77. The Hidden Cyber Threats Lurking in Your Business (That Your IT Guy Doesn't Even Know About)
Justin Shelley (00:00)
Welcome everybody to episode 77 of Unhacked. I'm Justin Shelley, CEO of Phoenix IT Advisors. And, uh, here at, uh, Phoenix IT, we help businesses use technology to make lots of money. And then, uh, we, we do all the work behind the scenes to make sure the bad guys don't come in and steal that money from you. And by bad guys, I mean the hackers, Russians and otherwise. Listen, let's not be, uh, let's not be exclusive. Um,
But it doesn't stop there because we have to protect you from the government fines and penalties if you don't comply with all the regulations out there. And then of course, if you do something a little bit wrong, then the attorneys are going to come sniffing around and they're going to take whatever's left. So that's what we do is we apply frameworks. We make sure that you're protected and we keep you safe, keep you making money and keeping it. Mario, that's what I got. Tell everybody who you are, what you do and who you do it for.
Mario Zaki (00:55)
Yeah, Mario Zaki, CEO of Mastic IT located in New Jersey. And we specialize in everything that Justin just said, you know, but we also add peace of mind to it as well. I know he forgot that part. We help customers know that their company will be safe, secure and be there the next day so they can sleep better.
Justin Shelley (01:18)
Yeah, absolutely. Listen, that sleep better at night thing. I'll be honest with you, Mario, it's overstated. A lot of people say it, but I can't tell you how much sleep I lose at night over this kind of stuff. This is not a comfortable industry that we're in. I'm just going to say that right now.
Mario Zaki (01:37)
No, no, we, we, feel like we absorb the, the stress for, you know, our customers, you know, we, we know our neck is on the line. So we need to make sure that, you know, every T's crossed, every I is dotted, and that we can, you know, show value, you know, for, for why they keep us around.
Justin Shelley (02:03)
Yeah, no, you're right. You're right. And that, that comes up a lot, right? We do a lot of stuff that's, that's invisible. And I think, I think probably our hardest play is to show what's going on and what happens without it, right? Because on the surface, when you're just like, my computers work, why do I need you guys? You ever hear that one? Or
Mario Zaki (02:07)
Yeah.
Yeah, all the time. "Well, we rarely call you guys."
Justin Shelley (02:26)
Yeah, yeah, that's my favorite one. "Oh, we really don't call you very often. We don't need very much." You have no idea. You have no idea. So that is the point of this little kind of, maybe we're going to call it a season. Maybe we're going to call it a mini series, but we have, I think it's 10 to 12 episodes where we're talking about baseline security. And this is the stuff that has to happen behind the scenes. It's not fun. It's not glorious. Um, and you get almost no recognition for it, but I'll tell you what, if it's not in place, you're in big trouble. So
Mario Zaki (02:28)
You
Justin Shelley (02:55)
We're going to dive in. Mario, last week we talked about people, right? Locking down people, identity protection. And today we're going to talk about the technology that people use. And it really comes down to, in a nutshell, you can't secure what you can't see. If you don't know that it's, God, it used to be that we could just say if it's on your network, but now it's like, if it touches anything to do with your business and you don't know about it, you're potentially screwed.
Mario Zaki (03:17)
anyone
Justin Shelley (03:23)
Right. Am I off base there? Okay. All right. So, let's see, where do we start? I've kind of already said it, but, I know I said it last week, the real challenge that we face right now is that we used to have a network surrounded by a moat like in our castle, right? And that was called our firewall.
Mario Zaki (03:24)
100%, 100%, yeah.
Justin Shelley (03:51)
And you could lower the drawbridge. You could let people in, you could raise it back up. That was it. Security was pretty simple. Mario, give me a picture of, like, what does a security landscape look like right now?
Mario Zaki (04:02)
Well, now you have your office, you have people working from home, you have people using company laptops, you have people using their own personal computers, you know, the same computers that their kids are downloading movies and, you know, whatever else they're downloading on right now on their home computer. You have their cell phones, you know, business cell phones, personal cell phones. You have your Microsoft tenant.
Justin Shelley (04:22)
Yeah.
Mario Zaki (04:30)
You know, and what connects to that Microsoft tenant or Google.
Justin Shelley (04:35)
Yeah. I mean, it's, we call it device sprawl. You know, it's just, it just keeps getting bigger and expanding. I, I haven't heard it recently, but back in the day, and I am an old man, I would hear people say, "We moved to the cloud. We're good." It's like, my God. Do you
Mario Zaki (04:52)
I still hear that. I heard that this morning. I heard that this morning. Yeah, "We no longer have a server here. We moved to the cloud." And then later, I'm like, which cloud? It's a fucking cloudy-ass day. There's so many clouds out there.
