Trevor O'Hare - Audiobook Narration - American Male Voice Over

Audiobooks

Description

This narration was for an audiobook project I completed for a customer. This service is great for these types of books:

Non-Fiction Self-Help
Autobiography
Financial Literacy
Business/Economics
Guide
Health and Fitness
History
Home and Garden
Textbook
Science
True Crime
Fantasy
Science Fiction


Vocal Characteristics

Language

English

Voice Age

Young Adult (18-35)

Accents

North American (US General American - GenAM)

Transcript

Note: Transcripts are generated using speech recognition software and may contain errors.
Chapter One: Why You Need Protection

You probably have an image of a hacker in your head, right? Somebody sitting around in a sweatshirt, working on a computer somewhere. That's what you probably envision when you think of the word hacker, and you probably have the idea that this person lives and works in a dorm room or something. But that's not what we see today. When it comes to hackers, we see big businesses staffed by developers focused on one thing and one thing only: deploying and detonating ransomware. This is not a single-hacker situation. There are teams of people who are coordinated and trying to get into your networks.

In fact, one of my biggest fears when I was running an MSP was that I would get a phone call in the middle of the night: somebody calling to tell me that our entire infrastructure was down because one of our user accounts was hacked, that hackers got in and were able to ransom all of our clients at the same time using our remote tools.

When I talk to people about this, I get responses like, "I'm safe. I don't have to worry about it." I then ask, "Why do you feel like you're safe? What do you have in place that makes you feel that way?" The answers include: "I have antivirus software." "I have artificial intelligence." "I have SIEM." "I have backups." Okay, you get where this is going. But then I often find out later that these people's entire networks were ransomed.

Before I go too much further, let me talk about backups. When I was growing up, there was this game called Pac-Man. Do you remember? You're the little Pac-Man, you're the little yellow guy, and you're going around and around trying to get all the little bits off the board. You're trying to do that before you get caught by the ghosts. Within the first couple of levels of play, the ghosts don't really know where you are; they just bumble around and move all over the board.
But as the levels get higher, the ghosts get increasingly interested in where you are, and by the time you reach level 20, as soon as you get on the board they're headed your way. If that little yellow guy is your backups, then the ghosts are the ransomware. And the thing about this game is that the little yellow guy never, ever makes it out alive. And in 2021 we are at level 20 when it comes to ransomware. It's pretty sophisticated and it's pretty good at finding your backups. If your backups are on the same network, as they are in Pac-Man, you will get caught and your network will be destroyed.

Another thing I hear when I ask people why they feel safe is, "I have cloud backups." But that's just another form of Pac-Man. Same game, just a bigger board. I also hear, "I have cloud backups and they're offline." But I know the numbers: only half of you who have offline cloud backups have them set up properly. This means that ransomware is able to get to not only your on-site backup but also your cloud backup and your offsite backup.

Yet another thing business owners say is, "My IT guy always figures it out." But if you're ransomed and the ransomware gets to your backups, you're not going to figure it out. The IT guy is not going to figure it out. And guess what? The client knows that the IT guy is you, right? So that's not going to work out for you.

I keep saying that ransomware is getting worse. In 2017 there were $2.3 million in ransomware payments. In 2019, which was also a record year, it jumped to 7.5 billion. Think about that. Think about how much money that is. We paid hackers 7.5 billion in 2019. In 2020 there was a 37% increase in ransomware attacks and payments, and 25% of those payments resulted from ransomware that was specifically targeted at MSPs. Now do you understand why hacking is big business and why there are teams of people focused on detonating ransomware inside networks like yours?
The first thing you can do to protect yourself is create a ransomware plan. Now, we give this a lot of lip service. A lot of people say that they have already created a ransomware plan. If you have, great. But out of the 22 MSPs we studied in 2020, only a couple of them had actually written down their plans and communicated them to their teams.

