Alright. I think we're live, Tony. Welcome to another episode of unhacked. Tony, thanks for being here. Thank you for having me.
Speaker 1:Good to see you. Appreciate it.
Speaker 2:Alright. Well, guys, I'm I'm here with Tony Ruchi. Now I was introduced to Tony through one of my vendors, and I just asked him. I'm I'm looking for people to come on here and, honestly, what I do so, Tony, just a little background on this podcast. I you mentioned when we were talking beforehand about sleeping at night.
Speaker 2:I don't sleep well at night because my job is making sure people stay in business through protecting their their computers or data, their personal information from cyberattacks, and then also, as you pointed out, you know, fixing printers in the middle of the night too. So right. Anyway, so it's this this job is it's intense. It's there's never a dull moment. And because so much is on the line, I love to have people checking my work.
Speaker 2:I believe we all have major blind spots. And so while I will go out to my clients and call myself a cybersecurity expert and I can look them in the eye, and I can say that, and I can be comfortable with it. I still want guys like you looking over my shoulder. Right? So that's that's why you're here.
Speaker 2:I really appreciate you being here. And just as a quick introduction, guys, Tony is, and, I mean, some of this stuff I'm looking at and just thinking, damn, I am not a cybersecurity expert, because, this is pretty impressive stuff. Counterintelligence special agent and US army warrant officer with more than 39 years of technical security experience. So I can't claim most of that. That that's pretty impressive stuff.
Speaker 2:You've been involved in, private and public government sector. Right? Right. So tell me a little bit, one of the things you mentioned is that you do penetration testing, which we also call pen testing. I imagine that if I was to talk to pretty much any of my clients and say, hey.
Speaker 2:Would you like us to run a pen test on your network? They're gonna look at me and just say, how much does that cost? Because they don't even know what else I'm saying. So can you just tell us a little bit about what a pen test is? Because that
Speaker 1:that's kinda your focus. Right? Isn't that mostly what you do? Yeah. It is.
Speaker 1:It it's really split right down the middle. We do the proactive security solutions
Speaker 2:Okay.
Speaker 1:Which involve the penetration testing and vulnerability assessments as well as the, you know, incident response. When things go sideways for somebody and they get compromised, whether it's a data breach or leak or, ransomware is is kind of the the, you know, the most popular, familiar term with a lot of folks these days. You can't turn the news off. So we we respond to those types of incidents as well.
Speaker 2:Okay. So you're doing incident response, which probably is less fun than a penetration test, I would guess. Is that correct?
Speaker 1:It is. Because it's it's very, in a lot of cases, very disorganized, and it's triaging up on the front end. You're really just trying to understand the landscape because in most cases, it's somebody that I've not worked with in the past. And a lot of our businesses' word-of-mouth. Somebody just calls you up and says, you know, go get on a plane.
Speaker 1:Have one of your guys get on a plane and, you know, either show up or we're gonna send you hard drives, that kind of thing. And No.
Speaker 2:Fun. Yeah. So so kind of the the reason for this podcast I I mean, there I have a lot of reasons that I'll probably talk about, but, one thing is that I I like my clients to understand that, you know, because you're talking about incident response. You can go in. You can, and try to dig them out of the hole that they're in.
Speaker 2:But it's, I think, we can all easily agree that, it's much better to prevent this stuff. Right? Absolutely. So incident response, this is this is nightmare. This is worst case scenario that you're you're dragged into.
Speaker 2:You don't have a lot of information. Nobody wants to be in that situation. The the title here, I call it unhacked, and what I what I'll say, the longer version of the title is most and I'll I'll put 97% on there. That's kind of the number that I've found to be accurate. But 97% of breaches were preventable with basic security measures in place.
Speaker 2:But once you get hit, you cannot get unhacked. And so the unhacked title is kind of a, maybe even a misnomer, or or a false lead in because we're not gonna talk about how to get unhacked because I personally don't think you can. I mean, at 1 right? When you when you go in and do these incident responses, you're not coming out a 100% the way you went in. Right?
Speaker 2:Isn't the client like, they're they there was loss. There is major loss, major damage. Correct?
Speaker 1:There's always something in the background there. There's always that question, Mark. You're never gonna be back to what you might consider a 100% if you were ever there. And Right. You you seldom have, you know, a 100% data recovery in those instances.
Speaker 1:It's it's, you know, you got yourself back in functional operational. You've recovered 80% of your data because, you know, recoveries don't necessarily work out as planned Right. If they even have them, where they have to rebuild or, rebuild that data. And if they paid the attackers and decrypted the data, a lot of times, there's some corrupt data down that chain somewhere where they still don't get it all. And it it you hate to use that answer of it depends.
Speaker 1:You know, there's always that it depends. Yeah. That's that's just an IT, you know, standard lie in a lot of cases, but it's very, very true there. And, you know, one of the big questions is, alright, after we get done and we and we button down, you know, all the hatches and we lock this all down, The I like your term because a lot of people say or the commissioners or whoever might be, you know, do we're gonna be unhackable. Right?
Speaker 1:I says, oh, no. Yeah. You might get compromised tomorrow night. Right. But you're gonna be in a better, you know, sense of recovery.
Speaker 1:You're gonna have a better methodology. And Yeah. There there's so many different ways that it goes sideways beyond the initial hack, or breach itself. Their recovery strategy, if they have one, their incident response plan, who they bring in, their transparency to their clients, the public. If they're a public entity, you know, and they have to have public disclosure meetings and, you know, are they transparent?
Speaker 1:You always hear the, you know, yeah, it's just a couple hundred emails, and that's all it was and no private data, no PII, and you go, woah. First report's always wrong. Wait wait a couple weeks. They do a little bit more diving, and then it's, oh, okay. Well, we give you an update.
Speaker 1:It's 1,500,000 accounts and passwords and credit cards and everything, you know, is out the window. You go, ah, there you go. Now we're pregnant. Right.
Speaker 2:Yeah. Yeah. So, I mean, it's that that's kind of the line that I run with is it's you can't get on once this happens, like, just it it's a mess. It's a nightmare. And if nothing else, you're losing, emotional energy, like, the the drain.
Speaker 2:I I'm sure you could tell stories about how, I was I opened this with talking about not being able to sleep for fears and worries, but, man, when you're in the trenches, that's a whole different story. Now you're really not sleeping. Right? Because you don't even know if you're coming back.
Speaker 1:There's no sleeping during
Speaker 2:Yeah.
Speaker 1:Triage and, you know, rants to where we create. I I tell this story to a lot of the folks when I'm, you know, kinda doing intros or something like that. And and we're talking they're always talking about the up tempo and the craziness, the chaos in the storm of of recovery from ransomware. And I'll fly out across country, you know, responding, and a couple of us will converge on a site. We show up out there after flying all day, and we go straight to work and start cracking gear open, and we start, triaging.
Speaker 1:And then, you know, the host IT guys, they'll start packing up in in 4 o'clock. And I'm going, what where are you guys going? No. No. We're gonna go to dinner.
Speaker 1:And, my wife's making lasagna tonight, and I go, what are you do ordering pizza or something there? There's no and he was like, yeah. I've been here since 6 AM, so I've already put in my 10 day 10 hour they're not gonna do overtime. I said, there's no sleep during ransomware. You know?
Speaker 1:We're here for about 3 or 4 days before anybody's going to a hotel. I don't even check in, man.
Speaker 2:Yeah. Yeah. Just just nightmarish.
Speaker 1:Makes you feel bad when you care more about their network than they do in a lot of cases.
Speaker 2:That's a tough, yeah, that's a tough situation to be in. I I kinda have a personal philosophy that I can't care about your stuff more than you do. Yeah. However, in this case, it actually turns out to be the other way around. So, okay.
