23. CDK is Breached, Auto Industry Crippled, and What it Means for Your Company

Justin:

Welcome everybody to episode 23 of Unhacked. I'm Justin Shelley, CEO of Phoenix IT Advisors here in, well, the Dallas Fort Worth area in Northern Nevada and a few other places. And I am joined by Brian and Mario. Mario, you wanna tell us a little bit about yourself? And then, Brian, let us know who you are.

Mario:

Mario, it's Zacche, owner of Mastech Tech IT, located in New Jersey, right outside Manhattan. Been in business for 20 years now, and, we are saving the world one computer at a time.

Justin:

Love it. Yeah. I like that. Brian. Brian, what do you got?

Bryan:

Brian Lashko with B4 Networks in beautiful Niagara Region, Ontario, Canada. And, we also help, people, improve their operations 1% every day.

Justin:

Every time you introduce yourself, Oh, I mean, details. You you always mention how beautiful it is up there. Yeah. I'm gonna have to come up and see you or something because Yeah. I'm not I'm not sure.

Justin:

I think my I think, Northern Nevada is pretty beautiful. Texas is just a big block of concrete. I'm not sure about that or Dallas anyways. I'm a weird guy that likes the the look of mountains and sagebrush. That's Northern Nevada.

Justin:

It's just gray, but I love it. Love it. Mario, what, what's the scenery like over there in the northeast?

Mario:

We've been on, like, a serious heat, like, wave for, like, 2 weeks now. Like, it's, like, 95 degrees every day with, like, a shitload of humidity. It it's pretty bad out there.

Justin:

95 is hot for you?

Mario:

For us? Yeah.

Justin:

That's weird.

Mario:

For us. Yeah.

Justin:

Yeah.

Bryan:

Like, that's what it's like at night here.

Justin:

Well, that's what I was gonna say in Dallas, it is actually. The low temperature in Dallas is, you know, during the summer, 85, 90 degrees. That's not uncommon. So, Northern Nevada desert, I love that because the the mornings are 55 degrees. It's perfect.

Justin:

Good for a run. I love the running in the morning. Yeah. Yeah. Anyways, we're not here to discuss geography, or the climate or climate change or any of that fun stuff.

Justin:

So let's introduce episode 23. We're gonna talk about a relatively recent breach, and this is a big one. You know, we're recording July 18th. This one happened about a month ago. June 19th, a company called CDK was hacked by a ransomware group called Black Suit, a ransomware criminal organization called Black Suit.

Justin:

So real quick, and I don't know, do either of you guys know much about Black Suit?

Bryan:

I have never heard of them before. Okay.

Mario:

So that's where They're fairly new, actually.

Justin:

Yeah. They're a relatively recent spin off of another group. But what about, CDK? Mario, can you tell us about CDK, who they are, what they do?

Mario:

So CDK is a SaaS application software as a service application for 15,000 plus dealerships nationwide. And they help they're like an all in one type type type of platform for car dealerships that will help them with, you know, inventory, parts, service, accounting, insurance, pretty much the entire dealerships that are on

Justin:

CRM, so sales and marketing.

Mario:

Yeah. Everything, the entire platform for an a dealership is controlled through this software. So it does everything for them. It's got, you know, stuff for the salespeople, for the parts, for the owners, everything. Everything is in one box, essentially.

Justin:

Okay. And, Brian, you said that you had you had noticed actual impact up where you're at. Right?

Bryan:

Yeah. I mean, there is dealerships around here as well that are using them. They're they're, global, I guess. So, we've heard we heard about it all the way up here. Yeah.

Justin:

What, I mean, what what was the impact? Did you go into a dealership? Did you see any of this firsthand? What did you hear?

Bryan:

No. Just, I had at least 3 people reach out to us saying, hey. Maybe you can help, maybe you can help these guys because they're they're they've been breached. Oh. Yeah.

Bryan:

No. I I I I don't think I can help, but thanks for the referral. So, you know, when when, either clients of ours and or, you know, people who know of us come to us and say, hey. You know, you you know, we were at this dealership, and they they were breached, and maybe you can give them a hand. And then you dig into it a little bit further and find out that it's actually a national or international breach, then, yeah, gives you an indication of how widespread this was.