The next thing you can do is practice the plan. Do you remember when you were in elementary school and you would have a fire drill? An alarm would go off and you would have to leave the school and line up somewhere, maybe by the gymnasium or outdoors on the playground. This was so that everybody would understand what to do in the event of a real fire. That's why they call it a drill. It's not a real fire, but everybody rehearses their emergency procedures. I'm suggesting you do this at least once per quarter with your own emergency procedures. A key piece of this drill is servicing your clients with your RMM offline. That means you don't have the ability to connect to them remotely. You don't have the ability to log a ticket.

Let me share with you an experience to help you understand where I'm coming from and why this is so important to me. Often I'm engaged to do a third-party audit or a penetration test, depending on the situation. One of the first things we do is an interview. On one occasion I was interviewing an MSP to learn about how it configured a hospital network. After the interview, I went to meet the owner of the MSP at the facility to do a walkthrough and some additional testing.

A brief aside: firewalls are one of the first things we test when it comes to ransomware, because they are a last resort protecting your organization. If one of your users clicks a malicious link in an email, you can pretty much guarantee there will be a ransomware payload in the future. First the malicious application will scan the computer, then it will call back to the person who wrote the ransomware for next steps and a ransomware key.
If you have a good firewall, that is, if you have a smart firewall that's capable of recognizing this type of traffic, it will stop the callback and alert your team. Then you can take care of the problem before any data is exfiltrated, before the ransom spreads throughout the organization, and often before the computer gets encrypted to begin with. This is really important when it comes to protecting your environments.

So I'm sitting in one of the hospital's conference rooms. I'm across the table from the owner of the MSP that supports the hospital, and I start my testing. One of the first things we do when we test a firewall is actually push a payload that looks a lot like ransomware through it. Usually the firewall will stop the traffic and alert the SOC saying, "Hey, there's ransomware coming through," or something along those lines. But in this case it went right out, and I pulled another payload back in. I mean, there was nothing even slowing it down. This network was open wide.

I asked, "You know, Mr. MSP Owner, you guys have an advanced firewall installed, right? That's what we discussed during our interview." And he said, "Of course. Do you want to see it?" I'm thinking that if somebody offers to show me his network room, I'm definitely interested. This would be the nerd in me coming out.

We get to the network room and he opens it up and we start looking around. I'm expecting to see a brand new advanced firewall capable of IPS/IDS, deep packet inspection, HTTPS proxy and NetFlow identification. There are a couple of things about this type of advanced firewall you should know. First, there's usually a management port; that's how you manage the firewall when the rest of the network is down. Then there are other ports that are used to run the traffic that's going in and out of the network. We get there and we look at the rack. The rack is beautiful, nice wiring job, and at the very top is an old green and white router.
This is a 10-15 year old router, and there are two of them. You know the type: command line only, great layer three router back in the day, but today they belong in a museum. Below them, the brand new advanced firewalls are sitting in place, but there's something odd going on. There's just one green light lit up in the front, and it's solid. It's not blinking at all. The lights are on but nobody's home. So I walk around and look, and there's one purple cable coming out the back of each router. It's just plugged into that management port. That is all, just the management port.

Whoever set these up went through and installed the firewall. He got it on the management network. He probably even configured it, but he never put it into production. It was just sitting there in the rack, chowing on power. This managed service provider thought it was installed and that it was protecting the hospital environment, but it wasn't doing anything. Heck, they might even have been monitoring it on the management port to make sure it's up, and you bet the hospital was paying for that thing.

And you're probably thinking, "Well, this could never happen to me." Do me a quick favor. I want you to ask your team, and I want you to ask them how they check that a firewall is successfully deployed. How do you test your IPS and IDS? Do you actually send a payload through to see if it alerts, and trace that alert all the way through the SOC to make sure everybody on your team sees it and responds correctly? Or do you just have somebody review the configuration and call it good? You might find out that you don't do any testing at all. When the network is back online, you consider all your work done.

How can you avoid the issue that I ran into? How do you avoid being the MSP who set up a brand new firewall to find out that it isn't really doing anything? Yep, that's right.
If you don't want to be in that position, you'll have to come up with a way to test your work. You'll have to test your team's work. You'll even have to test your vendors' work.

