July 29, 2024

Advanced Ransomware Prevention

In this important episode of "The Backup Wrap-Up," we continue our discussion on ransomware, and dive deeper into the world of ransomware prevention. We assume you've done the basics (password & patch management, and MFA), and want to do more. As cyber threats continue to evolve, it's more important than ever to stay ahead of potential attacks. We discuss a range of strategies to protect your organization, from application whitelisting to securing service accounts.

Among other things, our conversation covers the importance of restricting risky network protocols, implementing multi-factor authentication, and employing reputable anti-malware software. We also explore the benefits of penetration testing and red team exercises. Additionally, we emphasize the significance of establishing relationships with blue teams and law enforcement resources before an attack occurs.

Join us as we provide actionable insights on ransomware prevention, helping you build a robust defense against this pervasive cyber threat. Whether you're an IT professional or a business owner, this episode is packed with valuable information to enhance your cybersecurity posture.

Transcript

Speaker: Welcome to The Backup Wrap-Up. The only podcast dedicated to the underappreciated heroes of the data center backup admins. We're continuing our coverage of ransomware, and today we're again talking about preventing it. We'll cover a range of preventative measures including application whitelisting and blacklisting, inventorying service accounts, restricting risky services, and the importance of establishing relationships now with red and blue teams as well as law enforcement. Let's keep ransomware out of your environment.

Speaker: By the way, if you don't know who I am, I'm W. Curtis Preston, AKA Mr. Backup, and I've been passionate about backup and recovery for over 30 years, ever since I had to tell my boss that there were no backups of the database that we had just lost. I don't want that to happen to me ever again. I don't want it to happen to you. That's why I do this podcast. Here we turn unappreciated backup admins into cyber recovery heroes. This is The Backup Wrap-Up.

Speaker: Welcome to the show.

Speaker: Before we get started, I just want to ask you to press the follow or subscribe button so that you can always get this show, whether you're following on an audio format or on YouTube. Uh, either way we'd love to have you. I'm your host, W. Curtis Preston, AKA Mr. Backup, and with me, I have my non-standard air conditioning installer sympathizer, Prasanna Malaiyandi. How's it going, Prasanna?

Speaker: I am doing well, Curtis, and here's a question. Do you have working air conditioning as of this moment?

Speaker: No, I do have, it's, it's at 95%. Um, I'm doing a very non-standard, I'm installing one of those portable air conditioners, but I'm installing it up on the wall so that, because where I live, you know, I have an HOA and they won't let me put like a window unit air conditioner.

Speaker: Right.

Speaker: So I have the, you know, but I don't, I don't have a spot to put it on the floor, so I'm mounting it up on the wall. So it involves lots of heavy brackets and things like that, and lots of, uh, literal sweat equity and putting it up. And sadly I put it up and then, as you know, uh, had to take it down and put it up again because I neglected to account for the distance between the exhaust port and the window. Oopsies.

Speaker: Yeah, that's not good.

Speaker: Oopsie.

Speaker: Do you, did you also cut a hole for the cord?

Speaker: I did, I cut a hole for the,

Speaker: Okay.

Speaker: I cut a and, and I cut a very nice hole, a very nice hole for the cord. That was the, another mistake in the first version. Uh, it's what happens when you're just sort of winging it, you know? Like, oh, I just need a shelf. I just need a shelf. And some brackets, I bought some nice brackets, you know?

Speaker: might I recommend,

Speaker: Yeah.

Speaker: I know it's like above like a bed and things like that, that sometimes people sleep in.

Speaker: Yeah.

Speaker: I recommend telling people whenever they sleep to put their head on the other side away from the AC unit?

Speaker: Well, they can sit up.

Speaker: No, no, no.

Speaker: I'm

Speaker: What

Speaker: in case something falls.

Speaker: are you questioning the structural integrity of my air conditioning unit?

Speaker: no, but just say that there we live in California. There might be an earthquake, it might be enough that it shakes off even though you do have a lip to keep it in

Speaker: Yeah.

Speaker: I.

Speaker: Yeah, I do have a lip to keep it in place.

Speaker: saying that having a 65 pound or whatever air conditioner fall on your head is probably a lot worse than a 65 pound air conditioner falling on your foot.

Speaker: Uh, yeah, that's probably true. That's probably true. So, uh, but thanks for that image. Um.

Speaker: So we're gonna continue our series in ransomware. Uh, this one is gonna be talking about ransomware prevention. In terms of other things that we can do, we've already talked about, um, the, you know, we've talked about protecting the backup server. We've talked about the, the three things that everyone should do to prevent ransomware. What are those three things, Prasanna?

Speaker: Patch

Speaker: Yeah.

Speaker: Patch management.

Speaker: password

Speaker: Password management.

Speaker: MFA. P-P-M.

Speaker: if you're not using, um.

Speaker: If you're not using MFA at this point, uh, you're gonna hear, it's gonna come up again in this episode, but this is in addition to that. In addition to all the stuff that you did to, to, you know, this is assuming you did that. What's the next step? These are the, please do these things. Um, it will also make it harder for you to be attacked by ransomware and the, the first one.

Speaker: could make it harder for you to also use things too.

Speaker: What

Speaker: It's

Speaker: this, this is true, right? A lot of times security is at war with usability,

Speaker: Yep.

Speaker: right?

Speaker: Um, and I, I tell the following, uh, story, which I know I've told here before, but I remember back when I first, um, you know, did backup software. We used this lovely thing called RSH.