Justin:

Well and even if, like, it was a local, more of a contained breach, coming in after the fact is pretty tricky. Not saying you can't help, but, I would argue that where I shine, you guys tell me if you're different, but it's it's in the prevention. I have been involved in restoring and and recovery, but, man, we do not wanna live there. So No. So, yeah, after the fact, if somebody comes to me and says, hey.

Justin:

I know you don't know anything about me, my business, and what we do, but, we've been breached. Fix it. I'm like, no.

Bryan:

Well I mean, if it's

Justin:

My client a lot of

Bryan:

Well legal involved in it. Right? So

Justin:

I'm I'm just saying without the, you know, yes. But re, remediation, restoring, recovering forensics, like, that's a very specialized service. And, yeah, you you better know a lot about how they do business, and you need to know what the insurance and legal implications are and stuff like that. So

Bryan:

Yeah. We've been called in after the fact for somebody who, has been breached and forensics went in and already gathered what they need to get there. And then then once they've gathered what they need to gather, they give the green light for restoration, and that's where, you know, someone That's

Justin:

where we can come in.

Bryan:

Yeah. We can do after after they've they've done the analysis and the legal team has done their legal things and the insurance team has done their insurance things.

Justin:

Yeah. Okay. So CDK, very large company, major, like, complete outage. Right? I don't I and I don't know.

Justin:

Correct me if I'm wrong. I don't think anything survived this. Right? None of their because they do a lot of different things. But my understanding is the entire system was down, across all of their dealerships.

Justin:

Major disruption in operations. You know, we've all kinda done a little bit of research here. Tell me and and you guys can just kinda fight who goes first, but tell me a little bit about what they did. And I'm not talking about how they restored, but how did they survive the downtime? Any thoughts on that one?

Justin:

You got everything down. You're a dealership. You're trying to sell cars. You're trying to maintain cars. You're trying to order parts.

Justin:

You're trying to, you know, manage relationships, and it's gone. How did the dealerships get through that? They close their doors. You know what they do?

Mario:

I mean, from what bits and pieces that that has been released or from what I've gathered is there are some dealerships that couldn't even offer test drives because certain systems, they actually put all the keys, and they have if you ever have gone into a dealership that uses, like, these systems, the keys are connected to, like, a big magnet that they put into, like, a, like, almost like a small vault into a slot, and that key matches a slot, and it's all inventory. So that car is in, like, slot number 23. It tells you where the location is of the car. You need to sign it out. You need to scan the person who's going to test drive, like, their driver's license into the system so everything matches.

Mario:

So without them being able to even scan, you know, the person's license or release the key, they couldn't even go on a test. They couldn't even unlock the car. So, you know, you would have to go in there, speak to to a rep or sorry, salesperson, and all he can do is show you the car from outside, maybe explain some things about it. But I don't think they could even discuss prices or do paperwork or even finalize a deal.

Bryan:

My understanding was that it was that wasn't the the situation for all dealerships. There are some dealerships that had systems in place. They actually took the time to think about how their business would function if they went offline and put in place systems and processes to allow them to continue to operate, and some of them were were able to use manual processes to be able to do that. That's good. I don't I can't answer to which ones, but I do know reading about it and and looking at it, and and and they were saying some dealerships are completely down, and then they were talking about how other dealerships were able to continue to function in a limited capacity.

Bryan:

And so, yeah.

Justin:

So this would be This is a key point. I I wanna kinda pause the conversation and talk about this for a little while. A, because I'm actually getting ready to write a book, and this is one of the things I'm gonna dig into is, how you prepare for and how you handle an incident like this. And, you know, I've I've looked at dozens of canned incident response plans. I mean, how many times does an insurance company say, do you have an incident response plan?

Justin:

So you hit Google or a client, not us. You know, somebody hits Google. They download the first thing that comes up, and they hand it to their insurance company. They go, here we go. Incident response plan.

Justin:

And if you look at those, what does it talk about?