Speaker 2:So this is what we wanna avoid. Right? This is my whole mission in life is to get people like, never let them get to that situation. I know that's not a 100%. You can't do it a 100%.
Speaker 2:We could come pretty damn close. Yeah. We can we can do a lot of things to prevent this from happening. And one of the things you do is the penetration test. So tell me, let's do layman terms right now, and I may, you know, pride you for a little bit more details.
Speaker 2:But if you were just talking to somebody who knows nothing about technology, what is a penetration test?
Speaker 1:In in very raw terms, it's trying to break into that business network. I I'm I'll caveat things. I don't do, you know, residential work. When people call me at their house and say, hey, can you come break into my home network or can you come provide consulting my home network? They don't wanna pay business prices, you know.
Speaker 1:They wanna pay her $20 an hour like the guy down the brake fix shop down down the road. But, you know, we we focus on emulating the most realistic adversary for their business, sector. You know, if somebody were a competitor or somebody wanted to take your your network down, how would they do it and, you know, where would they get information to be able to compromise? So we we take it from that macro to micro. What kind of information is is out there about that organization or that company that is in public domain, data leaks, website misconfigurations, those basic things, and use that as we collapse in, you know, the wireless inspection, looking for crosstalk between, you know, can somebody connect up to your guest wireless and see your production, your business network inside?
Speaker 1:And and then we look at the business network itself from the inside out. And so it's really looking at the vulnerabilities that are there. What are the broadcast? What are what are the the very clear telltale signs? And then the business process themselves, the policies, procedures.
Speaker 1:Do you have a resilient backup strategy? Are you using multifactor authentication? Do you have default credentials on your on your network appliances and everything connected? Usually, printers are answer is yes. And, you know, are you updating, patching?
Speaker 1:You know, and do you have a methodical incident response plan in place? If it does go sideways at some point, it might. And, you know, it's either you or your business partners or somebody you're you're vending with, it goes sideways. You've gotta have that process in place that makes life a lot easier, and so we help them all the way down that road. So it's it's some companies will say, we want you to come in brute force.
Speaker 1:Just take us down. Act like you're the Russians and and come at us. You know, we got new firewalls up there. I says, man, you don't want that. Yeah.
Speaker 1:Yeah. It'll be a 30 minute job and will be died and your network will be broke. And so, you know, so there's a there's a lot of ways you can really stage that, and we even call them for a lot of organizations that we know they don't have a lot of resiliency, we call them passive network assessments. We identify that vulnerability, and instead of attacking it and proving to them that we can break their their firewall, you know, process down, we snapshot it and, you know, demonstrate to them, you know, here's here's what we found. Here's why you should care because here's some known threats and proof of concept exactly.
Speaker 1:We can peel it off and do it in a virtual machine for them and and, you know, demonstrate the exploit. Okay. And, you know, here's how I would remediate it if it were in MyStat, and then we provide them the technical references for, you know, for their IT folks there and, you know, click. Here's how you reconfigure your firewall. You've got old, you know, configuration on it.
Speaker 1:Here's how you can, you know, build whitelisting, blacklisting, that kind of thing in there.
Speaker 2:Okay. Perfect. So, give me an example. So my client base is where we we handle a lot of smaller clients, so usually a 100 computers and lower. Do you work in that space as well?
Speaker 2:Are you more on the, like, larger, you know, employees?
Speaker 1:It it varies because I do a lot of, state, Right. Level, entities, for the insurance communities, the insurance pools. And so they're the people who are paying for cyber liability coverage, and so we evaluate the risk for them for the Okay. For the insurance pools. And so we're doing the penetration testing or or in a lot of those cases, the passive network assessment because they are those smaller, small townships and counties where they may only have 50 computers in their entire space, and they got one domain controller, if they even have a domain controller.
Speaker 1:So they may be just running it like a home network in a lot of cases. So Right.
Speaker 2:Would have
Speaker 1:come at it with, you know, exploits on them, running exploits, it would take them down. Now we've just taken some small city who probably doesn't even have an IT, person on staff, you know, they're they're they outsource everything to the local guy. So we do that for the that small and medium size, although we do. I just finished one up, last week where we had, you know, little over 5,000 machines in their environment. And so, you know, a little bit richer environment there with more resiliency built in.
Speaker 2:If, let's say I brought somebody to you that had what's called a 75 workstation, 75 users. Yeah. And and I don't know. Let's let's make it a law firm just for fun. Can you give me just a basic idea on, you know, how long would it take you to run one of these pen tests, and what would somebody expect to pay for that?
Speaker 2:Is that something you're comfortable sharing?
Speaker 1:Yeah. Yeah. The the pay I'll I'll caveat everything I say on the the price range because it depends. Sure. You are in the country.
Speaker 1:You know? Okay. And Atlanta or a DC for that same size, scope, and complexity is gonna be a whole lot different than rural Tennessee. Gotcha. Yeah.
Speaker 1:You know, out here where I'm at in the country. So it's it's a whole different ballpark. And the same thing with incident response. If I go to Chicago for incident response, their you know, the the hourly rate on that is a lot different than, you know, somebody sending me a hard drive and and me going through it,
Speaker 2:that type. Yeah.
Speaker 1:Yeah. But with regards to the pen test, the window on that is usually a 3 week window. And and, you know, from where we start and our our kickoff date, we'll have a kickoff meeting usually the Friday before we start that Monday. And that first Monday through Friday is what we call the OSINT, basically open source intelligence collection. What can I learn about you as an organization and all the disclosure and the data?
Speaker 1:What we if a bad guy were driving by and happened to see something about your organization, and he decides, hey, I'm gonna target them. What can I develop that's gonna help me along the way to gain access and compromise your organization? And and then that starting up that second week is, you know, showing up on-site, either flying out there, driving out there. And then for a lot of these small and mediums, it's, you know, for a 100 machines, I mean, that's a day, day and a half maybe on-site. But a lot most times, it's 2 to 3 days on-site for those small and mediums.
Speaker 1:And, you know, we'll do the wireless inspection, do a wireless heat map to help them with their there's some things that aren't really, you know, necessarily security, really, but it's just we're there. We've got the ability to do it, and why not help them, you know, tighten up their security, but help them do some distribution of their of their wireless signal. And everybody's always complaining about, you know, crappy wireless where where you're at. Right. And and then, you know, looking at that crosstalk, that's the important thing for us between your wireless and your, terrestrial network and private wireless.
Speaker 1:You might you might have a really nice, tight, and and disciplined network. But if you've got you feel like you need to have guest wireless out there, you're and you're just wide open, and I can connect up from the parking lot and then see your, you know, your your mission systems in there, it's game over for
Speaker 2:you. Right.
Speaker 1:And, you know, so we see that. And then we look for rogues, the, you know, unintended, kind of the, shadow IT type of stuff. You know, somebody just put a a wireless access point in there because they don't wanna sit at their desk. They wanna sit out towards the window and what you know, whatever. Yep.
Speaker 1:So that type of thing. But that's the you know, that week. And then when we leave, we take another week to do all the report writing and production of the deliverable. And then we also provide a little bit different than some of the companies that I I know and deal with. We give them all the raw traffic.
Speaker 1:So as we're doing all the scanning, we give them all of that in a in a package. In case they are doing any monitoring or they have any interest in being able to kinda cross correlate any of that data with their systems. That way they can look and see, hey, when, you know, on this date and time, there was an IP that was, you know, external, and it was scanning, oh, that was you, you know, on that week when we were doing that that early collection, that type of thing. So we give them all that, and then we give them all those reports. And we follow up with them about a week later to to have the formal out brief.
Speaker 1:But we really close that window, you know, on that deliverable. That's the 3 week window.
Speaker 2:Okay.