Speaker: Right.

Speaker: And all you had to have was, uh, you know, an entry in, uh, I forgot the name of the file. There was a file in the, the, you know, the, your, your, your home directory, which even if it was root you, if you had that file, um, and, and it had the name of the host you were coming from in that file, you could RSH as root without a password. And, and I happen to know that one company where I, um, installed backup software, one of the many that I did throughout the years, household name company, um, when I got there, they had RSH as root from every Unix host to every other Unix host. And this was like a major company.

Speaker: yeah.

Speaker: Um, why, why do I bring that up? Um, it, it, you know, I, I just remember how much the security people hated that. Right?

Speaker: Yeah,

Speaker: And, but, but lemme just finish. But the reason was that the tool in question was rdump. rdump wouldn't work if you didn't, if you couldn't RSH as root without a password.

Speaker: Yeah.

Speaker: Okay, so that's one side. Now let's go to the other extreme, right, where I think you've told a story on the podcast before, the one company you worked at where the network people locked down every single server.

Speaker: yeah, yeah. It was the most secure company that I'd ever worked at. It was the complete opposite of that other company and, um, where we, we were prepping for Y2K and that they were really, it was, it was a very secure environment where they did, they did all the things that we asked people to do and, and you weren't able to get from one server to another server. It's like, the question was, why do you need to get from server A to server B? Right? Uh, you, you needed a reason to be able to communicate between those two servers and then they would open up only the port that you needed. And I was the, the one crazy guy that, you know, my server needed to talk to all the servers because backup. And they didn't like that, and they kept trying to shut it down. And then, and, and then they, and then they kept trying to like sniff the problem. The problem with NetBackup, uh, well, one of the problems with NetBackup is that it uses a random series of ports. And, um, so they did not like that and they kept shutting things down. And yes, uh, it, it just, it was, uh, so let's just say this. This thing of security being at war with usability is not, it's not a new problem.

Speaker: Yep.

Speaker: Um, and the first thing that I want to talk about it, it's just something that I want you to think about because as I recall the last time you and I talked about it, I think you were against it. Um. And, and, and we'll, we'll see. Um,

Speaker: yeah.

Speaker: that is this concept of application whitelisting. Uh, and in my notes, I have this as the silver bullet. And why do I say that? And we can argue as to whether or not it's a good silver bullet. But why do I say it's a silver bullet,

Speaker: Because you're basically restricting what runs in the environment.

Speaker: right?

Speaker: I.

Speaker: you control what runs, then there's less likelihood that you will be using something that is malicious.

Speaker: Right, right. So if we, if we say only, you know, Microsoft Word and SQL Server and SharePoint are the only things that are allowed to run on this box. If there's something other than that malware based, then it just won't be able to run because it's not whitelisted, right?

Speaker: Yeah.

Speaker: It is a giant pain in the butt.

Speaker: Geez.

Speaker: Can, can we agree that application whitelisting is a giant pain in the butt? What do you think?

Speaker: Yeah.

Speaker: No, I agree.

Speaker: Yeah.

Speaker: Is it however, something that we should think about in certain circumstances? For example, if you have a very well, uh, understood end user community, that they all use the same 17 applications.

Speaker: Right?

Speaker: Yeah.

Speaker: And you could, you could lock it down to the same 17 applications for all of those. And then of course you will absolutely have some users who are special. Their name will probably be Curtis or Prasanna. 'Cause we always want to do stuff that's outside of the norm.

Speaker: Right.

Speaker: Um.

Speaker: You, you, you'll have a handful of power users that will end up with 37 other applications. I, I think that in those scenarios, like we don't, maybe we don't have to do it for, well, there, there's just, there are areas where maybe it's harder to do than others and I'm thinking

Speaker: or functional units.

Speaker: Right, right.

Speaker: Yeah,

Speaker: Um, if there's an area where you can do this, I guess I'm just saying think about it.

Speaker: yeah.

Speaker: If you application whitelisting, I think it would be, it would go a long way to stopping ransomware or any

Speaker: I think there's different ways you can implement application whitelisting. One way is to sort of say, Hey, here is a list of approved IT applications that you are allowed to install and deploy, but don't necessarily prevent people from installing other things. You sort of use the honor system or IT policies just like everyone has, right? You sign a code of conduct when you join a

Speaker: right.

Speaker: right?

Speaker: Or the employee handbook, right?

Speaker: and then could we perhaps monitor for anything that is outside the whitelist and then send off the, the CLS and alerts when it

Speaker: Yep.

Speaker: Yeah.

Speaker: Yeah.

Speaker: Right.

Speaker: So you can at least start a process so you're not getting in the way, but at least you're having an ability to monitor and figure out, okay, what are people doing? Does this make sense? And maybe you also have a list of applications, because I think in addition to having a list of applications that you approve in that whitelist, it's also important to have a list of applications that you block.

Speaker: Yeah.

Speaker: Which is also as equally as important,

Speaker: what would, what would the name of that process be?

Speaker: Application blacklist.

Speaker: Yes.

Speaker: Okay.

Speaker: You, you said that like, it, you weren't sure.

Speaker: Yes.

Speaker: It's the opposite of a whitelist, right? Application blacklist.

Speaker: Right.

Speaker: So you could, you could have a, a series of apps. Um, and, and I would put a lot of the security software that is often installed by, um, uh, cyber attackers as, um, bl, blacklisted. Again, there are exceptions to the blacklist where you need to install it, and then you want to find out who, who is actually trying to install such, such tools, right?

