Cybersecurity: Amplified And Intensified

10. Unrestricted warfare.

May 12, 2021 Shiva Maharaj/Eric Taylor/Brian J. Weiss
Shiva Maharaj:

This is the Cybersecurity: Amplified and Intensified podcast. So what's on the docket for today, boys?

Eric Taylor:

Well, first off, I want to say hello to Brian Weiss with AI tech solutions. Thanks for joining us today. And, you know, as we banter back and forth about the random security crap that we normally talk about. So, welcome, Brian. Once again, the topic of the day is security and more and more ransomware.

Shiva Maharaj:

How about you, Brian, anything you want to talk about today?

Brian J. Weiss:

I'm always game for talking ransomware. I think it's interesting to see the government getting more involved, finally, and it'll be interesting to find out. I personally feel like we're in an information war, like literally an information war, if you look at the money that, you know, the bad actors, the cybercrime actors are making. It's interesting if the government's ever going to be willing to admit that.

Shiva Maharaj:

Well, what are your thoughts on the way the government's getting involved?

Brian J. Weiss:

I'm kind of on the fence, because, you know, I feel like, if you think of traditional wars, you know, they're fought with an army and military. And we've done really, obviously, America has done a good job at building a good military and defending our land, and, and our people. But their military isn't designed to handle this type of war. And it's a different type of thinking, and it's different people that need to be involved in. And so my concern, you know, I like the idea that we're seeing our tax money and resources go towards helping fight this war, because I feel like it's something we need as citizens. But then, you know, you can start looking into all the sci-fi movies, right? Where, you know, how many times does that go wrong? When the government's like, hey, we want to create this AI to help defend us and then you know, then they maybe turn it into a weapon or that it turns on them. So, you know, I'm a big sci-fi geek. So then my brain starts going down all of those, you know, avenues.

Eric Taylor:

So when you say you're seeing the government actually getting involved, what are you talking about? What ways are you seeing them actually getting involved?

Brian J. Weiss:

Well, the two ways that come to mind for me are, you know, CMMC, actually creating some form of, you know, the US version of GDPR, I guess, if you will, I think that's important, especially for government entities, at the very least. And I'm sure we'll see that creep into other industries, as more legislation passes. Basically, what I see that doing, the good thing that I see happening, is it's holding people accountable. You know, it's, it's, it's not making this industry such a free-for-all. Anyone and their mom get involved, there's actually standards to meet. And then the other thing I see them doing, which, again, is questionable, is like the FBI immediately killed all those web shells that were still out there for the Exchange vulnerability effect. They did that without permission. Right?

Shiva Maharaj:

And well, what do you think about that? Because to me, that's a very slippery slope. And it's set a precedent for them to go in.

Eric Taylor:

And it only happened in one state and only two counties in Texas,

Shiva Maharaj:

As far as we know.

Eric Taylor:

Yeah, I mean, from what was disclosed, I personally have got two cases this week, or over the weekend, where Conti is back up in full swing, and they're popping Exchange shells. So either FBI sucks at what they do, or they didn't do it, or it was just an isolated case, which me and Shiva kind of went back and forth about it before, you know, the stuff that was released from the Texas attorneys that they went in and solved all these web exploits with Exchange. But they didn't say who, they didn't even know who they were, they were going to be reaching out post mortem saying, Hey, this is what we did is what do you still have to do? It almost seems like they were after some information, you know, not to get all conspiracy theory on people. But the writing's on the wall on that one's like, you don't even ask because I, hey, we've seen that you got, you know, this thing with Exchange. Y'all need help fixing it. Now you got it. Okay, we'll follow up in a couple days. And look at traditional sales approach if you own you know, not saying that FBI need to sell us anything, but there was no all we're just gonna get a blanket warrant for any IPs in this range that geographically goes back to it, and we're going to start going in their shells.

Shiva Maharaj:

What do you guys think about DHS hiring 200 more people or CISA?

Eric Taylor:

I'm really curious about that. So when we go actually into that, is it going to be more of the post mortem, you know, they're going to go with I try to help analyze and advisors where they're actually going to advise us where the threats are and how the IOCs are on this type of situations, or are they going to do more of a proactive because CISA has been more of a reactive and, you know, helping us with IOCs,

Shiva Maharaj:

I think the nature of attacks we've been seeing, it's going to be more reactive. What CISA should create is some division that does active threat hunting, take a look at everything in the government supply channel, and start pentesting them just as the Pentagon is inviting hackers to simulate attacks on any publicly accessible systems. That's what CISA should be doing.

Brian J. Weiss:

Yeah,

Eric Taylor:

that was alarming.

