July 10, 2023

Former Green Beret advises us on Cyber Security

Today we are proud to have as our guest Zach Fuller, a founding partner of Silent Sector, a cybersecurity firm, and a former Green Beret who served in combat. We talk a little about how his service made him the person he is today, and how it led him ultimately into helping people protect their own data. We talk about the top few things he wishes people would do to secure their environments (in addition to Mr. Backup's usual suggestions of password management, MFA, and patch management). We found Zach a very engaging person, and we know you'll learn a lot.

Transcript
Speaker:

You know, it's not every day you get to talk to a former Green Beret, and it's my pleasure to do that today. We're talking to Zach Fuller, a founding partner of Silent Sector, a cybersecurity firm, about our favorite subject. And yes, he does happen to be a former Green Beret. I hope you enjoy the episode.

W. Curtis Preston:

Hi, and welcome to Backup Central's Restore It All podcast. I'm your host, W. Curtis Preston, a.k.a. Mr. Backup, and have with me a guy that is determined to cause me to spend every last dollar I have on stuff. Prasanna Malaiyandi, how's it going, Prasanna?

Prasanna Malaiyandi:

The, I, I'm a little offended by that. I don't know if I've, I don't know if it's every single dollar, but I would probably say it's at least 50 cents on the dollar.

W. Curtis Preston:

You keep sending me cool stuff. You're like, Hey, have you heard of this thing, this cool thing? Cuz you did, you did sort of convince me. I remember there was, uh, you know, I wanted to replace the front door lock, right? Well, I needed to, and, uh, because the, the key broke off in the, in the deadbolt, it wouldn't work anymore. And so my wife was like, you should get one of those smart lock things. So then I was looking at stuff that costs like, like a hundred dollars and you're like, if you looked at this one, that costs $200. It's much better. And now you're, and now August, basically you talked me into the August lock, which by the way has been great. I bought the August lock for my front door. Um, and, and it's pretty cool to, you know, the, the coolest feature of the August lock is that if I have my smartphone with me, it unlocks, uh, as I'm walking up to the front door. Right? Uh, you, that's an

Prasanna Malaiyandi:

I,

W. Curtis Preston:

feature.

Prasanna Malaiyandi:

I, I don't know if that's probably the best feature for you. I think the best feature for you is lock, ensuring that the door is locked. Right? I

W. Curtis Preston:

Are you saying, are you saying that I'm absent-minded and that, that, for me personally would be the best feature? No. Yeah. So just so you know, it's just funny that you sent, so what, so what happened is you sent me today this link of, Hey, did you know, sell? They also sell a key, right? Because mine is the one, the one that I bought is the one that goes on the back of the door. So from the front of the door, it looks just like I have a normal, uh, deadbolt. Um, and that's the way I like that method versus, you know, it's the whole security by obscurity, it's something, right? Um, and so I don't have somebody driving past my house trying to hack my smart lock.

Prasanna Malaiyandi:

They listen to this podcast.

W. Curtis Preston:

Unless I listen to this podcast, all they, all they know, they'll, they'll know all they need to do is steal my smartphone. Cuz I did turn on that, that feature, which I don't know, at least right now, I still really enjoy having the door say, hello Curtis, welcome home. And opening, uh, a, so it's just funny that you sent me this, this thing, the, the keypad, as you were sending me that I was in the process of ordering the August, uh, the lock for my two other doors. So

Prasanna Malaiyandi:

telling

W. Curtis Preston:

I, I, and you know it, you're right, is the feature, the feature that I enjoy the most and which is what causing me to buy it, is the fact that I, I turn on the feature that basically says after a time period that you determine, the longest of which is 30 minutes, is that it locks the door automatically. And the back door again, if anyone's listening to this podcast, the back door has a, has a habit of seemingly coming unlocked and, uh, left unlocked for, and then I'll come down at some random time and notice that the back door's unlocked.

Prasanna Malaiyandi:

So, you should be careful though, Curtis, just given your tendency to sometimes leave your phone elsewhere. You probably wanna make sure you don't get locked out of the house. Right. Especially if all of 'em, like maybe your garage door, you may not want to have auto lock.

W. Curtis Preston:

We, we've discussed this, we've discussed this. Uh, let's just say, given who I am, there are backup systems in place. Um, and also we've gotten into the habit of locking the front door as we leave via our smartphone, right? So since I'm using the phone to.

Prasanna Malaiyandi:

You always have it with you.

W. Curtis Preston:

I, I, yeah, I always have it with me. And also if I can call anyone else who lives here, which there are three other people who live here, I could call them and I could say, can you unlock the, the,

Prasanna Malaiyandi:

The door. Yeah. Now, here's a question for her.

W. Curtis Preston:

is pretty cool.

Prasanna Malaiyandi:

Here's a question for you.

W. Curtis Preston:

Yeah.

Prasanna Malaiyandi:

Do you remember any of their numbers?

W. Curtis Preston:

Um,

Prasanna Malaiyandi:

Because, because

W. Curtis Preston:

My wife's number, I know my wife's number and I know my daughter's number. I do not know my son-in-law's.

Prasanna Malaiyandi:

Okay. That's okay. At least you know two outta the three, so that's fine. Because I was just thinking like a lot of people, like with smartphones these days, they don't know people's numbers anymore. Or you just look it up and you're like, Hey, call so-and-so.

W. Curtis Preston:

Was, if I was at a payphone, like what, what would that be like? Uh, is there a payphone anywhere?

Prasanna Malaiyandi:

Or you just walk over to your neighbors, right? You're like, Hey, can I borrow your phone?

W. Curtis Preston:

I don't talk to my neighbors.

Prasanna Malaiyandi:

Oh

W. Curtis Preston:

My ne, the neighbor on that side would go, bleep, itty bleep. No, no, not gonna, yeah. Neighbor

Prasanna Malaiyandi:

I'm sorry

W. Curtis Preston:

They're new. I don't know. I don't know what they're,

Prasanna Malaiyandi:

So I'm sorry for getting you to spend extra money. But not really.

W. Curtis Preston:

Yeah. Yeah. Especially at a time right now. Uh, you know, well, we don't know when this episode goes live, at a time right now, when I am currently, as we say, looking for opportunities, uh, so, you know, need to preserve cash. Cash is king right now, but, uh, anyway, um, let us get onto our guest who's

Prasanna Malaiyandi:

Like, what are you guys talking about? Just blabbering on about smart locks. I thought this was like something else.

W. Curtis Preston:

Yeah, exactly. So we have, uh, I think, um, a very interesting guest today. He's actually a former member of the Special Forces turned cybersecurity expert. He's a co-host of the Cyber Rants Podcast and founding partner of Silent Sector. I like that phrase, a company that builds cybersecurity programs for B2B companies. I'm pretty sure he's our first former Green Beret on the show. Welcome to the show, Zach Fuller.

Zach Fuller:

Thank you, Curtis. Pleasure to be here.

W. Curtis Preston:

Always nice to have a fellow veteran. I was, uh, I was not in the Special Forces. I was in the um, uh, I was in the, the phrase we used to say was, there ain't no sense running around the bushes if there's no war. I was in the Navy. Right. Um, and um, cuz I was in the Navy, technically most of my time was during peacetime. But I did, I was in, during the OG modern war, Operation Desert Storm, uh, we actually invaded Kuwait on my birthday in whatever year that was, two, was that like 2090? Yeah, you're right. It was in the nineties, wasn't it? Yeah. Yeah. Nineties, like 91. Um, and I, I have, I, I, I absolutely credit where I am today with the, the years that I spent in the Navy, and I'm sure you do as well. Um, you know, looks like you were in about the same amount of time as I was.

Zach Fuller:

I spent five years in, I was 2004 to 2009. So it seem, seems like a, a long time ago, but at the same time, it seems that time has flown by. I don't know where it went, but, um, but uh, yeah, here, here we are. And I wouldn't trade it for the world, but, uh, it's a rougher lifestyle than being, than doing what I do now. I'll tell you that my, I've soft keyboard hands now, um, and a, and a sore back.

