CRAIG: Hey everyone. Welcome back to the 101 Digital Podcast.

Today I’ve got a very special guest with us here, one of our cybersecurity partners, Joe Yetto, with Cyberstone.

Today we want to talk through a couple of security things, talk through pen testing, vulnerability scans, all sorts of things that they offer and why they’re so important.

CRAIG: So one of the first things I want to touch on is some of the common security threats faced by small businesses and medium businesses, the SMB space, and why it’s so important for us to really focus on this because we get a lot of customers that will say we’re either too small, the data that we have isn’t important, different things like that, right? I feel like you guys hear it all the time as well but can you kind of just go through why it is so important to look at these cybersecurity threats that are happening in the space and not just to say we’re not big enough and it’s not going to affect us essentially?

JOE: Yeah, Craig. So, it’s interesting because the SMB demographic continues to be one of the more popular, in fact, the most popular target for adversarial threat actors for the computer hackers, right? And it is that way for a couple of reasons. You mentioned one of them indirectly which is the mindset of the owner operator of the typical SMB. “I’m too small, I’m insignificant, I don’t have the critical mass or value that that the larger organizations do. What would a hacker want with my computers or my data?” And because of that mindset we tend to see the information security controls that would prevent or detect some of these attacks
tend to be more casual in the SMB environment. And what happens as a result is you have to understand that that the hackers, the threat actors, they’re looking to monetize their efforts as quickly as possible. It is all about financial gain and so if you consider the path of least resistance from their perspective, am I going to spend my time and effort and, by extension, resources? Am I going to spend all of those resources trying to compromise a larger organization that has a very mature and sophisticated control framework? Or am I going to target 20 or 25 smaller organizations and accelerate the desired outcome which is to monetize my efforts? I’m going to get there one way or the other, right? And so that reason alone should cause the owner operator of a small medium business to consider the fact that they their organization has value, right?

CRAIG: Yeah, and I think the way you stated that is very similar to when a lot of our customers will say, “Hey, we don’t want to go to the Cloud, you know, security concerns”. But the one thing I’ll bring up is Microsoft and some of these other bigger companies they’re spending millions, if not billions, of dollars on security. So, to your point of this “We’re not big enough” and the threat actors will actually go after those smaller organizations for that exact same reason. They’re not putting that financial commitment to cyber security. So, yeah definitely makes sense.

CRAIG: The next thing I want to talk through that you guys do for a lot of our customers is vulnerability scans, but also pen testing. And just a quick thing on that: Typically, you wouldn’t want to, as the managed IT provider, to also provide those services because you’re kind of giving the answers to the tests type of thing. And obviously you can go into more detail on that, but also that there should be a cadence to it, right? You shouldn’t just do it one time and be like, “Okay, we’re good forever.” Can you just talk us through why that’s important? Those cadences and everything else behind what vulnerability scans and pen testing is?

JOE: Yeah true. So, there is a segregation of duty aspect, which you alluded to, right? Where the folks that are managing and responsible for your information technology function should not also be the ones that are responsible for building the security controls and ultimately testing the effectiveness of those controls, right? We want two different parties or people doing those functions. No different than in the accounting world where you have accounts payable and accounts receivable for obvious reasons. Number two, I think it’s important to consider the fact that information security is not an event. It’s not a one-time event. It’s an ongoing process and there’s reasons for that.

So, when we think about vulnerability scanning, the exercise itself, if I could really quick, what we’re going to do is use a tool to scan the technology environment and we’re looking for security flaws. These are publicly known and available. So, there’s a database of what’s called common vulnerabilities and exposures — publicly available to us, to you, even to the threat actors — to the hackers. So, these are flaws that are existing in systems and applications and operating systems that can be exploited resulting in some kind of disruptive cybersecurity incident. So the idea is if you scan your environment on a regular basis — remember this is an ongoing process — If you scan the environment on a regular basis, you will identify these flaws and vulnerabilities that otherwise you would not know exist and you have a chance to go and remediate those conditions so you can go and patch the computers or turn off the port or reconfigure the security parameters of any given device so that you limit your exposure.