Brian J. Weiss:

I've, you know, it's interesting, because I feel like the government does have a place to defend us in and help keep us safe as American citizens, because in this information, rock war, it's basically a war with economics, financials, right. But at the same time, they don't even have their own backyard clean, like, so. I mean, I think if they're, if they are going to be popping shells, if they're going to be hiring extra resources, they should focus internally first, before they start, you know, acting like they need to defend others if they can't, if you can't defend yourself, you know, why are you wasting time defending others? It's kind of my thoughts on that.

Shiva Maharaj:

Well, that's a really, it's a really good PR push to say that CISA is doing all this. So you know, half the battle is marketing, and getting your version out there.

Brian J. Weiss:

Yeah, we got to get more tax money to pay for this. Right.

Eric Taylor:

Yeah, I mean, it really opens up that Pandora's box that we've talked about several times, where, if the FBI is setting the precedent that we're going to go in as are doing some sort of remediation. And we're going to, you know, actually do proactive things. Does that mean it's now a government issue? When a business in the United States gets popped with ransomware, or they have PCI compliance, you know, data breaches, or whatever the case because the government didn't stop it? I have a question here. Why did the FBI do the web shell remediation? Why didn't CISA do it? I think CISA doesn't have the scope that the FBI does. Yeah, I don't think CISA can go in and get warrants. Well, the US attorneys get the warrants for the agencies. Yeah. So um, but I mean, CISA is just not a quitter. That there that's not their, their bread and butter. You could be you know, behind the scenes, maybe CISA says, Hey, we want to do a good deed. And the US government said, No, there's more the FBI or the NSA, or what you're really saying was that thanks, man contest. It may have been in May of them, but

Brian J. Weiss:

Or they're not as corrupt as the FBI.

Shiva Maharaj:

I couldn't believe that. But you know, there's still a young organization give them time. Yes,

Eric Taylor:

I still think it was a grab for information. I think in several years, we're gonna find out who actually they were getting a hold of, and there was some information that they wanted.

Shiva Maharaj:

I believe that because part of the affidavit for the warrants said it had to be patched because these people did not have staff capable of remediating the issue. But then it said, they still don't know who some of these people are. So if you don't know who they are, how do you know if they have or don't have the talent? But hey, what do I know? I'm just an IT guy, right? As Rodney Dangerfield would say, I just get no respect. But exactly what do you guys think about US agencies reviewing software suppliers with ties to Russia? I think if anything SolarWinds has taught us that you should look at everything, not just who you think has ties to Russia.

Eric Taylor:

This is always an interesting thing. Because everybody's it seems like no matter what we do, or what happens in the news, you can call in the whole back to political Russia, Russia, Russia, kind of like heritage. I keep hearing that I think of the old Brady, The Brady Bunch of Marsha Marsha Marsha, right, but um, it just seems like it's the big bitch fest. But is Russia a foe? Yes. Does Russia give a damn? No. Does Russia have more of the APTs that are coming after us? Absolutely. But are software companies really in bed with Russia? I don't think it's a stretch.

Shiva Maharaj:

I don't think they're in bed. I think there is international money going through the stock market and to many of these companies. But if you look at the breaches, it's not the financial stakeholders that are enabling the breaches. It's poor security. Yeah, it's a lack of cybersecurity hygiene. More than anything else. What do you think Brian?

Brian J. Weiss:

I don't know, I think from like a tactical and more long term plan. I mean, I, I don't know how we're going to get ahead of this unless we start doing some double agents where we've got people on our side working with the bad guys cluing us in on what's going on, because the zero day threats are the ones that are going to hit us the hardest. And if we can get any upfront information before the bomb goes off, you know, I think that's the best. I feel like the approach of, hey, let's find out who's all vulnerable and very reactive, kind of, I guess, vulnerability scanning is technically proactive, because you're trying to patch vulnerabilities ahead of time, but it's, it's too big of a job, we're too far behind, like for the government to be able to take on the responsibility to make sure everyone's secure, like they need to get, the government needs to get itself secure. And then they need to gain better intel on what these threat actor groups are doing. So they can plan ahead of time and be able to be more proactive with potential zero days that are coming up that they don't know about yet.

Shiva Maharaj:

1000 percent agree. You know, I often say the biggest surprise out of the whole SolarWinds hack was the fact that the NSA uses SolarWinds. Ryan, I would have thought they would have something homegrown.

