Transcript

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller,
joined by Mike Ratondo and Laura Chavez. Today we are going to be talking about some
of the regulations that are not necessarily new, but just some updates.
We hear a lot of people asking about really three things: the FTC Safeguards Rule,
the Securities and Exchange Commission Rule 10, or their new security and privacy rule,
and then the CMMC 2.0 and where things stand with that.
So we're going to dive into those topics and who knows where we'll take it.
It's always a toss up in the show. So that being said,
before we start getting into the meat of things,
Mike, you want to kick us off with the news? 
Yeah. Good morning and welcome to the news.
I've got some interesting things today. Let's start out with some sex.
Deepfakes of victims used in sextortion attacks spike, according to the FBI. Sextortion,
the threat of leaking sexually compromising content featuring a victim if they don't pay up,
is a welcomed chapter in the cybercrime playbook, federal authorities are warning.
In a recent uptick in sexualized deepfake images designed to be used in a new
wave of so-called sextortion campaigns,
the FBI has observed an uptick in sextortion victims reporting the use of fake images or videos created
from the content posted on social media websites or web postings, provided to
the malicious actor upon request, or captured during video chats.
Targets are then extorted for money or face the threat of having deepfake images or
videos shared with family members or via social media feeds with friends.
The FBI warns... I'm going to go with that's 50/50, that 50% of them are fake
and 50% of them are real, just because I'm jaded and old. New PowerDrop malware targets US
aerospace defense industry. Researchers discovered a new malicious PowerShell script dubbed PowerDrop
that was employed in attacks aimed at organizations in the US aerospace sector.
The researchers discovered PowerDrop in the network of domestic aerospace contractors
in May 2023. That's the first appearance, May 2023. The PowerShell-based
malware uses advanced techniques
to evade detection, including deception, encoding and encryption.
At this time, the researchers have yet to link the malware to a specific threat
actor, but the researchers believe it could be a nation-state
actor due to the level of sophistication of the malware.
And the discovery comes at a time of increased R&D into missile programs
as the war in Ukraine continues. Hackers stole around $35 million in Atomic Wallet security breach.
Atomic Wallet is a multi-currency cryptocurrency wallet that allows users to securely store, manage,
and exchange various digital assets in a single application.
It is designed to provide a user-friendly interface and comprehensive set of
features for managing cryptocurrencies. The wallet supports a wide range
of popular cryptocurrencies, including Bitcoin, Ethereum, Litecoin, Ripple and many others.
Threat actors have stolen more than $35 million worth of crypto assets from Atomic Wallet.
Shortly after the company received reports of the wallet being compromised,
it launched an investigation into the incident. Cyclops ransomware group offers
multiplatform info stealer. This is great.
It's all about service. The Cyclops group has developed multiplatform ransomware
that can infect Windows, Linux and macOS.
In an unprecedented move, the group is also offering a separate information stealer malware
that can be used to steal sensitive data from infected systems.
This Go-based info stealer was developed to target specific files in both Windows and Linux.
Cyclops group is advertising the ransomware on multiple cybercrime forums.
The gang requests a share of the profits from those using its malware in financially
motivated attacks. The encryption is complex: all functions are statically implemented,
using a combination of asymmetric and symmetric encryption. After encryption, in both
Windows and Linux, using the public key, a CRC32 and a file marker are appended to
the end of the file, used to identify if the file has already been encrypted so as not to repeat the encryption.
The Windows version of the info stealer can be downloaded from the
Cyclops admin panel as part of an archive containing the stealer.exe and config.json.
The stealer is an executable binary for x64 systems and extracts system information from infected machines.
So it's kind of nice. They have the malware and they bundle
it together for you and you can pay for it through their admin console.
It's kind of like buying software online. Anyway,
CEO guilty of selling counterfeit Cisco devices to military, government orgs.