Bryan:

Thoughts, guys? Yeah. Well, I'll I'll I'll give you a little bit background there. I I Okay. I approached about 50 different managed service providers throughout North America for their version of what an incident response plan would be.

Bryan:

Out of those 50, 10 were able to respond with their incident response plan. The others didn't have one or didn't want to share it, one or the other. Out of the ones that I've seen, none of them talked about how they would protect. They just talked about how they would handle an incident after the fact. And so there was no planning and preparation on how they're going to protect the systems, nor was there anything on how they're going to survive and continue to operate their business during an event.

Bryan:

They just talked about what what to look for and what actions they were gonna take after.

Justin:

Who to notify, which attorney to call, which PR person to call. Yeah. Who's the insurance company? Yeah. But what do you do while you've got a client sitting in front of you Right.

Justin:

And you can't conduct business? And that, I think, is the biggest problem with

Bryan:

How do you pay people? How are you gonna communicate internally? How are you gonna communicate with your clients? You know? You know, how will you continue to perform the daily important functions of your business, which is sales, operation, service delivery?

Bryan:

Right? How are you going to continue to be able to provide for the clients that are paying you?

Justin:

Right. That that needs to be, like, I would argue the main focus of an incident response plan. How do you keep making money?

Bryan:

Yeah.

Justin:

Right? Well, I mean,

Bryan:

we all have an example of that. Right? We went to we all Yeah. Went to a hotel back a couple, a quarters ago and they were breached and while we were there, they were recovering from that breach and they had all manual systems and processes in place and from my perspective beyond that, I beyond that, I didn't notice.

Justin:

And that was only a few days few days after the incident. Right?

Bryan:

Right?

Mario:

I mean, they had a I get it. They they did a great job.

Justin:

Phenomenal job. Considering.

Bryan:

Yeah. You know?

Justin:

Yep. In contrast, you know, and if we go into timelines for CDK, And and I've I've gotta start by saying, there's nothing I have found nothing in the media about CDK responding with any official statement, and I went to their website and looked for anything about this at all. There's no mention of it. Go to their press room, you know, their their whatever they call it. No mention whatsoever of this breach.

Justin:

So, all of this is speculation at best.

Bryan:

All of it's from news articles. Right? And one of the things I read was that, when the breach first occurred that they rushed to try to get back online. And that that was one of the biggest mistakes because immediately, they were able to come the cyber criminals were able to rebreach them a second time because they were still in. Right?

Bryan:

So they tried to rush rush their fix, and that actually backfired on them even more than had they just taken a few moments to isolate and and, you know, lock things down and then remediate once they've confirmed that everything's out. I think the the the best, the best example would be it would be like a doctor sewing you back up and there's still debris in in in in the wound. Right? Like, they have to clean it out. You gotta clean it all out and then you can

Justin:

That's a terrible example. But yeah. Yes. It's it's it's pretty accurate, but damn. Yeah.

Justin:

Yeah. Yeah. So I mean, one of the frustrations that I have in in working in this industry is the information we get that we would love to be able to learn from is very, very limited. It's always kept under, you know, cards are played close to the chest. There's there's very little official information.

Justin:

So there's speculation. There's what we can gather from news articles, and even a lot of that is speculation. But but that said, we have a kind of a basic timeline. Yeah. They they get hit.

Justin:

They tried to recover, which we don't really know exactly what that entailed. They're rebreached. 2 days later, they pay out $25,000,000 to, to the ransom. Right? So let's let's talk about that for a minute.

Justin:

And this is this can be a you know, we've debated this before. We've heard it debated before. But do you or do you not pay the ransom? And if you do and if you don't, what are the ramifications? So, let let's just take let's start with, what are the cases where you absolutely have to pay the ransom?

Justin:

Because, I mean, if you pay it, you've looked at everything else. Right? Probably.

Bryan:

Well, you pay it when you have no way of recovering. So if you have no backups and you have no way of getting back access and or that it was double I think they call it double exfiltration where, basically, they've not only breached you and encrypted your documents, but also downloaded a copy of them and are threatening to share in the greater, with the greater population. Mind you, they might do that anyway and keep extorting you down the road. So do you pay? Don't you pay?