W. Curtis Preston:

Yeah, I, I, um, I, you know, I, I went in the Navy, you know, for, for those that you know, for whatever. It's a podcast. You don't wanna listen to me, you're on the wrong podcast. Um, but back in the day, so I went in the Navy for a very specific reason. I was working real jobs, right? Like, like, you know, for, for companies with paychecks from the time I was 15. And when I, uh, like I worked part-time as a, as a phone salesman. Um, I was selling carpet cleaning and police benevolent association stuff. I sold cars, I worked at McDonald's. By the time I turned 21 in boot camp, I had had 19 jobs.

Zach Fuller:

Wow.

W. Curtis Preston:

Right. And, and I, I went into the Navy, uh, specifically with the goal of having a job that I couldn't quit because I had, I know this is gonna come as a great surprise, I had an issue with authority and, um, I was like, yeah, yeah. And I, you know, so I went in the Navy to have a job that I couldn't quit. And I remember, I, I still remember the moment. My first, you know, we'll call it F-you moment, right? The moment where typically when I was a civilian, I would've said, F you, and I would've walked out, and that would've, and then I would've, would've gotten another job, right? And that was the moment that, uh, an E-9, so that's a senior chief, an E-9. In my mind, an E-9 asked me to move this thing. You know, it was something simpler, like move this chair from there to there. And I said something along the lines of, at the time I didn't think I was arguing. I didn't think I was dis, disobeying an order. I, I just was like, well, I think it makes more sense for the chair to be over there, whatever. Whatever it was. Right? And, and he immediately just went to 11, right? And he just was like, let me explain to you the E-9, E-4 relationship. I say, you do. Thinking is beyond your bleeping pay grade. Right? And I remember thinking at that exact moment, okay, Curtis, this is, this is what you, this is that moment that you, this is what you signed up for. And I did not say those magic words. I did not get booted outta the Navy. And uh, and here I am. How about you?

Zach Fuller:

Um, well, I, I definitely have, have been tuned up by higher enlisted before, so you're not alone there. Um, that's, uh, that, yeah. Saying that to an E-9 is never, never a good idea. It's basically whatever they say you do, if jump off that cliff, better jump off that cliff, cuz the ramifications are gonna be less than if you don't. But um, yeah. That being said, I mean, I was, I, I was just, felt drawn to the, the military. Um, and 9/11 happened when I was in high school. And I, you know, and then I went on to, on to college and was at University of Colorado and I was kind of, I kind of felt I was doing fine in school, but I didn't feel that challenge that I was looking for at that point in life. And I had, I just felt this calling to go join the military and then, and then, um, in the, the, there was an opportunity if you could go through all the assessment and selection process and all that, you could go from civilian to becoming a Green Beret, um, rather than prior, they, you had to be in the Army for a handful of years and like an infantry or something. So, having that opportunity, passing all the tests, going through selection, getting selected, going through the, um, qualification course for about two years, um, was just a, that was the challenge I was looking for, you know, and that, that was a game changer for me and just was the, you know, brought, brought me to that next notch of maturity that I really needed at that, that point in life. And, and so I, I wouldn't trade it for the world. You know, I got to work with guys that, you know, small team of guys that are the best in the world at what they do. They there's, and there's no place else they would've rather been, you know, so it's kind of funny because it was just an incredible environment to work in. Incredible people. We went out, we did our operations overseas, global war on terror, um, and did some amazing things. Now, when my enlistment came to an end, being naive, 20 something, mid, mid twenties, at the time, I thought that that's how the rest of the world operated. You know, where you, you could ask, you could tell somebody to do something, and it was basically already done, even if time hadn't caught up yet, there was no checking in to see if it had happened or anything like that. And so going from that environment into the business world was an eyeopener. And it, it, it took a lot of adjustment and expectations and, and how things work and operate, but, I love it. I wouldn't trade it for the world. I, we learned a lot during that time that I wouldn't have picked up anywhere else. And, and I try to, uh, share those, those, those concepts and those methodologies and ideas that we ran by in the unconventional warfare world and share those with business leaders, with technical, technical leaders and, and, um, people just getting started in their careers as well. Um, so lots. Yeah, I could, I could talk all day about that stuff. It's a fun, um, group to be around because there's, they don't, they don't accept anything but the best, the very best performance all the time. But they also have fun doing it. And there's lots of jokes, there's lots of laughs. It's where they want to be. So, um, yeah, I, I just, um, got so much out of that. People, as a veteran, people will come up and say, thank you for your service. I say, well, thank you for your tax dollars, first of all, cuz I probably wasted a lot of them.

W. Curtis Preston:

Thank you for the paycheck.

Zach Fuller:

Yeah. And, and also it's, you know, really it's the, the, the, the pleasure is mine to be able to, to do that in, in that environment. So,

Prasanna Malaiyandi:

So what made you go from that into cybersecurity? Like how, why choose this area?

Zach Fuller:

So I was always a, I was always kind of a, a, well, not kind of, it was definitely an a, you know, tech nerd growing up. I spent lots of time on computers, grew up in a tech family. Both my parents worked in Silicon Valley and, and, um, so I was on computers since I was as young as I could remember, you know, starting with the Apple IIe and, uh, going up from there. But I got started getting kicked outta computer classes for hacking the networks and locking the teachers outta their own systems and stuff. And in, uh, that was in middle school. Um, so

W. Curtis Preston:

Thank you for your service.

Zach Fuller:

Oh yeah. So, um, I, I had fun, you know, breaking stuff and putting it back together, and I think that's the root of a lot of people in cybersecurity now. Um, I took a different path though. I realized that, uh, when it, when it came down to really, as I realized that, and, uh, later on in middle school and high school, I realized girls weren't super interested in my tech skills. So now, now it's a cooler thing, you know, but now, but back then, you, you know, they weren't very interested in that stuff, but, um, I actually took a path of more the entrepreneurial realm and so started building websites for companies when that was a cutting edge thing to have a website. I started outsourcing work to Russia that I didn't know how to do at the time, before outsourcing was really a known thing. I found developers that could do work that I didn't know how to do for much cheaper than it could be done here in the US. And so, um, did that and, and really took an interest in the entrepreneurial side, the business, um, development and so on. And so I did, did different ventures, um, throughout my career. E, even in a college and exterior painting company door. I've done everything from door to door sales to implement Salesforce for, or, you know, mid-market companies. So, um, had a lot of, lot of crossover between that tech and then that business development world. Um, after the Army I went into, uh, the real estate private equity world. Well, real estate investment world. Because it was 2009 and everybody said how terrible real estate was and stay away from it. So being the hardheaded person that I tend to be, sometimes that's exactly where I went, is where I was told not to go. So, um, that was fun. Learned a lot, um, helped a private equity company build and grow and, and, and just build a tremendous organization. But, but, um, I realized that what I got to do in the Army, I, was, I, I got to protect great people in our nation from kind of behind the scenes doing things that people never really hear about. I mean, some of the stuff made the news, but it, it, who was behind it never, never came out, right? And so I thought that was a really awesome thing and I, I really felt called to be able to protect our nation again in some way. Um, I wasn't necessarily gonna do it by slinging lead and high explosives. Again, that, that was, you know, my, my prior life. Um, but I recognize there's a need in the cybersecurity realm. Um, when we started Silent Sector in 2016, we're starting to see our uptick in, um, breaches on the news, and it was becoming more and more, uh, these, these activities of cyber criminals were becoming more prevalent and the, the public was becoming more aware of 'em. So I said, well, you know, there's probably something that needs to be done here, something that we can do different. And, um, that's, that's really, I, how I entered into this industry, um, you, you know, and, and have two incredible partners that both have 25 years as, um, you know, both in, in technical and leadership roles in cybersecurity. So, um, the three of us came together, brought different skill sets, and we said, Hey, let's build this thing. Let's do something different. And that's what we've been doing and it's been, it's been great.