A Florida man has pleaded guilty to importing and selling counterfeit Cisco
networking equipment to various organizations,
including education, government agencies, healthcare and the military.
The 39-year-old resident of Florida conducted the scheme through 19 companies formed in
New Jersey and Florida and several online storefronts, collectively known as Pro Network Entities.
According to the DOJ, Pro Network Entities imported old, used or low-grade network equipment from
China and Hong Kong, having the exporters modify the equipment so
it appeared as if it was genuine, brand-new Cisco devices.
The defendant had a criminal complaint filed against him approximately a
year ago with the Department of Justice accusing him of running a counterfeit scheme between 2014 and 2022,
making over $100 million in the process.
Making your network run real slow. That's the worst kind of Florida man.
Oh yeah, and of course government controls were in place to prevent something like that.
Oh, wait, no, it wasn't. Didn't happen that way.
I guess it slipped through. Outlook.com hit by outages as hacktivist claims DDoS attacks. Outlook.com
has had a series of outages after being down multiple times, with hacktivists known as
Anonymous Sudan claiming to perform DDoS attacks on the service.
There have been at least two major outages creating widespread disruptions for global Outlook users,
preventing users worldwide from reliably accessing or sending email, and using mobile Outlook.
Microsoft says these outages are caused by a technical issue, posting to Twitter a series of updates,
switching between saying they mitigated the issue and saying that the problem is happening again.
While Microsoft claims technical issues caused the outages, a group known as Anonymous Sudan is claiming to be behind them,
warning that they are performing DDoS attacks on Microsoft to protest the US
getting involved in Sudanese internal affairs. The article goes on to post a statement,
but I don't post terrorist statements as part of policy. All right, so some headlines.
Over 60,000 Android apps secretly installed adware for six months.
There's North Korean-linked APT groups focused on financial gain. KeePass fixed a bug that allows the
extraction of the cleartext master password. VMware fixes critical flaws for vRealize.
And Microsoft pays $20 million for Xbox children privacy violations. Finally, Google fixed the third
Chrome zero-day of 2023. So Microsoft got smacked with some fines for exploiting children's privacy.
Good going, Microsoft. With that, let's head to Laurel's Corner and see if there's something better to talk about.
Laurel, please enlighten us and make us enjoy the day. Thanks, Mike.
The cybersecurity news is always a little grim, and I think between the
programming languages PowerShell Go both belonging to Microsoft Centric and Rust,
it will probably be the downfall of the modern Internet as we know today. 
A lot of the stories that you brought up today had to do with something I'm going to talk about today in Laura's Corner.
But first, I want to take us crisscross applesauce back to March 22, 1988. It was a cool day outside.
Had your Sony Walkman on. Maybe you were jamming out to some Def Leppard.
Maybe it was Boston, I don't know. Whatever your flavor of music on your tape deck was back then.
But on that day in 1988, the Amber Book would have its addition to what is now known in the industry as the Rainbow Series.
And what is that and all the funky 80s stuff, you're asking? Well, the
Rainbow Series is really a library of guidelines and standards for trusted, secure computing
that began with the very first book, the
Orange Book, the Trusted Computer System Evaluation Criteria, that was released on August 15, 1983.
And it's no coincidence that the Orange Book and Silent Sector Orange have a lot in common.
But what does this have to do with the Amber Book? So let's talk about that.
So this Rainbow Series is really the foundation for what we know today as modern cybersecurity. 
What's important about the Amber Book is it's just as relevant in 1988, unlike your Boston tape, as it is today.
The Amber Book is also really known as the Configuration Management in Trusted Systems guide.
And that's what the core of Laura's Corner is about today, is configuration management.
Because while we have all the cool cybersecurity tools, some of them even now
driven by AI decision-making to help your ten-year-old child laborer even make vast decisions in the SOC,
things can still go awry even in an advanced technology deployment in instances that we have today.
And that, my friends, is configuration management.
And that's why the Amber Book is as relevant in 1988 as it is today.