Bryan:

I guess that's the question. Right?

Mario:

Yeah. It's if you really have to. I guess, you know, if there's no other choice. Because $25,000,000 is a good amount of money.

Bryan:

And you have to also be careful because if you pay what at least not, I don't know what the rules are here in Canada, but I've heard from from colleagues in the US that if if you pay and that organization is on a terror list or whatever the case may be, that you may actually be committing some sort of criminal act by paying Right. The the the the ransom. So you have to also take that into consideration. Is is paying the ransom going to get you in legal trouble? So I

Justin:

mean, yeah. It just all around, this is a shitty situation. There's there's no good outcome to this, which is why I love to live in the world of prevention. But, yeah, so if you pay it, number 1, it could be illegal to pay it. Number 2, you may or may not, now I'm gonna pause again and say they actually do pride themselves in customer support, these bad

Bryan:

guys. Yeah.

Justin:

Listen. They're running a business. And if people if if word gets out that ransoms are paid and people don't get their information back, then then there's no chance people are gonna pay. Right? They have to have the the good track record.

Justin:

They need that 5 star Google review that, you know, I paid my ransom and, goddamn, I got my stuff back immediately. 5 stars definitely recommend, the black suit ransom group. Right? So they want their reviews positive. They are going to give it back to you if they can, but they might leave a backdoor.

Justin:

Okay?

Bryan:

And then come back. And and it puts a bigger target on you because now that group you paid, and another group might say, hey.

Justin:

Yeah. This group

Bryan:

pays. Right? And now they're gonna go their way to try to breach you because they know you're willing to pay.

Mario:

Right. And I don't think I I don't think they ever when you get breached and and you actually pay them, I don't think they ever tell you, oh, by the way, this is how we got in. You know what I mean?

Justin:

Tell you. Hopefully, you can find some information through the forensics on that one. Yeah. Yeah. Interesting thing

Mario:

If I'm paying $25,000,000,000, I wanna know how you got in, when you got in. I want you to fix it.

Justin:

Oh, you think the bad guy is gonna tell you that? Good luck. Good luck.

Bryan:

Something that's really, really,

Mario:

I don't

Bryan:

know, it's, like, interesting or funny because it's not funny and it's it's but it it there's still some interest to it. I once had a client, who not only because we we didn't pay the ransom, but we, they were they were they were a client where we were only doing backup. So just for the record, we were not doing cybersecurity solutions for them. So we had no way of knowing whether or not their systems are compromised to begin with, but they were compromised. They had their files encrypted, and by the time they reached out to us to let us know that they were encrypted and monitored or help in recovering it, again, only doing backup.

Bryan:

We went back to a week a week ago, still encrypted. 2 weeks ago, still encrypted. We went all the way back to, you know, different times, and and it was wait a minute. This is a different encryption. It was they were encrypted, and then another another organization breached them, and they were encrypted again.

Bryan:

And another organization breached them, and they were encrypted a third time. So as we're going back into the history of of of this particular client, they were breached 3 times in succession on top of each other. And it turns out one of the, the owners' kids was using, the server as a a Bitcoin miner. So

Justin:

Oh, god. Yeah. Okay. Brilliant. Did you I

Mario:

like, at that point, I tell I would tell him. I'm like, I sorry. We can't help you.

Bryan:

I I mean, we were able to recover him back to aid, like, you know, I think it was, like, 3 3 months in the past, but it is what it is. We weren't doing cybersecurity from at the time. Now we don't we don't give people the option. They wanna work with us. We have to do cybersecurity for this very reason.

Bryan:

It's it's still a stain on our name if they get breached in one way or the other. So

Mario:

Now I'll we, we had a prospect. Somebody you know how, like, we we all our offer at the end of our, podcast, we offer network a security network system. So we did this for a company, and this was about 3 years ago, maybe a little less. We ended up going out there doing a security. We gave him an audit.

Mario:

We're like, you need to fix this, this, and this. You don't have, like, a proper backup. You don't have this. The guy's like, okay. Thank you.

