10. The Russians Are Coming! and what to do about it

Speaker 1:

Welcome everybody, to another episode of Unhacked. And, guys, I got caught with my pants down here. What episode number is this? Is it 10? Does that sound right?

Speaker 1:

10. Okay. Well, listen. I'm sitting here with, 2 of my best friends, Brian and Mario. Brian, tell us a little bit about Canada, and Mario, tell us a little bit about, I don't know.

Speaker 1:

Where are you from, Boston or Massachusetts or something? Right? Where are you at?

Speaker 2:

Me? I'm from New Jersey.

Speaker 1:

I mean, that's all the same thing. Brian, you go first, and and, hopefully, hopefully everybody will forget what I just said to Mario. Sure. Mario, go ahead and introduce yourself.

Speaker 3:

Yeah. Brian Lachpelt with B4 Networks, out of Ontario, Canada, you know, where it's, a little bit on the chilly side most days, providing computer support to local business and, trying to make everybody's, business a little bit better every day.

Speaker 2:

Mario? Alright. And I'm, Mario Zaki with Mastech. We are located in North Jersey right right outside of, Manhattan. A little further than Boston, but, you know, we can still drive out there.

Speaker 2:

And, we we we service, small businesses just like, Brian mentioned, try to keep them safe.

Speaker 1:

Alright. And I'm Justin Shelly with, Phoenix IT Advisors, formerly Master Computing. I've got clients in Texas and Nevada. Not gonna take the time to explain why I'm so, separated geographically, but that's what I am up to. Alright, guys.

Speaker 1:

We're gonna break down another breach. That's kind of what we're doing on this show. We we pick 1 breach per week, and we talk about it. We try to learn from it. I think we all share a similar frustration that this information is tightly contained.

Speaker 1:

It's embarrassing. We humiliate people over it. We shame them over it instead of sharing and getting better like the bad guys do. We all sit here and worried about get worried about, being embarrassed. So we're trying to crack through that the best we can, and come out with a little bit more information, come out a little bit smarter, a little bit more prepared to fight this battle that just seemingly is never going to end.

Speaker 1:

So, that said, we're gonna talk about HPE, Hewlett Packard Enterprise. Is that what the e stands for?

Speaker 3:

The enterprise.

Speaker 1:

Yeah. So they got hit. And I'll tell you, I'm gonna kind of maybe a spoiler alert. The thing that was the most interesting to me about this is usually when we talk about these breaches, the financial impact is devastating. At least right now, HP is saying it's not.

Speaker 1:

So that'll be a little bit different this time around. But let's just jump right in. We're gonna talk about we we start off with the impact, and then we're gonna talk about what happened and why, and we'll wrap up with what we can learn from it, how we can do better. So, Mario, you go first this time. What was, one of the key impacts that you know, how did it how did it impact HP, their employees, their clients?

Speaker 1:

What do you got?

Speaker 2:

So from the information that they provided, it seemed like, they were able to get into their 365, system, including SharePoint and extract data. And it seemed like, again, the information they're they're keeping it under tight wraps that, they didn't tell us exactly what they extracted, but, it does seem like they targeted a specific group, within the organization. Okay.

Speaker 1:

Specific group. But the way I write I love the way they they write this in the articles that, the hackers targeted, quote, a small percentages oh, sorry. Small percentage of HPE mailboxes. Brian, what can you tell us about that?

Speaker 3:

Those small mailboxes were apparently used by their staff that is responsible for cybersecurity and their go to market business segment. But it's, it's low impact. Justin. Low impact.

Speaker 1:

Right. Right. Right. I mean, that's what we again, back to my first point. Right?

Speaker 1:

Like, we always wanna minimize this. Somehow, the victims of this type of crime, are the ones that are shamed and attacked. Like, you know, socially attacked. It's weird. It's weird.

Speaker 1:

So, yeah, they're minimizing it. I'm here to tell you if that my cybersecurity expert or or what he's the one that got targeted and the one that, data was exfiltrated from. I don't know that I'd be downplaying it. Maybe publicly, but certainly not internally. So this seems to me, is maybe a bigger deal than they're making it out to be.

Speaker 1:

But

Speaker 3:

Yeah. But at the same time, I'm really impressed with some of the information that came out. It looks like following the incident that they immediately brought in a 3rd party external cybersecurity team to come investigate, which is telling because, I mean, HP is themselves a huge computing company, and you'd you'd think that they'd have internal staff. But I I'm actually happy that they brought in external cybersecurity experts to, investigate because it means that they may actually get to the root cause and and and figure out how it happened and nobody's gonna shove it under a rug. And the other really, really impressive part was that they immediately activated their response process.