Speaker 1:And then we go through that the out brief with them. We do a Zoom call a lot of cases because we're already back and and, walk through the may master report with them and address any questions they've had, you know, as they got chance to look at it themselves. And, you know, in that, it's got the remediation strategy. So if they're not able to handle the remediation strategy themselves, then that, you know, becomes either follow on work or making referrals said, hey, you know, call call Justin and his guys. They're down the road.
Speaker 1:They're local to you, and they can, you know, probably put some bandwidth on it. High and
Speaker 2:low, what what does this something like this cost? This sounds pretty expensive.
Speaker 1:No. It it it really isn't in in the grand scheme of things when you think about it in terms relative of what's it gonna cost for, you know, is there a response?
Speaker 2:Correct.
Speaker 1:So so the reality is, you know, for, you know, a 100 machines, I mean, it may be, and depending on where you're at regionally, it's it's between 5 and 10 k for something like that. And and, you know, even up to, you know, a 1000 machines in a lot of cases, I mean, we're still right about capping out at the 10 k mark.
Speaker 2:That's actually way less than I thought.
Speaker 1:You start running into the the the gov space and, you know, having to deal with all these RFPs, and they you generate a lot of paperwork ahead of time. In the commercial market, it's, you know, hey. We have a cup of coffee. You want a pen test? Yeah.
Speaker 1:Here's who we are. Check us out. And, you know, tomorrow, we've got a 3 page contract drawn up, you know, that lawyers are all in agreement with, and, you know, we put you on a calendar kind of thing. Yeah. So it's it's I I love that commercial work, and then there's that the gov community.
Speaker 1:You know, it's just, you know, you gotta go out and get 400 quotes and all that stuff and
Speaker 2:Right.
Speaker 1:I'm consuming process.
Speaker 2:Yeah. Yeah. For sure. Okay. Well, I think that gives us enough of an intro.
Speaker 2:Let's dig in. You you gave me a couple of good case studies, and this is really my favorite part because, one of the frustrations in my job is, like, I need to learn from other people so that I can prevent this stuff from happening. But short of being in the trenches and and being involved in these incident responses, which, you know, I I try to prevent them so I don't get there a lot of times, it's hard for me to learn from other people's mistakes because this stuff well, I mean, like, if I get hit, I'm hiding that shit from people. I'm not gonna go and publish it. I'm not gonna tell people what right?
Speaker 2:I mean, at least this is kind of the the general atmosphere of IT and cybersecurity. It's embarrassing, and and it's a shaming environment if if something goes wrong. It's not like, you know, somebody breaks into my house and, like, beats up my family and steals my stuff. Man, I'm a victim, and people come blocking to support. No.
Speaker 2:Poor Justin. Like, how can we help you? But if my business gets broken into by Russian hackers, I'm an idiot. Like, what how did you not see this coming? How did you not prevent it?
Speaker 2:What were you doing wrong? Right? So it's it's just this really weird environment, and then it makes it hard for us as IT consultants and cybersecurity specialists, short of being involved in those incident response plans or processes, it makes it hard for us to learn from from these situations. So that's what I love to dig into on the podcast is actual real world cases. What went wrong?
Speaker 2:How could it have been prevented? What was the damage done? You know, what toll it'd take? Stuff like that. So, if if we could start with you've got one about a fire department, and I'm just gonna let you roll with it.
Speaker 2:I'll probably ask questions, but tell me that story.
Speaker 1:Yeah. So, you know, spot on with where where you're talking about, you lose a lot of credibility and industry credibility no matter where you are, who what your business space is. That's the the big challenge. There are a lot of requirements these days for reporting, depending on where you're at in the gov space or the or even private sector now. Especially if you're in the financial space, you've got some SEC record reporting requirements as well.
Speaker 1:But that is the challenge that wasn't there, you know, 5, 10 years ago in a lot of cases. And so Right. You know, when people ask for references for pen tests, it's easy to give those because people are okay. Hey. Yeah.
Speaker 1:We we've got, you know, we got another look. We got another set of eyes looking at us. But if they say, hey. Can you give me a reference for somebody that you dealt with with ransomware? And I said, well, I'll ask a few and ask them if they are okay with making the connection.
Speaker 1:But in most cases, you know, that's not something they're putting on their website, you know, other than their public disclosure if they had to, you know, mandatory. Nobody's putting that on there. Call us up. We'll tell you about who helped us out, you know, and they're not doing that.
Speaker 2:No. Nobody wants to admit
Speaker 1:it. Yeah. So with with the fire department, this is a case that that took place back in, last quarter of last year. And, you you know, everybody thinks and and recognizes ransomware and, you know, you can't turn the news on without hearing about data breach. It automatically goes to ransomware.
Speaker 1:But we all get these emails and Yeah. That's shifting. Right?
Speaker 2:More to Ransomware is shifting to BEC, which is I think where you're going. Right? The business
Speaker 1:is Absolutely. BEC is just long past ransomware. Right. I think it's something like $22,000,000,000, or 2 in the 2,000,000,000 I'm sorry. 2,000,000,000, last year alone, where ransomware was, you know, nowhere near that number, you know, in the in the United States.
Speaker 2:I mean, well, because and here's my theory on why. I'll go to a a prospect and say, hey. We wanna come in and and protect your network and protect your data, and they'll look me square in the eye and say, I don't have anything to protect. Yeah. I don't have anything for them to come after.
Speaker 2:Because in a ransomware attack, maybe they're act maybe they're true. Maybe they just really don't know what they're talking about, and they do have. But now my counter question is, do you have a bank account? Yeah. Because that's what they're coming after.
Speaker 2:Right? That's what these BEC attacks are all about. So that's that's what happened in the fire department. Right? Was,
Speaker 1:an email. You should agree. It's it's email compromise and, you know, the fake invoices, you know, is right. They may not compromise your network and your email may not be compromised, but somebody that you're doing business with was compromised. And now I see this vendor that is you know, their email was not protected with 2 factor authentication. And so it's pretty easy these days when you see those data leaks out there.
Speaker 1:Their password is leaked somewhere where they've signed up for services, and it's leaked in clear text, pick the company, they're dumped a few times a year in a lot of cases. And so your vendor, for in this case, for fire department equipment sales, they do all kinds of sales to the fire and health care and the whole 9 yards. They've got all these these clients. And so now you're one of those clients, and these the fire department that we're dealing with was. And they're used to getting invoices from them, so their accounts payable folks know what the invoices look like, and they see them regularly, and here's just another invoice. They spent, you know, a 160,000 plus on, some equipment, and here comes an invoice in.
Speaker 1:And it's a regular invoice, and it's from the legit vendor. And they look at it and file it, you know, as they put it in the queue. And the attacker is watching this, and they say, hey. We just saw an invoice go out, and they're waiting on that strategic moment. Usually, it's a couple days before payroll or, you know, end of month or mid month when they send invoices out.
Speaker 1:And now they've watched that vendor send it to the target, the fire department. And so they went out right away, and they started registering domains that were similar to the vendor and similar to the target. And real quick, let me let
Speaker 2:me and you I apologize. You may have already said this, but you said they're watching. How are they did you already say how they're watching?
Speaker 1:If you Yeah. So they're they're in the vendor's email. Right? And so then
Speaker 2:oh, that's right. You started with that. They've compromised the vendor's email.
Speaker 1:Yeah. And if you think about this, you can log in to your email from your phone, your iPad, and a couple different computers. So they're doing that. They're logging in to their Outlook from from a web base. Right?
Speaker 1:OWA. And they're just sitting back. They're not doing any English. They're just watching for the good email. I mean, there you go.
Speaker 1:Yeah. And, and and there's one that's, you know, close to a couple hundred $1,000, and we're gonna make a little money off of this. And what they'll do is they've got their processes already in place to pay it. And right before payday, they'll send, you know, another email or something and say, hey. I'm gonna or if they say, I'm gonna change our our billing process.
