Cybersecurity: Amplified And Intensified

1. Where do we go from here?

March 17, 2021 Shiva Maharaj/Eric Taylor

Join Eric Taylor and me as we discuss recent events and navigate the cybersecurity world as it is today.

Eric Taylor 
Twitter: barricadecyber
www.barricadecyber.com

Shiva Maharaj
Twitter: kontinuummsp
www.kontinuum.com 


BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
Because you're entitled to IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!


Shiva Maharaj:

This is the Cybersecurity: Amplified and Intensified podcast. So what's on the docket for today?

Eric Taylor:

I think I want to talk about CISA, at least, releasing the tools to actually be able to help internal IT folks, you know, actually start doing their own assessments. That was pretty cool that they released that a while ago, and it seems like it's still being updated. Let's also talk about Ubiquiti, and some of the whistleblower stuff that came out as of yesterday. Those are the two biggest things that I wanted to kind of address and kind of ball around a little bit. What we're really talking about today, I'm pretty much game for anything.

Shiva Maharaj:

What really is keeping me up at night right now is the iterations made by REvil. They are just getting stronger and stronger, and they're the ones I'm increasingly more concerned about.

Eric Taylor:

Speaking of REvil, I mean, we could go down that rabbit hole for about three days with me, at least, you know. But there was, I forget the name, it was a no-name ransomware group that I hadn't really heard about through all the incident response stuff that we've done, but there was one that came out earlier this week that said, all of a sudden, it's going to start refunding everybody back in the cryptocurrency that they were paid in. And here's

Shiva Maharaj:

all the decryptors. That was the group that voluntarily shut down, I want to say November of last year, and some of them splintered off into other groups.

Eric Taylor:

I,

Shiva Maharaj:

I almost think they're doing that because their group has been breached by a government agency, and by giving the money back they're hoping, you know, maybe they're not target number one. None of these guys are doing this for the love of hacking. They're doing it for the money.

Eric Taylor:

This is true. That's why it was really interesting to see where suddenly they have a, quote unquote, change of heart. I'm like, oh no, this doesn't work that way.

Shiva Maharaj:

You know what, I've seen and heard worse things, different things. So if people are getting decryptor keys and they're getting their money back, then more power to them. I'm all for that. Well, yeah, let's kick it off with CISA, for you.

Eric Taylor:

Yeah, sounds good. So earlier this week, maybe even late last week, CISA has been putting out a bunch of content on their GitHub pages. And I'll try to add it to the notes after this meeting, if I'm able to. Forgive me, again, this is quite new for me, so we're still trying to figure out how to publicize notes. But I know my Twitter is attached, so if you want the links, send me a message on Twitter, say, hey, what's that CISA GitHub page, and I'll happily send it to you. So they are releasing a ton of tools. And one that's really, really interesting is one that you can actually start doing your own internal assessments with. You can actually start diving in and figuring out, okay, my company falls under PCI compliance, my company falls under SOC 2, my company falls under whatever your variant is of compliance. And CISA has put together a template, a starting point, if you will, to actually start going through and saying, okay, my company has done this, my company has done that, or, crap, we haven't done this, we need to do it. So it's really starting to arm the internal IT folks, which is a nice thing, you know, something from the government actually coming out to be helpful in our space. Because I can't tell you how many times I go into these conversations and they're like, we don't know. Well, you know, your government's telling you now that you've got these tools available. You've got Sparrow, you've got the turbhe, you've got several other ones, some of the latest ones that they're coming out with to help you analyze your Microsoft 365 tenants, starting to look for IOCs, indicators of compromise, all these things, as things are being developed and being put out there.
These things are becoming available to anybody in IT who has a little bit of cloud, that kind of knows how to do PowerShell, a little bit of Python maybe, to be able to build this thing out and be able to make their enterprise stronger.

Shiva Maharaj:

I have a question on that for you. You know, I'm familiar with your technical aptitude. I have a little bit, you know, being an IT guy. But does the typical in-house IT team, or even the typical managed services provider, have the ability to utilize these tools effectively? I mean, the biggest points of compromise are misconfigured tools in general in the SMB space, which is where we play for the most part.