Speaker 3:

So Yeah. A.k.a. incident response plan, which they had, which is also fantastic because most organizations don't. I mean, it's kind of expected with a publicly traded company like HP that they'll have an incident response plan, but the fact that they had it and were able to implement it right away, and able to eradicate it very quickly says a lot about having a plan in the first place.

Speaker 1:

Yeah. It does. One of the things that I get a lot of times, I probably talked about this before, and I'll talk about it again. I get a lot of resistance because our target audience is smaller businesses. Right?

Speaker 1:

We are not working with the HPs of the world. And one of the pushback points that I get is, a, we don't have the budget of these big guys. And b, if these big guys are still getting hit, what hope do I have? But, I don't I will not I'm not speaking to HP right now. But I am telling you that I know of many cases where these large organizations, government organizations, fall way below industry standards, best practices.

Speaker 1:

They're not doing the things that they're supposed to do and or they don't have the internal staff to do this. Now HP might it it can just be a PR move to bring in somebody else, bring in a third party. Maybe not even a PR move. That's a smart move. You should always have another set of eyes.

Speaker 1:

They might have internal staff. They might not. I don't know. But look to your point, Brian, it is smart that they bring in another set of eyes. So I think we should all do that.

Speaker 1:

You guys, you know, we do that, for ourselves, for our clients. And I believe everybody should do that. So okay. Good point there, Mario. Did we miss anything?

Speaker 2:

No. I think I did see that, you know, I I don't wanna mention the name, but it seemed like it was a similar group that, targeted the 2020 breach to SolarWinds. Right. And which means that, you know, when they went after the the cybersecurity department of HP is that they were trying to make this a mass wide thing. They were trying to target their customers, and, you know, encrypt, you know, could have been could be thousands of other users or companies that could have, it could have been a bigger problem than just goes beyond HP.

Speaker 2:

It could have been their customers as well. But just like Brian, said, they they did pull the trigger, you know, in a very quick manner to isolate the incident. So kudos to them.

Speaker 1:

And and just for clarification, what you're talking about is called a supply chain attack. Right? Where, somebody downhill in the supply chain can be targeted, but indirectly. They go after, levels above them. SolarWinds is that example.

Speaker 1:

Right? They they hit companies above the ones they were actually targeting. It's it's way harder for me to detect my vendors getting breached than it is for me to detect my own client, my own self getting breached. So, yeah, this is and and we're gonna kind of pivot. We'll go into what kind of an attack was it, how did it occur, at least as far as we can determine.

Speaker 1:

And these are the kinds that really scare me because, you know, it this was nation-state sponsored. As far as we know, this is, you know, the Russian government backed this. That's what's terrifying. And that is why in our country, we go after the victims because we can't get to the criminals, to the perpetrators, their governments, you know, unless we're gonna set, we can't get to them. Yeah.

Speaker 1:

So go ahead.

Speaker 3:

Just to add to that, you know, when when when a lot of customers and I have a conversation with them, they they they're like, why would they be going after us? Like, we're we're just small fries or small potatoes. The reality is is is especially with with nation state sponsored, groups, they don't care who you are. They just wanna destabilize the entire western world Right. And make it difficult on on us.

Speaker 3:

And if they can do that by by taking down whatever businesses they can and causing chaos and and havoc, they're happy. Mission accomplished for them. Right?

Speaker 1:

Yeah. Yeah.

Speaker 2:

Yeah. If actually, if I could also add on to that, it the this isn't 1 or 2 groups, you know, in Russia. There's hundreds, if not thousands, of different groups, some large, some small. And the smaller ones sometimes are you know, they're gonna go after the smaller companies, you know, the ones that they can, you know, cause a problem or try to encrypt them or try to get into a 365. You know?

Speaker 2:

And they they move up the chain over there, you know, and, you know, the better you get, the more, you know, you're the you're able to go after the bigger groups, but it's the smaller ones that, that are targeted, you know, all the time. You just don't see them on the news, you know,

Speaker 1:

you can't just,

Speaker 2:

you know, but it's happening. It's happening on a daily basis that these little guys are are getting breached, but they're also not announcing it to people.