Mario:

Didn't hear from him, you know, for months. Then one day, he called us. It was like a I think it was, like, 7 o'clock at night on, like, a Friday.

Bryan:

Oh, no.

Mario:

And he's like, hey. We just got encrypted. Our entire all our data is is, is encrypted, and he's panicking. He's like, I need your help. We need to you know, we'll pay whatever.

Mario:

We ended up going and checking out everything. Like, obviously, they weren't even a client, you know, at that point. They were just like, they became a client after they got breached. And it was a breach. They actually work with a lot of government facilities, so they actually have to contact the FBI.

Justin:

Oh, god.

Mario:

And the FBI told them, are you do you have a NAS device made made by QNAP, which is a very popular NAS company on your network. He's like, yeah. That's what we have. He's like, alright. They've been hitting everybody.

Mario:

He's like, he's like he's like, honestly, he's the FBI told him. He's like, honestly, check the encryption message that the they're asking for, you know, for whatever, and you're probably better off paying it because they're not asking for that much. They only asked for about $450.

Justin:

Oh, really?

Mario:

Yeah. And old days. Yeah. No. No.

Mario:

This was, like, two and a half, three years ago.

Bryan:

Yeah. The good old days.

Mario:

It was it turned out it turned out I think the hacker was, like, somebody that knew, like, a backdoor and wasn't trying like, he was, you know, an honest hacker, and I think he was just kinda like you know? And then when we, you know, we ended up buying some, you know, like, $450 worth of Bitcoin, and we ended up paying it off for them. Obviously, we built it back, but it wasn't that bad. That was the only time where we're like, yeah, it's cheaper for you to just pay the ransom.

Justin:

Okay. So let's talk about the money. Right? So $450 versus what we're talking about today, 25,000,000. This is not random.

Justin:

So how do they set the price? When they're when the bad guys are asking for a ransom, how are they setting that price, Brian?

Bryan:

Well, I just learned this today from you, Justin. Apparently,

Justin:

Don't press us out on our behind the scenes conversations. Goddamn it.

Bryan:

Apparently, these very clever criminals, who who have not only found a way into your network, and gained access to your network, will actually look through your data, on your your server and your files to figure out if you have an insurance policy. They will download said insurance policy. They will look through it and see how much you're covered for, and that's how they come up with the number that they want to, ransom you for. Because they know if you've got cyber insurance and you're covered for a million, then you're probably gonna be okay with paying up to a million. Right.

Bryan:

And I have heard before won't get it.

Justin:

Probably. They'll get half. I have heard before that they look at your bank balances. If they, you know, they get into your system, they're gonna watch you get on the get online and look at how much money you got in the bank. So, yeah, they and and the these are very targeted.

Justin:

Usually, these attacks are very targeted. They're you know, it used to be, I think, a lot of this stuff was more broad, more of a shotgun approach. But these high dollar ones, they spend a lot of time and effort getting in and knowing you, knowing your organization, and knowing exactly what it is they can get from you, before they make those demands. So that kinda sucks. Okay.

Justin:

So on 19th, they get hit. Right? And then 2 days later, whatever they tried to do didn't work, and they go ahead and decide to pay the ransom. Now customer service being what it is, pay the ransom, flip a switch back up and running immediately. Yes?

Mario:

No. Actually, they,

Bryan:

That'd be nice.

Mario:

What actually, from what I read is that they were it still took them 2 weeks to completely bring everybody back online, and they were turning on, like, 50 dealerships per hour. They weren't putting them all. It wasn't just all all right away.

Justin:

Yeah. And and when you look at okay. So the $25 or $25,000,000 ransom, that sounds huge. But the total, the you know and and these are analysts looking at it and taking guesses. Like I said, this is all conjecture at best.

Justin:

But the estimated total impact, the total financial impact of this breach across all the dealerships and everything else, is over $1,000,000,000. So the ransom is really the smaller part of this. When you when you look at the downtime, when you look at the disruption to service, when you look at the cost of restoring because it's not just a switch that you flip. Fine. Get the encryption key, then what?