Eric Taylor:

So that's a really good question, and I really think the overall answer is going to be no. They don't know how to properly configure devices. That's why we're seeing breaches. I'm really hoping that me getting on my soapbox for the next three to six months, or even longer if I need to, and really hammering this thing home to everybody, what I need is to get them to start asking questions. I want them to start getting engaged, like, crap, I don't know about these things, let me talk to somebody who does, so that way I can get these things taken care of. That's really what I'm hoping this thing does. Because without them educating themselves, they're just, open your mouth, just leave your back door unlocked still.

Shiva Maharaj:

Which, let's be honest, most of the back doors are completely, not even unlocked, they're open. The illusion of security by buying all these solutions and just installing them without configuring them, much less configuring the interoperability, is a big issue that I'm seeing on our end.

Eric Taylor:

That's kind of a good segue into the next thing. You know, the Ubiquiti situation that we're seeing, where you take Ubiquiti and you take the massive SolarWinds thing, which, as of Monday, we're still seeing information coming out about, and there's a really good point I want to drive home: people have got to start picking vendors that they feel they can trust. You really do. Because, you know, even for me, I'm really surprised by Ubiquiti, even though I shouldn't be. But I'm a huge Ubiquiti fanboy, you know, I'll just put it out there. I like their product, I think it's really good for the SMB space. Their routers and stuff, you know, it doesn't provide the security, but on a networking level itself, their devices work really, really well. And the fact that they covered up the whole breach they had, it's come out now that whoever breached them actually had access to their LastPass credentials for all their cloud infrastructure. On top of that, I checked earlier, because I am a part of HackerOne, and they do have a formal bug bounty program where they're supposed to disclose these types of things, you know, and the fact that they are still radio silent. So anybody who is leveraging Ubiquiti, you know, I'm not going to be surprised at this moment if in six or eight months from now we see a supply chain vulnerability that came through Ubiquiti, much like we do see with SolarWinds. It's just gonna take time.

Shiva Maharaj:

So now that we think we know what happened with Ubiquiti, how many people, IT providers or home users, have put 2FA onto their Ubiquiti UI account? How many people have gone through any logs they may have collected? And how many people have actually rotated the SSH passwords to get into the individual devices?

Eric Taylor:

I'm going to guess probably 0.1%, if that, even that high? You know, it's so, there's no 2FA on a controller? No, there is no 2FA,

Shiva Maharaj:

what you can do now is, with one of the last controller updates, you can kill local authentication and only use a ui.com credential, which does have TOTP MFA on it.

Eric Taylor:

Oh, I wonder why they implemented that. And

Shiva Maharaj:

Looking back in my crystal ball into the past, I seem to recall that being a thing shortly after the breach was announced, within

Eric Taylor:

a month or two. And this is a bit of a thing that MSPs and in-house IT had been complaining about for years, because there wasn't even a simple 2FA through SMS available to them. So you're really on the hook of, you know, is my controller actually secure? And that's why a lot of people went with, you know, not a plug for them, but HostiFi, which is a pretty big hosting company for UniFi controllers, or companies like them, to actually manage it and hopefully keep things secure. That was a pretty small little outfit, a bunch of pretty cool guys, you know, pretty level-headed. So again, not a plug for them, but a lot of people go to those types of platforms in hopes of, you know, keeping these things hyper secure, and even there they're like, hey, we think we're good. You know, and this may come back to the whole SolarWinds thing: we're still finding out, what, six months later, that emails for the different branches of the government were actually accessed. And you know, like I said about a month ago, these things are going to keep coming out in trickles, you know, for the next frickin' year or two. It's crazy.

Shiva Maharaj:

I think the biggest issue here is you have to really understand that the way we do cybersecurity in this country, and just supply chain, is very different from Russia and China. They're producing their own computers, they're doing everything for themselves, they're not relying on imports. We do.