Speaker 1:

Are you cybersecurity experts? If you were to go audit, yourselves or any one of your clients, what is the likelihood that you are in the middle right now of some sort of a targeted attack? Pull logs, pull firewall logs, pull server logs, pull, you know, whatever you've got. What is the likelihood that there is some sort of an attempt to crack into your security right now?

Speaker 3:

24/7/365. I mean, if you if you were to take an ex you know, an an unprotected, you know, computer system and put it directly on the Internet, it it would be breached within minutes. You know, there's there's constantly, scans that are happening on every single, and I won't get too technical, every single address out on the Internet constantly. And there's thousands of people doing it, hundreds of thousands of people. And so, you know, within a matter of minutes of a new device being put online, it's already having attempted breaches, of all sorts of known loopholes and known bugs.

Speaker 3:

It just happens to be that most of us, already have these protections in place, and our firewalls are blocking them. But if you don't

Speaker 1:

Yeah. So two points on that. 1, anybody that says I'm too small, I don't have anything that they're after, well, I can show you any given minute of any given day that you are currently under attack. And then, number 2, you do have something they want. If you have a bank account, if you have a dollar to your name, you've got something they want.

Speaker 1:

So quit thinking that your data, your client list, all this other stuff, or you move to the cloud or whatever and that's protecting you, they're after your money. And, yes, if they're stabilized and whatever. But

Speaker 3:

Even if they're not after your money, Justin, they they they'll be more than happy just to use you as a springboard to get to other people. And once they infiltrate your computer system, now the traffic is coming from North America instead of coming from another country. And so, you know, they're they're going they're just bouncing off of you to get to other people. So

Speaker 1:

Yeah.

Speaker 2:

Well, also, not to mention that a a big large of the amount of like, a large amount of the attacks are coming in right now through email and, you know, phishing emails and stuff like that. They're you're they're essentially one click away from being able to get in and do what they want. You know? If they click you know, if the a user clicks on one thing, they will give them, you know, the ability to get into their network or to their Microsoft 365 accounts, and then and then they're able to do a million different things now. So to answer your question, I mean, it's beyond you know, as every time you get an email that, you know, check your junk mail folder, check your spam folder.

Speaker 2:

Half of those that are in there are attacks. You know? And it only takes one, you know, email to actually get through and somebody to click on it.

Speaker 1:

Yeah. Alright. Well, I derailed this a little bit. Let's go back to, HP. Let's talk about what happened to them, how it happened.

Speaker 1:

And I think I went to Brian last time. So, Mario, tell me, just a little bit about what type of attack it was and how they got in.

Speaker 2:

So it did seem that they were able to get in because they found an well, they they did get compromised twice. And the the first breach, seemed to have been related, you know, or sorry. The second breach was related to the first breach. But from what the information that they released, it seemed like there was an account that didn't have 2 factor authentication enabled. Okay.

Speaker 1:

And, again, that's something we don't know absolutely, but it is theorized.

Speaker 3:

Well, it's it's theorized, but very good very good insight went into it or or or discovery went into it. The hackers used essentially what is a password spray attack to compromise a system. And so the only way to do that and be successful at it is if, in my books anyways, is if 2FA wasn't enabled on the account. And maybe they had inside, inside sources. Maybe they were able to get around it another way.

Speaker 3:

But it does look very, very highly likely that it was a when we say password spray attack, we mean they they're just trying random passwords over and over and over again on an account, and they and they happen to guess the right password.

Speaker 1:

So we Okay. So I'm gonna stop you there. That's a brute force. Right?

Speaker 3:

Okay.

Speaker 1:

So a spray attack, I had to Google this, I will confess, is where they take the same password and hit it on many accounts before. So this comes back to the the old advice of don't use your same password on multiple sites.

Speaker 3:

Gotcha. Yeah. Yeah.

Speaker 1:

Don't share passwords on my users, which, goddamn it, all of my clients do it. Yeah. They're the same user account for everybody. You can't do that anyways.

Speaker 3:

Yeah. If you're a dentist and your password's teeth, you're not you're not being clever.

Speaker 1:

Or password 123 or whatever. Qwerty, q w e r t y. These are still some of the most common passwords out there.

Speaker 3:

Password 1. Welcome 1.

Speaker 1:

Yeah. Yeah. Good stuff. Good stuff.