Justin Shelley (05:00)
Yeah.
Right?
Yeah, like define cloud. What does that mean anymore? Crazy.
Mario Zaki (05:11)
Yeah. People think just because it's not in their building, no matter of somewhere else, it's a cloud.
Justin Shelley (05:19)
Yeah. Yeah. So let's, let's kind of give an example. Are you familiar with the, what are the CISA advisories? Government puts out a list of all the vulnerabilities that they've identified. Now, ideally there's, you've got somebody on your team who watches these and provides the fixes for stuff that we know about. This, this is the stuff we know about
Mario Zaki (05:21)
I guess they're right.
Yep.
Yes.
Justin Shelley (05:49)
or we can know about. It's documented. We aren't even going to talk about the stuff that's not documented or that's new. We call those zero day exploits. Those are, those are another issue. But we've got this never ending, ever expanding list of vulnerabilities that have been identified. One of them, Citrix. What do you know about Citrix, Mario?
Mario Zaki (06:11)
I know it's a pain in the ass, to be honest.
Justin Shelley (06:12)
Yeah.
Aren't they? And I'm, I'm way off topic and I'm going to, I'm going to display my ignorance here. Aren't they having like major company problems, like going out of business or something? One of the virtual providers is like not doing great. I don't know. Anyways.
Mario Zaki (06:24)
Yeah. So for people that don't know what Citrix is, it's just a tool that you could remote desktop, use to remote desktop into a server either in your office or on one of those clouds.
Justin Shelley (06:45)
So there's a known vulnerability on them. And this is just to illustrate the problem. If you've got that on your system and you happen to know that there's an advisory out there that you need to patch the vulnerability, that's your best case scenario. But we've got two potential problems here. A, you don't know about this advisory. So get on that. But B, more importantly and more within our control really, is that we have to know that we have this product living on our network or living in our ecosystem somewhere.
And that really is the problem we're talking about. We talk a lot about shadow IT, right? This is probably our biggest blind spot. Mario, tell everybody, since you're good with the layman terms, what is shadow IT? I know we've defined it before, but let's do it again.
Mario Zaki (07:34)
I mean, there's, it's, I don't know what the exact definition is. It's a software that you have on there that you just don't know you have. Is that right?
Justin Shelley (07:44)
I mean, basically, yeah, let's see what Wikipedia has to say. "Shadow IT refers to information technology systems deployed by departments other than the central IT department to bypass limitations and restrictions that have been imposed by central information systems." So they're defining it as like an intentional trying to get around security measures. I use it more generally than that. And I would just say it's anything that's being used by you or your people that
Mario Zaki (07:46)
Yeah.
Justin Shelley (08:13)
IT slash security doesn't know about, right? Because all we have to do to take it from shadow IT to normal, like, you know, to, okay, to protected is we just have to document it. We just have to know about it. Right. And put protections around it. So shadow IT is really just a break in process. Is that fair? Yeah. Okay. One of the, do you remember a few episodes ago, we talked about, I believe it was a manufacturing plant
Mario Zaki (08:17)
Exactly.
Exactly. Yeah.
Justin Shelley (08:43)
that somebody had, a vendor had left a remote access tool wide open that caused a huge breach. You know, and this is something we hear about a lot, but now let's talk about how do we fix it? Okay, we've identified this problem a few times, but well, so I want to take it on both a technical, but from a technical front and also as what should a CEO
Mario Zaki (09:04)
No, go ahead, sorry. Sorry.
Justin Shelley (09:12)
know and how should they be involved. So I want to hit it both ways and let's start from the CEO's perspective. All right. I'm just Justin, know nothing about it, but I own a business and I don't want to get robbed blind by either the Russian hackers or the government. Well, or also the, the attorneys. So what do I need to know, Mario, about my technology?
Mario Zaki (09:37)
You need to know that you're in bed or in partnership with a company that is looking, that has your best interests in front of everything else. So you need to know that your MSP, A, keeps an eye on this stuff, and B, as soon as it comes up, they will either bring it up to you or...
Justin Shelley (09:50)
Yeah.
Mario Zaki (10:04)
We like to just stop it in its tracks and then take names later. So I'll give you an example. A few months ago, we discovered there was a vulnerability with a, I forgot which remote access tool is used in this. And this tool, it's used a lot for third party vendors like your
Justin Shelley (10:23)
Right.