Now in terms of why we do this ongoing and “Why can’t I just scan the environment once?”, there are new vulnerabilities that are discovered every day. Most of the vulnerabilities actually exist because of some kind of human mistake that happened on the front end, developing the code of the application. So, there are new vulnerabilities that are discovered almost daily, and you can scan the environment and come back and say, “We’ve fixed everything, we have got it clean,” and then a month later, find that there are actual new critical vulnerabilities. So that’s why you want to look at this as an ongoing process. So that’s vulnerability assessments.

JOE: Penetration testing is different, and a lot of people actually confuse the two exercises. They think they’re the same. So, with the vulnerability assessment, we’re scanning all assets, looking for deficiencies so that we can fix those. With a penetration test, we’re simulating an actual attack. So, we’re doing way more than just scanning the environment. We’re going to simulate the attack efforts of an actual hacker and the outcome is not to identify vulnerabilities, but it’s to test the effectiveness of your security controls. So, a lot of organizations will say “I have a firewall, I’ve got some kind of antivirus protection, I’m using multifactor authentication,” and they’ll rattle off all these different controls that they have in place. And the question is: Do you know if they’re working as advertised? Because we routinely see controls that are compromised and circumvented every day. So, what if you leave your house in the morning and you lock the front door, which is a control, to prevent unauthorized access into your home. You turn around and you do what? You give the door knob a little jiggle, just to make sure that the door’s latched and that you did, in fact, lock it, right? So that’s the same concept with penetration testing. We understand that there’s controls in place, the firewall is implemented, and we think it’s configured correctly. Can we turn around and give that door knob a little bit of a jiggle and if it does pop open again, have a chance to fix some of those things.

CRAIG: Yeah, we’ve obviously done that with your guy’s team already, right?
So, it’s good to kind of see how that works. Most recently, one of our customers is going through that exercise where essentially, you can explain this better, but we have a warhead type thing, right? That we kind of deploy on-site. Do you want to go into that because I feel like that’s one of the cool hacker type things that people see on TV, but we in a way are utilizing that, right?

JOE: Sure, yeah. So, the warhead device is a computer, is really all it is, but it has all of our tools loaded on to it that you would use as an ethical hacker. So, if we’re looking to test the internal or private side of a network environment, we would ship this device to the client and ask them to plug it into their network environment so that our team can run the tools and do the ethical hacking from inside. So, simulating an insider threat or simulating an internal foothold that’s already held by an external threat actor. And so, the warhead is just a creative name that the team developed way back when at Cyberstone to name these computers that we shipped on-site to perform the penetration test.

CRAIG: I feel like that makes it a little fun too. Even our team gets excited, they’re like “All right, they’re shipping the warhead.” But also, with one of our customers recently, Cyberstone started that pen testing and as Joe mentioned, luckily, we do have those things in place. Some of our customers, we are actually monitoring their logs 24/7 and we saw an event where, I think it was SMB share, was trying to be accessed with a new account. Something happened where our SOC and SIEM were able to see that happening real time, right? And it was obviously you guys. So, it’s, again, making sure that we’re actually looking into the procedures we put in place versus just saying, “Hey, we’ve put a firewall AV this that in place therefore we’re okay, right?

JOE: Well, it’s a great example because so many people will invest in a SOC or a SIEM technology and they assume that it’s monitoring the environment and it’s working only to find out that it wasn’t tuned correctly, or it wasn’t configured correctly. So, we’re able to evade that control and go undetected. When you see that it actually works and it triggers the alarm and more importantly that people respond to that alarm, high fives all around right? Yes, we validated the effectiveness of that control.

CRAIG: Exactly.

CRAIG: Next thing I wanted to go over is some of the best practices for employee training, but also some security policies and procedures that businesses should put in place, and I guess why it’s so important. Again, what we just talked about was putting firewalls in place AVs in place, potentially SIMs monitoring all that data, but as you know the last line of defense is always the employee. So, can you just give some — why that’s so important? And then the policies and procedures that any business can just look at to harden their security.

JOE: Sure. So, the most popular way to compromise or circumvent the security controls that we make significant investments in is by social engineering. A human being, right? And we see evidence every year. It’s not stopping, it’s not slowing down and so we have to consider our employees and even contractors, anyone who has authorized access to our environment, there’s a responsibility to teach those folks how to be good cybersecurity stewards and the reality is, most of them have very good intentions. They want to do the right thing in the name of cybersecurity. They don’t want to make a mistake and put the organization in some kind of undue risk exposure, right? But we do have a responsibility to train them because they need to be able to detect when there’s a social engineering attempt happening. They need to know how to report that, and they need to know the actions that they should take and more importantly, the actions they shouldn’t take.