Speaker: Um.

Speaker: And I think another thing, Curtis, that becomes interesting is these days a lot of people just use SaaS applications. So by using a SaaS application, you don't even have to worry about application whitelisting as much anymore.

Speaker: Isn't SaaS so great?

Speaker: There are things I don't like, as, you know, there are things I don't like about the SaaS world. I'm concerned very much about all the data that's out there, but, um, but this is definitely a, an advantage of the SaaS. Uh, you know, we're, I mean, as we are talking, we are using a SaaS application.

Speaker: Mm-hmm.

Speaker: I don't know how we would do this back in the day.

Speaker: Right.

Speaker: I guess we could, what, what was that tool that we used to O-B-O-B-C-O-B-S-O-B-S. We, we used to use OBS, um, and theoretically we could do that, but we would still need a way to see each other. Um, which,

Speaker: have FaceTime running in parallel.

Speaker: would be a SaaS.

Speaker: Yeah,

Speaker: Yeah.

Speaker: There.

Speaker: You know what I remember back in the very early days, I remember software that you used on your laptop. You had a piece of software running on your laptop. They had a piece of software running on their laptop, and those two pieces of software directly communicated, um, to, to webcam to each other.

Speaker: Man, those were such, so, so bad in terms of quality.

Speaker: Yeah.

Speaker: Oh yeah.

Speaker: So yeah, that the, the SaaS world makes things a lot easier. Um. All right, so enough of that.

Speaker: So now let's talk about disabling other attack vectors. Now, one of the things that came up when, um, we had Dwayne on with the, the, the red team, uh, episode, which at this point is now about five or six episodes back, is this idea that there are service accounts out there that are running with like, no, no password, default passwords are really crappy passwords. Right? What's a, what's a service account? Why does this matter?

Speaker: So a service account is like a special privileged account that runs on the system and is used for things that need to happen without necessarily user interaction.

Speaker: an example, backup.

Speaker: Right. So normally you have a backup service account that runs on the system and kicks off backups that need to happen on the system

Speaker: Do you remember the special thing he said about the backup service account?

Speaker: that it had access to everything.

Speaker: It had access to everything without logging,

Speaker: Yeah.

Speaker: right.

Speaker: Oh, that's right.

Speaker: Right,

Speaker: Yeah.

Speaker: so it can access all the files that it wants, download all the files it wants, because that's what backup is, right? Overwrite all the files it wants, because that's what restore is, without triggering any alarms of any kind.

Speaker: Yeah,

Speaker: here you have it installed with the password of backup

Speaker: or, or maybe it's installed with NetBackup or NetWorker or TSM.

Speaker: Um.

Speaker: Yeah.

Speaker: Or Veeam, right? Uh, please, please don't do that. Right?

Speaker: So, so I wanna talk about, so we need to figure out how many service accounts are out there. And so there is this, uh, there is this concept of a service account inventory. Um, and when I, when I googled that there, you know, there, there, there were some, uh, some things that you could do. Obviously they talked about things like reviewing the documentation, uh, you know, any documentation you have as to where you would typically install service accounts. Uh, there are Active Directory tools such as, uh, you know, PowerShell that you can look for, things like special account flags, and two special account flags pop up. Do you know what they are? I'm gonna guess no. Why would you know this? Right? The two special account flags that they popped up are "don't expire password" or "password not required."

Speaker: Ugh.

Speaker: Password not required. Um, you know, look for group membership, like domain admins, enterprise admins, um, you know, and look for the types of applications that need service accounts. What kinds of applications besides backup would you think those are?

Speaker: Right,

Speaker: Anything that runs as like a daemon process, right, in the background on the system,

Speaker: right.

Speaker: Um.

Speaker: security software

Speaker: Right. Security software, ironically enough, uses a service account, antivirus.

Speaker: Right.

Speaker: Um, the, um, go ahead.

Speaker: But I think though a service account, you cannot, normally, you're not allowed to log in using a service account,

Speaker: Right.

Speaker: right.

Speaker: It is just for things that are already on the system to be able to operate with different privileges on the system.

Speaker: Yeah.

Speaker: Right. You can't log in like in the traditional sense, but you can log in from an API perspective and do the things that that thing is supposed to do. And so all I'm saying is figure out what those are and give them real passwords. If you've got accounts, service accounts that say, don't, you know, no password required, it seems like that is bad.

Speaker: Yeah, and I think the other thing to mention is the service accounts are basically on a per machine basis.

Speaker: Yes.

Speaker: So it's not like you can go look in Active Directory and say, Hey, where, what are all my service accounts? You have to hit every single box and say, what are the service accounts available? And that's why you use things like PowerShell and other things make sure, okay, what is there? And this inventory shouldn't be on a one-time basis either

Speaker: Right.

Speaker: applications get added, removed. Systems come online, get decommissioned.

Speaker: Yeah, a very regular thing. You should be out there looking for new service accounts.

Speaker: So I'm hearing that the most common way that systems are compromised these days is, um, stolen credentials. What's the second most common way? What was that? For those not watching the video version on YouTube, uh, Prasanna just made a, a, I think that was, was that like a fishing reel?

Speaker: Uh,

Speaker: it's a fishing reel and then, uh, pull it back in

Speaker: um, yeah.