Speaker 2:

Well, I I see it I see it, you know, all the time, and I I made sure, like, my my guys don't do this. But sometimes when you're onboarding a new employee and you wanna kinda just get them in, you'll set up a simple password, and you're supposed to check off the box that says, you know, have the user change it after the first login. But if they missed that or, you know, they did you know, they didn't do it once, that password stays in. And I wanna say 99% of users do not like, new employees will not go in there and change the password. So those are just

Speaker 1:

how it's a new system. They're learning everything. That's the last thing on their mind is how to go on and change the password. Yeah. No.

Speaker 1:

I like randomized passwords. And then you can force them to change or not. It doesn't matter at that point. Now they will, because you give them such a stupid ass password. They don't wanna use it.

Speaker 1:

Right? That's Yeah. True.

Speaker 2:

But this does prove that they probably HP probably did not enforce the option where users have to change their passwords every, like, say, 90 days. You know?

Speaker 1:

So Maybe maybe not. I don't like that you just said it proves because we don't know anything. I'm just gonna put my legal disclaimer out there again. We're reading news articles. We're using our experience with what we see.

Speaker 1:

And, yeah, we can we can pick up on patterns where that's probably the case or potentially the case, just based on our own experience. So we do not know anything about HP. HP, please don't come to us. Alright. What else we got?

Speaker 1:

I think it's Brian. Are you up?

Speaker 3:

Well, one of the nice the the interesting thing is is that, there was actually a cybersecurity vendor, ThreatLocker. A lot of us are are are using ThreatLocker in our businesses. Great company to work with. They also, indicated that, multifactor authentication is was likely the, factor in this case. And and They

Speaker 1:

go see them, not us.

Speaker 3:

Yeah. And then they also recommend that, you know, that be one of the main things that that people do is just enable that, multifactor authentication. It just demonstrates that, you know, even today, there's some organizations out there that are still not enforcing that. But more importantly, just than enforcing it is reporting on it. Right?

Speaker 3:

If we can find and and my customers have, you know, us to to watch over this, but a lot of a lot of MSPs are not monitoring 365, you know, monitoring for things like 2FA being disabled on an individual account. That would flag something on our end, and we would be able to turn around and ping the client and be like, hey. You know, you have a customer here or an employee here who who doesn't have 2FA. So more important than just saying you have to have monitoring it and enforcing it are are are additional steps that you could take.

Speaker 1:

K. So it sounds like we're pivoting into, how can we prevent it? What we learned from this. And, yeah, that's that's key one, right, is monitoring Office 365. Excuse me.

Speaker 1:

Let's let's talk about more of the things that we've learned from this particular account or this attack and, or maybe just stuff it reminds us of from our our daily lives. But, Mario, what else can we do to prevent something like this?

Speaker 2:

Well, there's there are certain tools out there that, well, obviously, there there's the basics. Right? You know, have a d you know, good password, have the password change, set up your multifactor authentication, the 2 FA. But all that is still not 100%. You know?

Speaker 2:

Like, you can still crack 2 2 FA and, you know, passwords and stuff like that. But, you need to also have in place, you have to have just like you monitoring your firewall and your computers and stuff like that, you need to monitor your your 365. And there's companies out there that just strictly, you know, monitor your 365. There's programs, you know, like something we use. We we put in certain factors in place.

Speaker 2:

If we see, like, a login for a user come from 2 different areas of the world, like, you know, New Jersey and then, you know, California within a few minutes, that we automatically geofence it and that it it disconnects them. Obviously, block out, you know, anything outside of the United States or Canada, for for all your users. There's certain things that you have to put in place. And, unfortunately, Microsoft does not enable a lot of this stuff out of the box. You know, it's, stuff that your IT professional needs to go in there and enable, you know, per per customer.

Speaker 3:

Yep.

Speaker 1:

I mean, really, there needs to be a checklist that needs to be you know, we call it internal standards, call it whatever you want, but there needs to be a process, a checklist, procedure, insert whatever word you want here. But, it needs to be reviewed on a regular basis, and it's gotta be somebody's primary job and somebody has to be accountable for it. And that really is where a lot of times, our clients or prospects fall short. And help a lot of times we see it in our industry, right, where, some IT companies that get so overwhelmed with their day to day, that this stuff falls through the cracks. So, you know, we'll we'll come back to it.

Speaker 1:

I'm gonna put the plug in right now. Always get another set of eyes on it. Right? If get a set of if you think everything's locked down and solid, that's probably the worst scenario. Right?