Bryan:

Right.

Justin:

I mean, how much stuff was encrypted? How much of that you have to go around manually and, I mean, god. It's it it's a disaster. It's a pain in the ass. So Impact was huge.

Justin:

Financial, emotional. Do we do we really think much about that? Do you guys wanna be on the IT team that has to restore all this? No. Because I don't.

Justin:

Not at all. No. Do you know how many do you know how many people are screaming at you?

Bryan:

Yep. I I did one of those IR games, a couple of weeks back, and, it was one of those, like, the biggest disaster of your your life kind of thing where not you know, where the situation was, like, as an MSP, we're pretending we were the ones breached, and and my heart was racing the entire time.

Justin:

Yeah. No kidding. Did did your Apple Watch start alerting you that you need to call a doctor? Your heart rate's too high.

Bryan:

Tell me about it. That happen? Okay. Tangent. No.

Bryan:

For another day. Well,

Mario:

I mean, I'll tell you this. You know, back in college, I actually used to work for a car dealership. I was a salesperson. I only did it for a couple months because it was just too aggravating. But my salary back then was, what was this?

Mario:

Like, $200 a pay period plus commission.

Bryan:

Right.

Mario:

So so $200, like, you know, you can't do shit with $200. So you're mostly salary based. So these these employees of the dealerships were screwed themselves because they can't work. They can't sell any cars. So imagine half your month, you know, you're not able to and the thing is, it happened towards the end of June and the beginning of July.

Mario:

That's where, you know, you have to hit quotas, and that's where you start getting, you know, the better deals and, you know, they're trying incentives and stuff like that.

Justin:

Sales coming up. July 4 sales. You know, that's gonna be a big thing. Yeah. And I I would guess I don't know, but I would guess that that $1,000,000,000, 1,000,000,000 plus, does take that stuff into account.

Justin:

But I don't know that we always think about that when we're looking at incident response plans. Right? Right. How does the company affected? But, yeah, how are the employees impacted?

Bryan:

Well, and the customers, some of them are pressing charges and lawsuits. Right? So now Yes.

Justin:

So let's talk about lawsuits. I mean, we did an episode. It's it's been a minute. I I wanna go find the title because I I kinda I was kinda proud of my title, but it's, oh, sorry. You were hacked.

Justin:

Here's a $480,000,000 lawsuit to brighten your day. We're we're only talking about the current situation with these guys, and the lawsuits haven't really hit yet. So who knows what that's gonna end up being. But Right.

Bryan:

Well and when they're busy taking care of their lawsuits, now your attention is, like, elsewhere. Right. No longer on on providing service to your clients, no longer on growing your organization or growing your business. Now the leadership team is solely focused on this lawsuit and what's happening with this lawsuit is a huge distraction, not only from the point of view that you're not going to be able to work on the business, but, also, you may have to pay out all sorts of, like, lawyer fees and, investigation fees and and fines and whatever settlement you eventually end up settling at.

Mario:

Yeah. And then don't forget, they're probably gonna lose a good amount of those customers or their customers.

Bryan:

You

Justin:

know? Somebody's gonna decide to go somewhere else.

Mario:

Yeah.

Justin:

Right? And this this is what I do not like about consolidation in industry. So this this company had a significant percentage of the market share.

Mario:

Yeah.

Justin:

In our industry, names, redacted, there is there is a giant company who is buying up everything in the MSP space. Right? And this drives me crazy because now that you've got one massive target for the the criminals to breach. That's terrifying to me. I hate that.

Bryan:

And it's happening.

Justin:

They were already breached. I know. The one that's that's buying everybody up, they've already been breached.

Bryan:

They've

Justin:

already been breached. Jesus Christ. Yeah. Let's let's rein it back in before my watch starts telling me to go to the doctor. So, again, you know, I've I've said it before.

Justin:

I'll say it again. My my biggest frustration working in the world of cybersecurity is that we don't have the real solid inside detail of what has happened in a case like this unless we're directly involved with it or unless we can talk to somebody who is directly involved with it. That said, we do

Bryan:

learn from it.