Brian J. Weiss:

Yeah, it's, it's interesting the world of IT when it comes to the government, because there's still a lot of government systems that are on old legacy technology. And you might argue that some of it's more secure, especially if it's not connected to the internet. But, you know, traditionally, the government has not been on the, on the leading edge of technology, where they're using the latest and greatest. And it's been these, you know, private technology companies, Microsoft, Google, Amazon that are driving the market. And I always, you're right, I always assumed, hey, they're developing their own stuff in house. But no, they're relying on all these private companies. And if they don't do, they don't have something like CMMC in place where all the supply chain vendors that are involved get rigorous checks. There's easily areas like this for vulnerabilities to happen.

Shiva Maharaj:

But you know, here's the thing about the supply chain. And I think this goes this rings true for the federal side, as well as private sector. Once you're in, you're in. And it cuts both ways for the vendors and the bad actors. Because as long as you're in, you have your persistence, and it's gonna take an active thought to get you out, especially in the government sector. How often do they change vendors? Oh,

Brian J. Weiss:

Yeah, and the threat actors love those lateral moves. I mean, they don't, all they need to do is find someone in the chain, someone with a relationship. And then if they can get in, then they start figuring out what type of lateral spread they can make happen from there.

Shiva Maharaj:

You know, you bring up an interesting idea, I know of a company that has been breached, and they sell their product into practically every department of the government and hundreds of thousands of companies around the world. And now their product is likely a jump point for these bad actors into the end customers. And that includes our federal base here.

Eric Taylor:

That said, You know, I mean, they're, like, we keep saying it is definitely a long game. It's definitely something that we are behind the eight ball on we we have years to catch up. And that's just to even get to the same playing field. Because, I mean, it seems like we are getting, I guess, Lisa, stories that get leaked out, you know, when we talk about, you know, having spies in on the other side and stuff like that, you know, kind of right away reminded me of that failed attempt to actually breach into Tesla warehouse over there in California a couple months back, right. So, you know, more and more, are we hearing about potential Chinese spies in the US government or dating or advisor dating some of the Congress people and there's active reconnaissance going on against this country?

Shiva Maharaj:

I think it's like narco trafficking. There's just so many opportunities for the bad actors. If one gets caught, there are 10 others that have been successful.

Eric Taylor:

And I mean, the whole value is everybody's got a price point. You just got to figure out what it is. Right?

Shiva Maharaj:

Exactly. What do you guys think about the Colonial Pipeline? I know that's hot off the presses relatively.

Eric Taylor:

Oh, my gosh, so this is this has kept me awake a lot this weekend. So everybody's always like, we got to protect our infrastructure. Gotta protect our infrastructure. You know, it's gonna be EMP blast is gonna be this is gonna be that. No, it's ransomware.

Shiva Maharaj:

And it's DarkSide, it was DarkSide, and who was the company called in to unfuck this?

Eric Taylor:

FireEye.

Shiva Maharaj:

FireEye's the single company that's finding all these things and remediating everything.

Eric Taylor:

But see, I don't know, in this particular situation. And again, this is, we don't know all the facts yet, or even speculative facts right now, but we don't know if FireEye was is doing IR, their their response team of this thing's like, Oh, we got popped, let's call some big hitters. And oh, we can do FireEye. Or if it's something completely different, right? If it's FireEye was part of a panel, if FireEye was already in the network, you know, they were an active client.

Shiva Maharaj:

Well, the CEO, or the CIO of Tenable, made a comment in an article I just shared with you that it seems like Colonial doesn't even have insight into all of their systems. And worse yet, Colonial didn't have an IRP pre incident. They are building an IRP as they go.

Brian J. Weiss:

I would, I'm not surprised. I've been, you know, doing a lot more co-managed leads lately of these huge nationwide, you know, they're private companies for the most part, but they've got internal IT that doesn't even have a decent RMM to know all the devices they're responsible for supporting in a single location, right? They don't even have Identify down, the first pillar of NIST. And so, big companies like that, I imagine if you get siloed enough, the other thing I noticed with these IT teams is they're siloed. You know, I'll talk to one person and I'm like, Hey, what are you doing for backup? Oh, I don't even know, that's someone else that handles that. So these IT teams don't even communicate or work together, where, you know, you've got one group responsible for security, and they're not even part of the backup team. And it's like to me, like that goes right with backup, continuity, disaster recovery, like those are all, you know, they flow that, like, that's the last pillar, Recover, right.

Shiva Maharaj:

I think that's very good.

Brian J. Weiss:

You know, I, when I hear stories, you know, my first thoughts is that no, they had no idea what was going on. And I'm not surprised to hear they don't even know all the devices, and probably even users are responsible for supporting internally.

Shiva Maharaj:

What's the first thing you guys do when you go into a new client, or one of the first things you do?