W. Curtis Preston:

Yeah. That's pretty cool. I, I like that. You know, I, I liked hearing, I, sort of applying the stuff that you learned in the military. I, I think there's things that I learned in the military that have stuck with me, but for me it was longer ago than you. So I think I learned things and then forgot that that's where I learned them. One, one of, one of the things that, um, when I think back on things, is one thing that I learned in, at least in my military or my part in the military, was the value of well tested documentation. Um, because, which, which I'm thinking do, which not a, was not a situation in your, in your field. But, uh, I mean, you've got

Zach Fuller:

Be surprised.

W. Curtis Preston:

I'm sure. Okay. Uh, yeah, probably explosives are probably very well documented. We had this, um, uh, this system for doing preventative maintenance on the equipment. I was in electronics, I was in, um, uh, I operated and maintained the video system for the flight deck of an aircraft carrier and then also the, the lighting system that allowed the planes to land in the same spot every time. And, uh, we had a system for, um, doing preventative maintenance on these, uh, on these systems. And they had, those procedures had to be vetted and vetted and vetted and tested, and then put onto a card. Those procedures you, you lived and died by, you had this card and you followed it. Even if you were trained in that piece of equipment, you followed that card. I, step by step by step, and, and that's the way when I think about like cyber recovery, disaster recovery, that's the way the procedure should be. It should be fully tested and vetted to the point that you should be able, you should be able to hand it to a, um, a, a technically proficient person who isn't familiar with the process and they should be able to execute the plan, um, what, what, what do you think about that?

Zach Fuller:

Yeah, absolutely. Well, I was, I was, I was kind of laughing over here when you're saying the system, cuz I was thinking, well, in the Army their saying is, if it ain't broke, fix it until it is. And so, so that, that's their version, but no, um, seriously, it, no, that's exactly it. Um, I, I think of it in terms of airborne operations, right? And jumping out of airplanes. Um, the riggers have a tremendous job in getting the chutes packed the same exact way every single time. And it is me, meticulously done. There's no room for variance. There's not any, any there. So I think regardless of, all joking aside, regardless of where you, you are in the military, and those listening with military backgrounds, I think that's a tremendous asset to bring into your security program, especially when you're talking about incident response, disaster recovery. We, we find a lot of organizations in the mid-market and emerging size company space will have, and I'm sure this is true in, you know, large enterprise in a lot of cases too, but there's a lot of times the IR/DR plans are, uh, very loosely put together, if at all, oftentimes off a template that has been downloaded from somewhere. Um, and they're not necessarily kept up and maintained. So one best practice is that, um, if you can, I mean, I, I'd say everybody can do this. It's whether they'll make time or not, but do tabletop exercises once a quarter, dust off that IR/DR plan and work through it. Um, even if you're not doing a, a actual full blown exercise. Just a, a tabletop will tell you a lot about where things are and we'll, we'll bring up a lot of, um, considerations and, and not enough companies do that. A lot of times it's, yeah, we, you know, we built out our plan and it, we haven't looked at it in three years, so.

W. Curtis Preston:

You know, right out of the military, I went into a bank. I, that's where I got my start in IT. And we were required by the OCC, right? That's the Office of the Comptroller of the Currency. We were required by the OCC to do a DR test twice a year. And so, you know that comment that you made when you got outta the military, you were surprised that, um, that people, you know, that when people are told to do something, they don't just, they just don't do it. Right. Um, I was surprised when I left the bank to find out that everybody didn't do that. Right. Uh, so to me, this idea of a having a well-documented, uh, DR plan that you then test it, uh, at, at least once a year, uh, you know, we did it every six months and, um, that the, the way we did it was we would take the plan and we would hand it to someone else, right? Zach, you seem like you know what you're doing. You're the new guy. Here's the documentation. Follow it while I stand in the background and figure out what I missed. Right? That, that's, that's the real way to do a test and I am, I am, I, I don't know. I'm continually surprised. I know Prasanna, or

Prasanna Malaiyandi:

No, I'm.

W. Curtis Preston:

surprised that the people that don't do the basics, let alone

Prasanna Malaiyandi:

Yeah. Well, yeah, and y, no, and I agree with that. And as I was actually gonna ask Zach, I'm like, for customers you've been talking to, how many of them actually have an IR or DR plan documented? Forget about actually testing it or verifying it, but even actually having a plan that seems feasible for recovering their environment.

Zach Fuller:

Yeah, it's, it's more, more rare than it should be.

Zach Fuller:

We, we work.

Zach Fuller:

Because we work with a lot of mid-market and, and smaller organizations.

Zach Fuller:

These aren't startups and stuff, but these are, you know, established companies.

Zach Fuller:

They're in compliance regulated industries, healthcare,

Zach Fuller:

financial services, uh, defense contractors, all that.

Zach Fuller:

And, and the ones that tend to be a little more on top of it are the ones that are,

Zach Fuller:

uh, that their hands are forced, right?

Zach Fuller:

They have an audit, um, on an annual basis or every three years even.

Zach Fuller:

And, and so they, they kind of have to do something about it.

Zach Fuller:

Um, so.

Zach Fuller:

It's, it's, it's much more prevalent than it should be to

Zach Fuller:

not have any type of, of DR plan.

Zach Fuller:

I mean, even, even just lack of independent backup solutions.

Zach Fuller:

You know, companies, Hey, we're, well, we're in AWS.

Zach Fuller:

Okay, well, where, where else?

Zach Fuller:

No.

Zach Fuller:

Well, you know, AWS, Amazon's

Prasanna Malaiyandi:

don't need anything

Zach Fuller:

It's like, no, that's not how it works.

Zach Fuller:

So, um, so yeah, it's, it's not, um, as prevalent as it should be.

Zach Fuller:

The other thing too is the, the quality and then making assumptions

Zach Fuller:

that people actually know what to do.

Zach Fuller:

So I like Curtis, your, your methodology, hand it to somebody else.

Zach Fuller:

What we do is we've created a gamified approach that actually

Zach Fuller:

involves dice and everything.

Zach Fuller:

So think of like a Dungeons and Dragons type type situation.

Zach Fuller:

We're rolling dice, and then we're figuring out, well,

Zach Fuller:

what's the scenario that's next?

Zach Fuller:

Is the next scenario is, hey, John is, um, head of IT and is the one that

Zach Fuller:

usually runs all this for us, but he's out in the mountains for a week and we

Zach Fuller:

can't get ahold of him, so who's next?

Zach Fuller:

And then, and then on down the line.

Zach Fuller:

And then another thing that can be done is oftentimes these

Zach Fuller:

exercises are in, uh, group format, whether it be remote or actually

Zach Fuller:

sitting around a conference table.

Zach Fuller:

Well, instead of that, maybe we kick it off.

Zach Fuller:

We let everybody know, Hey, this is going to happen at some point this week.

Zach Fuller:

Be expecting a phone call.

Zach Fuller:

So they know this is part of the exercise, but we actually

Zach Fuller:

kick it off in a live chain.

Zach Fuller:

Like it actually would go down in real life.

Zach Fuller:

Hey, somebody you know is getting, um, bug pulled, you know, pulled

Zach Fuller:

outta their meeting or whatever, and we're going through this sequence of

Zach Fuller:

events in order to follow their plan.

Zach Fuller:

So, um, a lot of ways you could go about it, but I think just.

Zach Fuller:

Making the time to do it is, is something that should be on the

Zach Fuller:

calendar, um, minimum once a year, but we, you know, two to four is ideal.

Prasanna Malaiyandi:

Yeah.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

I, I think I like that idea of, of gamifying it, right?

W. Curtis Preston:

I, I, I just see, I mean, just in general, the idea of gamifying it, I like that,

W. Curtis Preston:

uh, you know, I like, I've got this idea, you know, you got this dice, you're

W. Curtis Preston:

like, and what, and what do we win?

W. Curtis Preston:

You get a zero-day exploit, let's go.

W. Curtis Preston:

Right.

W. Curtis Preston:

I like it.

W. Curtis Preston:

I like it.

W. Curtis Preston:

Um, yeah, I, I, I think maybe I.