Speaker 1:

Anytime you think you've got it figured out, goddamn it, you don't. Get someone else to look at it. Do not get complacent. So, along with our Office 365, I don't see well, this this is kind of a frustration of mine. Clients frequently want to have the keys to the kingdom.

Speaker 1:

And as IT providers, it's hard for us to say no, you can't have that. But so many times, the CEOs, the executives of, you know, of our clients want to have administrative rights to Office 365. So how do you guys handle that?

Speaker 3:

Well, I can I can dive in here because I I'm a big believer in in this as well? I I we practice it within our own organization. And my message to all business owners is that, we practice, the least the principle of least, oh my gosh. Why has it gone blank now? Least access.

Speaker 3:

Essentially, you're not special. You shouldn't have administrative privilege on your day to day account. You can have a second account that has administrative access. That's what we do. Like, I have dom or a global administrative access to 365, but not on the account that I use on my phone, not on the account I use on my desktop.

Speaker 3:

Right? If I need to go do something within my my admin like, you know, within our system, I log out and log in as as the global administrator on a secure system that maybe is clean and and not that my system isn't clean, but it's my day to day system, so you never know. You know, we we log into a clean clean system, verify that, do or sorry, do the activities we want to do, log out and and it has also 2 factor authentication and it is limited to, you know, either my office or a few very limited areas that we can log in from. Right? It's not a an an account that you can log in from just anywhere in the world.

Speaker 3:

In fact, I tried to access it from the US, while I was on a conference, a couple of months ago. I couldn't do it. But right? Case in point

Speaker 1:

for you, but how do you handle when your clients come to you and say, Brian, I I mean, I own this place. I want the administrative password, the credentials for Office 365.

Speaker 3:

Yeah. I say the same thing. I say, listen. We we refuse to do it outright. Like, we will not give a client administrative access.

Speaker 3:

We've learned our lesson. A number of years ago, we had a client who had administrative access before our time. They came in as a client and for whatever reason, we didn't recognize or realize that they had global administrative access. They got breached, and every single one of their employees was breached. But we were able to fix the breach on the primary account holder, not realizing that they had then gotten into all the other accounts and and and were able to worm their way in through there.

Speaker 3:

So, now we just blanket just we verified, at some point in the past. You know, all accounts don't have adminished global administrative access. We went through and removed everybody's, even people who didn't respond to us, and we just said we're gonna remove it even if they they don't want us to remove it. I'll take I'll yeah. I took the heat on that, and then I just sat with the customers and said, you know, we'll give you access, just not on your day to day account.

Speaker 3:

We can just we just can't have that as a risk factor because, listen, if a customer gets breached, just like people will blame the victim, they'll blame the customer, the media will then look at, well, who is the one who's responsible, air quotes, right, responsible for that system? Oh, well, B4 Networks was the one handling the security there. And so, you know, they're at fault even though it wasn't us. Right? Even though, you know, we were maybe they're not even on a contract.

Speaker 3:

Maybe they were just like, we fixed our computer one time, but, like, we're the ones who took it. So now, we refuse to do any business with anybody who won't let us take care of security. And that's not because we don't like them. It's just we we refuse to have that amount of risk, for our business. And and the clients that we work with understand that and appreciate that about us.

Speaker 1:

Well, this this is one of those cases where you gotta have one throat to choke grape. If if a client gets breached, I mean, I don't want them coming back on me, but that's better than having to sit there and figure out whose fault it was.

Speaker 3:

Mhmm.

Speaker 1:

I got

Speaker 3:

to be responsible. Right.

Speaker 1:

Yeah. So I'm I'm the same. If they insist on having that account, it comes with a letter, you know, taking responsibility. A lot of times, I don't think I've actually done it. Maybe I have.

Speaker 1:

But I will I will at least threaten to take the password and put it in a sealed envelope with, you know, my, like, LLC stamp on there and say, here it is. But if you get breached, you better be able to show me this sealed envelope that you didn't, you know, use this account. And And then if you want it quite durable, but at that point, once you've opened it, it's on you. You know, just just to make that point to drive that point home because they want it until they have to take responsibility along with it. Then all of a sudden, we're having a different conversation.

Speaker 3:

One of the neat things we can do too is if if if a client wanted to have an administrative login, you can actually have any administrative logins, global admins that have logged in, email a couple different people within your organization. So at least then you know that that account was accessed. You know that that somebody has now gotten into the account or has logged into the account that and you can't right? If if you send it to an external address, there's nobody who's gonna be able to go in and change the settings fast enough for that email not to go out.