Brian J. Weiss:

Gotta identify everything that they want us to support, and then see if there's any major red flags, either with the client themselves, if they've got too high of a risk tolerance, or, you know, the infrastructure, you know, if there's obvious vulnerabilities, then you wonder what kind of persistent threats or backdoors are hanging out?

Shiva Maharaj:

Are you guys dumping all of your logs into a SIEM for all of your clients? I'm in process of doing that.

Brian J. Weiss:

We were using RocketCyber and now we're looking for a different kind of SIEM, if that's what you call RocketCyber, it kind of aggregates most of your logs. I know Eric's looking at a couple of companies. I'm secretly hoping my company I'm using for my SOC right now comes out with their SIEM sooner than later. But I care more about security versus compliance. So like, I want to make sure security is in place. And I've got a team I can hold accountable, a SOC. And then compliance to me is kind of second to security.

Eric Taylor:

See, I take a little bit different stance on that, if you will. So I mean, security is important. Don't get me wrong. But at the same time, and maybe we're just using different words, though, correct me if I'm wrong here, but you put in your security stack, whatever it is, you know, your firewall, your EDR, MTR? Whatever it is, right. But if something gets through, that's what that's like, my next thing is like, crap. What was that PowerShell that ran? And how did that get in there? Whether it's legit or not. Right? I want to know, I mean, so when we talk about stuff like this, we, I literally, I can't say I gotta be careful what I say because of attorney client privilege. But there is a fictional company somewhere in the United States that literally has less than a dozen servers, and all of them had a different backup solution. And I'm like, What? And they're all in the same location.

Shiva Maharaj:

That makes perfect sense if you don't think about it, though.

Eric Taylor:

Exactly. Exactly. You know, and I can't tell you, I'm just gonna go out of here on a limb and just ask you if you are still using Symantec, love of anything holy, please stop. I mean, I think should they use Webroot? I say, yeah, I think Even Webroot is least romantic, even though I hate those guys. But

Brian J. Weiss:

To your point, Eric, I mean, if your SOC relies on a SIEM to see everything they need to see, then yeah, you obviously need to have that in place. But I'm in a position right now without a SIEM, my SOC doesn't rely on a SIEM. But without it, if I want to see everything that happens, I got to go to each individual tool and check the logs and then correlate them right, which is ultimately what I'm missing by having them all aggregated.

Eric Taylor:

But this may be a good point for you, though, Brian, because I always have this debate with people. Do you have a mindset of being able to have that level of separation? So not all of your information is in one location? Or do you have everything in one location? Potentially the keys to the kingdom?

Brian J. Weiss:

Yeah. But it's that's the whole, that's the argument on SSO too. You know, I've heard some MSPs say, Oh, I don't want to do SSO because that's one door they can break into, and then have access to everything. And my argument on that is, well, would you rather secure 15 different doors or one door? What's going to be easier to keep secure? Build a better door.

Shiva Maharaj:

Yeah, you know, that's what I would think. Eric, back to your EDR comments, what are your thoughts on ryusuke being able to bypass EDR, and using Notepad++?

Eric Taylor:

That, we just seen that come over, you know, earlier today, where, you know, they're using PowerShell encoding everything or running it through Notepad, right. So this is this is bad, you know, so we've already got me thief, that is an open source tool that will pass a dump anything in, I stored in the, in the SAM file, you don't need to be, from what I've read so far, you don't need to be an administrator to run this open source tool, it will already pass a hash for you if it needs to. You doing that and doing your PowerShell obfuscating in Notepad++, this is this is bad, right. So I've definitely got to drop through some stuff later today and test against my EDR solutions. And these are things that we talk about, you know, when you have a new thing like this, how many companies are actually doing what I'm just talking about is like, Okay, how are they doing this? Is my system detecting it? And how can I get that detection pushed out? So that way we can get early notification of these type of threats?

Shiva Maharaj:

And by saying new, you mean, newly discovered, not merely in use? This is true,

Eric Taylor:

right? Because I mean, this had to be used for it to be discovered,

Shiva Maharaj:

Right? Probably by FireEye. Yeah.

Brian J. Weiss:

So it'll let I mean, what if you, if they don't have local administrator, how's it going to let them install the software? It doesn't, it's just it loads it.

Eric Taylor:

It runs in app data. From what?

Brian J. Weiss:

Run standalone I gotcha. Okay.

Eric Taylor:

So, yeah, yeah, cuz right here, this CVE of privilege escalation flaw. So you don't need administrative rights to run this thing. It will take it.