Eric Taylor:

Exactly. If you go abroad to the Asian part of the world, forgive me for not being as accurate here, but you go to Japan, you go to Asia, you go to that side of the world, they have complete smart cities. And they don't worry about a lot of the stuff that we have to worry about, even with a Ring camera over there, right? So I don't know if it's by design. I'm wanting to say maybe it is, even though I may upset some people, but you know, a lot of your smart devices call home to authenticate to a foreign server outside of the country that you have no control over. You know, smart home, Ring, Nest, all these devices go outside of the country to do their registration.

Shiva Maharaj:

I think if the SolarWinds breach has taught us anything, you can't look at data leaving the continental US as anything different from data going to sources within the US, because the points of compromise came from, you know, AWS and Azure infrastructure within the US to get around certain geo-blocks. So I think we need to look at who owns infrastructure, who owns certain software that we use, and really understand who we're letting into the wire. That's the issue here. Well, this

Eric Taylor:

brings up a question for you. Sorry, go on?

Shiva Maharaj:

No, sorry. Good.

Eric Taylor:

So I think this is a perfect segue to something I've been harping about that you probably are very familiar with. But what are your thoughts on completing zero trust inside of a network, and, you know, how to actually implement that in a meaningful manner? Because when you start looking at security, it has to meet functionality inside of a network, right? There's got to be that give and take to some degree. Well, we've got to implement zero trust as much as possible. How do we achieve that?

Shiva Maharaj:

I think that really depends on your IT provider. You need a firm, or people, that are talented and skilled enough to implement it with minimal friction to the user. And I'll give you the perfect example. We know two people that implemented Duo recently: one just rolled it out and had headaches trying to get it to work. The other rolled it out in phases, made sure it worked so the IT staff was okay with it, and then gradually rolled it out to the rest of the workforce, and there are no issues. Now, what would you say was the biggest difference between those two situations?

Eric Taylor:

I'm going to go out on a limb here and probably say planning,

Shiva Maharaj:

planning and ability. And I think those are the two biggest things that are missing in our industry. I don't think security is hard. I think security is quite easy. Getting there is difficult, because it takes requisite planning and the skill level of people to do it. You know, using restaurants as an analogy, there's a big difference. You can go to some of the fanciest restaurants and get the greatest meal you've ever had. It's the same ingredients. It's just their technique is better.

Eric Taylor:

Oh, exactly. I mean, you know, I got family members in the restaurant business and, you know, I've worked, you know, for fast food and stuff like that. And I remember that. I mean, my first job ever, I worked at Pizza Hut way, way back in the day, but I remember the same delivery truck coming to our pizza restaurant, delivering dough and delivering all these parts and pieces, was going right across the street to deliver to McDonald's, to deliver to Taco Bell and to KFC that was on the block. Now of course, Pizza Hut and, you know, Taco Bell and all these guys had their own delivery, but they were using the same suppliers, and a lot of the restaurants use a lot of the same local produce as everybody else. So I do agree. You can put MSPs that have the same RMM tool together, and I can guarantee you they're probably going to go in 20 different directions.

Shiva Maharaj:

Absolutely. And that goes into the lack of standards in the IT industry. It's hard to put regulations down when there is no standard. And what really

Eric Taylor:

gave me

Shiva Maharaj:

a chuckle this week was when CNA announced, or was it last week, that they were breached, the insurance company. Yet all these insurance companies want to tell us how and what we should be doing for clients, so they can keep them.

Eric Taylor:

So yeah, that brings up a great point. Exactly. So they were hit by ransomware, and it was announced last week. And as the IT, or as a cybersecurity incident response firm, you know, I'm personally hoping that insurance companies are going to be our driving force to help mandate and get these companies to a more secure platform without government intervention, right? So if these underwriters and everybody are starting to mandate stricter cybersecurity in the policies that they write, I was thinking that was going to be our biggest thing. But when they can eat their own dog food, so to speak, I think we may be... Now granted, this is just one public incident, and I'll put a big asterisk on that: as an incident response company under NDAs, I cannot advise, asterisk. But that is one public company this year. I know of at least a team that I've worked with that are not public. So I'm starting to wonder if they're not eating their own dog food, so to speak; I may be putting my foot, my trust and hopes, in the wrong area.