Justin:

We can. It's it's difficult to learn from it, but we have a little bit of information here that, based on one of these lawsuits, we can, we we can assume or we can guess that one of the shortcomings that they are alleging is in security awareness training. Brian, do you wanna talk a little bit about that?

Bryan:

Yeah. So one of the lawsuits that that are being brought forward, accuses that or or at least talks about how part of the responsibility or or part of the reason for the breach was a lack of cybersecurity training for the employees. And that because of that, we can infer, I guess, that it's likely that the breach began because of either a phishing attempt, a social engineering attack, or, something directed towards an employee specifically that they were able to, use those people's credentials. But then it went one step further. Apparently, once they were in, they were able to move across the network laterally and essentially gain access to other systems that had proper security been put in place, you know, least privilege, then that person's access would have been restricted, and so they wouldn't have been able to get into other systems that maybe that person, you know, had no business being in in the first place.

Bryan:

But yeah.

Justin:

So, Brian, dumb that down for us a little bit and talk to, I don't like that I just had dumbed down, and now I'm gonna say talk to business owners because Sorry. But but they're not in our world, and I know exactly what you're talking about. But, yeah, I let's just say I own a business. I have no fucking idea what you just said.

Bryan:

Okay. So let's assume that you I I like using this analogy because this analogy is really easy to to work with. You know, imagine you're the CEO of a bank. Right? Not just one bank, but many branches of your bank.

Bryan:

And imagine, you know, you have, well, I'm the CEO, so I should have access to everything. Right? Including every single vault and the codes for every single vault. And I'm gonna put those codes, and I'm gonna have access to everything. So if somebody breaches me, they have access to all these vaults.

Bryan:

Does that seem logical, or should the CEO of the big huge giant bank not have access to every single vault because he doesn't need to go into those vaults in the first place. Right? So it's kind of the same thing when you're talking about a network. Just because I'm the boss, just because I'm the CEO doesn't mean I need global administrative rights to absolutely everything or or even access to everything in the entire organization. Right?

Bryan:

I don't need keys to every single door. I only need keys to the doors I personally need to get into and the people who work for me will have keys to the things that they need access to And it's kind of the same philosophy. You only give yourself access to the tools, the systems, the data, and the email admin portal Right.

Justin:

I don't have access to anything. Now, I

Bryan:

do not have,

Justin:

if I log in to my email admin portal

Mario:

Right.

Justin:

I don't have access to anything. Now I can go get those credentials, and I can log in as an administrator, and I can do what I need to do, but I have to go through great lengths to get there? Right? So that's kinda what we're talking about here.

Bryan:

So Yeah.

Justin:

Okay. So we've got that. This is potentially, allegedly, a failing on the security team on whoever set that up didn't may or may not have set it up properly. Right? Again, this is all conjecture.

Justin:

We don't know this for sure. And then the other one but but it is a key takeaway. Like, this is something that we can learn from. And then the other side of this is training your people. And then according to the lawsuit, I guess, not only well, if I am in this position and I wanna fight a lawsuit, I have to have not only trained people, provided them the opportunity for training.

Justin:

But what? Record you

Bryan:

have to have records of having done that.

Justin:

Gotta have it documented. And coincidentally, I was

Bryan:

It's not enough to just say, hey. Here's some training. Take it if you want. It's Right. Here's your training.

Bryan:

Oh, you didn't take the training. You need to take the training. Oh, you haven't taken the training yet. Now I'm gonna put you on the path. Right?

Bryan:

Or on some sort of disciplinary path because no different than if somebody were putting an employee at risk from a safety perspective. Right? Like, they're breaching safety precautions in an environment. They're not taking safety training. They're not following safety procedures.

Bryan:

If you have somebody who's abusing cybersecurity and they are not willing to participate in cybersecurity, they are putting your entire business, not just one person physically at risk, but everybody that works for you at risk, both physically and financially.

Mario:

Yes. It's not optional. It should not be optional. It is it should be part of their daily, weekly, monthly tasks, whatever you set up. It's just like, you know, like technicians.