Speaker 1:

So I agree with all that. I still like, like, some sort of a physical transfer of

Speaker 3:

Yeah.

Speaker 1:

Responsibility. You know? Like, you take this from me and you understand what it means, but reach your hand out and grab it. You know?

Speaker 2:

Yeah. And the thing is too, you have to find out what why they want it. You know? And a lot of times, like, we we had a we had a customer, a few weeks ago that wanted, administrative privileges. And we told her, I said the same thing.

Speaker 2:

Like Brian said, well, I will not give it to you on your own account, you know, that's licensed. We'll use a separate one, but why do you need it? And it turned out they just wanted to change some settings in Teams. And you can actually give them you don't have to give them a global. You can actually just give them access to Teams.

Speaker 1:

Mhmm.

Speaker 2:

You know? So you you know, it's not you know? Because they a lot of times, these, you know, owners and stuff like that, they don't know what they're really asking for. They they just want the overall information, but they're only using it for one little piece of the puzzle.

Speaker 1:

They use the word admin because they wanna administer something, but they don't understand really what they're asking for. And, Brian, the the term they're looking for is least privilege access. Right? That's that's that's what we do. Right?

Speaker 1:

If sure. You want to have one function, here it is. You can have this one function. But what you cannot do is go in and reset people's passwords. You can't create new mailboxes.

Speaker 1:

You can't upgrade privileges. You know, that kind of stuff.

Speaker 2:

So

Speaker 3:

because if you get breached at the end of the day, the criminal will have access to literally everything you have access to. And so that should be as least amount of information as possible to contain and and Right. And and keep that breach small. It's essentially what an incident response plan is. Right?

Speaker 3:

You an incident response plan is doesn't only come into effect upon an incident occurring. It's preventative. Look look at all the things we can do. Where how could we get breached? How are we gonna block those breaches, and how are we gonna detect those breaches when they occur, and then what are we gonna do about it after it occurs to contain it?

Speaker 3:

And then how could we learn from those breaches, and then it starts back at the beginning. Right? So it's a an incident response plan is a constantly evolving document and and and process. And some of them require to have clients involved, like some aspect of it, and some of them we can do internally ourselves. But, not having it is is a is a dangerous thing.

Speaker 1:

Yeah. The incident response plan is is crucial. Unfortunately, I think if well, I would argue that most people don't have one. Most organizations smaller like our client base, they don't have it. If they do, it's because I gave it to them and it was a template, you know, that that went on a shelf and is collecting dust.

Speaker 1:

I was on a a training session this morning with, one of our vendors, and they were talking about not just having the incident response plan. But and you kind of alluded to it, Brian. He calls it the tabletop. And I guess, I I hadn't heard that. I always call it a fire bill or whatever.

Speaker 1:

It's similar. You know? But where you actually run your response plan, you you you simulate an incident, and then you go and and do the the containment and, like, just try to learn and and change and, you know, modify, improve. But in a lot of cases, one of the points he made is that if you haven't done this, if you, you know, you file an insurance claim for cybersecurity, they're gonna come back and ask you. First of all, you may not even get the policy without this.

Speaker 1:

But let's say you have a policy and you get breached and you try to get it, you know, get the money for it. They can come back and say, well, let me look at your incident response plan and look at it whether it's adequate or not. And then they can do do a follow-up question of how do you know it works? However they whatever they wanna call it. You know, call it whatever.

Speaker 1:

Call it tabletop. Call it fire drill. Call it, you know, simulation. Whatever. But they'll just say, hey.

Speaker 1:

How do you know this plan works? How do you know it's adequate? And and a lot of times, you know, go check your policies, guys. But if you can't verify, if you don't have documented that you have a plan and that you know it works and you tested it, they can deny claims.

Speaker 3:

Yeah. And and listen, a plan a plan an incident response plan like, we as IT providers, MSPs, and and I I I'm not trying to speak for the 2 of you, but, you know, we we do internal incident response planning for what we control. Right? We control the desktop. We control the servers.

Speaker 3:

We control 365, and we can create incident response plans there. But if the client doesn't wanna bother and involve themselves in the process because I have situations where people just don't want to be like, you're right now, you're you're supposed to take care of that. Right. But if I don't know you're using some particular third party cloud application, that is now a vulnerability point. That is now an area where your company has risk, and we can't mitigate that risk because we don't know it exists.