W. Curtis Preston:

Because when I think back to those, uh, those DR tests that we did, and

W. Curtis Preston:

this is way before anyone said the word ransomware, um, although as I've

W. Curtis Preston:

been studying up, uh, on ransomware, it turns out ransomware has actually

W. Curtis Preston:

been around longer than I thought.

W. Curtis Preston:

I first started hearing about it in 2014, but it's actually goes all the way back

W. Curtis Preston:

to, believe it or not, the eighties.

W. Curtis Preston:

There was a ransomware case in the eighties, but it

W. Curtis Preston:

wasn't really a, a, a thing.

W. Curtis Preston:

Uh, and I, I think it's been, um, it's been Bitcoin and things like that, that

W. Curtis Preston:

have really, I think, enabled it right in the, in the, in the recent era.

W. Curtis Preston:

So when I think back to those days, I remember those being

W. Curtis Preston:

high stress events, right?

W. Curtis Preston:

We only did it once every six months.

W. Curtis Preston:

We wanted it to be successful.

W. Curtis Preston:

Successful was defined as the recovery worked.

W. Curtis Preston:

And Curtis didn't have to get involved, right?

W. Curtis Preston:

So y you know, I handed it to Zach.

W. Curtis Preston:

Zach followed the procedures and the recovery was a hundred percent successful

W. Curtis Preston:

and I didn't have to do anything.

W. Curtis Preston:

We were never successful by that, by that standard, but we

W. Curtis Preston:

learned a lot along the way.

W. Curtis Preston:

And so the point was that it was an incredibly stressful situation.

W. Curtis Preston:

So I think this idea of gamifying it and doing it more often and having it,

W. Curtis Preston:

you know, just something that we do.

W. Curtis Preston:

As a way of both, um, creating the esprit de corps as well as, um, increasing

W. Curtis Preston:

knowledge and doing it more often.

W. Curtis Preston:

Um, that's actually a, I think, a fascinating idea, um, versus

W. Curtis Preston:

what, what we used to do.

W. Curtis Preston:

Um, what do you think, Prasanna?

Prasanna Malaiyandi:

Yeah, no, I think doing things more often, like

Prasanna Malaiyandi:

practice makes perfect, you know, and you can't predict each and every

Prasanna Malaiyandi:

single one of these events, right?

Prasanna Malaiyandi:

Like you were saying, Zach, you rolled the dice and it might be this scenario

Prasanna Malaiyandi:

or that scenario, but at least you're going through and getting used to the

Prasanna Malaiyandi:

process and what things look like and dealing with that.

Prasanna Malaiyandi:

Because when it really happened, it's gonna be a very high

Prasanna Malaiyandi:

stress environment, right?

Prasanna Malaiyandi:

But if you know how people are gonna react, how they behave, you've

Prasanna Malaiyandi:

gone through these exercises, it builds up the confidence that you

Prasanna Malaiyandi:

can handle whatever comes your way.

W. Curtis Preston:

So I just realized I haven't thrown out our disclaimer,

W. Curtis Preston:

uh, Prasanna and I work for different companies and, uh, we're not representing

W. Curtis Preston:

either of them on this podcast.

W. Curtis Preston:

This is an independent podcast and the opinions that you hear

W. Curtis Preston:

are ours, not necessarily theirs.

W. Curtis Preston:

And, uh, be sure to rate us, uh, by going to your favorite podcatcher.

W. Curtis Preston:

Scroll down to the stars and give us all the, all the stars.

W. Curtis Preston:

You know, unless you hate us, then don't bother rating us.

W. Curtis Preston:

If, if you hate us, don't rate us.

W. Curtis Preston:

I like that.

W. Curtis Preston:

I've never said that before.

W. Curtis Preston:

Um, you know, it helps other people find the, the episode and, and share it

W. Curtis Preston:

with your friends, um, assuming that you have friends that care about their data.

W. Curtis Preston:

And, uh, also, uh, if you'd like to be part of the conversation,

W. Curtis Preston:

just reach out to me.

W. Curtis Preston:

I'm easy to find.

W. Curtis Preston:

I'm at WC Preston on Twitter.

W. Curtis Preston:

W Curtis Preston gmail.

W. Curtis Preston:

Uh, and you can also find me at linkedin.com/in/mr backup.

W. Curtis Preston:

And, uh, you know, we'll get you on the show.

W. Curtis Preston:

We love talking to other people that care about data.

W. Curtis Preston:

So, so, uh, Zach, let's talk about some of the things that have been

W. Curtis Preston:

happening, uh, in the news lately.

W. Curtis Preston:

And I'm gonna start with this, um, the Veeam story, and

W. Curtis Preston:

this one frustrates me a lot.

W. Curtis Preston:

And by the way, I'm just gonna right up front.

W. Curtis Preston:

Say, I am not upset with Veeam.

W. Curtis Preston:

Right?

W. Curtis Preston:

This is not an issue with Veeam.

W. Curtis Preston:

Um, because there was a vulnerability announced in March, which as of

W. Curtis Preston:

this recording is two months ago, they patched the vulnerability days.

W. Curtis Preston:

Uh, I don't know exact the exact number of days, but it was very shortly after the

W. Curtis Preston:

announcement, uh, of the vulnerability, and then you would think that

W. Curtis Preston:

every Veeam customer would then immediately apply the patch.

W. Curtis Preston:

But I'm pretty sure you saw this same news article that came out a couple of days

W. Curtis Preston:

ago, and it was, I forgot which federal agency, but it was some federal agency

W. Curtis Preston:

basically saying, Hey, uh, we've been looking out there and this Veeam exploit

W. Curtis Preston:

that happened two months ago is still in the wild, meaning that there are still

W. Curtis Preston:

attacks that are happening because of it.

W. Curtis Preston:

There are still, there was some company or some entity, I don't

W. Curtis Preston:

remember if it was an agency or some like threat hunter out there.

W. Curtis Preston:

They went out and just scanned for vulnerable Veeam servers and the

W. Curtis Preston:

number was in the, like the five digits and that just, I don't know what to

W. Curtis Preston:

think about that, Zach, cuz because, you know, I mean, tell, tell me.

W. Curtis Preston:

Well, first off, tell me if you agree with me.

W. Curtis Preston:

Like if you do nothing else, right?

W. Curtis Preston:

Good passwords, MFA pass or, and patch management.

W. Curtis Preston:

Like if you, if you do nothing else from a cybersecurity perspective,

W. Curtis Preston:

those three will go a long way.

W. Curtis Preston:

Right?

W. Curtis Preston:

Um, but, but here we have.

W. Curtis Preston:

Like this is, this is, you know, the backup system is, I like to

W. Curtis Preston:

say it, it's, it's Helm's Deep.

W. Curtis Preston:

I don't know if you get the Lord of the Reference, reference or Lord,

W. Curtis Preston:

Lord of the Rings reference there.

W. Curtis Preston:

But, um, you know, it's, it's the final line of defense

W. Curtis Preston:

and you're not patching it.

W. Curtis Preston:

I, I, how, how do you deal with that out there?

Zach Fuller:

yeah, so that's, and that's not patching with, you know, the, the

Zach Fuller:

Veeam, uh, the Veeam vulnerability aside.

Zach Fuller:

That's, I mean, that's prevalent throughout

Zach Fuller:

everything, right?

Zach Fuller:

The CVE comes out and, and, um, there's, there's a known vulnerability.

Zach Fuller:

The vendors are generally very good about patching 'em quickly

Zach Fuller:

and getting notice out to their customers and everything else.

Zach Fuller:

So, and so that's,

W. Curtis Preston:

want, uh, Zach, you wanna define, uh, CVE for those

W. Curtis Preston:

that aren't familiar with the term?

Zach Fuller:

C CVEs, your, your, essentially your vulnerability database.

Zach Fuller:

So every vulnerability that's identified by researchers out there has a number

Zach Fuller:

associated with it and the year and such.

Zach Fuller:

And so you can basically pull up a, a, a list, um, and look at all the,

Zach Fuller:

you know, vulnerabilities for a certain, uh, type of environment

Zach Fuller:

or, um, scanners run off of these.