And so, there are a lot of very affordable information security awareness training tools that exist today. Many of them make it super convenient. I know the one that you offer at 101 Digital, little micro clips of training videos, that teach you how to detect an email that’s probably suspicious and has malicious intent, simulated phishing attempts, right? So, we’ll actually train, we’ll send simulated phishing emails to the end users and test the effectiveness of that training. And that’s all great, but when you think about it, consider this: Consider the potential impact that an employee making the wrong decision has at the end of the day. And does it make sense to do a little bit more in terms of training them and making sure that they know the responsibility? So, taking a step back from some of the traditional awareness training programs, there’s greater opportunity for business owners and operators to make sure that their employees know how to react in these situations. For example, you had mentioned policies and procedures. Policies are great. I always ask business owners: do your employees know whether or not they can wear flip flops to work? It’s an immediate yes or no because there’s a formal dress code policy. Then I’ll say: do your employees know whether or not they can use a thumb drive from their house to transfer information at work? Do they know whether or not it’s okay to use personal email for work related activities? Is it okay for them to bring their laptop home and let their child play video games on it? So, all of these things are rules that are undefined and employees make their own decisions and sometimes it’s the wrong one.

So, policies, particularly an acceptable-use policy, can help set the rules and provide the guidelines. This is what we do and what we do not do in the name of information security. Above and beyond that though, even you can start to weave these responsibilities into job descriptions. Even if it’s a small statement like “You’re responsible for protecting the confidentiality, integrity and availability of our information. You’re responsible for reading our information security policies and understanding what they are. You’re responsible for completing our awareness training program.” If you put those in the job description, it gets that much more formal. Then what about evaluation time? The old performance review, right? Is there a way for us to look historically back at whether or not they completed all of the training requirements? How do they perform against phishing simulations? If they did actually have an opportunity to report an incident, did they do it the right way? It doesn’t have to take up too much of that conversation but is there two or three evaluation criteria that we can weave into that performance review just to build that culture of “This is an important topic.” And we’re not just making you go through the annual training and watch the videos. We’re actually going to promote this a little bit more than we have historically and make it feel like it’s an important topic at work.

CRAIG: Yeah, definitely. As you said, it’s the employee that is sometimes overlooked in the security space, right? So doing even the base level, like you mentioned, one of the things that we can offer is the phishing simulation and the micro quizzes and then annual assessment. It at least gives you an idea of where your employees are at. So, if there is needed training, the employees can then get that. It’s just like anything. If you were to do a performance review on their actual performance just in their own role, but also in a security space. You can kind of identify the individuals that may need more of that help. For me and you, we probably take it for granted, right? We see the news, we’re keeping up with the cybersecurity industry, we know the things that are out there but most employees, just like technology, it’s not their space, right? They’re not really focusing on it. So, it is extremely important to you know make sure your employees have good training.

CRAIG: Next thing I want to go over is the strategies for incident response planning. You kind of touched on it in the last part, but essentially one of the things that Cyberstone does as well is they’ll train your staff on how to respond to some of these incidents. So, 101 Digital has gone through this exercise so that we know whether it’s internally or for one of our customers. Say they get malware, they get breached in some way, whether it’s physical in the sense of some object, like a warhead is somehow present on the network, how do we identify that? How do we then respond to it? If it’s malware, how do we make sure that we’re shutting down certain network devices or computers or any of those things? It’s not only us having that training, but even our customers should have that training as well because they may be the first line of defense to see that happening. So, what does that service look like? And why is it so important?

JOE: Sure. So, I have the opportunity to interact with thousands of small medium businesses every single year. And we talk about their information security program, and I can tell you with 100% certainty, the most overlooked element of that program is the organization’s ability to effectively respond to an incident. And I say it’s overlooked because the vast majority of organizations gain this false sense of confidence. They make the investments and the protective and detective controls like firewalls and antivirus, and they assume we’re in a good spot. Those controls are not going to be compromised. I’m not going to have any kind of disruptive incident or worse yet, an incident that escalates into a data breach. And then inevitably when those controls fail, then it’s chaos. I’ll get the phone call, “What do we do now?” And the problem with that is, you can always ask individual service providers or even employees that are on your IT team. You can ask them to provide individual heroics in that moment. But the reality is, if you’re not prepared and organized to deal with it, it will take more time to deal with the response effort and time is your adversary in these situations, right?