Speaker: phishing with a ph, uh, phishing and, uh, and spearphishing, which is a very specific type of phishing. The, and this is often via, um, email, right? And so another thing I'd like you to consider is, again, these are all optional things. Um, you know, some less optional I think than others. But this is something to consider and that is the idea of putting in some type of monitoring system, filtering system in your email system in order to, uh, see if you can catch, you know, use AI, um, and, and other tools to identify phishing, uh, attacks on the front end.

Speaker: and I believe that many of the SaaS email providers like Microsoft and Google have pretty extensive phishing protections already built in, but it doesn't mean you shouldn't use a third party solution as well.

Speaker: I think that's true everywhere, right? That there's often

Speaker: Yeah.

Speaker: OS tools that are available, but there are, um, uh, third party tools that may be more extensive.

Speaker: The question, they will also be more expensive,

Speaker: Yeah.

Speaker: Extensive and expensive.

Speaker: Um, all right, so we gotta talk about my favorite boogieman. What, what is it?

Speaker: Port 3 9, 2 2, I

Speaker: Is that.

Speaker: Or is it three?

Speaker: Five.

Speaker: Five, three.

Speaker: Is that the port for RDP, the Ransomware Deployment Protocol?

Speaker: Um, yeah.

Speaker: I,

Speaker: Nine.

Speaker: what's that?

Speaker: 3, 3, 8,

Speaker: 3, 3, 8.

Speaker: get that tattooed on your forehead.

Speaker: Um, I'm, I'm suddenly, I'm thinking about, um, 2 4, 6 0 1 from, um, Les Mis,

Speaker: Yeah.

Speaker: so.

Speaker: Please shut off RDP. At, at a bare minimum, restrict RDP, so that it, you know, so that the RDP port is only accessible via a particular network. And that network should only be accessible via a VPN, which is only accessible via MFA. We're gonna get back to that and, you know, restrict SMB as much as you can. Um, I'm sorry. Restrict RDP as much as you can. Uh, and then also, you know, I threw out SMB. Lemme just throw that out. Um, Windows has a default administrative share. What's up with that? Right?

Speaker: it admin dollar?

Speaker: Yeah. Um, that's what it's, and, and, and you can access the entire, uh, C drive, right? Um, turn that sucker off. Why, why is it there? Um, you know, why is it there? Why is it on by default? I, you know, I, I'm sure you know if you've got, by the way, if you disagree with me, uh, feel free to do so in the comments. I would love to hear, uh, why the default administrative share is not just fundamentally evil like RDP, um, but this is an SMB share that is on by default in Windows Server. Uh, and when Windows desktop

Speaker: Is it?

Speaker: Isn't it at Windows desktop though?

Speaker: Yes. 'Cause I've used it.

Speaker: Okay, because, so I was recently setting up my mom's new

Speaker: Mm-hmm

Speaker: Windows

Speaker: Mm-hmm.

Speaker: And when I went, because I was copying data over and I went to go access it another laptop, and it basically said sharing is disabled. Network sharing.

Speaker: That's a good question, right. Um, I'm not a Windows person. Uh, I.

Speaker: Neither am I. It took me a while and I wanted to pull out my hair,

Speaker: Yeah. But, um, the, um, you should tell your mom to upgrade to a real computer. Um,

Speaker: she likes her Windows laptops. I'm not gonna argue with her.

Speaker: uh, yeah, uh, I know a lot of people like Windows. I just, you know, I close windows whenever I can. Anyway.

Speaker: Um, so the next thing, uh, let's talk about, and I, I alluded to it already, and that is if your normal workday process requires a VPN. What do you think about having an MFA on that VPN?

Speaker: Oh, you definitely should.

Speaker: Yeah, this is

Speaker: but,

Speaker: of, of everything on this list. If you are allowing computers outside your company to access your company resources, and you're not using a VPN and you're not using MFA for that VPN, I, you know, this. I, I don't know what to say.

Speaker: I have the question for you.

Speaker: Okay.

Speaker: Is it still technically considered MFA if you have an OTP in order to be able to log into

Speaker: I think, yeah, I think the, the OTP, um, you know, uh, I think that, well, assuming that OTP has, uh, MFA built into it, right? Um.

Speaker: it's like an RSA token, right?

Speaker: Yeah.

Speaker: Yeah.

Speaker: I mean, so I'm assuming, I, I'd assume that if you're using Okta or something like that, that you are going to enforce

Speaker: MFA.

Speaker: on your entire environment. If you do, I'm, I'm good. I'm just saying if you're remotely letting people access stuff inside your computing environment and you're not using MFA, uh, you know.

Speaker: Yeah. That's like you're asking for it kind of thing, right? Going back to what you previously said about credential stuffing

Speaker: Yes, exactly right. Why is that, by the way? What, what do you mean by that statement you just made?

Speaker: Because if you don't have MFA, then someone might compromise credentials somewhere else and say a user happens to reuse their passwords, they have access to your environment because they're able to connect via VPN without requiring MFA.

Speaker: There you go.

Speaker: But I wanna add one thing to

Speaker: Yeah.

Speaker: Even with MFA, train your users not to get hit by MFA fatigue.

Speaker: Yeah.

Speaker: Right.

Speaker: We've seen so many attacks where the attacker bombards the system with MFA requests and then the user's like, fine, fine. I give up. I don't know what's going on.

Speaker: Yeah.

Speaker: like, okay, it's me.

Speaker: Yeah. This, this goes back to the stuff that we talked about last week, about training the people that work in your environment. Right? Um, let them know what MFA, you know, an MFA fatigue attack is, and

Speaker: Yeah.