Here's how we do this type of testing for MSPs. We focus on what would happen if an attacker was able to get someone on your team to click a link. The very first thing they're going to do is establish persistence, create a secondary callback so they can get in if something gets disconnected. Then they'll scan that computer to see what they have immediate access to. So when we're doing analyses for MSPs, we do the same thing. We look at the machine to see what's on it.

Let me share with you some of the results. One day we were doing an assessment for an MSP and we came across a few passwords, three passwords to be exact, on one of its engineers' computers. With those three passwords, which we were able to decrypt, we could figure out the pattern the MSP was using for all its passwords for all its clients. We used the history of that computer and its browser to identify all the external IP addresses that the passwords were used to manage, i.e., this client's cloud infrastructure. Holy cow. We had found a password treasure trove and gained access to the MSP's entire cloud infrastructure.

I scheduled an emergency call with the CEO of that MSP. Then I sat down with him over a quick video call and we got started. Imagine for a minute that you are me and that you're about to tell this guy that you have all the passwords for all his clients and access to his entire cloud infrastructure. I got a little nervous. I don't know why; maybe I was nervous for him. Anyway, I started to describe the situation. "We need you to change these passwords right away," I said. Then he said, "We use two-factor authentication. It's okay. It doesn't matter, because we're still safe." Duh. He has two-factor authentication.

Let's dig into what two-factor authentication is, just so we're all on the same page.
Two-factor authentication means you have something that only you know and you have something else that only you have. An example might be a password and a phone that receives a text message. This allows you to confirm the identity of the person accessing the system by having two separate indicators of their identity. The CEO believed that since users had two-factor, losing a password, or all your passwords in this case, wasn't a big deal. Even though the passwords were compromised, the hackers would have to compromise the user's cellphone as well in order to gain access.

So instead of trying to school him about two-factor authentication, I said, "Do you mind if I share my screen and we try to connect to one of these cloud infrastructure clients? It would just be like you're logging in." Long pause. Then he said, "Sure, go ahead." I typed in the IP address, I put in the user name, I put in one of the passwords that I had, and I clicked log in. Bam. We were in the back end of his cloud infrastructure. We could see all his servers. We could see all his backups.

Just imagine what I could have done if I were a hacker. I could have deleted the backups, then ransomed all of the data on those servers. I could have even changed his password. All told, there were 113 client environments on his cloud. Think about what a tasty morsel that would have been for a ransomware gang: being able to infect and ransom 113 clients all at once. Well over a $10 million haul.

He was so surprised. I mean, that call wrapped up very quickly, because he had to go figure out why two-factor authentication was turned off inside the cloud infrastructure. He also had to figure out how to get all these passwords changed ASAP. Why the password change? Because his team was using a pattern that contained the year and a few letters and symbols that spelled out the MSP's name.

You're probably thinking, why does this happen? I mean, why would somebody turn off two-factor authentication?
Was the tech who turned it off trying to bypass something, or get his owner in trouble, or open a door for hackers? Was there some script he needed to run in a short amount of time, and it was taking too long to log in using two-factor authentication, so he decided instead to just turn it off? No. It happened for one reason: human nature. It's human nature to underestimate future risk. Let me repeat that. It's human nature to underestimate future risk.

You might be thinking, "I don't believe you." Well, do you know anyone who understands that smoking increases the risk of cancer? Of course you do. The warning is on the package, for gosh sake, but people still smoke. Why? Because they think it can't happen to them. It's not this cigarette that's going to cause cancer.

How do you fix human nature? You create policies and procedures, right? Then you punish people who break them. It's pretty simple. Well, the MSP whose two-factor authentication was turned off had spent thousands of hours perfecting policies and procedures. Thousands of hours. In fact, that MSP is probably way ahead of you in that department. Not only have they invested the time to create the policies and procedures, they actually paid a third party to audit them and sign off on SOC 2 compliance.