Zach Fuller:

So if you're running a vulnerability scanner, it'll match up a known

Zach Fuller:

vulnerability with a potentially exploitable, um, uh, device.

Zach Fuller:

Now, it doesn't mean that device is actually exploitable.

Zach Fuller:

There are false positives, there are deeper layers of control and so on.

Zach Fuller:

But, um, it's a, it's a methodology of marking a, um, a vulnerability.

Zach Fuller:

With a, a specific number so you can go back and, and look it up.

Zach Fuller:

Right.

Zach Fuller:

And, and identify what's there.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

I think it's critical.

W. Curtis Preston:

Vulnerabilities and exploits, I think.

W. Curtis Preston:

But it, it, yeah.

W. Curtis Preston:

This database where, and it's like CVE dash.

W. Curtis Preston:

0 9, 7, 5.

W. Curtis Preston:

Um, and, and that tells you like in case the Veeam vulnerability,

W. Curtis Preston:

there is a CVE number, uh, so that everybody knows the same, so that

W. Curtis Preston:

we're all, we're all on the same page,

Zach Fuller:

Yeah, exactly.

Zach Fuller:

And then, and then your scanning tools will mark it.

Zach Fuller:

You know, you generally like one through five rating or one through 10, and, um,

Zach Fuller:

so you'll have a different severity level, um, depending on what it is and so on.

Zach Fuller:

Now, again, that doesn't

Zach Fuller:

tell you the true exploitable nature of that.

Zach Fuller:

But, um, it's, it gives you an idea of where to look when something's wrong.

Zach Fuller:

So one of the things companies need to be doing is continuous

Zach Fuller:

vulnerability scanning.

Zach Fuller:

So the whole vulner, oh, we scan once a quarter for PCI compliance.

Zach Fuller:

That just doesn't, doesn't cut it.

Zach Fuller:

They should be running continuous scans because it's simple to do.

Zach Fuller:

The tools are out there, especially externally, I mean internally too,

Zach Fuller:

ideally, but, um, at, at a minimum,

Zach Fuller:

do continuous external scanning.

Zach Fuller:

So these vulnerabilities are popping up, um, and you're seeing them, and

Zach Fuller:

that way you're not trying to keep up with the articles and such that are

Zach Fuller:

coming out or the, the notifications from the vendors, those scanning tools

Zach Fuller:

that you're paying for whatever, whether it's Qualys or Nessus, Rapid7,

Zach Fuller:

whatever, whatever tool you're using.

Zach Fuller:

There's a bunch of 'em out there, but they're, they're constantly

Zach Fuller:

loading their databases with these new vulnerability signatures.

Zach Fuller:

And so if you're running this continuously, you're, you're,

Zach Fuller:

you have a third party, um, provider of the scanner platform that's, that's

Zach Fuller:

loading these signatures in, so they're on the ball cuz that's their business.

Zach Fuller:

They're, you know, very, very quick with this stuff.

Zach Fuller:

So you should be getting red flags and getting, getting notifications when

Zach Fuller:

a new vulnerability is identified.

Zach Fuller:

So the problem is, Mo a lot of organizations in the mid-market

Zach Fuller:

and emerging space are, it's been often a year or more since they've done

Zach Fuller:

a vulnerability scan if, if ever.

Zach Fuller:

Um, and so it's, it, they, a lot of the, you know, it like MSPs and things, they're

Zach Fuller:

focused more on the day-to-day operational things and running, running tools like

Zach Fuller:

antivirus, managing firewalls and such.

Zach Fuller:

But this, this proactive activity of vulnerability scans v vulnerability scans,

Zach Fuller:

the first thing that's gonna tell you.

Zach Fuller:

Um, you know, whether it's Veeam or anything else, if you have something

Zach Fuller:

to look at, look deeper into.

Zach Fuller:

So, and then you get into the patch management whole discussion

Zach Fuller:

and that's a thorn in the side for lots of organizations.

Zach Fuller:

But, um, you can't look to go, you know, jump on a patch out of your

Zach Fuller:

normal schedule if you don't even know that that vulnerability is there.

Zach Fuller:

So,

Prasanna Malaiyandi:

So two questions for you, Zach.

Prasanna Malaiyandi:

I think that all makes sense.

Prasanna Malaiyandi:

Uh, the first is, what is the category like if someone wanted to

Prasanna Malaiyandi:

look up a category for what these vulnerability scanning tools are

Prasanna Malaiyandi:

called, what would they go search for?

Prasanna Malaiyandi:

I know you gave a couple of vendors, but what's that

Prasanna Malaiyandi:

general category of tool called?

Zach Fuller:

Yeah, I, I just look up network vulnerability scanners.

Zach Fuller:

Um, you can, yeah, there's, there's, um, there's a hand.

Zach Fuller:

The big names really are, are Qualys, um, Nessus.

Zach Fuller:

You got, um, Tenable.

Zach Fuller:

There's a couple others, but you, but they're all gonna

Zach Fuller:

accomplish really similar things.

Zach Fuller:

It just depends on your, your budget and

Prasanna Malaiyandi:

And, and then the other question I had also is, especially

Prasanna Malaiyandi:

since you've been talking a lot about sort of small and medium businesses,

Prasanna Malaiyandi:

do you find though that these tools are practical for these organizations,

Prasanna Malaiyandi:

either from a budget cost perspective or even from a skillset perspective?

Prasanna Malaiyandi:

Because some of these organizations are very strapped when it comes

Prasanna Malaiyandi:

to IT personnel especially.

Prasanna Malaiyandi:

And in addition to that, you're looking at someone who's like cybersecurity

Prasanna Malaiyandi:

focused and so, is this something that they can easily pick up and start to use?

Prasanna Malaiyandi:

Or is this such a burden for the organization that they're like, Hey,

Prasanna Malaiyandi:

we have 50 other things to deal with.

Prasanna Malaiyandi:

I can't worry about this.

Zach Fuller:

Yeah, they can easily hire a third party provider, uh,

Zach Fuller:

to, to run continuous scanning.

Zach Fuller:

We're talking

Zach Fuller:

couple hundred bucks a month, depending on the size of their, their environment.

Zach Fuller:

Um, it can larger, it, it is of course, the more time it takes

Zach Fuller:

to actually look at those scans.

Zach Fuller:

So you wanna, you can, you can always hire a third party and it's, it's

Zach Fuller:

pretty simple, pretty inexpensive, um, for a lot of companies.

Zach Fuller:

Some of the tools can be pretty costly.

Zach Fuller:

So for a lot of the companies, it's much more cost effective.

Zach Fuller:

If you have, you know, five or 10 external IPs, you might as well just

Zach Fuller:

have a service provider do that for you.

Zach Fuller:

And then, um, hopefully that service provider also has an actual human

Zach Fuller:

looking at the scan results, right?

Zach Fuller:

So not just kicking you a scan report, but even if they kick you

Zach Fuller:

a scan report, um, you, you can

Zach Fuller:

teach somebody pretty quickly how to look through those.

Zach Fuller:

And most of 'em are just Excel exports, so you can just sort 'em however you'd like.

Zach Fuller:

Uh, if there's specific IPs, things that you wanna focus on, or say you

Zach Fuller:

wanna only look at severity four and five, then we, you could, you could

Zach Fuller:

do that, um, really simply with Excel.

Zach Fuller:

So it's not, um, it doesn't get too technical.

Zach Fuller:

And I think the time it takes, even if you're looking at those

Zach Fuller:

yourself.

Zach Fuller:

Um, it's, it's well worth it compared to the

Prasanna Malaiyandi:

Cost of not doing it.

Prasanna Malaiyandi:

Yeah, exactly.

Zach Fuller:

Yeah, absolutely.

W. Curtis Preston:

and where do those, because I know I've also seen

W. Curtis Preston:

a number of um, uh, sort of automated

W. Curtis Preston:

pen test, pen testing as a service.

W. Curtis Preston:

So this is like vulnerability scanning as a service.

W. Curtis Preston:

What about pen testing as a service?

Zach Fuller:

So, yeah, there's the, the pen testing market's been interesting.