Because it is configuration management that not only helps us define a baseline for these systems,
but the processes required to change that baseline to a new one. 
Because Moore's Law and the evolution of technology is ever changing.
So these technology standards and baselines and configuration management can't always stay constant,
they're ever evolving. So like the Constitution, there's a process to change things, right?
Sorry, it's a bad joke. But like all things, there's a process to change things. And you know what? Go back.
Can cut that Constitution joke out there. We'll just say that like all things, there's a process to instill change.
And configuration management should be that in your environment not only for the reason
of protecting your risk state because that baseline across all your technology
systems creates a risk state baseline that you're now making business decisions in. 
Assuming that PowerShell is not enabled they're going to allow somebody to
deploy malware and take over your whole network. Or that you're not allowing simple things
like Remote Desktop Protocol to be exposed as part of new deployments. 
So there are a lot of governance frameworks today that will call out the need for configuration management.
Now what does this mean? This means consistency.
When you go to your favorite restaurant or you buy your favorite cooker, you get a Snickers bar. 
You know what? Every time you eat that Snickers bar doesn't matter what country you're in.
I can't confirm that it usually always tastes like Snickers.
And that's because that baseline recipe is something of a design to provide that management of consistency. 
A configuration of particulates and chocolate and peanuts and nougat. Is anybody else hungry?
So let's talk about where are the standards out in the industry
that kind of require you to have configuration management? 
Well, ITIL is one of them. Configuration management is in the transition phase.
ISO 27001 is another one of our common industry governance frameworks that is going to require
configuration management in A.12.1.2, which is inventory of assets, and also in the other one, the
security management system, or ISMS or something like that, that they refer to. COBIT,
as of 2019, calls out configuration management, covered in the Manage Changes domain section.
NIST Cybersecurity Framework, probably also going to be in CMMC, is going to call it out in configuration
change control and the subcategory of information systems documentation.
So you get to provide change control and configuration management
not only in process but in documentation form.
And for those of you throwing out credit cards like you're one of the
craziest shoppers online, or even providing that for somebody, and you fall under PCI DSS.
Well, PCI in several requirements offers the necessity of
configuration management, and you have to demonstrate that in order to be PCI compliant.
So making sure that you have a consistent baseline, a recipe to enact changes.
So build a checklist for how I'm deploying. So what does that mean to you in your 30 department user group?
Well, build a checklist, a basic checklist of the things that you need to install,
the things you need to remove for all the assets that are going to go out to your humans. 
Also enact a process to change that baseline. When a human requires a new piece of software
or something needs to change on the original build, there should be a test and evaluation criteria
that occurs to make sure that those new changes don't enact new risk. 
And above all else, we want to make sure that everybody is aware of changes that are coming down.
So establish some form of a board that doesn't just include yourself approving your changes,
but other downstream users that might be part of your use test cases to help you understand. 
What really downstream impacts these changes may have. But configuration management,
change management, asset management, and software management all fall under the umbrella
of the Amber series and the trusted criteria back in 1988, still applicable today,
and still the cause of a large number of ransomware and malware and direct attacks from consistent threats.
And even in the trusted software hacks that we've seen in SolarWinds and other software as of recently,
the 3CX one. And I think there's another one out even more recent,
where we have the download links being hijacked and older versions with legitimate keys being used.
These changes could be prevented largely with a strong change management control process to make
sure that all changes, however small, go through a test and evaluation criteria before they're allowed to go into prod.
So if we practice this along with all the other good hygiene,
I think we might not have to read the remainder of the Rainbow series.
I could be wrong, but maybe the orange book and the Amber book and the pink book. 
Well, you should probably read the brown one as well. Come to think of it, you're almost a whole collection.
Yeah. Now, one thing to add: I can attest to your Snickers analogy,
that a Big Mac on Pushkinskaya in Moscow at the McDonald's there does taste the same as a Big Mac in the US.