Speaker 3:

Right? And so it's it's not just our responsibility. It's a joint responsibility, to create an incident response plan. And every time you add a new product, a new service, a new tool to your to your business, that plan has to be revised. Okay.

Speaker 3:

Now we've got this new CRM system. How are we vulnerable here? Is there anything we can do to mitigate it? Is there anything we can do to catch criminals who have gotten in once they're in, so on and so forth?

Speaker 2:

Yeah. If if I could add some too. So, when I sit down with a lot of business owners and I explain to them that we need to put this in place, I tell them it's and this re you know, it is more for, like, male, you know, owners and stuff like that because this happened to me. Essentially, this is, you know, imagine losing your wallet. Okay.

Speaker 2:

You know, I know that feeling that source we feeling in the world when you reach back there and you can't find your wallet, essentially, you're you're panicking. You don't know what to do. So if something happens, you you're, you're in a panic. So to me, what I I tell them, it's like going in there before you lose your wallet, you write down every credit card number information that you have, everything that's in your wallet. So when something happens, you know who to contact, what to contact, what the number is, and how you can, you know, cancel it and and fix the situation.

Speaker 3:

And in my order.

Speaker 2:

Which one? And in what order. Exactly. So, you know, it's it's harder to do it after it happens. You wanna prepare before it happens.

Speaker 2:

And it's just like, you know, if you were to lose your wallet.

Speaker 1:

So Yeah. Don't practice a fire drill while the building's burning down. Exactly. Exactly.

Speaker 3:

That's path 4. Essentially, that's going back to what you said earlier, Justin. You know, you wanna put systems in place before as much as possible, because you don't wanna be that low hanging fruit on that tree. That's my saying. Like, I love that saying.

Speaker 3:

You don't wanna be the low hanging fruit. It doesn't mean that somebody can't pick your fruit. They might break in. They might get to you. You know, there you'll there there's not a whole lot people can do when they're targeting you specifically.

Speaker 3:

They they'll find a way in, but we don't wanna be the low hanging fruit. We don't wanna make it easy on them either, because most breaches most breaches are breaches of opportunity versus, people coming specifically after you. Right.

Speaker 2:

Exactly.

Speaker 1:

Alright. Well, there's a load of conversations. Probably time to start winding this down. This was, like I said, a little bit interesting, a little bit different because usually we're talking about massive financial loss, financial devastation. I think I think these guys got away with, they got away easy.

Speaker 1:

This could have been when somebody here's the thing, when somebody gets control of your email, it can be bad, because they basically own you. You know, that's where a lot of the 2 factor authentication that we constantly tell people to put into place. A lot of that happens through email, or you can reset it through email, you know, so it's, this is a big deal. This is where, I mean, arguably, most most attacks happen through some version of email fraud or email, you know, what they call it business email compromise, BEC attack. Phishing simulation, probably a really good thing to have in place if your people are constantly used to watching, you know, it's simulated, but they see these emails coming in and they're watching for them.

Speaker 1:

They get that habit of is this real? Is it not real? If you can create that culture with your your team, your staff, you're way ahead of the game. But if you just do an annual training, which is the minimum requirement, and then you expect with all the other things that, that your people are doing nonstop all day, every day, that they're also looking for phishing attacks? Probably not.

Speaker 1:

So, you know, this ongoing training is really super important. And then we're gonna wrap up with the way we always do, the actual audits or, you know, you can call it whatever you want, but it is a simulated attack, where we go in and we we run some some, you know, very noninvasive applications that look for what a criminal would find if they did get through your security. You know, and from there, we can prepare a roadmap and, at least point you in the right direction. You know, that's, like I've said, you you just have to have another set of eyes. We all do.

Speaker 1:

Right? And you guys wanna add about the those simulated what do you call it? Mario, you've got a name for it that I like, and I always forget what it is. Main pen test or

Speaker 2:

something. Security network assessment.

Speaker 3:

Mine's a vony vulnerability assessment.

Speaker 2:

Or mini pen test. Yes.

Speaker 1:

Mini pen test. I think you've used that before. But Yeah.

Speaker 3:

Penetration test. Vulnerability assessment because at the end of the day, it's what a criminal would have access to if they breached if if they if you clicked on a link, what will they have access to once they got into your computer and it scans out from there? Right? And so Right. I like vulnerability because it it's exactly that.

Speaker 3:

You're vulnerable. It's not for me, it's not a pen test because a pen test is somebody actively trying to use tools actively to try to breach your security versus From the outside in. For the outside in. This is inside out. Yeah.