Speaker 1:We're going from ACH to wired, transactions now or vice versa. We're gonna give you different routing numbers. A lot of cases, they won't even think about it. This is where that policy procedure comes in place. If anybody changes your billing process, accounts payable folks, they're the high value target, you know, they should be on the phone with them.
Speaker 1:They go, hey, Justin. You know, you and I have been working together for several years, and how are we why are we changing this now? What's the deal? And then, you know, it just forces that known person to talk to a known person with a known voice and and, confirm it. And if it's legit, it's legit.
Speaker 1:These cases, it's seldom legit, and they'll put that pressure. Hey. We're running. You know, we're trying to get this invoice paid. It's back due, you know, 30 days or or, you know, overdue for however long it is, especially if they they know that, you know, through their OSINT, collection that they've got a new accounts payable person
Speaker 2:on
Speaker 1:their on their staff because they posted out on LinkedIn, so glad to start working for this company. Hey. Look at my badge, and look at all the good tchotchkes they gave me when I checked in. And now I got a picture of their badge even if I wanted physical access. But to to bring it back is, you know, they send them that hasty email, and we need to get this paid by 3 o'clock, almost textbook.
Speaker 1:That should be the big red flag. And so they go through and they they, commit that wire, transaction. And ACH, just for sense of discussion piece, ACH is not quite as concerning in a lot of these cases as wire fraud or wire transactions. ACH is is much easier
Speaker 2:to be pulled back. What's the time frame on an ACH? How how much time do you have to pull that back?
Speaker 1:ACH is usually a couple of weeks. Oh, really? Okay. In that window. Yeah.
Speaker 1:Wire why do they ask you they ask you 15 different ways. You know? It's new. You sure these routing numbers are correct? Yep.
Speaker 1:You're not being coerced, and there's no duress. And they're asking, yes. Yes. Just just send me send the dang money. You know?
Speaker 1:And, they're they're very cautious about it. Once they click it, it's gone. And and mostly the window for for, wired transaction is 48 hours. And if you are able to stumble back and and catch it in time and then you reach out to your financial institution, then, you know, you've got a much better chance. But after that 48 hour window I've been doing this a long time, and I've only had 2 cases in probably the last 15 years alone where we were able to get any money back on wired transaction after, you know, a a week long window type.
Speaker 2:I'm surprised it's 48 hours. I I thought it was more like 24, and even then, I wasn't sure. So that's that's actually better news than I thought, honestly. Yeah. I just real quick.
Speaker 2:FDIC is not helping anybody. Right? Like No. They're not. No.
Speaker 2:That's a misconception.
Speaker 1:Yeah. Yeah. And they'll take a record of it. Yep. Sure.
Speaker 1:Okay. And that's really it. And, you know, the Secret Service and FBI, they've got the ic3.gov reporting. You report through there, then the local agent will reach out, and they'll pass it off to the Secret Service because they've got financial transaction leads and stuff like that. But in a lot of cases, they've really not been productive until just the last year or 2.
Speaker 1:And they've got the RAT team with the FBI. Was it remote access team, I think they call it? What a weird acronym. Right? RAT.
Speaker 2:Yeah. No
Speaker 1:problem. But it's actually a recovery asset team, and they've actually had some really good success, and they've made some great relationships, you know, through all their contacts and effort in the last few years. But in this case in particular, the one benefit was, you know, so they paid out this $160,000 invoice, which ended up being fraudulent. So they wire it to the new bank. The account was stood up yesterday, and all of a sudden, money is being transacted into that account.
Speaker 1:Fortunate for them, the financial institution that it was transacted to had been hit with wire fraud in the recent months. So they're on high alert for any of those indicators, and they've got their own tags that they watch. And so they kind of delayed that money because they had instructions. As soon as that money hit the bank and that account, they were supposed to forward it to another institution, and that becomes another secondary flag. And it's like, alright.
Speaker 1:These are all kinda lining up now. And so they stall things, and now that worked to their benefit in this. Right. And so fast forward now, a few weeks later, the institution gets a real invoice again, and they're contacted by the vendor saying, hey. You know, we're still waiting on that invoice.
Speaker 1:They go, I already paid that invoice.
Speaker 2:Oh, no.
Speaker 1:And then they're going, wait a minute. And so now they're all on the phone with each other. And the weird thing is, in this case, and this was I've only worked one case where they've had the phone call on this, and I'm hearing this is more and more common. On that change of invoice, they put contact information, a different phone number, and they spoofed the phone number and everything on there. And they used the same name as the point of contact at the vendor, and they did call them.
Speaker 1:And they had a conversation with who they thought was the Yeah. vendor itself. Yeah. And so that helped reassure them that this is legit. That's taking it to the next level, and I've gotta give them props for that, on that piece.
Speaker 1:But what I've seen and I've heard is that in some of these other cases, when they reach back out and they say, you know, we've got a policy in place. We need to check it out. They're calling the number that's provided on the invoice or the email, and they're calling, you know, Spiffy in the bad guy's office Yeah. who's answering the phone, you know, as the vendor. This is what I tell them: you go back to your own contact list and you call your known Right.
Speaker 1:vendor on their known business card, that number that you've already got.
Speaker 2:I make sure people if there's even whether it's a change, like you're pointing out, which is a huge red flag, a change in billing information, or it's a first contact. Like, hey. Here's how to pay. I tell people to never call from the invoice that they give you. Reach out and do it, like, if you got the information through email, then don't respond through email.
Speaker 2:Go through another media type or another communication type. Like, phone, text, whatever. If it came in through the whatever. Just use a different avenue of verification
Speaker 1:Yeah.
Speaker 2:And find that contact information somewhere else.
Speaker 1:Yeah. So it's that verification piece of it. Yeah.
Speaker 2:Right. Right.
Speaker 1:That saves you a whole lot of heartache in the end. And once you wrap your head around that, then it makes it a lot easier. The other thing that they did, which was a little bit different, was they had, you know, determined a bunch of other companies around that area that the vendor was dealing with, and they found a health care company close by, and they saw communications between all three of them by looking through their email. So they went to a domain registrar again. This is I think they were using Iceland the whole time, or overseas, the same one.
Speaker 1:And they stood up a domain that was close to this health care vendor, made it look a lot like theirs. You know, you could easily change an I to an l and, you know, do everything in caps, and it looks pretty close. Or a 1 and an l, and people don't catch it all the time, or 2 v's, that kind of thing, for a w. Well, they sent an invoice from, you know, a spoofed invoice from the victim to the vendor and or vice versa for the The second vendor? Health care, yeah, over to them for another $40,000, trying to send it to the same bank, trying to make it look like it was the health care people now sending them an invoice.
Speaker 1:And so it started falling apart at that point. And then, you know, when their IT guy reached out to me and said, hey. We've already done some triaging ourselves. We determined that our stuff isn't compromised. We reached out to the vendor, and, of course, the vendor's IT is, no.
Speaker 1:It's not ours. Ours is locked down straight, you know. And it's like, hey. My question, when I asked right off the bat, is do you have 2-factor authentication?
Speaker 1:And not everybody, you know, most do and not everybody. I said, well, then you're kinda pregnant. So, you know, you're either all in or you aren't, kind of thing. And so people who know me, they know I use that weird analogy. It's, you know, you click it and you're pregnant.
Speaker 1:And it's real easy to get pregnant. It's real hard to get unpregnant.
Speaker 2:Yeah.
Speaker 1:And in these cases, trying to determine, you know, exactly who it was, unless you can do forensic analysis. And so now you get lawyers involved and, you know, kind of freezing data. And you get a, you know, a letter issued where they can make sure that they're not overwriting data, you know, a letter of preservation, so that we can, you know, pull forensics if we need to or at least go back to a certain point in time. But in this case here, it was helpful that the bank had had that issue a few months prior. They were on high alert, and we got word about a month later that they received all but about $1500 back.