Shiva Maharaj:

Very few people eat their own dog food, to be honest. It's just the nature of it. Because the same pushback you're gonna get from some clients, some providers are going to say, it's just too expensive for me to run that inside. I know you, I know your company, I know my company. I know that whatever we sell, we use. So it's not that we just believe in it, but by using it, you understand the day-to-day ins and outs of the products. But to those companies that are using, you know, certain AV solutions that let everything through, it's because they're getting it for $1 an endpoint. So they are running their business based on price, not on protection. And to go back to the insurance companies, they need a group of technology providers to advise them on what a baseline should look like. And the way technology changes, our baselines should probably change on a near-quarterly basis, if not more often. I mean, that may not be feasible to roll out to the public, but you can't rely on standards that were built five years ago. The vectors increase every day.

Eric Taylor:

Absolutely. And those who are jumping in and out of this room, y'all have any questions? I think I missed one person putting their hand up. If you have questions, feel free. If you have anything, just put your hand up, I'll bring you up. Nacho, I know you want to try to be one of the two idiots here. But if you got anything, just say something, but uh, yeah, the...

Nacho:

If I may. Sorry, go ahead. I don't want to interrupt you guys. But I've been following what you guys are saying, and in regards to, like, the SolarWinds with Ubiquiti, or I can't pronounce that. I mean, anybody, including both you guys' companies, can get hacked. It's really bad. We know, I mean, we'll admit it at Barricade Cyber, we know that 100% is not theoretical, it's not gonna work. It just won't work. Just as he was right, you'd need to up the baseline, I would say, at the very least on a weekly basis, based on whatever it is coming in. And in regards to the insurance providers, I mean, we all know, at least for those who are after, you know, ransomware attacks, the key is the insurance providers. If you can get to them, and you can see the files of all their clients that have, you know, cyber insurance, those are the gold mines, because those are going to pay automatically. And it's the insurance companies that are, you know, just causing all kinds of mess, because even they, who are not a cyber company and may not have the cyber, you know, that SolarWinds path or FireEye has, how do you expect them to protect their own system that's put out?

Eric Taylor:

Here, I'll add to yours, Nacho, and I'll let Shiva talk, sorry. So when you're talking about insurance brokers, and we brought this thing up in the other group a couple weeks ago, you know, I am in conversations with certain insurance companies and actual brokers that work for, you know, 10, 15, 20 different underwriting agencies.
The problem that they really, really have is when they go to a company, and they say, hey, we need insurance, we need, you know, these are the parameters that we want, and yes, we want cybersecurity. They don't know what cybersecurity is. A lot of the policies that are out there will have different variations. So, you know, it may cover your loss of productivity, and maybe your PR stuff, but it won't pay out any damages for ransom or payment, or won't pay for a company like ours. You know, there's different things that it will and will not cover. But when the broker goes to five or ten different companies and says, hey, I got a possible lead here, here's our parameters of what they want, that broker goes back to that potential client and says, okay, of the ten that I queried, here's the top three or four. But to have these, you're going to have to answer 200 questions to actually get insured by them, and they're going to cover all the bases that you want. But these other two companies, you only have to answer ten, and they're covering about half of the way. Most business owners are gonna take the path of least resistance and get partial coverage, some versus none. And that's really where a lot of the problem I'm starting to see comes in, but I'll digress. And Kevin knows me, I'll talk for five years. You know, here's

Shiva Maharaj:

the thing: if I were any of these ransomware guys, and I got into an insurance company, I'd never crypto them. I would do exactly what you guys just said: sit, wait, see who has policies, go after them. Because it's a never-ending source of funding, if you look at it that way.

Eric Taylor:

Now, that's what they do. I mean, that's what they're doing. They don't encrypt insurance companies; that's the last thing you want. You want that constant flow of customers coming your way.

Shiva Maharaj:

You know, the issue I have with the insurance companies and their questionnaires is, it's all about self-attestation. And self-attestation is the worst thing you can ever do for compliance. But the insurance companies would probably enjoy that, because you're saying you have one through 50 locked down. So when there's a breach and they ask you for the things you said you had, they can deny your claim and keep their premium. And it's the same thing when you look at HIPAA. HIPAA is self-attestation, CJIS is self-attestation.