Mario Zaki (10:33)
your ERP company that you're using that's web-based, if you're having a problem, they need to remote in to your computer, but they don't want to keep a remote management tool on your computer at times, but sometimes they do. Sometimes they will set it up, "Okay, well, I'll follow up with you tomorrow, I'll leave my software on your computer." So we found out that there was a vulnerability with the system. So when we were alerted that day, we went on,
and we were able to pull up our asset management, our inventory management for all our customers, all at one point. We said, show us any computer that has this software installed on it. And once we have identified it, we sent out just a quick script, uninstall off any computer. Granted, wasn't much that there was out there, but there was some random ones and we killed it.
TeamViewer is a very big one. I actually had a meeting with a customer, not a customer, a prospect, yesterday. And while we were sitting in the conference room, the TV is right on there. We were talking, they had a question. I'm like, let me find out. And I took the mouse and I clicked on it and TeamViewer was right there. I opened it up. I opened it up for, and it was, there was nothing logged in. There wasn't any hidden passwords or anything. It was just out of the box.
Justin Shelley (11:52)
Wow.
Mario Zaki (12:02)
You saw the username and you saw the password. I'm like, anybody can just log into this computer by just knowing this number, which by the way, never changes. And this password that for some reason is always all lowercase and only one or two numbers. You don't have to authenticate to a website to use TeamViewer. You can just download from their downloads page. Once you have that number, you enter the password, you're in. You're literally in their network
Justin Shelley (12:12)
Yeah.
Mario Zaki (12:31)
right then and there. You even have an option to black out the screen so that the person in the conference room doesn't know, doesn't see that somebody's logged in. That is a long-winded answer to what you're asking.
Justin Shelley (12:47)
And it's a perfect example. And here's, here's the challenge that I see. And I'm, I'm, I've got both hats on, right? I'm, I've got my CEO hat on, and I also have my CIO hat, my chief information officer hat, and I'm looking at technology, you know, and again, breaking it into two pieces as a CEO, how in the hell am I supposed to keep track of what is installed on every device throughout my entire organization?
I don't have an answer to that for you, Mario, other than I would just say, like, you better have a good relationship with your IT company or your, your internal, whoever it is, and you better find a way to hold them accountable and make sure that they're doing it. Now let's switch to that poor guy whose job it is to keep track of this. And I'm going to tell you, even with all the tools that we have, this is still a challenging job. Is that fair to say?
Mario Zaki (13:42)
Yes.
Justin Shelley (13:43)
There's nothing easy about this. If I pulled the asset or the software inventory on any one computer in my system that I manage, it's hundreds, right? I mean, the things that are installed that show up, and I should, I should do this in real time. Let me just go in here. Software. Will it give me a number? One through 150. And then I think there's, there's more pages, you know? So it's like that. That's what we're looking at.
Mario Zaki (14:09)
Yeah.
Justin Shelley (14:12)
And I've got a tool that's very proficient at this. CEOs don't have that. And maybe their internal IT people do if they have internal IT, and the reality of, and let's just look behind the scenes. The reality of this is IT, anything internal or MSP or whatever, we're busy. We're doing all kinds of stuff. We're watching all kinds of things and it is tough to keep track of.
Mario Zaki (14:24)
Rare. Rarely does internal IT have that.
Justin Shelley (14:42)
Hey, is there a TeamViewer just happened broadcast, you know, that, that somebody forgot to uninstall? I will tell you that as AI becomes more of a tool in our space, it helps a lot because now we can actually take that inventory and we can either automate it or we can manually do it on occasion and we can dump that into AI, you know, and we can just say, hey, filter through this and find everything that's suspicious, you know, and it'll actually do a decent job. It's not perfect, but it'll do a decent job of saying, hey, found this.
These are the cases where it would be useful and these are the cases where you probably should get rid of it. You know, I
Mario Zaki (15:17)
Well, the one thing too I want to add on to that, Justin, is if it's a vulnerability with a certain version. So for example, Mozilla Firefox is a very notorious one for releasing several different versions, almost on a daily basis. So when there is a vulnerability, they release a new update. So it can be version
Justin Shelley (15:29)
Yeah.
Mario Zaki (15:46)
you know, 11.5.16.1, you know, then the next day it will be 0.2, 0.3, whatever. But 0.1 could have had a vulnerability. And sometimes in a lot of cases, when you update, it adds an additional software to your computer, not remove the old one. So that vulnerability can still be in there. You know, so you can go into a computer and see,
yes, I have Mozilla Firefox, but you also have like five versions of it. You know, so that's, that's where those 150 per page that you see is, a lot of it will be, you know, things that kind of need to be cleaned up or different versions or every, like, Apple. If you're managing an Apple device, every Apple built-in software will be listed in there. You'll see like Apple FaceTime, Apple Messages, Apple this,
Apple out with the version, you know. Windows, you'll see Microsoft Office this, you know, they'll have it in Spanish, they'll have it in English and, you know, so there's different versions, you know, that you will not know that it's really there unless you have a remote management software installed.