Speaker 2:I was gonna ask. Okay. So this is a good like, this is a positive outcome situation.
Speaker 1:It was. And I was really surprised because Yeah. quite frankly, they were already making plans to you know, they had filed with their insurance carrier, and they were looking for compensation to be able to make payment on this. And they were out that 160 k. Wow.
Speaker 1:And, you
Speaker 2:know They got it.
Speaker 1:The stars lined up for them. This is a Yeah.
Speaker 2:rare Yeah. You know, not the way it usually happens. But I will point out, though, even if you get the money back, or in a ransomware case, even if you get your data back, you've still lost days, weeks, months of productivity, of billable time, of emotional duress. Like, you can't even function in your normal capacity when you're dealing with something like this. And, yeah,
Speaker 1:I'm getting you. When you're thinking about it as well, okay. Great. We got our money back. Did we determine exactly how they got in and who Right.
Speaker 1:patient 0 was on the compromise? Was it vendor email? Was it your email that they just didn't draw a lot of attention to? You know, maybe they compromised a vendor as a result of you. So you have to go through and do some deep cleaning and Yeah.
Speaker 1:and confirmation. That's why, you know, logging is so important, being able to attribute, you know, where the compromise originated. Because if you just, hey. We'll just go ahead and patch and log it and turn up MFA. That's probably gonna be okay.
Speaker 1:It may have been that you have a printer that's broadcasting open Wi-Fi. I don't care how much MFA you've got in your network. If it's a trusted device, if somebody can sit in the parking lot and sniff your network, it's game over. Well, so here's a
Speaker 2:one of the most interesting points I learned about these cyberattacks is these guys, they're just businesses. And now we're gonna get into another one here shortly where it wasn't, and it was a lot of times we think that these hackers are, like, you know, some 30 year old dude in his mom's basement in his underwear, you know, eating a bag of potato chips. That's not the case. These guys are they're organized businesses. They they're punching a time clock.
Speaker 2:They've got paid vacation. Like, this is organized, and it's business. They operate on about a 20% profit margin is the last I heard. So, I mean, it's legit in their minds, and they function like any other business does. And one of the key things in business is client acquisition cost is really high.
Speaker 2:So we like repeat customers. Yeah. And so if I can figure out how to get into your network, Tony, I'm coming back for round 2, 3, 4. We see
Speaker 1:it all the time with ransomware cases. They'll leave little artifacts. Not only will they leave a Bitcoin miner in there because they're gonna use your resources. Oh, crap. They've got a lot of horsepower out here.
Speaker 1:We're gonna go ahead and mine some coins in the background, and so you're watching for that outbound traffic as well. And if they found that these people aren't monitoring their network, they don't have a lot of the ERP stuff, and they don't have a lot of endpoint management at all, then they're gonna leave a little value add. They're gonna leave a little time bomb in there that they can trigger at some point and come back 6 months down the road once you've kind of exhaled and relaxed, we're coming back at you. And that's why when, you know, alright. Now that we got everything back up, we're good to go.
Speaker 1:He says, no. No. No. Now you need to carve off your critical data. You need to start popping drives and start rebuilding critical infrastructure.
Speaker 1:That's why the recovery piece of it is so costly, because you can't just patch the OS that they got into and say that you're good, because that backdoor may still lie there. And even if
Speaker 2:it doesn't, they've done all the intel. So you talked about in your pen test, the first thing you do in week 1 is you're just gathering information about people. Yeah. You're learning how to hit them and where to hit them and why and what their emotional trigger points are. Like, that's where a lot of the work is done.
Speaker 2:Yeah. Now they have that, so they're gonna come back and hit you even harder, or at least it's an easier target. Right?
Speaker 1:Yeah. There's Fred in accounting, and he's got 3 other social media accounts out there. He's Mister Social Butterfly, and Right. everywhere he signs up, he uses that same, you know, Summer2023 password, and he just changes the season and the year every year for the last 4 years. I can guarantee I know what his password's gonna be come fall.
Speaker 1:You know, that kind of thing. And so you just lie dormant waiting for him again in those cases, and he becomes that avenue in. And if you don't have that multifactor, I mean, that's not the end-all be-all to anything. No. But it's a huge stop.
Speaker 1:Those are the things that, you know, help you not end up in the breaking news. That's my mantra when you're talking to your clients about being unhacked and that type of thing, you know, and your focus is protecting. That's what we do. It's the same kind of thing. It's all about, you know, the focus is, you don't wanna wake up and be on the breaking news.
Speaker 1:Yeah.
Speaker 2:On the news. Right. Yeah. Yeah. Yeah.
Speaker 2:Yeah. Okay. So let's, let's shift gears a little bit, and let's go over this. The next one you have on there has to do with the school. And sadly, schools are big targets.
Speaker 2:They're I mean, we just see them getting hit over and over. Right?
Speaker 1:Yeah. And it is sad because I deal with a lot of school districts, and they, you know, they vary all over the map. Even small school districts still have a lot of students because at a district level it has, you know, a couple elementary schools, a couple middle schools, maybe a high school, and maybe 5 high schools over a spread region. And so there may be 10, 15,000 students, you know, as a ballpark average in a lot of these districts that we're dealing with. And there's a lot of kids who are pretty tech savvy these days. They've been growing up with, you know, something digital in their hand, and there are kids that are, you know, 3 years, 4 years old, in the shopping cart playing games on there already to keep them busy while you're shopping, and they become very intuitive.
Speaker 1:They learn a lot more than their computer technology teacher, who's usually a math teacher. They kind of gave them an additional duty as, you're the tech teacher. You know?
Speaker 2:Yep.
Speaker 1:And these kids are sitting back in the back. They're hacking. They're building code. And now with ChatGPT, it doesn't take much talent to be able to write code now. You just have to prompt well.
Speaker 1:And so these kids have a lot of capability. But in a lot of cases, the kids just have ill intent. They may not have ability, and that's the case of what I was talking to you about. These kids had a lot of intent, but they didn't have ability. So they didn't know how to surf around on the internet. They know how to get on the dark web.
Speaker 1:And they knew how to go to some of these dark markets that are on the dark web. And it's just like Amazon. If you want to go buy a new backpack, you start talking about the features of your backpack, and you can find it on Amazon or any of those other like services. You can do that on dark markets for pretty much anything. What kind of drug are you after?
Speaker 1:What kind of credit card do you need? Do you know? Do you need Ballad? Do you need overseas? Or here, do you need hacking services?
Speaker 1:And you can hire a hacker, hackers as a service, to perform a ransomware attack or, you know, a wide variety of attacks. Do you need to hack my girlfriend's social media account, you know, so I can get and that's a big question, you know, all the time. Can you hack my girlfriend's Facebook or boyfriend's face
Speaker 2:Wow.
Speaker 1:Yeah. They get blanked out really quick when that's the first question. Hang on here. I got a tech question for you. Like, yeah.
Speaker 1:You did. But in all seriousness, so this was Northeastern United States up there, and it was during COVID. And everybody was working remote, to kinda draw you back to it. Everybody was working remote. Schools were all remote.
Speaker 1:They're homeschooling and the whole 9 yards for that period, but they were all doing everything online.
Speaker 2:Well, unfortunately, when everybody rushed to the remote movement, we took security seriously. Right? No.
Speaker 1:Yeah. That was an afterthought at best. Right? They said, wait a minute. If you think about it, a lot of people went home on Friday.
Speaker 1:Yeah. Look at the dates, and they were told they can't come back into the office on Monday. Everybody's gonna have to be remote. We're not allowed to come in. They're like, oh, my computer's there.