Eric Taylor:

Both HIPAA and CJIS, for a lot of the smaller entities, business entities, it is honestly cheaper for them to pay the fine and then move on than it is to be compliant.

Shiva Maharaj:

Well, here's, you know, that's HIPAA. I mean, HIPAA has always been that way. I don't think they have much teeth behind it, because fines can be appealed, and then HHS has a good track record of forgetting about that fine, and then it dies off. Let's look at CJIS, Criminal Justice Information System, which is supposed to regulate, you know, the local police department getting access to the NCIC from the FBI, well, itself at the station. How many local PDs are actually doing what they're supposed to be doing? I can tell you for a fact, I've seen instances where they're not doing half of what they're required to do. Information or access to these systems is sold or bartered with favors, again, because there's no logging on these things that they're supposed to have. And that's my problem with self-attestation. I think we need a firm compliance set that gets audited, just like a SOC 2 audit. Otherwise, we're all going to be doing the same things over and over. And if you're an IR company, it's great for you, because you'll have persistent business. But if you really want to secure the country, secure the supply chains, there needs to be a mass rethinking of how we do things. Otherwise, it's just going to keep getting worse. I'm afraid this is just the tip of the spear.

Eric Taylor:

Just to let you know, Shiva, your audio is kind of distancing out there a little.

Shiva Maharaj:

No, sorry, my bad. Sound better?

Eric Taylor:

Much better. You may want to repeat the last sentence or two.

Shiva Maharaj:

No, I was just saying that things need to change. We need to rethink how we're doing things. Otherwise, this is just the beginning, and it will get much worse in terms of breaches. And everyone should have the same baseline level of protection. It shouldn't matter if you're a two-person business or a 200,000-person business.

Eric Taylor:

So on that note, because it looks like, you know, not to get overly political or anything like that, but you know, I know we discussed it before, but we see businesses, you know, essentially getting rid of their offices and doing the, quote unquote, mobile workforce, if you will, from anywhere in the country, or anywhere in the world. And you and I both know at least one guy that, you know, has clients who are global now. You know, you use that whole global workforce or whatever, but it's really opening up that. So I think, you know, I have my own thoughts on it. But what do you think is going to be the massive uphill battle in actually securing a business's identity when it is adopting a new national or global workforce mentality?

Shiva Maharaj:

I think there are two things people love speaking about, you know: protect the identity, the perimeter protection is dead. Yes, I believe so, because most of our clients are using some form of SaaS, their AD, their IDP, as SaaS. But what I'm not hearing, or what I rarely hear about, is DLP, data loss prevention. What are you doing with that? Azure has Azure Information Protection, and now they have it for the endpoint, which is great. How many providers know how to use it, much less roll it out to their clients? How many providers know how to frame that conversation with their clients?

Eric Taylor:

Well, I'm almost gonna say most of these smaller MSPs that are out there don't know, because I was floored about three weeks ago. I was on a big Zoom call, I think I told you about this, but there were four or five managed service providers going around the table trying to figure out how to do link scanning in 365. And they're talking about all these different programs and all that. I just took a step back, and I polled them, I'm like, what version of 365 are you guys using? And everybody was using at least Business Premium. Some had E3, some had E5, right? Not a single one of those had ever heard of Microsoft Safe Links that was built right in. And I was just floored. I'm like, you have tools available to you, and you're not using them. And on the second part of that, to talk about Microsoft for one second, there is a complete compliance part in 365 where you can start doing your own compliance. You can see, okay, this is what Microsoft is doing for you, these are some of the other things that you need to do to at least meet these compliances from a 365 standard. I find so many people didn't even know that frickin' thing even exists, and their minds are blown.