Mario:

You have a ticket board. Here's the, you know, ticket 1. Here's ticket 2, ticket 3. You can't just keep avoiding ticket 2. You need this as a task.

Mario:

It has to be completed. If it's if just like other owners of IT, if your technician is not doing their task, guess what? They're gone. And gone. So training should be just the same, if not more.

Mario:

Across all

Bryan:

employees, even people who don't necessarily deal with technology on a day to day basis. Right?

Justin:

Yeah. Yeah. Coincidentally, I was actually on with because I'm moving vendors. Security awareness training is something that has historically been very difficult for me to enforce, to roll out, to enforce, to report on. The system isn't terrible, but it's not easy for either me to administer or my clients to use.

Justin:

And so the demo I was on earlier today that you can rolling it out as a click of a button to an entire organization. You don't have to configure anything, and then the reporting is amazing. You just run the report that I can go take to my client and say, here are your problem employees right here. It's all documented, and then it's on them, of course, to do remedial training or to terminate or, you know, whatever they're gonna do. But, yeah, you've gotta have the system in place.

Justin:

You have to be able to document the process that you took, and then you have to be able to document any weaknesses. And I'm by that, I mean, people who aren't doing it right. So with the limited information we have about this breach, that's what I would call, my primary takeaway is just the importance of this security awareness training, which I've preached forever, but I haven't necessarily preached the importance of the documentation of it, having that procedure in place. So, guys, I think, I've said just about everything I have to say and maybe a little bit more. So, we're gonna roll that that was my key takeaway, and you guys can throw anything else out there you've got.

Justin:

And then we're gonna sign off, and we'll be back next week with some more. So, Mario, why don't you go ahead and start wrap this up, and then Bryan.

Mario:

I mean, for me, a key takeaway is, you know, like we've mentioned earlier, an incident response. You know, if shit hits the fan, how what are you gonna do? Test it to you know, have a a drill. Blow up you know, not literally blow up, but, like, unplug your stuff and see how could you recover. Is it a whole new server?

Mario:

Is it how long is it gonna take? What's the impact? Actually, inconvenience yourself. And now under a controlled environment versus an uncontrolled environment. You know, it is a pain in the ass, but do it.

Mario:

Yeah.

Bryan:

Bryan? I think my key takeaway is probably one of the same ones I would say over and over again, and that is, treat cybersecurity as a journey. You won't be able to get it all done day 1. But if you go into it with the intent that I am responsible for cybersecurity, everybody is at an organization, especially the leadership team, you are responsible. You cannot abdicate responsibility.

Bryan:

So take it as a journey and just try to improve it bit by bit. And as you know, my 1%, so improve 1% every single day. Just do one thing a week to improve cybersecurity, whether that is doing some training, whether that's at implementing something new, but always be looking to what comes next. What do we do now to improve? That's it.

Justin:

Okay. Yeah. I almost thought for a minute you were gonna miss that 1% part, and I was gonna I wouldn't wanna let you get away with it. But, alright, guys. We are going to wrap up for today.

Justin:

As always, go to unhacked.live. I said that kind of weird. Unhacked, not in hacked. Unhacked.live. We've got social media links there.

Justin:

You can see all of our previous episodes. There's full transcript of every episode. And if you find value in this, please share it with your colleagues. Help us spread the word because we are trying to, yes. We're all trying to run businesses, grow our audience, and make money.

Justin:

But that said, there's good information here that can help all of us fight this stupid, ridiculous, atrocious war on Russian hackers. They're not all Russian, but I like to say it that way. So, that's all I've got. Mario, Bryan, thank you for being here. Guys, we'll see you next week.

Justin:

Take care.

Mario:

Thank you. Bye, guys. Bye.

Creators and Guests

Bryan Lachapelle
Host
Hi, I’m Bryan, and I’m the President of B4 Networks. I started working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream became true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors where I could truly utilize my experience as a Network Administrator for a large Toronto based Marine Shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I’m an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.
Mario Zaki
Host
During my career, I have advised clients on effective – and cost-effective – approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with an expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.