Speaker 1:Go run to Walmart. Go run to Best Buy or wherever, and go buy a laptop, or use your own. Use the one
Speaker 2:that your kids are using.
Speaker 1:Use your own home system. Yeah. And we'll open up RDP and let everybody Yeah. And, you know, we'll figure it out. Well, they didn't do a good job of figuring
Speaker 2:it out. My business blew up. I bet it You know?
Speaker 1:I was on a plane. Me and this one guy were on the plane every Monday out, every Friday back, out of Knoxville Airport. We were the only 2 on these planes, and it was kinda crazy because if you've ever gone through Dallas Fort Worth Airport landing at 10 in the morning and it's a ghost town, nobody was in there, and, you know, I've never been in Dallas without it being a Oh, yeah. Oh, no. It's crazy here.
Speaker 1:Why? It's good every week. And I was like, this is kinda creepy. But you got used to it because it was like, man, I didn't have any delays. I don't think I had a delayed flight that whole time.
Speaker 2:And first class upgrades were easy to come by too.
Speaker 1:Yeah. Yeah. They were always guaranteed then. But all kidding aside, so everybody was working remote. These kids went on to a site.
Speaker 1:I mean, I learned this site at the time. It's called Undermarket 2 on the dark websites out there. And you can get lots of different things out there, and hacking services is one of them. And they reached out to one of the groups, and Hack and Crack was the group. These sites are like social media sites, and it's like Yelp.
Speaker 1:You know, they've got Yelp ratings. They've got the good review ratings. And so they've got the ratings from people who bought their services. So they've got a 9.2 rating. I pulled it up this morning.
Speaker 1:And so they've got a 9.2 rating right now. And so, you know, you're looking for hacking services. That's pretty good. Right? You're
Speaker 2:Oh, wow.
Speaker 1:And so their menu, when you pull it up, was that you could hire them to do a distributed denial of service attack, a DDoS attack, against public-facing servers or a school, you know, website or a specific machine or an address or whatever that might be. And for those not familiar, distributed denial of service, in fact, there's lots of machines that have been compromised throughout the world, and they are just sitting there waiting for a command and control. I have a brain cramp here, but they're waiting for the command to do the signal. Right?
Speaker 2:Yeah. Yeah. An address. Yeah. Apple Cry.
Speaker 2:Let's go.
Speaker 1:It might be a printer. It might be your router. It might be an HVAC. Anything that's Internet connected, cameras, any of that stuff, TVs, and they just shoot traffic towards a specific address. And if you imagine, you see it all the time, like, with concert servers when somebody opens up the window for concert tickets and all of a sudden they crash because they just got overwhelmed.
Speaker 1:Everybody's trying to get on at once. That's what that is. It just denies anybody else that service. And so what these kids did was, for $99, they pooled their money together. And for $99, they bought a distributed denial of service attack for 3 days on their school's servers, on their VPN router, for the period that they were gonna do finals.
Speaker 1:And they were all doing their finals on a certain day, starting that certain day. And they said, well, I'll tell you what, here's a great idea. We'll go ahead and crash our own school server. That way, we can't take our finals. I don't know what their mindset was.
Speaker 1:I mean, that, okay, we'll never have to take finals. Right.
Speaker 2:Well, these are you're talking about teenagers. I mean
Speaker 1:I know. And they're their own worst enemy because Yeah. that's how they were outed, but, well, I'll tell that in a minute. But, anyway, so it worked out as planned the morning of the finals. Everybody was all ready to take the test and get online, and DDoS attack.
Speaker 1:Everything went down. And then phone calls were being made. Other people were on different you know, they were jumping on their own chat channels that they communicate in, their own social media. It was like, servers are down, and they all got notified that they were having an issue with technical difficulties. Please stand by.
Speaker 1:And so for 3 days, they didn't come back up. And then they rescheduled it a few days Right.
Speaker 2:Down the road next week. Nobody thought that through.
Speaker 1:Meanwhile, you know, as teens do, they start coming up with grandiose ideas of, hey. Well, what do you think happened? Oh, I heard it was a hack, and, oh, I didn't hear that. And then, you know, all of a sudden, it was, oh, you know who I think it was, and that became who it was, and it was the wrong person. And people were giving credit to the wrong person in the school, and these kids were on one of the channels that they communicate with in one of their cliques and said, no.
Speaker 1:It wasn't him. And then he told on himself, him and his 3 buddies.
Speaker 2:And Jeez.
Speaker 1:Yeah. You're your own worst enemy. It's ego. I mean yeah. Yeah.
Speaker 1:And so that was really how it played out.
Speaker 2:Yeah.
Speaker 1:And you've got evidence of those logs in the chat channels. And when they, you know, pulled them in to question them, they crumbled and kinda told on themselves with that. But, you know, those are significant crimes. Now the penalties that are associated with those types of crimes in a lot of cases, you know, depend on your record, depend on your history, and those types of things. And so that all plays a factor in there, and a lot of people will argue that the punishment doesn't fit the crime.
Speaker 1:And in the cyber world, it seldom does.
Speaker 2:Right. Right. Well, I mean, usually, it's hard to find these guys. And so if these kids hadn't outed themselves, do you think they would have been caught?
Speaker 1:Probably not, because it was coming from overseas, all the attacks, and they've been pretty successful in some of their attacks. And it's really difficult. Like, when we're monitoring, like, Bitcoin transactions or when we're actually negotiating the discussion with the ransomware gangs for payment, we're trying to negotiate them down. We're recording everything, and we're doing full packet capture, just in case their VPN drops for a millisecond and their IP changes, and then it goes back up.
Speaker 1:If we can catch that millisecond, in a lot of cases, if they're only on a, you know, a single-stage VPN, then maybe we'll have a little bit of luck. And it's, you know, the kid next door kinda thing as opposed to somebody overseas. But as much as, you know, I love my brothers and sisters in the law enforcement community, you know, when you see the DOJ issue, you know, standing warrants for 4, you know, known hackers in North Korea, and they have a big pomp and circumstance, you know, and show of it, you're going, that's all for show, because do you think those 4 are ever gonna, you know, come to Disney or anything like that? Right. And go on vacation for you to arrest them?
Speaker 1:Nobody's gonna extradite them.
Speaker 2:So this is what's terrifying about it, really. Like, you've got, I think earlier, in the earlier days of hacking, you had to have a pretty intense skill set. Right? Yeah. You had to have resources.
Speaker 2:You had to have money. You had to have knowledge. And today, like, what's terrifying about this particular example is we've got children who can go on the dark web. They can buy a service for a whopping $99 that can effectively take down a network. Now in this case, okay.
Speaker 2:Fine. It just pushed the exam back a week. There wasn't a super malicious intent, neither was there a super negative outcome, but it could have been. It could have been much worse, and we've got monkeys with loaded guns out there that need no skill set. They need, like, $100.
Speaker 2:That's it. Yeah. And in
Speaker 1:in a lot of cases, it's absolutely free. You can go out there on the dark web. Right. You could download some of those tools. Sure.
Speaker 1:And they'll literally crash and destroy, corrupt a server. And, you know, now you're paying thousands of dollars in repairs, and you're down for weeks at a time. And, you know, I just came off of a VPN, you know, out of Uganda, and you'll never Right. trace it back to me, you know, at the time So it's untraceable. Right?
Speaker 1:Even if it is traceable.
Speaker 2:Yeah. And even if it's traceable, most of the time it's unenforceable because, like you said, it's not like we're gonna go over to Korea or to Russia and grab these guys. Yeah. A lot of them are paying off their own government. So one of the things I learned about the business model of hacking is that one of their line items on the P&L is protection from their government to do
Speaker 1:these things. Right? And they work very well together. They're better entrepreneurs than we are in the above-ground business community. You know, everybody's so worried about being a competitor in the business community and making sure that they get their own.