Shiva Maharaj:

Again, that goes back to the whole no-standards thing, right? To become an IT provider, all you need is access to the internet at this point. You can buy a laptop for 250 bucks and call yourself an IT provider. There is literally no barrier to entry,

Eric Taylor:

and a vendor, and yeah, I mean,

Shiva Maharaj:

and that's the issue, right? It's a lack of education. It's a lack of standards. And despite what has happened in the last year with COVID, people do not look at IT the same way they do accountants, lawyers or other cost centers in their business. But if you don't take care of... let me step back. I firmly believe every company now is a technology company. I don't know a single company or type of business that can run without technology, and being able to say, yeah, I have an IT guy, that's not good enough anymore. You need a team. You need people with overlapping competencies to take care of your business. And these guys that are going out there and charging what I deem is not enough, they just hurt the industry, because the client will always go for the lowest cost. And then they will complain that they didn't get the best service. But it's the old adage, what is it? Fast, good, cheap: pick two.

Eric Taylor:

Exactly. You know, that goes back to the whole insurance broker reference that I made a little bit ago, where, you know, they're going to take the path of least resistance on getting an insurance policy that may protect them some of the way, but not all the way. So based off of that, you know, those certifications that we're going through and some of the stuff that we're doing, what do you think should be an industry-level, at least, beginner's guide before they even start being an outside IT consultant, if you will?

Shiva Maharaj:

I think it all starts with knowledge. Have a course, have an accredited coursework program to teach the basics and the fundamentals. You can't just go operate on someone; you have to go through med school. And a computer science degree has nothing to do with the real-world life of being a network engineer or a systems engineer for cybersecurity. I see all these people here, not in this room, but people on Clubhouse, LinkedIn, everyone now has a cybersecurity degree. I'm sorry, are these things even accredited? And that's why we need some kind of self-regulating body to do this, just like the medical boards do. You want to be a radiologist, you have to go through med school, you have to go through your fellowship, you have to pass these boards, and then every five or ten years you need to re-up. We need that basic structure before we can do anything. And I remember when I started in the IT business, vendors had minimums for you to buy. Now, vendors have a $50 minimum, which allows anyone to call themselves a provider, forget MSP, forget ITSP, we're just talking IT providers in general. And we need to work with the vendors for them to up their minimums. Otherwise, it's just not going to work long term.

Eric Taylor:

On the topic of the whole vendors discussion, you know, I feel like I'm talking about, you know, secret chats forever. But you know, I know, Blue, you and I and many other people are having chats with other MSPs who are having chats with vendors. And you know, we all now, at least, arguably a bunch of goofballs, if you will, are asking a lot of these questions, you know, and time and time again these vendors will come back like, we never had anybody ask us all these security questions before. And it's like, why? You know, full disclosure, we're what, about five, ten people, you know, that kind of collaborate, you know, offline and stuff like that. But how is it that us, you know, I'm not trying to toot our own horn here, but I'm really surprised that it seems like we are the only ones that we know of that are asking some of these major, major questions before we even do a trial with these guys.

Shiva Maharaj:

You know, that's because, just because this room is called Two Idiots, everyone else is a bunch of idiots. I hate to be politically incorrect, or whatever. It goes back to, they let anyone be a provider. And companies using vendors who have unfettered access to their data and their customers' data, that's a bad thing. But they don't care, because all the MSP or the provider cares about is being able to bill their clients. And, you know, if there's going to be a standard for us, the natural evolution is we should be able to impose standards on vendors, for security, for best practices and everything else. We should be able to approve them to come into our area of operation.

Eric Taylor:

Oh, absolutely. And it's just crazy, right? Because I mean, we'll have these conversations with these folks. And, you know, I start playing around, I start planning things, and you know, some of them love it, and some of them get butthurt over it. And I think it kind of goes back, thinking about it, I'm starting to wonder, you know, the whole acquisition of RocketCyber and some of these other companies. I'm starting to wonder if a lot of these vendors that are getting introduced into the IT MSP space are using, you know, the whole method, if you will: build it up good enough, and then dump it and do it over again.

Shiva Maharaj:

I think so. I mean, no one's getting into business to save the manatees, right? It's about making money. And if you're, I'm sorry.