And what I mean by that is: Let’s say that a single computer has a malware infection, and it happens to be ransomware. If the user of that computer is able to:

A) Detect that something suspicious is going on
B) Take initial action like unplug it from the network or disconnect it from the network and then
C) Report it to the right people who would then take it from there.

Now we’ve contained that incident to a single computer and the potential loss magnitude is minimized on the alternative If those three things do not happen, the person does not detect that something suspicious is going on, they do not know that they should disconnected from the network and they have no idea who to call. And let’s say they decide to just go to lunch and hope that it all goes away. Now it propagates through your entire network and the loss magnitude It is much more. So, time is your adversary and how do you shorten the time cycle to respond to an incident and ultimately recover normal business operations? Well, let’s be prepared for it. Let’s be organized about it. It’s no different than when we were in elementary school, and they would have us do fire drills. They wanted us to know what to do in that moment. So, understand that controls do fail. They are going to be compromised. They will be circumvented. That doesn’t mean we throw our hands up in the air and invest in no controls. That’s silly, that’s negligent. But what it does mean is that we should take the time to make sure that our organization is prepared to deal with the incident.

And one of the tools that you can use to facilitate that preparedness is an incident response plan. And it’s just simply saying we’re going to have different roles. So, we have our incident reporters, who are typically users of our systems. We have our incident handlers, who are the technical folks that are going to be able to respond to the specific technical details of whatever needs to be done. And then usually some executive sponsorship. Decisions have to be made. Do we have to call a lawyer, call our insurance, etc. So, you define who those people are and make sure that we have the contact information written down. And then, more importantly, we document response procedures because there are so many different kinds of incidents. If you think about it, an individual could lose a laptop that has a large repository of nonpublic information, credit card numbers. That’s a security incident. We’ve got a lost or stolen mobile device and it’s unencrypted: What do we do? What is our response to that? You’ve probably seen examples where people have their email credentials compromised then, all of a sudden, their email account has been “hacked.” What do we do in that moment? All the way up to something more extreme where the entire network has been infected with ransomware and we can’t use any of our systems. All three of those examples have different response procedures. So, thinking through the more common threat scenarios, which is easy to do, and then thinking through, how would we respond and who would be involved in that response effort?

Documenting it, that’s step one, that’s your incident response plan. Step two, once again, let’s train the people who are going to participate in that effort. So, we run through tabletop exercises, right? And it’s a simple conversation where we simulate the idea. Okay, we just got infected with ransomware, you just got a phone call from an end user, what do we do now? And we just train this, right? And through repetition in the moment when it actually happens in real life, you’re that much more prepared and organized.

CRAIG: All of this is extremely important and again, as you explain it even hearing myself, right? I’m like that’s super important, but it is an ROI type thing because whether you want to call it insurance or whatever, that upfront investment is going to save you a ton of dollars if you have an incident because like you mentioned, time is extremely important. So, if people know how to respond to it, you could be saving the company thousands, if not tens of thousands, of dollars.

JOE: Millions.

CRAIG: Yeah, and even bigger ones – millions or just saving the business in general right?

JOE: Right.

CRAIG: I mean, I forgot what the stat is, but it’s a very high percentage of businesses that get compromised go out of business within the next couple of years, right?

JOE: Right. You don’t want to be dramatic, but it’s true. And so, investing in your ability to respond and recover is something that’s typically overlooked. And it’s like if you were going to invest in anything it should be those two areas, right? It’s great to have the protective and detective controls in place but they will fail. There will be a day where they fail. And so if we accept that reality and build our confidence in our ability to respond and recover, that’s the best thing you can do.

CRAIG: 100%

CRAIG: The last thing that we have to touch on because it’s, again, we’ve gone through almost like step by step, right? You’ve got the hardware, you’ve got the software, you’ve got the people. If all else fails then we’re at backups, right? So, just quickly talking through the importance of data backup and disaster recovery. Even the term that also is thrown out there is business continuity. Making sure that if all else fails, you have some sort of plan because businesses do need to, just taking a step back to the last one, is talk through those different situations of how they’re going to respond to something, but also what is their tolerance for downtime. And all of that does come with dollar figures. If you want to invest heavily in redundancy or making sure that if an incident happens, how do you get back up and running? And in some instances, unfortunately, it does then come to backups. If you get ransomware, you’re not going to pay it. You’re going to spin up your backups, but then how are you also going to do all of that? So can you just quickly going through that “when all else fails”, now you’re to backups.