Shiva Maharaj:

Oh, at least

Eric Taylor:

that way. Those two CVEs are not patched

Shiva Maharaj:

yet. Tomorrow, Patch Tuesday, maybe,

Eric Taylor:

maybe, or maybe out of band push today. That'd be nice. And then Hyper V or tank or something, because that's never had by happen by a patch.

Shiva Maharaj:

Going back to the pipeline hack and some of the other instances. My opinion on all these breaches is that the foreign APTs are mapping out our responses. I don't think this is meant to cause disruption. I think it's meant to find out how would we respond? And it's also an attack on the morale of the country, I would say. What do you guys think about that?

Eric Taylor:

I think that's fair. I mean, I think we are in a time where we are doing mock war games. You know, we're doing it by cyber security. You know, we had, you know, I keep thinking this entire time, the whole SolarWinds was, you know, as we keep finding out more and more, like we found out earlier that they had access to 365 tenants as far back as 2019. I think Russia was in there so far. There's like, you know, what, whatever, just let's just set off some red flags and see, you know, how this drill goes,

Shiva Maharaj:

that I think it's misdirection, have our resources focus in one place while they continue to exploit the other 1000 places. They found persistence. I mean, Brian, or I don't know if you operate in the federal space or even the local government space, but how different are their systems from what you deal with on a normal basis, in terms of security?

Brian J. Weiss:

Very lacking, definitely not a thought that they are leading with, that's for sure. We actually last year picked up a city, a local city, they got hit by ransomware from their old MSSP. That was, they got hit, you know, the MSP actually got targeted. And then they got into the MSP's clients through their RMM software,

Shiva Maharaj:

Kaseya or ConnectWise,

Brian J. Weiss:

ConnectWise.

Shiva Maharaj:

Yes!

Brian J. Weiss:

And so we got called in because we're the ransomware experts in our area, because of our experience with it ourselves back in 2018. And we came in and helped them clean it up, remediate it, worked with their insurance company, and then developed the relationship with them, and then ended up getting them as a client. But it wasn't like the ideal client because they needed so much work. Luckily, because of this event, they now had a bunch of funding to put towards that, right, it took this event for them to want to invest in security. So we're getting hardened when it comes to security. But then I've got like two construction companies that are in the supply chain, they do federal government work. And the last thing they wanted to do was spend money on security until they got an RFP that said they had to be up to, well, it was claiming CMMC that the assignment finalized yet, so it ended up falling back to NIST 800-171 is what we had to get them, you know, certified or not necessarily certified, but assessed for. And they were, they're kicking and screaming all the time. You know, this is gonna cost me X amount, oh, my goodness, you know, and so people are fighting it. And then what I hope to see is the federal and state governments providing extra budget funding, obviously, for security. But that doesn't help all the supply chain vendors, especially the smaller businesses, who can't afford that. So I think you're gonna see supply chain vendors pull out of the government space, because it's too expensive to be able to afford just to be up to par with security to bid these RFPs that are coming out.

Shiva Maharaj:

That municipality that you helped, where did they end up getting the funding from post incident to remediate not remaining? Sorry, too hard.

Brian J. Weiss:

So they, well, they had reserves, luckily, that they ended up paying for the damages. And then they submitted for, they had this like questionnaire that they were given to, to basically look at their security posture. And so we helped them fill it out and pointed out all the gaps and said, this is how much it's going to cost. And I'm assuming that they submitted for funding on that because it came up with the money somehow, I didn't really question it. Raise taxes.

Eric Taylor:

Well, this brings up a great question that I think I've asked you before Brian, but I definitely have asked, or, you know, made the comment several times to Shiva that I firmly believe that companies are going to do things as cheap as possible for as long as possible, until somebody dictates to them that they have to do something different.

Shiva Maharaj:

Who's gonna dictate the lobbyist?

Eric Taylor:

Yeah, that's what we've always thought about is like, who is going to be that governing body? You know, the, you know, we've seen this stuff that comes out what was it Louisiana or Mississippi that did the MSP and MSP registration in Louisiana and Virginia, I want to say, was it up? We always we've talked about maybe the insurance company being the hope, but at Christmas, they don't friggin follow their own recommendations half the time.

Shiva Maharaj:

CNA got popped three, four weeks ago. Big time.

Eric Taylor:

I mean, I've had four or five insurance companies in the past, probably 45, 60 days. So I hate to see it where it comes down from a federal regulation

Shiva Maharaj:

that does, what are they going to do, tell us to follow CJIS, which is a hot steamy pile of shit. Let's be here.