Speaker 1:In the underground and the criminal circles, if they don't have an exploit, but they're up against a certain yeah. Hey. There's an updated server that I don't have the exploit for. I've got the 1.0, but I need the 2.0. Oh, I've got that.
Speaker 1:Hey. Let me get that, and I'll give you know, I'll trade you this. Right. And they work together very well. Hey.
Speaker 1:I'll give you 10% of my key. No problem. Then they keep, you know, they share their purse and work very well together because Yeah. you know, depending on where you are in that food chain, you know, the ones who are directing traffic, kind of the shot callers, they've got the folks who are down that food chain, and all their job is to do is to create that connection and, you know, get somebody to bite on that email or whatever that is. And they get paid for every one.
Speaker 1:They're not getting paid for the overall job. And then, you know, it kinda takes a step up and depends on where they are on that ladder. In a lot of cases, I mean, they work so well together. It's scary.
Speaker 2:I mean, the odds are not in our favor in this case. Slate.
Speaker 1:And that's tough because we follow the rules and laws, and they don't have that. And if they're state sponsored, like you said, if they've got the backing of, you know, their own law enforcement or state, they're
Speaker 2:You're not getting them. Reigned. Yeah. Yeah. So my goal, like I said, with this podcast is to educate.
Speaker 2:People aren't gonna be able to fully recover from something if it happens. But what I find in you know, we have to scare people to get them to take action, but I never wanna scare people to the point where they just think all is lost. There's nothing we can do. Why try? And that's the balance that I try to find here.
Speaker 2:And, you know, we've got a couple of cases here. Luckily, that fire department got their money back, but like you pointed out, that's rare. I've personally been involved in 2 BEC attacks with my clients where the money was not recoverable. One was $50,000, and it was a business. The other one was $10,000, and it was personal.
Speaker 2:It was an employee of a client who was transacting with a contractor. The contractor got breached, sent the same thing like you said. They sent an invoice with, hey. By the way, remember how we were gonna pick up a check? Could you use these wire instructions instead?
Speaker 2:And sure. No problem. Here it is. Because it came for it wasn't like a spoofed email. It was the email of the contractor because
Speaker 1:they got in. We had that conversation, so they're going, yeah. That was the conversation. Right.
Speaker 2:Sure. Right.
Speaker 1:Yeah.
Speaker 2:And that was gone. Money gone. We got involved. We tried to help, but there was nothing we could do at that point. And this was during COVID.
Speaker 2:And, like, I know this 24/48 hour rule. We didn't hear about it until we were past that, but we told them, like, call your bank immediately. It's probably not gonna help. And the bank said, we are if I remember right, I think they said that they were 6 weeks out from even being able to investigate because there was so much fraud going on. At 6 weeks, I mean, it's game over, and it was.
Speaker 2:So you've got this poor family, young family, trying to do work on their home, and now they're out $10k. Families don't have $10k to give away. Right? So I wanna make people aware that these are real issues. They are real problems.
Speaker 2:You cannot fully recover from them. There's always some sort of damage that you're gonna take with you, but there is hope. And so, Tony, one of the things that I preach, I want you to check my math on this, is that we don't need maybe we already I can't remember if we talked about it before we started recording or after, so maybe this is a repeat, but that's fine. But we don't have to have huge budgets. We don't have to do a like, there are basic things that are gonna prevent most of these attacks.
Speaker 2:Would you agree with that? Absolutely. Yeah. It's that, you know, it's a short list. So go over that.
Speaker 2:I heard you talk about multifactor authentication multiple times. I heard you maybe allude to training being a key piece, you know, processes, procedures, SOPs, whatever you wanna call it. But when something happens, we know how to respond to that. Those are the 2 that I picked up on. What is this short list of things people can do to at least not be low-hanging fruit?
Speaker 2:Right?
Speaker 1:Yeah. And every time I give a talk or I'm talking to clients or groups of lawyers around that, they always ask, you know, what's that short list of things that everybody needs to be thinking about and doing that helps them sleep at night? And for my short list, it's build that resilient backup strategy and recovery strategy. You know, you're making your backups, your 3-tiered backups, and you practice the recovery. That's where you give a lot of anxiety to your IT team.
Speaker 1:So, yeah, sure. We're doing backup. We invested in a backup strategy, pick the name of it, and they've never pulled it back and run the recovery on it. And so there's a lot of anxiety when you have to go to work that day Yeah.
Speaker 1:and you've been compromised. So build a resilient backup strategy and practice your recovery. The MFA, enable MFA on everything that you can. Anything that has got the ability to enable it, enable it. And that's where you get a lot of pushback because, you know, MFA is hard, and I don't wanna put an app on my phone, because that's my personal phone. You gotta give me a business phone, and, you know, well, how bad do you wanna work?
Speaker 1:Here's my mind.
Speaker 2:So you're right.
Speaker 1:But at the same time, you know, you know what else is hard? You know, recovering from ransomware. So if you wanna be the reason why we got hit with ransomware Yeah. and you can't do it, you know, for all departments but one, it's everybody, or, you know, you're vulnerable. And then lock down those appliances.
Speaker 1:You know, that's the third one. When you deploy something in the environment, take out the default passwords. They all ship from the factory with default passwords in there. We all know what they are. The bad guys all know what they are. It's easy to find them.
Speaker 2:And Google knows what they are.
Speaker 1:Yeah. Exactly. And Really easy. Yeah. It's the first thing anybody looks for, and then it creates that, you know, wide open back door.
Speaker 1:And then update and patch. You gotta make sure that you've got a regular cycle of updating and patching. And when you update from, you know, Windows 10 to Windows 11 or from Windows 7 to 10, take off the 7 versions, because now those vulnerabilities are still persisting on that machine. And I can use a Windows 7 exploit on a 10 box to compromise that machine because it's still there. People are afraid to remove those old packages in a lot of cases.
Speaker 1:So that's an easy in. And then, like you mentioned, the incident response plans and the policies and procedures, and have those things in place and perform those self-assessments, yourself and third party. So have somebody come in and, like you said, look over your shoulder. We call it, you know, another set of eyes. Right.
Speaker 1:And, you know, you become complacent with the sounds that your car makes every day. Somebody else sits in your car and goes, man, it's like your timing is off, you know, or something like that. You know? I hear it every day. Same thing with your network.
Speaker 1:Well, I
Speaker 2:mean, it's terrifying. We I live in this world, and I don't know what like, how much where are my blind spots? Because like I said in the beginning, we have them. I you've gotta have so many times, we'll we'll meet with a prospect, and they're just like, well, we've got a good IT company. They have us protected.
Speaker 2:I'm like, really? What are they doing? Well, I don't know. You know, like Yeah. What and and then then they go to the IT company who's protecting them and say, hey.
Speaker 2:Well, what are you doing to protect yourself and them?
Speaker 1:And I have somebody not take a look at me. I I have somebody Right. My network too. They I mean, up here, we kinda look at each other Sure. Because it's another set of eyes.
Speaker 1:I can do a pen test on myself, but I also will discount some things. Oh, I know why that's there, you know, I'll write it off as I know why that's there.
Speaker 2:Yeah.
Speaker 1:But somebody else will give me a fairer shake than I would.
Speaker 2:Yeah. Yeah. So we're gonna we're gonna kinda wind this thing down. I had a thought, and I just lost it. So maybe it comes back, maybe not.
Speaker 2:That's fine. But I I wanted to kind of end on I love stories. And one of the things that really kinda caught my attention in your bio, you've done some cool stuff. But you mentioned specifically your involvement during the 9 11 attacks. Would you will you share that story real quick?
Speaker 1:Sure. I I was blessed, I guess, in in throughout my career as an agent and and found myself during the last portion of my federal career, serving at the White House. I was the counterintelligence operations officer at the White House from 1998 to 2004 when I retired. So last half of Clinton administration, first half of Bush 43. And, I traveled all over the world.