Speaker: to watch for it and to not, I, respond to it the way that you just described. Yeah, yeah. Whatever. Just leave me alone, you know? Or

Speaker: that's what happened with the Okta attack,

Speaker: Yes.

Speaker: Yeah.

Speaker: many months ago.

Speaker: Yeah.

Speaker:

Um, so here's another one that, that the link that you shared

 

 


Speaker:

me, I think is fascinating.

 

 


Speaker:

Um, the next thing I have on the list is reputable antivirus

 

 


Speaker:

or anti-malware software.

 

 


Speaker:

Uh, what, what did that article talk about?

 

 


Speaker:

Yeah.

 

 


Speaker:

So this was an article which happened to be published today.

 

 


Speaker:

We're recording this.

 

 


Speaker:

Um, and it was from The Register, uh, and it basically said that.

 

 


Speaker:

More than half the people.

 

 


Speaker:

Even though antivirus tools are available on the operating system,

 

 


Speaker:

Mm-Hmm.

 

 


Speaker:

install third party antivirus solutions.

 

 


Speaker:

Yeah.

 

 


Speaker:

And one of the things that I found at the very bottom of this article,

 

 


Speaker:

which I thought was interesting, they said malware writers, the first thing

 

 


Speaker:

that they do is they'll probably go and test against the standard tools.

 

 


Speaker:

Right.

 

 


Speaker:

And by having a third party, you're now adding an additional layer of defense to

 

 


Speaker:

protect you against being attacked and being, uh, infected by these malware.

 

 


Speaker:

Yeah.

 

 


Speaker:

You know, and those tools are, they're just like any of these tools.

 

 


Speaker:

Nothing is.

 

 


Speaker:

Um, what's that?

 

 


Speaker:

Nothing is perfect,

 

 


Speaker:

Yeah, nothing is perfect, but, um, you know, you know, maybe I'm an old

 

 


Speaker:

schooler here and I, I believe in the concept of these third party tools.

 

 


Speaker:

Um,

 

 


Speaker:

another stat which I will call out, said that,

 

 


Speaker:

oh,

 

 


Speaker:

when they

 

 


Speaker:

I don't like the stat.

 

 


Speaker:

I don't.

 

 


Speaker:

they looked at the statistics.

 

 


Speaker:

They found that twice the number of people had third party software for if they

 

 


Speaker:

were in the age group of 65 and above, versus in the age group of 45 and below.

 

 


Speaker:

To that, I just wanna say bleep,

 

 


Speaker:

uh, whatever.

 

 


Speaker:

Um, all right.

 

 


Speaker:

The, the final.

 

 


Speaker:

But antivirus is important though,

 

 


Speaker:

Antivirus is important.

 

 


Speaker:

Yeah.

 

 


Speaker:

Antivirus, anti-malware.

 

 


Speaker:

Um, the, um, um, the next group of things that I want to talk about are, again,

 

 


Speaker:

this isn't so much preventing, um, you know, preventing an attack as much as

 

 


Speaker:

it is, you know, preparing for one.

 

 


Speaker:

Well, no.

 

 


Speaker:

Yeah.

 

 


Speaker:

I guess this is.

 

 


Speaker:

preventing,

 

 


Speaker:

This is all also preventing, never mind.

 

 


Speaker:

yeah.

 

 


Speaker:

The, the next group of things are, are a little bit different.

 

 


Speaker:

And that is this idea of proactively going and doing things

 

 


Speaker:

to see, to see what you can see.

 

 


Speaker:

Right?

 

 


Speaker:

Uh, and the first is this concept of an automated pen test.

 

 


Speaker:

What is that?

 

 


Speaker:

So a pen test is a penetration

 

 


Speaker:

Mm-Hmm.

 

 


Speaker:

where you can hire a company, you can procure software, where it will basically

 

 


Speaker:

test your network, your systems, to see are there any common vulnerabilities?

 

 


Speaker:

Are ports closed?

 

 


Speaker:

Do you have RDP exposed to the internet?

 

 


Speaker:

Things like that to help you understand, okay, where are

 

 


Speaker:

the gaps in my systems today?

 

 


Speaker:

Right.

 

 


Speaker:

And, and they range, um, everywhere from like, uh, 29, 9, 9, you know, uh,

 

 


Speaker:

we'll do a pen test of your company.

 

 


Speaker:

And I don't mean to imply that there's no value there, but there's definitely less

 

 


Speaker:

value there than the the, the next option.

 

 


Speaker:

And that is this concept of a red team.

 

 


Speaker:

Again, we had Dwayne Lalo on here from Pulsar Security.

 

 


Speaker:

They are a red team, right?

 

 


Speaker:

It's a fascinating episode, by the way, if you didn't, if you didn't

 

 


Speaker:

Mm.

 

 


Speaker:

take a look at that.

 

 


Speaker:

Uh, it's about, I don't know, six weeks or so ago at this point, the

 

 


Speaker:

idea that this is for those of you that have seen the movie Sneakers,

 

 


Speaker:

this is the guys in the movie Sneakers.

 

 


Speaker:

Those of you that haven't seen the movie Sneakers, go watch the movie Sneakers.

 

 


Speaker:

it.

 

 


Speaker:

It's.

 

 


Speaker:

It ages actually pretty well.

 

 


Speaker:

There's some stuff in there, just like any movie that centers around computers.