Eric Taylor:

Oh, you know, I've brought it up before. And, Brian, I'll let you talk here in a second. The, you know, side comments, Brian, I feel like I tell you that a lot in some of these meetings. But the I really do wonder if the CMMC or whatever facet that gets mandated to businesses will have an exception clause where if your business is under this, whatever, employees, team members, dollar amount, whatever, just like Affordable Health Care Act and a lot of these other ones that you know, you can go off to the side of the hearing, no big no harm, no foul.

Brian J. Weiss:

I guarantee it'll be like that. Because when California came up with the CCPA, I was kind of happy because I was like cool. We've got our GDPR version at the state level. But you have to be doing at least 25 million to even be put into that category. So, you know, I immediately looked at all my clients, I had one client that fell under it, so I could totally see that. And I think that makes sense, in the sense that you don't want people going out of business overnight. If they do take that approach, what I'm hoping they do is they keep lowering, right? Maybe they start at one gross revenue amount or employee count amount, and then they keep lowering it over time, so that it eventually gets pushed down. Because security will get cheaper as it becomes more commoditized. I guess. I hate to think that our industry is becoming commoditized. But so imagine in the future, I would hope that even smaller businesses out of the gate can afford good security.

Eric Taylor:

So, do you think they're going to do with CMMC, or whatever the facet is, a lot like what they did with HIPAA, you know, by this date, you need to be a certain stage.

Shiva Maharaj:

No,

Brian J. Weiss:

No, yeah, I could see them rolling it out like that. I mean, with the government ever, no, I mean, forget for government entities, they might just overnight, say, Okay, this is the way it's got to be. And if you need extra money, send us a form, and we'll consider it. You know,

Eric Taylor:

it's interesting, because I do wonder, no, which I think it was, in one of our CMMC calls, Brian, that somebody was saying that there's been a lot of companies who are going under CMMC. But because NIST 800-171 was a self-attestation. See, just the other federal government sees are like, Oh, well, there's only 20 or 30 extra controls that you got to do, this shouldn't be that big of a deal for you. And you're like, Oh, we got to spend a metric f ton of money to get there because they weren't doing what they said they were doing to begin with, just like PCI and frickin everything else.

Shiva Maharaj:

That's the problem you run into with self-attestation. And the two poster children for how ineffective it is, is CJIS and HIPAA.

Eric Taylor:

Yeah, cuz I mean, there's still businesses that will rather pay the fine of a breach or noncompliance, and plain and simple noncompliance, than it is to actually go through it because no offense, it is cheaper to pay the fine than to be compliant.

Shiva Maharaj:

It all boils down to money, let's be honest. So paying a lawyer for a couple hundred hours of work is probably cheaper than paying you, Brian or myself for a year of cybersecurity.

Brian J. Weiss:

Yeah, I mean, there is the aspect of, they could go out of business overnight, if it's a

Eric Taylor:

bad enough breach, but what stops them from just opening up as a new company name in, you know, 48 hours?

Shiva Maharaj:

Nothing. With a, you know, a 24 minute news cycle, there's nothing to stop it, you know, come back around. And the world has a very short memory these days. And with the proliferation of all these ransomware attacks, I keep saying it, the public is desensitized, they don't care. If the government can get popped, who are they?

Eric Taylor:

Exactly. You know, it's almost to the, a lot of times, we have these, you know, introductory calls, and they're just, they act like they're close, like, oh, nobody ever told us about this. Really? Come on, let's just not BS each other.

Shiva Maharaj:

I kind of believe that because you have a lot of providers out there who don't know what they're talking about for day-to-day IT, much less cybersecurity. How many MSPs do we know that are using the software with no MFA for their command and control, Webroot, whatever RMM there is? I think, in the MSP community, most RMM Xers, most of the big RMMs only made MFA mandatory within the last 18 months, give or take.

Eric Taylor:

Now, that's Yeah, this Oh, MSP channel software needs to die.

Brian J. Weiss:

Thought of something that's kind of interesting take, you know, you think of internal IT and MSPs and kind of the traditional battle there, right, internal IT kind of tends to be behind the curve, because they're siloed, they aren't getting exposed to new things. They get comfortable. They have one network they're dealing with, versus multiple. And they tend to favor, you know, job security over doing the right thing for the company that they work for, you know, especially a lot of times when they know the company needs something. It's going to take them standing up to management saying hey, you need to put this in the budget. And then of course, they get pushback from management. So they're like, Oh, all right, we'll leave things as is. So it's like job security from internal IT is part of the reason that it is so bad a lot of times for large companies that have internal IT. But now on MSP side, we're responsible for securing our clients, but it's almost job security on the MSP side where the MSPs that aren't up on security like they should be don't necessarily go to talk to their clients about security because they are not prepared to offer it. Because they're afraid of losing the client, right? Hey, you need this security, but I can't really offer it to you. So they're, they're not telling, they're not educating clients like they should, because they're not educated themselves to be able to do the educating. And then they're worried about losing the client. So you know, it's just kind of when you think about it that way, you know, we're almost doing the clients a disservice. And you're right, MFA,