Speaker 1:I went to 94 countries while I was there. I've been to 97 over my course of my lifetime, but we traveled 71 trips to 94 countries over there. Wherever the president was gonna travel, we would travel advance and and things like that. And on 9/11, we were planning the the, summit in, Shanghai, China, during that period, which was gonna take place. And and I was working with one of the the technical teams there on sweeping the hotel and everything.
Speaker 1:So we're on a phone call, and and all of a sudden, you know, that that took place, the the first plane hit. And Brad and I are kind of looking and saying, oh, dang. Somebody must have really, you know, steered wrong and they're not following their instruments or anything. And then when that second plane hit, you know, life went sideways. And, anyway, the long story short, because I I give a 9/11 talk every year, you know, for the day.
Speaker 1:So it's a lengthy drawn out process. But, we started evacuating the White House and and evacuating the offices and the extended staff offices and the old executive office building and and kind of pushing the onion out. And I grabbed 10 sat phones, satellite phones at the time because I knew phones were probably gonna go down and, you know, whatever it was. And and we're hollering in the hallways that we're a target, and there's other planes that are up there. So, you know, everybody knows the kind of the history of them bringing all air flights, air you know, all flights were being grounded with the exception of a few.
Speaker 1:And so we're pushing the onion out. And I checked in with the emergency operations center, down the basement of the White House in the shelter, let them know where I was and where our team was, and they recalled me back in. They said, we need to marry you up with Mrs. Bush. She was meeting with Senator Kennedy, at the Capitol that morning. And so when she was scheduled to meet with him, have a have a discussion.
Speaker 1:So I jumped in a car with, Secret Service, and they jammed up Pennsylvania Avenue at about a 150 miles an hour, which is kinda cool because you don't ever drive that fast in DC even even on a motorcade. But, anyway, I was white knuckling it up and and, they dropped me off at the backside, went up there, and I married up with her. And we extracted her out. We took her to a safe house and, you know, made sure that she was taken care of. And and one of the things that she told me right away was, you know, I need to make sure that all my team I'm gonna need 6 helicopters for my team or my staff to evacuate out.
Speaker 1:And she wanted 6 Blackhawk helicopters. Oh, wow. We already got word that that the vice president was gonna motorcade to his evacuation site if we needed to move him for the White House. He was down in the shelter in in the White House. And and, of course, president was down in Sarasota, for for the the meeting with the children.
Speaker 1:And and I said, may I the senior service lead, Nick Trotta told me, he says, hey. You go in there and tell her she's not getting helicopters.
Speaker 2:Like, you gotta break the news to her. Yeah.
Speaker 1:So I went here and told her that, and and she was like, well, how are we gonna get us? The vice president's not even, you know, flying. Everybody's grounded right now. And so, anyway, that that piece of it was was unnerving just because he was like, oh, crap. Here I go.
Speaker 1:Let me get fired, guys. See y'all here. Not getting helicopters. And then a little while later, she was worried about, Spotty and Barney, her her dogs Oh. And, and, Socks.
Speaker 1:They are not it wasn't Socks. Their their cat too. And so she wanted the dogs. We only got the dogs, so I sent somebody up there to take the dog. The only people running the White House above ground at the time were 2 dogs and a cat living being.
Speaker 1:And then so they crowd them up, put them in crates, and brought them back. And so as he brought them back and gave them to her, she was in a little conference room. And there was this there was this very nice Persian rug out in the hallway there, and she says, well, I'm I'm she starts hooking them up with a leash. And I said, where are you going? She said, I'm gonna take them out back.
Speaker 1:They they need to go potty, I'm sure. I'll handle it. Don't don't worry about the you you can't be outside. Yeah. Right.
Speaker 1:Nobody sees you. All of a sudden, they know where you're at. And so I grab them. I walk them around the corner, and there's this uniform, secret service inside around that hallway in the corner. This rug that probably cost more than my house, at the time, they they peed on that rug.
Speaker 1:And I said, somebody needs to clean that up. And I gotta walk back in there. And I just, you know, people say, what'd you do on 9/11? I said, I was the official dog walker that morning. And, so it was just that that that piece of chubby.
Speaker 1:You find a little bit of humor in those Yeah. Anxious times. Right. And you're but there's a there's a whole long, you know, series of events that took place that day. Long story short, when president made his way back to the White House later that evening, we married her back up and brought her back and down the shelter.
Speaker 1:You know, they got back together and went down that night. Only had to come up a few times when there was a few alerts that popped up and there was, unidentified aircraft in the in the space and thought the White House was under attack and brought them out and brought them down, downstairs, and and, you know, it turned out to be one of ours. You know? Oh. Gap around the White House.
Speaker 1:It was an F-15 or or 14 or something. But Wow. Anyway, so that was my day.
Speaker 2:Yeah. Yeah. That's, that's a hell of a day for a a a cybersecurity guy.
Speaker 1:Yeah. But, you know, I was a counterintelligence agent first, and then I Right. Right. I tracked into Yeah. Cybersecurity crimes early in my career where a lot of people committed espionage were using computers to convey the the crime.
Speaker 1:And so that was how a lot of us got involved in it because we didn't have a forensics process way back then in the mid eighties. Yeah. And, you know, that's kinda when, you know, all of a sudden, you became more of a technical investigator, and there's a handful of us who gravitated towards that. And, you know, it created a nice window of opportunity when you retire.
Speaker 2:Yeah. Yeah. For sure. Right. Yeah.
Speaker 1:So I'm blessed, and I just you know, either the right place, wrong time, wrong place, right time. I don't know. But it you know, we're fortunate to been there. Yeah. It helped.
Speaker 2:Well, you man, I I like I said in the beginning, you've been around the block, and and your resume has words in it. I don't even know. So,
Speaker 1:A dog walker. Yeah. Exactly.
Speaker 2:I've never done that before. So, I I really appreciate you being here. Love breaking down these real events so that we can hopefully learn from them. You know, it it is a scary world out there. 9/11 is a great example of just how vile people can be.
Speaker 2:Yeah. And and they'll they're they're after us for whatever reason. Usually, it's money. Sometimes, it's just maliciousness.
Speaker 1:But,
Speaker 2:you know, so this is again, I just keep hammering this home. Bad things are going to happen. We have to at least be aware. I don't like scaring people, but sometimes we need that fear to take action. But I always wanna counter that with there are basic things we can do.
Speaker 2:There are so many and and these things that you listed off, they're basic. These are not expensive. However, I can tell you I can go out and audit a prospective client on those things right there, and I bet they're missing 90% of them.
Speaker 1:Yeah. And when they get ready to renew their cyber liability insurance, if they if they don't already have it or if they have to go through and renew it, they're being compelled to MFA and do these very basic things now because before they weren't. And then, you know, some of the top shells of that pyramid for the, you know, the reinsurers across the country are mandating it because of Right. All these attacks and their and just the escalation over the last handful of years, and they're having to pay out.
Speaker 2:Or or they don't pay out because you don't have these things in place. Right? Isn't that another thing that's happening? Snap down.
Speaker 1:Yeah. Yeah. It's all because you're more risk. You're not getting as as much. You know?
Speaker 1:You're gonna eat the those additional costs and that type of thing. So yeah.
Speaker 2:Alright. Well, listen. We're gonna wrap up on that note. Again, thank you for being here. Thank you for breaking this down with me.
Speaker 2:It's it's super important critical stuff. It's basic solutions most of the time. And when things really, really get nasty, we call in people like you. So thank you for what you do there as well. Thank you.
Speaker 2:Appreciate you having me on. Alright. Alright. Well, we're gonna wrap with that. Take care, everybody.
Speaker 2:We'll see you next time.