Eric Taylor:

Speak for yourself, I'm not here just trying to save people. You know, I'm

Shiva Maharaj:

not here to save people, I'm here to do a good job and charge a fair price as I see fit. You know, I see a lot of people on LinkedIn, or I get a lot of people on LinkedIn saying, I can help you do this, I can help you do that. Well, you're not really helping me; what you really want is to take money out of my wallet. So if you're going to do that, I need value. And that's what I hope to provide to my clients. I have a question for you based on this. Go ahead. And this has been a drum I've been trying to beat, and a lot of larger IT providers laugh me out of Zoom rooms for this. Why is everyone, and I mean everyone, not collecting their logs into a SIEM?

Eric Taylor:

We try. All we can do is try our best to give the information. If the client follows our instructions, great. If they don't, all we can do is just go through the steps and say, look, we told you to do this, we told you to do that; if you fail to do it on time and when we tell you to do it, you stand the chance of having an incident.

Shiva Maharaj:

My question really is, why are IT providers not making a SIEM mandatory? Why is there virtually no logging or aggregation of logs, and running, you know, even if you're running canned queries against something? Not you, but just in general, everything should be logged, because you're not going to need it until you do. I guess that's my question.

Eric Taylor:

Yeah. I mean, you're absolutely right. The logs are the key to everything, from a reactive approach to being proactive for the next time. I agree with that. Yes, the logs explain what happened. Unless you have, you know, these guys that come in for the ransom or whatever; they're not going to get too sophisticated. But some of these, some of my clients have interesting clients, where the logs do matter, because they may not want to be part of a ransom. They just want to sit there and look, because they gain access to the clients that they have. So yes, the logs are ideal. You are absolutely right. I agree with you 100%. You're preaching to the choir here.

The one thing that I want to jump in on there: you said that the ransomware guys are not very sophisticated. Can you dive into that and explain that? I don't want to make any assumptions on what you're saying here, but I want to see where your mind is at, please.

On that point, I would say, okay, the ransom stuff. We know, at the top level, it's a major organization; they run like a business, we know that. But there are so many parts of it that, you know, the average high schooler can purchase the necessary software and use a broker to go ahead and do everything. And that person, the high schooler, can, you know, socially engineer, or just send out, use bots or whatever service they want to use, third-party servers to send out the emails, or send them out any way they want to be able to infect the machines. They get a percentage of what they hit, but the providers that they use get another percentage, that sort of thing. If you're just dealing with the masses, they're not that bright. All they want, they just want, you know, it's a simple procedure: just go get as many clients as you can, lock up their machine, get them to pay, you know, and they're only sending out to their list or whatever. The brokers over here on the other end are the ones doing the collections. I'm saying that it's just a whole process.

Now, if you're talking one gang of set-up ransomware people, or remember what you're saying is ransomware, you're locking up the system for them to pay. But that's sometimes not really the intent. If you have someone that's targeting a specific organization that has clients that are more valuable than that one client you have, you want to exploit that. You don't want to go ahead and set up ransomware on that; you don't want to encrypt their data, because you want to be able to just sit there and view what they have, and see what other customers are, sort of, saying. Like with the insurance companies, if I have my hacker hat on, I would never encrypt that database for the insurance company. I would just sit there, open up my backdoor, and watch what's coming through. See how many clients are picking up that's going to these clients; as it comes up, go and attack the new client. Every time they get a bunch of clients set up, set up the timeline, go attack those clients, because you already have the client, because they're providing them to you.