Shiva Maharaj:

I couldn't believe when I was talking with Datto, about when they forced MFA on Datto RMM, how much pushback they got from their partners about people not wanting MFA on their RMM. Why? I mean, Duo Security is free to the MSPs internally. So it's not like they have to go out of pocket and it's push, you don't get easier, or more secure than that, quite honestly, these days, in terms

Brian J. Weiss:

of free authentication apps out there even to cover that argument. But it was just literally these MSPs that favored convenience over security. That's all it was. That's, though, there's definitely bad actors in our industry that are making our jobs harder, that's for sure.

Shiva Maharaj:

But I think that's endemic in every industry, whether it's internal IT or the VAR space or managed services, I don't think it's limited to us at least.

Eric Taylor:

Yeah, but

Brian J. Weiss:

but we're in an information war in our industry.

Shiva Maharaj:

I believe we are in a war. Part of it is an information war. Part of it is the heart and souls of the American public. That's why they're attacking our infrastructure to shake our resolve. But you're talking about APTs who have been preparing for the last 25 years plus to come after us. And they're just starting to sow the seeds of discord? Well, we thought we won. And we were focused on counterterrorism, these APTs were growing stronger and stronger. And globalism has helped to make us dependent on Asia for manufacturing of everything. So we can have the coolest and cutest software out there. What's the point if the hardware is coming over compromised?

Eric Taylor:

I mean, that goes back to what we've had discussions before is, until we get from a nation of consumption to a nation of production. Now we're going to be dependent on all these things, and therefore potentially open to these threats.

Shiva Maharaj:

Now, here's the problem with that, right? In the United States, there's a cost associated with life, not a value, there's a cost, because you're gonna have a lawyer that's going to go sue somebody because someone got hurt, or they lost their life in a manufacturing plant that drives our cost of production up in Asia and other countries, that people are doing Swan dives off of buildings, production never stopped.

Eric Taylor:

I mean, you see some of the stuff that come out of the news, like a week ago, where there's a bunch of little kids sitting around in dirt huts, putting these COVID-19 rapid test together and touching the ground on everything. But he said does friggin landed on here, we got to set on fire instead of the orbit.

Shiva Maharaj:

It's a whole different paradigm. And a lot of things I think would have to change for us to bring manufacturing back here. And I you know, I'm going to catch a lot of flack for this, but you're gonna have to make it non union. Otherwise, just tack 30% onto the cost. Yeah,

Eric Taylor:

I mean, the more people that you have in the mix of the supply chain, the complex, more complicated. It's going to get on complexity, on security, on cost on everything.

Shiva Maharaj:

What would you say are the first things we should bring back to production here?

Unknown:

Yes.

Shiva Maharaj:

I'm thinking anything electronic to do with processing. So chips motherboards, video cards. Russia, they manufacture their own. China manufactures their own. We should be too. We can't be fighting China with product that comes from them.

Eric Taylor:

Yeah, I think the easiest ones that we'll be able to be able to migrate back over to us would be hard drives and chipsets.

Shiva Maharaj:

Well, Intel is struggling to produce the two nanometre. And so IBM just produced the first one domestically, but the chip makers in Taiwan have been doing it for a while now. And I think that's part of why China is reinvigorating their actions to go back to reclaim Taiwan.

Brian J. Weiss:

I just noticed one of our vendors switched to Taiwan. What did they move to Taiwan? It was like it felt like earlier this year when we ordered a bunch of network equipment, because if we do, it's gonna take a while to get and then one of my guys just can't stand China, one of my engineers and he was looking at where it was made. He's like, yes, Datto is not getting stuff from China anymore.

Shiva Maharaj:

I heard through the grapevine that Datto has some really interesting networking stuff coming out. And I hope at the top of that list is a 48 port switch with SFP Plus. You know, don't make me commit to a 24 and eight port just to get SFP Plus. That's just, yeah. Come on. We're in 2021 here.