Speaker 1:

Yeah. And and all all of these attacks are happening all the time. So this is, it's not a like, this is not an all encompassing, cybersecurity assessment or or audit. Right? Those are tens of thousands of dollars, at least thousands, like, you know, there's there's so many different ways of going about it.

Speaker 1:

But this will at least give us a place to start. Right? Because we all you you, Brian, you've used it. I use it all the time, the low hanging fruit. That's what we're looking for.

Speaker 1:

That's where we start. We start somewhere. We start simple. Let's get a a few of these, holes plugged, and then we can continue to improve over time, which really is the key is constantly refining, reviewing, modifying, upgrading. Right?

Speaker 1:

It's it's it's a set and forget it kind of thing. So

Speaker 2:

We sent one to somebody yesterday, and we gave them the report, and they were able to we were able to tell them, like, listen. You see the you're using these passwords on 18 different websites, and and look how many of and we actually found some of these passwords on the dark web. You know? So it's educating the user. Like, listen, we can't do anything about the dark web.

Speaker 2:

It's there. The only thing you can do now is change these passwords. Right? Sometimes you just need to show somebody, like, this is what they can do when they if you with one click of the mouse, this is what they can get for you. Yeah.

Speaker 2:

And, you know, it's scary.

Speaker 3:

That that brings me to, a really, a really good quote from the former CEO of Intel, Andrew Grove. He said, you know, success breeds complacency. Complacency breeds failure. Only the paranoid survive. In this case, success, right, that breeds your complacency is that you've never been hacked yet.

Speaker 3:

Right?

Speaker 1:

I don't get it. Yeah.

Speaker 3:

Right? That I really love that saying because it really speaks volumes to this. Like, oh, I've never been hacked. Well, I've never gotten in a car crash, but I still wear my darn belt every day. Right?

Speaker 3:

If you're not trying to protect against you know, you're protecting against the possibility of a car crash. And the same thing with cybersecurity, you're protecting against the possibility, or the highly likelihood in this case of of a cyber breach. So don't be complacent, folks.

Speaker 1:

Right. So, again, guys, we all, the 3 of us do have these assessments or whatever we're gonna call it available for free. It is kind of a, you know, an an an introductory assessment. We all have higher end paid assessments as well. But let's get started somewhere.

Speaker 1:

You know, let's get some basic procedures, some documentation in place, an incident response plan, acceptable use policies. These are some of the foundational things that you need. We'll help you put some of the basic tools in place, 2 factor authentication, that sort of thing. And then, you know, if it looks like it's worth engaging from there, we we can always talk about that as well. So, let's wrap up with our website addresses.

Speaker 1:

Mario, you wanna head first and then Brian?

Speaker 2:

Yeah. So, once again, it's, mastech, maztech.com.

Speaker 1:

Alright.

Speaker 3:

For me, it's Brian. Sorry. B4networks, that's, letter b, number 4, networks, with an s.ca.

Speaker 1:

That's a long address you have to explain every time. I know. You know, I got so mad. Quick story. My old address was master dashcomputing.com, dash hyphen minus whatever.

Speaker 1:

And I would tell people that, and they would type in masterdashcomputing.com. Like, Jesus.

Speaker 3:

Yikes. So I'm not gonna stop ringing.

Speaker 1:

Change that address, and then, now we've rebranded, and it is phoenixitadvisors.com. You can reach out to me. We'll any of us can give you that assessment. Again, the regions that we cover, I've got the I've got Texas and Nevada. Mario has, Kentucky.

Speaker 1:

What was it again? I'm just kidding. New Jersey, New York. Brian's up north in Canada. Ontario.

Speaker 1:

Toronto. Right? Ontario? Ontario area. Yep.

Speaker 1:

Okay. And if and if you guys are outside of that area, get a hold of any of us, and we can put you in contact with somebody who does something similar. So Absolutely. Alright. Unless I've been in the last thoughts, guys, we're gonna go ahead and wrap up here.

Speaker 2:

Good to go.

Speaker 1:

Thanks, guys. Take care. See you next week. Bye.

Creators and Guests

Bryan Lachapelle
Host
Hi, I’m Bryan, and I’m the President of B4 Networks. I started working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors where I could truly utilize my experience as a Network Administrator for a large Toronto based Marine Shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.
Mario Zaki
Host
During my career, I have advised clients on effective – and cost-effective – approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with an expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.