However, the Pizza Hut on Pushkinskaya does not.
No, the Russian version of pepperoni and their sausage are a little two different things.
Little different. And white fish never belongs on a pizza. Neither does pineapple, according to some. 
It never, as a matter of fact. Well, I don't know.
The Buenos Aires McDonald's is not even close to American McDonald's.
They have like, little truffles and a case little chocolate treats and it's like upscale. 
That's where the business people meet in their suits and ties.
A little bit different than your McDonald's on the corner of Main and Whatever Avenue here in the US.
Pick one, you probably get it right every couple. 
It was a big thing in Moscow. That's where you went for prom or your wedding.
And you had your reception at the McDonald's on Pushkinskaya in Moscow.
But they had the same food. How did they do it all the way over there? 
All the way scientific, they have a baseline. That's why. That's right.
It's called loaded up with chemicals and shit.
Chemical baseline that they change depending on the region.
So that's why in Japan, there's a little more fish in the meat. 
There you go. Different locations, different areas, different tastes, I guess.
Well, that's good stuff, Laura. I'm glad you brought it up.
That hey, old things can still apply in the world of cybersecurity, right?
So that means you guys aren't irrelevant. I had to throw that in there.
Yeah, that was a good job. I like that, actually. I think the more things change,
the better off you are adhering to the tried and true that we've been around,
because a lot of this new stuff doesn't always work right, and a lot of stuff is missed.
I remember my first job, and I've talked about this before.
Got handed stack of floppies, build a server. Kids couldn't do that today. Yeah.
You know how hard it is to find a three and a half inch floppy drive? 
Well, couldn't blow it up from a VM anyway. I mean, that's all they do anymore.
It's a VM image that's created by somebody else. True. It's a push. Push. Next, play, enabled.
Back in my day, I walked uphill both ways in the snow, 40 miles just to get to the job.
By the time I got there with my giant data tape,
I had to put in a massive ten ton VAT of rice to dry out the moisture before it would play.
That's right. And then the punch cards would get wet. But it's interesting, though, because. 
The Orange Book. The Foundational Book of Trusted Criteria came out in 1983.
And we've talked about this before. We don't have any excuse to be like,
cybersecurity is this new thing?
No, it's been around a long time. 
I think it's a separate discipline. Yeah, right. I think it's a separate discipline. It's new.
But I remember running networks back in the day, being like, yeah, security was just part of my gig.
I mean, that's just what you did. 
That's what you did. And you know what? It's starting to work its way.
It's starting to infiltrate the rest of the world. And we've had senators that try to enact bills
that require CEOs and leadership to be responsible. 
And, I mean, that even brings us to the core of a conversation today. Right, Zach?
I like your pivot there. Yeah. We have a tendency in Cyber Rants to go off in left field,
but it's all fun. Call that the boomerang.
I like it. Boomerang. You can boomerang us back on track anytime.
But hey, we're going to come right back after a quick commercial break.
And we're back with the Cyber Rants podcast. So we are talking about all kinds of different regulations.
Well, not all kinds. We'll talk about three different regulations because we don't have
47 hours to record here over the next week on all the regulations and stuff coming up.
But that being said, we will talk a little bit about the FTC Safeguards Rule, the SEC Rule
10 around cybersecurity, and CMMC 2.0 for the defense contractor.
If I can talk today here, what do you guys want to start with? We have so many options.
No comment. I'm going to go. Okay, just run the wheel, the random wheel.
Just. Just pick one, everybody. Where are the dice here? 
How does it apply to me? Zach, tell me. Yes. We're going to start with the FTC safeguard.
Good, because I'm a CEO of this really big company, and I'm sweating bullets. So tell me, what do I got to know? 
Okay, well, let's talk about that. So the Federal Trade Commission, right?
We'll try not to name too many acronyms without spelling them out
but the FTC, the safeguards rule is one that is fairly interesting. 