 

 


Speaker:

There's some stuff in there that's complete BS, but, you know, um,

 

 


Speaker:

You're not gonna recommend Hackers or The Net

 

 


Speaker:

No, I'm not gonna recommend Hackers or The Net or Swordfish.

 

 


Speaker:

Um, The Net, that, oh man, can't even.

 

 


Speaker:

You remember it was about hitting the escape button.

 

 


Speaker:

You remember how the escape button was like the

 

 


Speaker:

uh, Sandra Bullock, right?

 

 


Speaker:

Wasn't that Sandra Bullock?

 

 


Speaker:

Yeah.

 

 


Speaker:

Yeah.

 

 


Speaker:

Um, interestingly enough that when you, when you, when you bring up those three

 

 


Speaker:

movies, the only thing I remember, the pretty girls that were in those

 

 


Speaker:

three movies, I don't, and the fact that the computer stuff was, was crap.

 

 


Speaker:

Right?

 

 


Speaker:

Um, anyway.

 

 


Speaker:

Somehow I got distracted.

 

 


Speaker:

What?

 

 


Speaker:

Where were we talking about?

 

 


Speaker:

red

 

 


Speaker:

We were talking about red teams, right?

 

 


Speaker:

So this is a professional team whose job it is to infiltrate

 

 


Speaker:

your environment at your request.

 

 


Speaker:

And this is hardcore stuff, right?

 

 


Speaker:

Yeah, they think like the hackers, right?

 

 


Speaker:

They

 

 


Speaker:

Yeah.

 

 


Speaker:

almost ethical hackers if you think about it.

 

 


Speaker:

Yeah.

 

 


Speaker:

Yeah.

 

 


Speaker:

Um, I remember Dwayne said that they kind of backed away from that

 

 


Speaker:

term that they use, they use, um, I forgot what the term that they use

 

 


Speaker:

instead, but basically Yeah, yeah.

 

 


Speaker:

That, that there, there's like a more all inclusive term that

 

 


Speaker:

they now use, but the, um.

 

 


Speaker:

This is a company that you hire that is going to do all sorts of things to

 

 


Speaker:

try to break into your environment.

 

 


Speaker:

And, um, I, I remember one of his stories was about they hacked this

 

 


Speaker:

company via a TV that was in the lobby.

 

 


Speaker:

Right.

 

 


Speaker:

And they did it by going and getting, they got, they figured out what the TV was.

 

 


Speaker:

They figured out the brand of the TV.

 

 


Speaker:

And then they went and got that TV and they tore it apart and then, you

 

 


Speaker:

know, um, this is hardcore stuff.

 

 


Speaker:

insecure wifi

 

 


Speaker:

Yeah,

 

 


Speaker:

in it that

 

 


Speaker:

yeah, yeah.

 

 


Speaker:

Um, and uh, this involves, this involves things like, uh, it could be phy, there's

 

 


Speaker:

also physical, uh, penetration tests.

 

 


Speaker:

Right.

 

 


Speaker:

So, you know, I remember, um, uh, listening to Kevin Mitnick,

 

 


Speaker:

which I know not everybody.

 

 


Speaker:

Uh, liked or appreciates Kevin Mitnick, but, uh, I, I did learn

 

 


Speaker:

a lot from his talk and it was, uh, this, it, it was about him.

 

 


Speaker:

Um, basically, I.

 

 


Speaker:

Going into a building.

 

 


Speaker:

It was like a, it was like a commercial building and he went into the bathroom

 

 


Speaker:

and he just waited into the bathroom for some other person to come and he

 

 


Speaker:

used his badge scanner, which works up to like six feet away or something.

 

 


Speaker:

And he's sitting in a.

 

 


Speaker:

Bathroom stall waiting for some other kind of coat.

 

 


Speaker:

And then he is scanning the guy's badge and then he uses that

 

 


Speaker:

badge to get into the building.

 

 


Speaker:

Right.

 

 


Speaker:

This is the, you know, this is some, some, some hardcore stuff.

 

 


Speaker:

It's like something outta Hollywood.

 

 


Speaker:

Yeah.

 

 


Speaker:

It is like something outta Hollywood, but the, you know, these are people that this

 

 


Speaker:

is what they do and, um, they enjoy it.

 

 


Speaker:

They're good at it.

 

 


Speaker:

And you should definitely look into the concept of a red team.

 

 


Speaker:

Now, what about a blue team?

 

 


Speaker:

They're the ones who are trying to protect your environment

 

 


Speaker:

Right?

 

 


Speaker:

potential attackers.

 

 


Speaker:

Right.

 

 


Speaker:

And so.

 

 


Speaker:

They're like the defense.

 

 


Speaker:

Right.

 

 


Speaker:

Yeah.

 

 


Speaker:

They are the defense and they're also the ones that you would bring

 

 


Speaker:

in when you have a cyber attack.

 

 


Speaker:

Right?

 

 


Speaker:

Yep.

 

 


Speaker:

Um, and so one of the things that I talk a lot about is that

 

 


Speaker:

you need to establish that.

 

 


Speaker:

Um, and again, another one of the, another one of the experts that we've

 

 


Speaker:

had on here that uh, is from a blue team is Mike Sailor from Black Swan

 

 


Speaker:

Security, and we're gonna have, we're gonna have him on some more, and I.

 

 


Speaker:

He, uh, he talks a lot about, he's been in many of these attacks

 

 


Speaker:

and he completely agrees with me.