Zach Fuller:

It's been, be, become a bit commoditized.

Zach Fuller:

Um, and so it's hard for consumers

Zach Fuller:

that are not in this business every day to kind of decipher what's, what.

Zach Fuller:

Mostly what we've seen out of automated pen testing is it's

Zach Fuller:

good for certain scenarios.

Zach Fuller:

There are some companies that all they wanna do is check a block and

Zach Fuller:

they say, we got a pen test done.

Zach Fuller:

Um, and, and it can be good for

Zach Fuller:

ongoing, um, continuous automated pen testing where you actually do, maybe you

Zach Fuller:

do a, a, a human driven pen test twice a year or, or once a quarter or something

Zach Fuller:

like that, or on every major release of your software, whatever the case may be.

Zach Fuller:

But then you have automation going in in the meantime.

Zach Fuller:

That can be a good use for it.

Zach Fuller:

The problem that we see is that, um, we'll have, we'll have, you know, potential

Zach Fuller:

clients come to us and say, Hey, we just got this, we got this pen test.

Zach Fuller:

We don't really know what to do.

Zach Fuller:

A lot of times there's a lot of fluff in there.

Zach Fuller:

The, the idea of saving money from an automated, a approach, we haven't

Zach Fuller:

really seen that be effective because, The companies that, that don't have

Zach Fuller:

the, the resources to, to decipher this stuff, they, they take this huge data

Zach Fuller:

dump from the automated tools and they go start trying to ta trying to tackle

Zach Fuller:

every vulnerability that's identified.

Zach Fuller:

So a good pen tester will show you.

Zach Fuller:

Really the, the areas that are truly exploitable in your environment, right?

Zach Fuller:

Just because a web application, you know, a tool says, Hey, there's

Zach Fuller:

potential for a SQL injection here.

Zach Fuller:

Doesn't mean you need to rebuild the app.

Zach Fuller:

It's okay maybe that, maybe there's a form field that lets arbitrary characters

Zach Fuller:

go through, but that doesn't mean

Zach Fuller:

that the database is gonna spit out a bunch of information

Zach Fuller:

based, you know, based on attack.

Zach Fuller:

There are various layers of protection between them.

Zach Fuller:

So it, so as long as a company has, you know, a defense in

Zach Fuller:

depth approach, um, a lot of the automation stuff is, is limited.

Zach Fuller:

Um, I, again, I think it's, I think it's evolving.

Zach Fuller:

I think they're, it's getting better, but we have a ways to go.

Zach Fuller:

There are also,

Zach Fuller:

uh, issues within environments that take, um, kind of human logic to identify

Zach Fuller:

still that, uh, tools won't pick up.

Zach Fuller:

So, for instance, we had a client, uh, who, who came to us for a pen test.

Zach Fuller:

They had a, uh, web application that when every, every time a user would sign up as

Zach Fuller:

financially based organization and they.

Zach Fuller:

They, every time a user would sign up, their data would go off to

Zach Fuller:

a third party that would charge 'em 10 cents, uh, a submission to

Zach Fuller:

validate that this is indeed a fact.

Zach Fuller:

Indeed a real person, and the financial information is valid and so on.

Zach Fuller:

So, third party service, 10 cents a shot.

Zach Fuller:

Well, the scanners and tools and stuff didn't

Zach Fuller:

pick up anything.

Zach Fuller:

There's nothing wrong with that per se, but our team found that, oh, hey, we can

Zach Fuller:

write a quick Python script here that can inject 5 million, uh, new users into this

Zach Fuller:

platform within a matter of hours or less.

Zach Fuller:

Right?

Zach Fuller:

And so at 10 cents a piece that can start to get costly.

Zach Fuller:

So we did proof of concept, you know, run 10 users through kind of thing, um,

Prasanna Malaiyandi:

Only 10.

Zach Fuller:

Right.

Zach Fuller:

Yeah.

Zach Fuller:

But here, you know, here's what could happen.

Zach Fuller:

So we need to stop, you know, so, so that kind of stuff sometimes, um, won't be,

Zach Fuller:

won't be flagged and we just need to look at, we need to look at it objectively.

Zach Fuller:

Um, you know, from the, from the business logic perspective.

W. Curtis Preston:

So earlier I was mentioning, um, that my top three

W. Curtis Preston:

are a good password system, um, and, uh, MFA and patch management.

W. Curtis Preston:

So, past that.

W. Curtis Preston:

What, what, what would you, you know, cuz we talked about like, these are

W. Curtis Preston:

the things you need to do first, right?

W. Curtis Preston:

If, if, if you're concerned about the security of your environment, that

W. Curtis Preston:

these are the things you need to do first, what would you do after that?

Zach Fuller:

Mm.

Zach Fuller:

Well, most breaches occur because of well-meaning, but unaware individuals.

Zach Fuller:

So this, and this is a tough one cuz if I, if I could give a condensed

Zach Fuller:

list of top 10, that would be ideal.

Zach Fuller:

But the, the reality is there's a lot that goes into policy and, and process

Zach Fuller:

around how we use our computing devices.

Zach Fuller:

So thinking through that.

Zach Fuller:

A lot of times it's, um, the, uh, old user accounts aren't deprovisioned, right?

Zach Fuller:

Somebody leaves the company and HR isn't communicating with IT,

Zach Fuller:

and, and then those accounts get compromised and nobody knows about it.

Zach Fuller:

So it's stuff like that.

Zach Fuller:

So I, I'd say, um, if, if this is a big category, but your policies and

Zach Fuller:

procedures and standards, documentation for the organization, is, is so critical

Zach Fuller:

because that's going to encompass a lot.

Zach Fuller:

Um, I, if you're referring more to technical controls

Zach Fuller:

specifically, then absolutely.

Zach Fuller:

You know, your backups and such.

Zach Fuller:

Um, I think that, that there's, um, another.

Zach Fuller:

Well, and all the major frameworks call for this is the, one of the first

Zach Fuller:

things they're gonna say to do is inventory and control of your assets.

Zach Fuller:

Whether that's hard hardware and software, both.

Zach Fuller:

Um, a lot of organizations struggle with knowing exactly what

Zach Fuller:

they have in their environment.

Zach Fuller:

And so if a rogue device is coming in there, or it, and it could just be,

Zach Fuller:

you know, somebody's tired of working through the controls that

Zach Fuller:

are set up on their work computer.

Zach Fuller:

So they bring their laptop and plug it in, and, um, and now they're on the

Zach Fuller:

network and, and who knows what their kids were doing on social media with

Zach Fuller:

that, you know, a couple hours ago.

Zach Fuller:

So those types of things need to be thought through.

Zach Fuller:

Um, but I, I would say that, um, the, the, the human element,

Zach Fuller:

um, is the biggest thing.

Zach Fuller:

If, yeah, if I had to pick one piece, it'd be staff awareness training,

W. Curtis Preston:

Yeah, I, I, I think that's, I think I

W. Curtis Preston:

would completely agree with you.

W. Curtis Preston:

Um, I, you know, I, I am a, like if my choice is off, are,

W. Curtis Preston:

Build really good defenses against mistakes versus train everybody

W. Curtis Preston:

which mistakes not to make.

W. Curtis Preston:

I'm gonna go with the first, not the second, but you.

W. Curtis Preston:

But you have to do it, right?

W. Curtis Preston:

You have to train the users.

W. Curtis Preston:

The problem with people, it's that, where do I start?

W. Curtis Preston:

Right?

W. Curtis Preston:

Well, first off, there's always new people.

W. Curtis Preston:

Second, we are incredibly, we're just, we're just flawed.

W. Curtis Preston:

So, so really if we could just get rid of all the people, um, you

W. Curtis Preston:

know, you're good to go.

W. Curtis Preston:

Um, I mean, we all know that AI doesn't make mistakes.

W. Curtis Preston:

So once we replace everyone on the planet with some sort of piece of

Zach Fuller:

Right.

W. Curtis Preston:

uh, there will be no more hacking.

Prasanna Malaiyandi:

This podcast brought to you by AI.