Brian J. Weiss:

Yeah. Well, they had it, you know, they were coming out with it. And then they had supply issues, supply chain issues. And then they were worried about, you know, also demand, right? How much of these would they sell? The reason they got rid of their power line is because they couldn't meet the demand either. And they're having trouble battling up against companies like APC, right, who would put an order in, and they're obviously going to be put to the front of the line, because they deal with a lot more power equipment. So the supply and issues, you know, are definitely causing vendors to make different strategic moves on which products they're going to be focusing on. Because they can't just get anything and everything they want anymore, like they used to be able to. And the other thing that they told me is there's a 12 month lead time, meaning they have to order what they think they need in 12 months, right 12 months beforehand. And so that's another gamble that a lot of big companies are having to deal with now is making sure they're ordering enough. So they don't run out, but not too much to where, you know, they've got profitability issues there. Oh, yeah,

Shiva Maharaj:

that's a big problem for Datto. Now that they're public too, right? Their balance sheets are exposed to the world.

Brian J. Weiss:

Yep. Yeah, I hear I guess, Kaseya is the next one that's going to try to go public.

Shiva Maharaj:

I don't like to say, Oh, that's it. That's as politically correct as I can be. I think their tools are trash. And their level of privacy they provide to clients and the clients of their clients is severely lacking,

Eric Taylor:

that they go public, or we just start openly publicly shaming and bashing them now. As opposed to what now?

Shiva Maharaj:

I think we do a good job of that. Yeah. So anything else you guys want us to cover?

Eric Taylor:

Not today, just please start securing your networks, people, please. Brian?

Brian J. Weiss:

Yeah, I know, you shared an interesting article about stop dropping after cyber security incident. Right? And the fact that, you know, can you trust them, you know, reputation and things like that. It's gonna be interesting, because I think initially, it's definitely, I think the companies in the beginning are gonna lose are going to get hit harder with bad reputation than the companies if there is an end towards the end, or, because like you said, earlier, people are becoming desensitized to this, right? So it's gonna, you know, pretty soon it's gonna be like, Oh, another company got hit, oh, I'm using them no big deal. You know, three other companies got hit last month that I use. Also,

Shiva Maharaj:

I think the problem there is people misunderstand what the transference of risk really is. They think because their supplier got breached. They're in the clear, and it's not their responsibility. And I firmly believe, no matter what industry you're in, you need to vet your vendors and make sure they are providing you with what you need, not necessarily what you want.

Brian J. Weiss:

Yeah. And that can be a whole other discussion, vetting vendors, because I'll tell you in the past, you know, almost three years that I've spent burying my head in security since our incident, that's something I wish I would have knew in the beginning is that, you know, you get in bed with the wrong vendor, you think you think you're sleeping good at night, and before you knew, you know, it, you're sideswiped by something, you thought the vendor had your back turns out, they didn't be in sold a bill of goods, there's a lot of sales fluff in our industry, you know, especially around security, and a lot of offshoring,

Shiva Maharaj:

which scares me

Brian J. Weiss:

a lot of offshoring. So I think I'm hoping more MSPs are realizing that you need to vet your vendors, but I think we're gonna, in the future even see that come down to the consumer industry, where you're gonna see consumers doing a better job of vetting who they're using, because ultimately, we're voting with our dollars as consumers, right?

Shiva Maharaj:

I would hope so. But you know, people love that cheap price. I've had prospects who got hit with ransomware, they called me and I gave them a quote, and they just said, we can't pay that. We used to pay $400 a month. And, you know, off the cuff, the quote was probably 1500 $2,000 a month for proper cybersecurity and everything else that goes along with it. And these are, this is a company that just got hit with ransomware, lost everything, and they still don't want to pay. So it's an uphill battle. I think, you know, and you mentioned earlier, the cost of the stuff is only going to come down with greater adoption, but it's getting that greater adoption. I see the challenge right now, at least in the next couple years. Oh,

Eric Taylor:

well, to me, the biggest problem is a lot of times is out. So you got people or you got these guys are gonna leak the data, unless you know where they're gonna go unless you know where they are, you know who's gonna get all that stuff? The other hackers,

Shiva Maharaj:

they're out of our jurisdiction. I mean, I love seeing all these news reports of DOJ and German BND, or whoever taking down botnets and worms and this and that, but it's not gonna stop anything. Just delays them a little bit. You know, we said Beetlejuice three times couple of weeks ago saying, you know, it was quiet out there. In the last week, and what's already been coming out this week, you've got a couple dozen high profile breaches. So it's only a matter of time.

Eric Taylor:

Exactly. All right, gentlemen. Well, if there's nothing else, I guess we will wrap it up for this week's edition.

Shiva Maharaj:

I'd like to thank Brian for coming on. We hope to see you again.

Eric Taylor:

Thanks, everybody. Please subscribe to the podcast, like our profiles, keep up to date with us. All the links will be down below when you're viewing this and we'll see you on the next one.

Shiva Maharaj:

Thank you. Thanks again for joining us for the Cybersecurity: Amplified and Intensified podcast.