntarily do that, like incident response plans and tabletop exercises. We all did fire drills as a kid. Why did we do fire drills as a kid? Because otherwise, on the day of a fire, we die.
Right? Like you need to know you have to go left out the door, not right. You've got to go down that hall and then go down the other one. Don't go the other way if there's a fire. And yet we build these great brands and we invest all this money and we use investors money in building these great brands. And then we don't test for the day of a data breach. Like, but you see them all the time in the news and the odds statistically are that it's going to happen to you. So.
Antoinette King (56:14.663)
Absolutely.
David Mauro (56:18.136)
How are you not preparing? It still boggles my mind.
Antoinette King (56:21.766)
I think organizations think the transference of risk, right? Cyber security insurance. They think I have cyber insurance, so I'm protected. And I always tell people, I wear a seatbelt and I have car insurance. That doesn't mean I'm never gonna have a car accident, right? Cyber security insurance, first of all, it doesn't even guarantee that they're gonna cover you. If you don't have the controls in place that the insurance companies require, you may not even be covered. You may be paying premiums and because you are not protecting your network,
David Mauro (56:35.565)
Right.
David Mauro (56:43.085)
No.
Antoinette King (56:51.046)
you might still not get covered for an incident.
David Mauro (56:55.463)
And it's not going to stop the accident from happening, right? Or the bodily injury that's going to happen. Okay, some of the bills might get paid, but the damage, like you need to learn how to drive better, right? Or how to drive defensively and to take other precautions. Not, you know, just because we wear seat belts and have insurance doesn't mean we can drink a bottle of Jack Daniels and get behind the wheel. Like,
Antoinette King (56:58.0)
Absolutely, absolutely.
Antoinette King (57:20.934)
and give them a hundred percent.
David Mauro (57:22.452)
And that's what organizations are doing. And it's really like they're flying blind. Excellent discussion. We could go on for a long time. But I want to be respectful of your time. But thank you so much. We will have links to your book in the show notes. I encourage everybody to check that out and we'll have your LinkedIn information as well. So thank you so much.
Antoinette King (57:32.634)
I know. Days.
Antoinette King (57:49.616)
I appreciate it. What an honor. So much fun.
David Mauro (57:52.364)
Yeah, absolutely. Great discussion. Thank you so much.
Antoinette King (57:55.602)
Thank you.