So I'm not going to go through all the requirements, but in essence, think NIST CSF, right?
You got to do all the stuff. You got to document your security program. You got to do annual assessments.
You got to train your users. 
You got to test technically and do some sort of continuous monitoring.
All the stuff that we're used to and every other requirement is now being
applied by the Federal Trade Commission. And get this. 
This is what I love, their definition. If you go on the website,
it basically talks about any business which is in the business of engaging in an activity that is financial in nature.
So any business which is engaging in an activity that is financial in nature.
And I would say I hope that's every business, because it sounds like for profit to me.
It sounds like another jargon for profit.
Well, I don't know. Charities are pretty financially driven as well.
That's also financial in nature. But here's what they're trying to get to,
although what they could have said in about three sentences or two sentences takes many, many pages. 
But I made a list for you. So do you want to hear that list? Sure.
Okay. And you should be this is not necessarily all encompassing, right?
But these are the majority of the organizations that. Fall under the FTC safeguards rule. 
So listen up, because if you're not working with these companies at this point in your career,
chances are you probably will at some point. Okay? So, in no particular order: mortgage lenders
and brokers, finance companies doing loans and stuff like that, payday lenders, collection agencies,
auto dealerships, right?
They do often have their own loan programs and such, counselors and other financial advisors.
So if you're Joe Bob's Credit Counseling and you are offering advice, you fall under this FTC safeguards rule. 
Same thing with financial advisors that aren't even necessarily trading stocks, but saying, hey,
here's what you should do to get ahead financially. FTC safeguards. Rule applies.
Check cashers, tax preparation firms, right?
So that's basically most accountants, everything from the big professional firms to your
H&R Block that's right there on the corner next to the grocery store.
Non-federally insured credit unions, investment advisors that aren't required to register with the SEC,
the Securities and Exchange Commission, which we will get to.
Don't worry about that. They have a regulation as well. And this was really interesting.
What they call finders. Finders are simply people or companies that
bring together buyers and sellers of stuff, products, services, whatever the case may be.
So that is a huge, huge list and encompasses, I don't know, tens or hundreds of thousands
of businesses. Now, there is a caveat to all this. I'm not your attorney, so make sure this is all valid.
And we do not give financial advice.
Yeah, none of this is legal advice, but they also do have a statement that if the organization,
if the company, holds less than 5000, or information on less than 5000 customers,
they can potentially be exempt from these items.
So that's a good news for a lot of the smaller mom and pop type operations out there.
But a lot of these companies that we're talking about, I mean, they're high volume.
Look at auto dealerships and things like that. 
They generally have lots and lots of people that have come through over the years and they offer like a
buy here, pay here a lot of times in some cases too. And then, like you said, your check cashing places,
those are everywhere.
Even parts of grocery stores have in the backs in some communities.
The check cashing operations and things like that. Very interesting. Yeah, really, it's going to be big.
I mean, it is big. It's already out there, right? 
It's been out there. But I think a lot of organizations don't necessarily know that they're supposed
to abide by this. Now, to my knowledge, it's more similar to HIPAA in nature in that you're
not getting an audit every year, every three years by some independent third party. 
It's more in the event that something goes wrong that you could potentially be called out on this.
Or there's something I also want to mention on that note, which is the False Claims Act.
So for those of you who don't know, the False Claims Act basically states that whistleblowers
can reach out to the government anytime for all these different compliance requirements. 
Could be NIST 871 for defense contractors, it could be FTC, it could be HIPAA compliance, you name it,
they can reach out and the government will get this. The government and these governing bodies,
I should say, dependent on the requirement and such, can take action. 
And the False Claims Act allows whistleblowers to get paid generally 20% to 30% of the
fees that are imposed. So there's a company not too long ago that got hit with $9 million of fees,
and that whistleblower, a former CEO that left or was fired or whatever from the company,
I don't know all the details, they got about $3 million in their pocket for being a whistleblower.