W. Curtis Preston:

Absolutely no, I, I remember that, I remember, uh, back

W. Curtis Preston:

again, that, that bank that I, that I, um, worked at, we were constantly,

W. Curtis Preston:

we constantly did user training.

W. Curtis Preston:

And one of the things that I remember that, that, that you were

W. Curtis Preston:

always told in the regular training that we went to was no one in

W. Curtis Preston:

the, you know, the IT department.

W. Curtis Preston:

No one will ever call you and ask you for your password ever.

W. Curtis Preston:

Right.

W. Curtis Preston:

And then the next day we would always call them and ask them for their password

W. Curtis Preston:

and like 20% of them would give it to us.

W. Curtis Preston:

It was like,

Zach Fuller:

Oh yeah,

W. Curtis Preston:

it was just like, oh, it's, it's, it's,

Zach Fuller:

We've been led in, we've been led into, uh, we do physical

Zach Fuller:

intrusion testing from time to time, from a data security perspective though.

Zach Fuller:

So we've been led into buildings, you know, tailgating and that sort of thing

Zach Fuller:

during business hours, just looking like supposed to be there kind of thing.

Zach Fuller:

And, and, you know, throw that thumb drive in a, in a

Zach Fuller:

computer, um, even led into, um, you know, network rooms and, and server rooms.

Zach Fuller:

I mean, it's, it's, um, pretty amazing.

Zach Fuller:

But yeah, the, the unaware is generally well-meaning, but, you know,

Zach Fuller:

unaware individual is, is always

Zach Fuller:

going to be the biggest risk.

Zach Fuller:

And that's, that's where we see most, most attacks come through.

Zach Fuller:

Um, especially those companies that are on.

Zach Fuller:

Um, and well, I want to put this out there because you're on cloud

Zach Fuller:

services that does not make you secure.

Zach Fuller:

Right?

Zach Fuller:

Um, so those, those companies that, those companies that, um,

Zach Fuller:

think that, hey, we're on Google Workspace or we're on Office 365.

Zach Fuller:

So, you know, Google or Microsoft is taking care of our security.

Zach Fuller:

Um, that if we're, if we're, you know, talking about a list of things to do,

Zach Fuller:

um, another critical mistake is that a lot of these mid-market and smaller

Zach Fuller:

companies are on these environments and it's, it's crazy things like they

Zach Fuller:

set up the, you know, the person that started the company 15 years ago.

Zach Fuller:

Um, you know, ha has their, their normal email account is also the

Zach Fuller:

administrator to that company's account.

Zach Fuller:

And, um, that when once that gets breached, of course

Zach Fuller:

all kinds of things happen.

Zach Fuller:

We've seen cryptocurrency accounts stolen, um, uh, domain names hijacked, uh, from

Zach Fuller:

the registrars and moved to, um, moved to overseas registrars and ha getting a

Zach Fuller:

ransom to get it, you know, demanding a ransom to get it back, that kind of thing.

Zach Fuller:

Um, we, we've seen, you know, and from there pivoting to other cloud

Zach Fuller:

services like Dropbox and such.

Zach Fuller:

So that's more toward the very small company side.

Zach Fuller:

Um, u usually they're, they're more sophisticated in that, but

Zach Fuller:

I wanted to dispel that myth.

Zach Fuller:

I'd say that make sure that your cloud

Zach Fuller:

service environments, they, they can be set up to be very well secured.

Zach Fuller:

Most organizations are not leveraging the, the full potential

Zach Fuller:

of their security, and they're not provisioning accounts properly.

Zach Fuller:

So if we think about principle, uh, of least privilege, we want to give

Zach Fuller:

people only what they need to do their job day to day, and then have a

Zach Fuller:

methodology in place so they can escalate their access if they

Zach Fuller:

need it in unique circumstances.

Zach Fuller:

Um, but a lot of times companies are just giving everybody the

Zach Fuller:

kind of the keys to the kingdom.

Zach Fuller:

So once their account gets breached, now the attacker can get to a lot more,

Zach Fuller:

uh, than they could have otherwise.

Zach Fuller:

And the, the damage goes further that way.

Prasanna Malaiyandi:

Yeah, but it's so much easier, Zach, if you

Prasanna Malaiyandi:

give access to everyone you know.

Zach Fuller:

Right?

Zach Fuller:

Yeah.

Zach Fuller:

Yep.

Zach Fuller:

Just, uh, open up your firewalls to any, any, just let all the traffic through.

W. Curtis Preston:

There was a famous GDPR case in, uh, Spain, I think it was

W. Curtis Preston:

maybe Portugal, and it was a hospital.

W. Curtis Preston:

And, um, the, it, it was one of the first big GDPR fines and

W. Curtis Preston:

what they had done in the hospital was to make administration easy.

W. Curtis Preston:

They made everybody a doctor.

W. Curtis Preston:

So everybody that worked at the hospital had doctor level access so they could

W. Curtis Preston:

see any record of any patient any time.

W. Curtis Preston:

Uh, and they were like, basically the GDPR, you know, the commission basically

W. Curtis Preston:

said you clearly didn't even try.

W. Curtis Preston:

Right?

W. Curtis Preston:

You clearly.

W. Curtis Preston:

You, you never even heard of the concept of least privilege.

W. Curtis Preston:

Uh, we, you know, we find you guilty and, and, and fine them.

W. Curtis Preston:

I dunno, it's a couple hundred million dollars or something.

W. Curtis Preston:

Uh, Prasanna, can you think of, um, a another, so Zach was

W. Curtis Preston:

saying that, uh, make sure to.

W. Curtis Preston:

Uh, make sure that your cloud services are secured or properly

W. Curtis Preston:

configured for security.

Prasanna Malaiyandi:

Make sure to back it up.

W. Curtis Preston:

add to that?

W. Curtis Preston:

Yeah,

Prasanna Malaiyandi:

Make sure to back it up exactly because like Microsoft

Prasanna Malaiyandi:

365 or Google Workspace, right?

Prasanna Malaiyandi:

They don't care about restoring and recovering your environment

Prasanna Malaiyandi:

to a well-known point.

Prasanna Malaiyandi:

All they care about is making sure their service is up to date, keeping recovery

Prasanna Malaiyandi:

copies to make sure that, but they don't have those copies for your benefit,

W. Curtis Preston:

Yeah, this Zach, the, the, the thing of, you know, and

W. Curtis Preston:

I think in the security world, we're like, uh, you know, MFA is like, man,

W. Curtis Preston:

if you don't have MFA at this point, I, I don't even know what to tell you.

W. Curtis Preston:

Right.

W. Curtis Preston:

Uh, in, in the backup world, this is one of those things where it's

W. Curtis Preston:

like, I, I, I don't know what to tell you if you think that Microsoft

W. Curtis Preston:

is backing up your data, right?

W. Curtis Preston:

Um, and I, I don't care what your, your TAM said to you, your,

W. Curtis Preston:

your technical account manager.

W. Curtis Preston:

I don't care what you read on some blog somewhere.

W. Curtis Preston:

Please go grab your service agreement.

W. Curtis Preston:

And find the word backup and and recovery in there anywhere.

W. Curtis Preston:

Cuz it, cuz it isn't there.

W. Curtis Preston:

Right.

W. Curtis Preston:

Uh, and also look up, uh, Microsoft has what they call the shared

W. Curtis Preston:

responsibility model and Prasanna.

W. Curtis Preston:

They're not the only ones with that are they?

W. Curtis Preston:

Or is that just, that's not just their term,

Prasanna Malaiyandi:

that's not just

W. Curtis Preston:

So basically they show that they're responsible

W. Curtis Preston:

for the infrastructure and the availability of the service.

W. Curtis Preston:

And they're like data.

W. Curtis Preston:

You right?

W. Curtis Preston:

100% the customer.

W. Curtis Preston:

And still I have people that go, I don't think I need to back

W. Curtis Preston:

up these important services.

W. Curtis Preston:

I think that's gonna be, um, uh, the next sort of frontier.

W. Curtis Preston:

It already is starting to be, they're starting to go after services like

W. Curtis Preston:

365 from a ransomware perspective.