 

 


Speaker:

Of course he does.

 

 


Speaker:

'cause this is what he does.

 

 


Speaker:

That now is the time to form a relationship with the blue team.

 

 


Speaker:

Why would, if, if there's somebody that I would call in, in the time

 

 


Speaker:

of a cyber attack, why would I want to get a relationship with them now?

 

 


Speaker:

Because a cyber attack is very stressful.

 

 


Speaker:

You'd rather have that relationship prebuilt so you understand what's

 

 


Speaker:

expected, what each person is gonna do, the roles and responsibilities

 

 


Speaker:

such that when you do have that cyber attack, everyone can just be

 

 


Speaker:

like, okay, let's go, go, go, go, go.

 

 


Speaker:

Everyone knows what they need to do.

 

 


Speaker:

Yeah.

 

 


Speaker:

You know, uh, the analogy that I'm gonna use is gonna be kind of funny and,

 

 


Speaker:

and I know you know this story, but it has nothing to do with cyber attack.

 

 


Speaker:

The time, the time to get a relationship with somebody like

 

 


Speaker:

this is before you need them.

 

 


Speaker:

Right.

 

 


Speaker:

And I'm thinking about the time that I cut into the main supply line of my

 

 


Speaker:

house, uh, the water sup, the water, the, the water main for my house.

 

 


Speaker:

And uh, this was when I was replacing my front yard.

 

 


Speaker:

I have a 400 square foot front yard.

 

 


Speaker:

Right?

 

 


Speaker:

It is very, you know, it's California, so my yard is not that big.

 

 


Speaker:

And, uh, I was digging it up to put down, um, you know, the, I was

 

 


Speaker:

gonna put down artificial turf.

 

 


Speaker:

And it's kind of funny that when you put our artificial turf, the first

 

 


Speaker:

thing you have to do is you have to dig up the yard and you have to, you

 

 


Speaker:

dig down like six inches and then you put paver, uh, uh, base there.

 

 


Speaker:

So you basically pave your yard.

 

 


Speaker:

And then on top of that you put an inch of sand.

 

 


Speaker:

And then on top of that you put the grass.

 

 


Speaker:

Now.

 

 


Speaker:

I was digging and I knew where my water main was.

 

 


Speaker:

And the really funny thing is, was I don't want to damage my water main while

 

 


Speaker:

I'm doing this, but I'm not a hundred percent sure what a water main is.

 

 


Speaker:

So I'm just gonna dig around my water main to find my water main, to

 

 


Speaker:

make sure I don't hit my water main.

 

 


Speaker:

In the process, process of doing that, I hit my water main.

 

 


Speaker:

Now, what does this have to do with this?

 

 


Speaker:

The point was that I knew exactly where to go because there was, there's

 

 


Speaker:

a guy that lives that way, like.

 

 


Speaker:

300 yards from my house, and I went right to that guy's house and I was like,

 

 


Speaker:

um, you know, I just did this thing.

 

 


Speaker:

Luckily, luckily, I will say it was on the, on the other side of the valve that

 

 


Speaker:

off.

 

 


Speaker:

the water department supplies, because if I had broken it on their side, then that

 

 


Speaker:

would've been a, a whole different thing.

 

 


Speaker:

Right.

 

 


Speaker:

Yeah.

 

 


Speaker:

But, uh, it was, I remember it was like a Sunday.

 

 


Speaker:

And, and by the way, cyber attacks never come when it's convenient.

 

 


Speaker:

They do it on purpose, right?

 

 


Speaker:

They, they, there, there will be a bunch of cyber attacks, uh, tomorrow.

 

 


Speaker:

Yep.

 

 


Speaker:

Uh, we're in the US tomorrow, the, the day we're recording this, tomorrow is

 

 


Speaker:

July 4th, and there will be a bunch of, uh, a lot of people have a four day

 

 


Speaker:

weekend because, um, you know, I think, I think it should be a federal law that

 

 


Speaker:

July 4th, can't fall on a Thursday, but it is, it's on a Thursday tomorrow, so

 

 


Speaker:

a lot of people will just take Friday off, so they have a four day weekend.

 

 


Speaker:

This is when cyber attacks happened, right?

 

 


Speaker:

So it was a Sunday afternoon and luckily I had, I had already established a

 

 


Speaker:

relationship with this plumber guy, and I went over and I just knocked

 

 


Speaker:

on his door and I'm like, I realize it's five o'clock on a Sunday and

 

 


Speaker:

you're clearly having dinner with your family, but I just blew up my house so.

 

 


Speaker:

Could you help me please?

 

 


Speaker:

anything he could do that would be awesome.

 

 


Speaker:

And he came over and, uh, repaired my water main, you know, I had to,

 

 


Speaker:

we had to dig a big hole, a much bigger hole to get access to the pipe.

 

 


Speaker:

Yeah.

 

 


Speaker:

And, um, you know, and he repaired it.

 

 


Speaker:

And then, uh, he said, uh, I was like, how much do I owe you?

 

 


Speaker:

I was prepared for 500 bucks.

 

 


Speaker:

Or more.

 

 


Speaker:

And he said 150 bucks because he did it like off the clock

 

 


Speaker:

and you know, his own thing.

 

 


Speaker:

And I was like, dude, you know where, where do I sign?

 

 


Speaker:

Right?

 

 


Speaker:

You're like, thank you for saving me.

 

 


Speaker:

Yeah.