Hold on. I got to wrap my head around this real quick, Zach. Are you telling me if
I work for a company in the scope of this regulation that's not doing what they're supposed to,
and I blow the whistle, I'm going to get money on the fees that are charged?
I'm incentivized to do the right thing, and not only tattletale but get some money too?
Yeah, I don't know. There's a lot of ethical questions on this on both sides of the fence.
Right. But it's not just the FTC regs. It encompasses lots and lots of different regulations
that are generally backed up and supported by the government. 
Sure. And jokes aside, everybody, there are times for a whistleblower's activities because
the company is egregiously negligent in one aspect or another, and it's causing harm in not only the lives of others,
but the financial aspects to shareholders and everybody else. 
So there's certainly the reason for this law, jokes aside, and I think it is comforting to know that the whistleblowers
are incentivized versus being vilified, because that's been kind of a trend of the past. 
Right. My question on the CEO is that he's ultimately responsible for all the activities in the company.
How could he be a whistleblower? Because he'd be blowing a whistle on him. He was beholden to shareholders,
I bet. 
No, but I mean, he was a CIO. Oh, CIO, okay. Yeah, in that particular case. But the CEOs are still,
in a lot of organizations that are not well public and such, they're still subject to the board decisions as well.
Right. So it's not always their call, but it's a good, valid question. I don't know how that will shake out long term.
The thing is that keep in mind too, if you're working from some organization like Laura said,
they're just blatantly ignoring the regulations and they're doing so for years, that's one thing. 
But don't go out blowing whistles on companies that are actually putting in the effort that are trying.
Instead, just get them aligned to the requirements. Right? I mean, that's not what this is for. 
In reality is if there ends up being a case against an organization in this and they see that
there's proactive measures being put in place and they're working toward those regulations,
there's going to be leniency right. 
Versus, yeah, you're just going to look silly for trying to blow something out
of proportion, and your career is going to be ruined. Word's going to get around
and all that stuff that you're just trying to pocket some dollars.
So never use it like that. But like you said, I think there's some validity to having that in place
because somebody doing something like that could, depending on who they're with, what organization,
I mean, they could be basically outed from their industry and never get a job again
in it if they do something like that. 
So at least maybe they get some funds to support themselves. Yeah,
they'll probably still be out of the industry.
And I think that's probably why that clause is there.
What's interesting is that this impacts so many organizations and what is
FTC doing to really alert those organizations in a method that's effective? 
I'll say because I know that a billion people listen to our podcast, but I don't know if that's enough.
It's probably not. We probably need more. Yeah, the FTC. And then, as an aside, a tangent there on the
False Claims Act and kind of what that is, because if your organization is just not
willing to follow anything and then they're laying people off or firing people for raising the
red flag and saying, hey, we really need to follow this regulation. 
Just keep in mind, those people could go off and go to the appropriate governing body
for whatever industry you're in and take advantage of this false claims act and be rewarded for doing so.
So do the right thing, business leaders. 
That's all we're asking. Do the right thing. And it's a non issue. But that being said,
I know we're running a little short on time.
Should we move on to the Securities and Exchange Commission? We should.
Okay. Anybody have any notes or you want me to dive right in? Dive right in.
Tell me, tell me what horrors await me as a business. This is the Securities and Exchange Commission.
Now, when we look at this, Rule 10, basically, and this is not necessarily new,
but they're always iterating, right, and creating new regulations.
So the latest iteration here, it applies to what the SEC calls market entities,
which there's a lot of organizations under that, including like stock exchanges and
different types of currency exchanges and brokerage houses and things like that.
Where it's going to apply most in terms of volume of businesses,
those financial advisors that are broker dealers, those people that are trading
stocks and stuff on behalf of their companies or their clients rather. 
And so that's going to be most people we talk to. But the SEC regulation,
it's kind of interesting because the Securities and Exchange Commission, of course,
has always pushed for transparency, financially, for investors.