I think I know where you're going. You're just phrasing this in a lot of a different way than I would ever phrase it, but I'll make attempts. So some of the parts, I mean, you're naming parts and pieces of different types of things. So you've got the RaaS, ransomware as a service, where you've got the main hackers that will build the encryption code, but it's up to the quote unquote minions to go out there and spread the ransomware infection. You have Egregor, what was Maze, what was NetWalker, now DarkSide, Ryuk, REvil, just all these guys or gals; I don't want to be one to include everybody, you know, but I think "guys" loosely. But you have the folks that are actually breaching RDP, or breaching FTP, SSH servers. Those are the more sophisticated stuff, and I'm not even talking, you know, we're not even getting into APT vectors, we're not even talking about nation-state attacks at all. You know, this is the common run-of-the-mill ransomware payloads that are being deployed right now, that they go in and cause massive damage; they literally will data-exfiltrate everything on the network. Just like we were doing the kind of loose example, if you will, the example, so to speak, of the insurance company, where you're going to data-exfiltrate, you know, any and all the existing clients, any and all the new potential leads and clients. Now, that's the whole data exfiltration side, and a lot of these ransomware guys are doing data exfiltration because of the simple fact that if you are able to recover your data from a backup, their data loss prevention, or data provisioning, or not provisioning, revision, sorry, data versioning, you're able to restore from OneDrive or one of these other backup repos, then they want to have something to hold over your head, so that way they can get some sort of money versus no sort of money.

I think you're kind of hitting it on the head. But it's a lot more complicated and more sophisticated than what you are talking about, at least from my point of view, because the company that I run, we are penetration testers, and we are an IR firm. 80% of the business that we do right now is incident response, from either ransomware or from data breaches, or for PCI, or whatever the case is. You know, I think, more times than not, thinking off the top of my head here, I think most of them have been RDP and SSH breaches. You know, we've seen some people who actually put their domain controller on the public Internet; one company had their entire server encrypted, if I may.

Shiva Maharaj:

So I mean, I would almost say they deserve that. Sorry.

Eric Taylor:

Yeah,

Shiva Maharaj:

well, I dropped the full credentials. I mean, I'm sorry, I'm sorry, but I'm not sorry.

Eric Taylor:

But God, sorry, there is a much, much bigger problem. There's more of an education, there's more things that need to be done. And it's not just a simple somebody clicking on crap. You know, there's more of an infrastructure security. Yeah, I think it really goes back to what I was trying to get at, which was, you know, implementing slowly but surely. You know, this is what she was talking about, you know, doing different implementations. It was around planning and execution. But I mean, you can't go into a 300-node network and say, all right, tomorrow we're doing zero trust, you know, we're blacklisting everything until you tell me who you are. That's not going to work. But in a small lawyer's office, one or two practitioners and one or two legal aides, and maybe a secretary? Yeah, you can do that in a day or two, easily.

Yeah, mainly, I mean, I do this; what I do on that is my side gig, you know. I'm not going to take on someone that has more than 20 employees; that is beyond my scope. I mean, I can't do that. Obviously, in my primary job, I do more than X amount of employees all over the world. But this is just a side gig. And I live in an area that has zero cyber presence. So it's a little monopoly, which is fine for me. But it's just small agencies. The bigger shops, obviously I'll give them a form about that: look, call this guy, this is what he does, they'll help you out. But I'm not going to be dealing with, you know, big, big things. These are just people I happen to know, and I can, you know, I just help them with the basics to try to make sure that they do not have other issues. It is very rare for me; you know, I've had very few of my clients, and I'm talking less than a handful of my clients in the area, that have fallen into a ransomware attack. Because at the same time, I'm a big Mac proponent, and I transition, you know, I put everybody on Mac. And I know I'm probably professing that Mac is safe, but no system is. It's just that it offers them a little bit more protection, and it allows me to support them on a part-time basis rather than a full-time basis.

Gotcha. I see where you're coming from. Everybody, just be mindful of what you're doing, you know. Talk to your vendors is the best thing I can say at the moment. Anything from you?

Shiva Maharaj:

Get good people, people who know what they're doing, and price should not be the deciding factor on

Eric Taylor:

anything. Now, during the closing arguments, you hung out with these two idiots here. Thank you for including me in the middle of you guys. It's always interesting learning. I'm always trying to learn as much as I can. And you guys obviously have a wealth more knowledge than we all know; we know what we know in our own little

Shiva Maharaj:

I'm the village idiot.

Eric Taylor:

The mayor of the village. All right, I'm just gonna queue up the YMCA intro on here. Here we go. See? So everybody, thanks for that and thanks for joining, and we'll see y'all on Monday. Take care.

Shiva Maharaj:

Thanks again for joining us for the cybersecurity amplified and intensified podcast.