W. Curtis Preston:

And I think at some point, hopefully in the next.

W. Curtis Preston:

Few years, people will start realizing once enough companies lose everything,

W. Curtis Preston:

uh, or are forced to pay a ransom to get their, um, important communi, you

W. Curtis Preston:

know, company communications back from their SaaS provider, uh, once somebody

W. Curtis Preston:

loses, you know, everything they've ever put into Salesforce, right.

W. Curtis Preston:

Um, and, and they're, they're forced to pay a ransom to get it back.

W. Curtis Preston:

Um, maybe this will get better.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

What?

W. Curtis Preston:

What do you think Zach?

Zach Fuller:

Yeah, well, yeah, absolutely.

Zach Fuller:

I think, I think there's more and more enforcement of that as well.

Zach Fuller:

So you look at just, um, getting.

Zach Fuller:

In a cyber insurance policy these days, for example, they're, they're

Zach Fuller:

putting you through the wringer, and that's one of the key factors that

Zach Fuller:

you're gonna need to have, right.

Zach Fuller:

Is, is a backup system that's separate from your production environment

Zach Fuller:

where everybody's working now?

Zach Fuller:

Uh, yeah.

Zach Fuller:

I, I think we're gonna see that.

Zach Fuller:

We're also gonna see.

Zach Fuller:

Um, these different regulations that are coming at, it's a compliance requirement

Zach Fuller:

of the week coming up at this point, but, um, yeah, they're, they are absolutely

Zach Fuller:

enforcing more and more of these controls with that being one of them, because,

Zach Fuller:

I mean, I think especially because of ransomware, that's what everybody I.

Zach Fuller:

Thinks about, but I mean, there's just a, there's a common everyday

Zach Fuller:

business use case for it.

Zach Fuller:

You know, it could be the malicious employee that wipes a

Zach Fuller:

bunch of stuff before they leave.

Zach Fuller:

It could be somebody just unknowingly overwrites a bunch of files with

Zach Fuller:

old data and, and just having quick access to get that back.

Zach Fuller:

So it, it's not, it doesn't take a ransomware attack to

Zach Fuller:

have a reason to have a backup.

Zach Fuller:

It's, um, there, there are lots and lots of use cases, or we talked a little

Zach Fuller:

bit about das Disaster recovery before.

Zach Fuller:

Um, that, you know, there's obvious implications there.

Zach Fuller:

So, um, I, I think, I think that's a big piece of it for sure.

W. Curtis Preston:

Preach it, Zach.

W. Curtis Preston:

Um, I could, I could think, uh, so I used to administer, um, a

W. Curtis Preston:

pretty large Salesforce environment and I remember one time I.

W. Curtis Preston:

Uh, where what I was trying to do was I was trying to format, so I'm pretty

W. Curtis Preston:

good with like text manipulation.

W. Curtis Preston:

Being an old Unix guy, I was pretty good at that.

W. Curtis Preston:

And I downloaded, um, the entire database, which was like, I don't know, a couple

W. Curtis Preston:

million records and I went and did my Unix magic on the, uh, phone field.

W. Curtis Preston:

I was good at text manipulation, I was bad at Excel, and so I sorted, I.

W. Curtis Preston:

The spreadsheet, but I didn't sort the whole spreadsheet.

W. Curtis Preston:

I just sorted like the phone numbers and I, which meant that I just

W. Curtis Preston:

scrambled all the phone numbers to.

W. Curtis Preston:

So, and then I uploaded that, uh, and basically in, in, in a matter of a

W. Curtis Preston:

few minutes, I managed to give every contact in our, uh, database, the

W. Curtis Preston:

wrong phone number, some other random person's phone number, and luckily,

W. Curtis Preston:

Uh, I had, uh, this was before I had tried, this is a couple of years ago,

W. Curtis Preston:

I had tried unsuccessfully to find a decent backup service for Salesforce,

W. Curtis Preston:

and so the only thing I could do was like a, you know, an export of that.

W. Curtis Preston:

Um, table.

W. Curtis Preston:

It was the, the, um, the leads table.

W. Curtis Preston:

And so luckily I had, I had saved the download that I had made before I mucked

W. Curtis Preston:

it all up and then I was able to fix it.

W. Curtis Preston:

But that's the kind of thing, like you said, it doesn't take a ransomware case.

W. Curtis Preston:

It could just be a, we'll call it a Curtis.

W. Curtis Preston:

Um,

Zach Fuller:

Well, we, we were talking about humans being the,

Zach Fuller:

the, the weakest link, right?

Zach Fuller:

It's, it's, it's all of us.

Zach Fuller:

You know, it's, it's not, um, it, it's not just, Uh, it's not just people that

Zach Fuller:

ha that are, you know, not technically inclined or, or, or anything like that.

Zach Fuller:

It, it's anybody and everybody.

Zach Fuller:

I mean, we, there's lots of cybersecurity professionals still fall for scams

Zach Fuller:

and different things out there.

Zach Fuller:

I mean, they've, you know, given out data on forums and things like that

Zach Fuller:

on the dark web, you know, it's, it's just, it's crazy what goes on.

Zach Fuller:

But yeah, you're not alone there.

Prasanna Malaiyandi:

Yeah.

Prasanna Malaiyandi:

Or in the case of cur Curtis, instead of calling it the Curtis, maybe we'll

Prasanna Malaiyandi:

call it the overconfident person.

W. Curtis Preston:

You know, it's funny, uh, it's funny, earlier when, when, when

W. Curtis Preston:

Zach was talking about, um, you know, it's, it's the well-meaning person,

W. Curtis Preston:

uh, that just makes a, a, a mistake.

W. Curtis Preston:

I was gonna float the idea of calling that a persona.

W. Curtis Preston:

And see, seeing if we can, you know how like, like nowadays we, we have the term

W. Curtis Preston:

Karen, and that means a specific thing.

W. Curtis Preston:

If we could, I just, it would be really cool if, like, the well-meaning person

W. Curtis Preston:

that manages to screw up everything, if we could just call out a persona.

Zach Fuller:

We'll call him Steve.

Zach Fuller:

Call him Steve.

Zach Fuller:

Is that a, sorry for that, if there's any Steves listening.

W. Curtis Preston:

Yeah, there, there's one or two.

W. Curtis Preston:

I know for a fact.

W. Curtis Preston:

Um, well, Zach, it's been, it's been great having you on.

W. Curtis Preston:

Um, and, um, I wanted to, uh, uh, you know, thanks for the insight

Zach Fuller:

Hey, my pleasure.

Zach Fuller:

Great, great chatting with you both and, um, yeah, looking forward

Zach Fuller:

to doing this again sometime.

W. Curtis Preston:

And Prasanna, uh, great as always.

Prasanna Malaiyandi:

Thank you Curtis and Zach, it was nice to meet you by the way.

Prasanna Malaiyandi:

Uh, if people wanted to sort of get more insights into, or figure

Prasanna Malaiyandi:

out what they should do around cybersecurity, how do they get in

Prasanna Malaiyandi:

touch with you and your company?

Zach Fuller:

Yeah, they can, they can check out.

Zach Fuller:

SilentSector.com is our website.

Zach Fuller:

And then we have our book, Cyber Rants, available on Amazon

Zach Fuller:

and the Cyber Rants podcast.

Zach Fuller:

Um, information across all those, uh, places and, um, you know,

Zach Fuller:

feel free to reach out anytime and uh, on LinkedIn as well.

W. Curtis Preston:

I'll put a link to, I'll put a link to my

W. Curtis Preston:

episode in the, uh, cuz I know I was a guest there at one point.

W. Curtis Preston:

I'll put a link to my episode in our, in our show notes cuz, cuz our

W. Curtis Preston:

people, they just want to hear me talk.

W. Curtis Preston:

All right.

W. Curtis Preston:

Well, you know, speaking of people that just want to hear me talk, uh,

W. Curtis Preston:

I want to thank you to our listeners.

W. Curtis Preston:

Uh, you are why we do this, and remember to subscribe so