 

 


Speaker:

you know, calling a plumber for an emergency repair on

 

 


Speaker:

a Sunday AF in the evening.

 

 


Speaker:

It was gonna cost him.

 

 


Speaker:

least 400 bucks before they even do anything.

 

 


Speaker:

Yeah.

 

 


Speaker:

And so this is what I'm saying is like, just get a relationship now.

 

 


Speaker:

Get a relationship now with your local FBI department.

 

 


Speaker:

Uh, by the way, Mike talked about that a lot.

 

 


Speaker:

What?

 

 


Speaker:

InfraGard?

 

 


Speaker:

InfraGard

 

 


Speaker:

was the name of the IBM, I'm sorry.

 

 


Speaker:

The IRS.

 

 


Speaker:

Ah.

 

 


Speaker:

Not the I.

 

 


Speaker:

Meant to, uh, help, uh, people combat cyber crime and, um, you know, look

 

 


Speaker:

into InfraGard, get a relationship with the FBI get, uh, and or whatever

 

 


Speaker:

it is where you happen to live.

 

 


Speaker:

Yeah.

 

 


Speaker:

And, um, but now's the time to do that.

 

 


Speaker:

Any further thoughts on that?

 

 


Speaker:

No.

 

 


Speaker:

I think, yeah, having those pre-established relationships especially

 

 


Speaker:

as these blue teams, red teams, right?

 

 


Speaker:

They're probably keeping up to date on the latest of what's happening out there, so

 

 


Speaker:

Yeah.

 

 


Speaker:

also a great resource for that too.

 

 


Speaker:

Yeah.

 

 


Speaker:

You wanna, you wanna have them on speed dial, right?

 

 


Speaker:

Like,

 

 


Speaker:

Yeah.

 

 


Speaker:

you get the thing, you make the call, they're on their way.

 

 


Speaker:

Not, not, you know, I'm having to Google blue, blue teams or cyber.

 

 


Speaker:

Who do I call when I have a ransomware attack?

 

 


Speaker:

Um, that's not the time to be doing that.

 

 


Speaker:

It's already stressful.

 

 


Speaker:

Busters.

 

 


Speaker:

What's that?

 

 


Speaker:

You said, who are you gonna call when you have a

 

 


Speaker:

Oh, Gus

 

 


Speaker:

said, Ghostbusters.

 

 


Speaker:

that, that's an old joke, man.

 

 


Speaker:

You know, you're dating yourself.

 

 


Speaker:

Um,

 

 


Speaker:

that's a good movie though.

 

 


Speaker:

Movie, um, ruined by later attempts at.

 

 


Speaker:

Sequels, but whatever,

 

 


Speaker:

go there.

 

 


Speaker:

We shall

 

 


Speaker:

we should not go there.

 

 


Speaker:

Alright.

 

 


Speaker:

Good movie.

 

 


Speaker:

All right, well, this has been a good episode.

 

 


Speaker:

Further things that you can do to prevent ransomware and to prepare

 

 


Speaker:

yourself to be able to defend ransomware if and when it happens,

 

 


Speaker:

although it's more a when than an if.

 

 


Speaker:

Uh, any final thoughts?

 

 


Speaker:

Prasanna?

 

 


Speaker:

No, uh, was a great conversation.

 

 


Speaker:

I'm dying in the heat out here.

 

 


Speaker:

Uh, we're in the middle of our heat wave, so

 

 


Speaker:

What, what's temperature outside right now?

 

 


Speaker:

I think it's 103.

 

 


Speaker:

Uh, and what's the temperature inside?

 

 


Speaker:

Uh, about 84.

 

 


Speaker:

I really should turn on the air conditioner.

 

 


Speaker:

Um, so you, you wanna know what the temperature is

 

 


Speaker:

outside Where I am right now.

 

 


Speaker:

75?

 

 


Speaker:

75 is exactly what it's, that is San Diego versus the Bay Area.

 

 


Speaker:

Um, you know, in a nutshell, um.

 

 


Speaker:

Yeah, just different parts of the Bay Area, right?

 

 


Speaker:

Because certain parts of the Bay Area can be quite cold, actually.

 

 


Speaker:

I was looking at the thing they said up in San Francisco.

 

 


Speaker:

It's in the sixties, like low sixties,

 

 


Speaker:

Yeah.

 

 


Speaker:

if you go to the East Bay, uh, Livermore, Pleasanton, that

 

 


Speaker:

area, it's I think 108 degrees.

 

 


Speaker:

Well, coldest winter I ever spent was the summer in San Francisco, Mark Twain.

 

 


Speaker:

All right.

 

 


Speaker:

Well, thanks a lot, Prasanna.

 

 


Speaker:

Thank you to the listeners.

 

 


Speaker:

Uh, I hope you're getting something outta this and remember to hit that

 

 


Speaker:

subscribe or follow button so that you can, um, you can get us every time.

 

 


Speaker:

And um, that is a wrap.

 

 


Speaker:

The Backup Wrap-Up is written, recorded, and produced by me, W. Curtis Preston.

 

 


Speaker:

If you need backup or DR

 

 


Speaker:

consulting, content generation, or expert witness work,

 

 


Speaker:

check out backupcentral.com.

 

 


Speaker:

You can also find links from my O'Reilly Books on the same website.

 

 


Speaker:

Remember, this is an independent podcast and any opinions that

 

 


Speaker:

you hear are those of the speaker and not necessarily an employer.

 

 


Speaker:

Thanks for listening.