So why did it happen? To answer that, I'll ask you another question. Do you ever speed? I do. I'll let that secret out of the box. The next question: have you ever been caught speeding? Yes. And another question: if you've been caught, do you still speed? Really? I know I do, even after I've been caught and even after I've gotten a ticket. What's going on here? There's a really simple policy in place. The speed limit is 65 mph. It's super easy to understand. It's three words long. It's not hidden anywhere. It's not like this policy is buried in a binder in someone's office in the back. No, this policy is posted in plain sight. I pass it three times daily on my way to work. It's all over the place.
Yet you still violate the policy, and you're even proud of it sometimes. Back to me for a minute. Even after I got that ticket and paid the fine, I still speed. In fact, I drive a fast car. I mean, if you have to drive, you might as well make it fun, right?

What we have here is a cultural problem. This is why policies and procedures don't change behavior. What happened at the MSP is about culture, and when you try to fix a culture problem, you can't just create rules. You've got to help your team experience moments when the danger sinks in.

You could get a penetration test. You could pay hackers to break into your network and figure out where your vulnerabilities are. Well, I'm going to save you between $32,047,000 right now, because that's how much a penetration test usually costs. Your team already knows where the holes are. They already know where they are taking unnecessary risk. Your people already know the shortcuts they took.

You could hire an MSP to be your MSSP. But who's to say that's going to keep you safe? And by the way, MSSPs are hot targets for hackers too.

You could build a security team among your existing engineers. I've done this before. I remember when our first CISSP got his certification. I was so excited. I mean, we had a party. We paid for his training, we were paying him above market wages, and he was pretty excited too, when he left for Lear just six months later. We lost a total of four CISSPs to organizations such as Lear and G. Why your MSP is just a stepping stone to the next big gig.

You could hire a security hot shot from the outside. I've done that too. I spent the money to get the guy into our organization. But then three months after he comes onto our team, one of his buddies contacts him from the Pentagon. Poof, he's gone. And so is my security program.

You could start a security committee, but a committee doesn't change culture. It might work for a day or two.
It might get you through a quarterly or an annual goal, but in the end, committees stall out and get lost in their own upkeep. Just imagine if I approached you and said, "Hey, I have an idea. If you want to increase your sales to grow your business, why don't you start a sales and marketing committee?" You think that would work out? Do you think you'd have double-digit growth because you have a sales and marketing committee meeting on a biweekly basis?

You could buy more products, but why bother if your team is just going to turn them off?

You could stick your head in the sand and ignore the problem. But if you intend to do that, I want you to go through a mathematical exercise first. Let's say that you get 75 help tickets per day, and 1.3% of the time there's a defect. That's a low defect rate; that's lower than the one we had at my MSP. But let's say that 1.3% of the time you have a defect, which means you get 0.975 defective tickets a day. And let's assume there are 20 working days in a month. Now let's assume that 8% of the time those defects create vulnerabilities. That would leave you with 1.5 new vulnerabilities in your environments per month. 75 tickets times 1.3% equals 0.975, times 20 equals 19.5 defective tickets, times 8% equals 1.56 vulnerabilities.

Bottom line: none of these options are viable. Worried? Here's what you can do. Start with your house. Analyze your computers. Make sure you have the right tools in place, turned on and working. Then start focusing on your clients.

Where do you start? Take a look at the cyber hygiene of your engineers. You need to understand what your engineers are doing. Just imagine if you were still going on site to examine every single computer you worked on and weren't washing your hands between computers. Think about all the germs you would move from computer to computer. This is the same thing. You're trying to analyze your team's hygiene.
What if you could just run a small utility on your computer and find out how your team is doing when it comes to hand washing? I have a solution that makes understanding where you are and where you're headed simple. All your team does is run a small utility on its computers. This will take between three minutes and an hour. It doesn't slow anything down. It doesn't get in the way. You might be thinking, "Well, I have people working from home." That's no problem. It will analyze the user's home environment and identify any network devices that are susceptible to hackers. There's no need to run it on a server or use administrative credentials. It can do the analysis as a normal user.

If you own an MSP, you need to analyze your engineers' cyber hygiene. You want to find out how your tools are working. If you would like to see exactly what an attacker would get to if one of your employees was phished, go to galactic scan dot com slash stack and get an analysis of your cybersecurity stack.