JOE: Yeah. Having an effective backup strategy and the ability to recover those backups is so important. And the reason why is if we go back to the beginning of our conversation and we talk about the intent of the threat actor, of the hacker, it’s to monetize their efforts. And so, there’s a reason why ransomware, for example, is such a popular attack, why we hear about it all the time. It’s because they know if they encrypt your devices and render them useless, what happens? Business processes stop getting executed. Then what happens, right? A whole bunch of consequences — customer attrition, maybe revenue attrition. You cannot provide the products and services that make the business or organization thrive. So especially when the smaller companies question their own value, that’s the value that the hackers trying to steal, your ability to conduct business. And they know that if they can halt that business operation, you will all of a sudden recognize the value and be willing to pay the ransom. So, from their perspective, that’s what they’re looking to do.

And if you think about the number one way to combat ransomware is to have the confidence that, “Okay, we are hit with ransomware, right? The good news is we’ve got a backup that we can restore from and we know that we’re going to be able to restore critical applications and systems first that allow our business operations to resume even if it’s in a degraded state and that may take hours, maybe a day.” Whereas if you do not have that backup or the ability to restore from it, now you are at the mercy of that threat actor and it could be weeks. I’ve seen it take up to six months even, to restore business operations. And, you know, the other thing that I hear, we haven’t mentioned this, but it means that makes sense to do so now – organizations that say I have an insurance policy I have a cybersecurity liability policy they’ll cover me if I run into this situation. Yes, it is. It is beyond a good idea to have that kind of coverage, but you really don’t want to have to call and make that claim. It’s there for a last resort because when you call make that claim, the insurance company is going to say, “Hey, some things have to happen in a particular order,” like running a digital forensics team into the environment and detecting the root cause and making sure that it’s scrubbed. And that could take weeks to accomplish. So, if you have a good backup of your critical information systems you can restore in a shorter amount of time versus I’m going to fall back on the benefits of an insurance policy. It’s going to take longer. It’s going to take longer. So have the policy, but more importantly have the backups. And when you think about a good backup strategy, we’re going to focus on the crown jewels first and foremost. So, if you don’t know what applications and information are mission critical, go through a simple business impact analysis. Determine what systems are critical to executing the most important business processes and if you need help call an expert like yourself to work through that.

Typically, what happens is that they’ll start to fall into different tiers: Tier One, Tier Two, Tier Three. And that defines what are called recovery time objectives and recovery point objectives. Recovery time objective: how long before it’s painful, in terms of availability, how much time can pass before the system has to be back online? A day? An hour, right? And then recovery point is how much information can I lose? So, the last good backup I have is a week old. Is that okay? Or does it have to be from yesterday? So, you’ll define that for all these different workloads and systems then you can rely on an expert like yourself, Craig, to put that backup strategy in place and understand that we’re going to be able to recover from it. So, when it comes to backups critical systems and informations, we recommend you follow the 3 2 1 rule. Three copies of that backup, two different kinds of media because if we have three copies on the same backup server and that server’s compromised how good is it? So, two different media. One off-site. That way it’s, to some degree, air gapped and we can always leverage that off-site backup. The last part of this is, again, having a recovery procedure documented, a disaster recovery plan/business continuity plan, not the same thing but same idea for the purpose of this conversation, test it. Once a year, test it, right? Pull the plug on the system, run a live test and see if your recovery capabilities are actually working as you intend them to.

CRAIG: Very very informative. I feel like even someone who’s in IT, all of this information, again, even for myself is extremely helpful.

CRAIG: So, I really hope that the SMB community, our customers, potential customers all find this extremely helpful because, again, it’s something that can easily be overlooked in this space specifically, the small and medium businesses. And it is extremely important.

Want to thank you, Joe, for coming on and giving us the cybersecurity knowledge that I think everyone, even just listening to this, can at least make some steps, even without cost, that would be extremely beneficial to their business. So, again, thank you Joe.

JOE: Thank you.

CRAIG: And thank you everyone for tuning in and we’ll see you in the next one. Thanks.