So if you're as an investor, you're investing money, you should have transparency
about where that money is going, where it's being used. Great.
Well, now they're pushing for the same regulations on the cybersecurity and privacy side. 
So one of the interesting things I thought about this was the proposed rule, not official
quite yet, but very likely to be. So the proposed rule requires broker-dealers and
different people that fall under this market entities umbrella of
companies need to start reporting breaches on their website in an easy to access place. 
Like you have to have a button that says about our security or whatever and list your breaches there.
It can't be behind a login screen or anything like that. It's got to be accessible for everybody,
whether they're an investor with you or not. 
So that's interesting. Another thing that's interesting is they are requiring executives
and board members to report at least annually their internal level of
experience in terms of cybersecurity, if they have any. 
And regardless, they're required to report their level of involvement.
What are they doing as the executive team and the board members in terms of
cybersecurity and how are they involved in that? And I thought that's interesting
because I think what's coming down the pipeline is as breaches occur, that gives
the SEC the ability to say, hey, guess what? 
You said you were doing these things. Obviously they didn't happen.
We're holding you liable. Mr. Or Mrs. Executive. Right.
That's I think that's what's going to be happening is they're going to hold
both executive team members and board members. 
They're going to hold their feet to the fire. So be prepared for that if you're in that realm, if.
And then another thing is, of course, the requirements and what they're asking for. Again, nothing new. 
Think NIST CSF-esque. They're putting a huge emphasis, though, on documenting everything, right? Like any requirement,
it's not enough just to do the right things. You have to have it in writing.
And then finally, notification. And the proposed rule says you have to notify the SEC of any breaches, or cyber incidents
rather, within 48 hours of knowing about that incident. So that's pretty quick notification.
And again, not only that, but you're also going to have to put that on your website, notify your investors and all that stuff.
So if you're an SEC regulated entity, think all the stuff you've been doing for finance, you also got to have that level of
transparency in your cybersecurity realm as it relates to your investors data. 
So there you have it. Very cool. Can I put anything I want on my button?
Because I want my website button for recent breaches to say Recent Ownage.
Recent ownage with a P. Recent Pwnage. I think we had that discussion.
I think we did. Shame on you. So there is precedent for those fines, because the FTC did fine a hotel company,
and I can't remember the name, this is five, six, seven years ago, who claimed they had all this up to date security
and brand new routers and all that kind of stuff, and they got breached with like 6 million records stolen. 
FTC went and investigated, and it's like, you don't have any of this stuff. It's crazy.
Well, this all tells a story. I mean, both of these, right, both of these new additions tell the
story that leadership no longer has the plausible deniability. 
Yeah. Statement or the indemnification of responsibility when these breaches happen.
Well, there's a lot of things I've dealt with, like CFOs and CIOs at larger companies where they've said, so.
My stock takes a dip for a couple of months, and who cares? 
Well, not anymore. There are going to be big fines. Unfortunately, we're out of time here for CMMC,
so we will save that for another day. Here's a hint: it's just as crazy as the two you just heard. There you go.
And just more delays. Go figure on that one.
We'll get back to that. But yeah. Thank you all for listening to the Cyber Rants podcast.
Mike, Laura, any final quick words before we wrap? Configuration management.
Make it the heart of your risk program. That's all I got. I got nothing else. I agree with you, Laurel.
Yeah, and to all the billions that listen, thank you. And the old books still contain some wisdom, right?
Yeah, the old scripture. Well, outstanding. Hey, thanks for listening to the Cyber Rants podcast.
Be sure to rate this. Rating this and sharing it really helps us get the word out.
And we want to get this information out to people all over that need it, that are making
decisions for their organizations and growing in their cybersecurity careers and everything else. 
So that's what we're here for, to educate and equip and inform. Thanks again and we will catch you on the next episode. Later.