Justin Shelley (17:01)
Right. Yeah. This is, as much as I would like to say, hey, here's how to keep an eye on this yourself, I will tell you that with all the tools we have, I've already said this, I'm going to say it again. It is a massive challenge, even with all the tools and the automation that we have. This is definitely not something that as a normal CEO, a non-technical CEO, you're going to be able to handle. I will say that it still falls on your plate and you still better have an internal process around making sure that your IT guy has a process around it. Right. Like
There are questions that you can ask them to make sure that this is being taken care of. But that's, right now we're just talking about software, right? This is just the software installed on the machines, the machines that we know about. And so now that introduces another problem. If we can barely keep track of what's going on with the machines we know about, now we introduce machines we don't know about. Has that ever been a problem on your side?
Mario Zaki (17:54)
Absolutely. Excuse me. Yeah. Yeah, yeah. It's been crazy. Yeah, it's what you know about. And we tell people all the time, you know, these are the computers that we know about. Is there any more that you do not know about? You know, sometimes you have to also use like common logic too. If they have a...
Justin Shelley (17:57)
You got the allergies going on like I do, huh?
Mario Zaki (18:21)
under Microsoft 365, if they have like 20 email addresses but you're only managing like 17 computers. Like, okay, you know, seems like there may be three missing. Are you aware of three missing? You know, "Oh yeah, you know, Amy works from home. You know, she got a new computer like two months ago. We must have forgotten to tell you guys." You know, how many times do you hear about that?
Justin Shelley (18:48)
Well, the one I find a lot when we're, you know, looking into a new relationship with a new client, and I will ask them upfront, you know, because our pricing is based on device to some extent. So I'm like, hey, how many computers do you have? And, you know, sometimes I'll get an answer like about 15. All right, cool. You know, next step is for us to come in and do our inventory and I will go through physically and, you know, identify every machine in the in the
of the building and I'll come back with something like 35. You know, it's not even just a few more. It's more than double. So it just becomes super important as a business owner to know what it is that you have to protect. That does fall unfortunately on the business itself because if the business doesn't know about it, it's damn near impossible for IT to know about it. Especially if it's a remote service provider. If it's in-house IT,
Mario Zaki (19:22)
No.
Justin Shelley (19:47)
Maybe you can put that more on their shoulders. But you really do have to lock down this part of the relationship really before we can go anywhere with security at all, because Mario, let's talk about the danger of, you know, and Microsoft did some research on this. I'm not going to get into the details of it, but basically this is a big problem, especially in the world of ransomware, is unidentified and unprotected endpoints, workstations. So you've got a computer sitting there that it's turned on.
Mario Zaki (19:56)
Yeah. Yeah.
Justin Shelley (20:16)
And but nobody's using it. So we're not going to put it on contract, and, but maybe it's broadcasting its TeamViewer presence to the world. And now somebody gets in and Mario, if I get into one of your unmonitored workstations in your network, and I'm smart enough, what can I do? What kind of damage can I do?
Mario Zaki (20:34)
A lot. A lot. You'll have the full keys, you know, key to the castle. You'll be, you know, we sit there and we talk about layers, you know, protecting with a firewall and protecting with an antivirus and protecting with patching and stuff like that. But if you have somebody that's literally being able to come through the back door, then you don't care. You know, no matter what locks you put on the windows or what lock you put on the front door,
Justin Shelley (20:35)
Yeah.
Mario Zaki (21:02)
and the alarm and stuff like that, if you have a vulnerability, you're only as strong as that weakest link. And I tell that to people all the time. You know, we don't, we, we don't sit there and have too many rules, but one rule we have is every computer needs to be protected. You know, even, even if that computer is used once a week or when an intern comes in every once in a while to do whatever, that computer needs to be, you know, secured, managed and protected.
Justin Shelley (21:36)
Yeah. Just kind of popping into my brain. One of the challenges that I've dealt with recently here is even if I know about a computer and I know it needs to be protected and I've, I've got a client that for whatever reason either can't or won't update to a modern operating system. God, now we're, we're, we're faced with a case where at least we know the situation, we know the vulnerability or the risk, but it's an exposure that's not closed.
Mario Zaki (22:05)
Yeah.
Justin Shelley (22:06)
Windows 10 right now is a very common one and it was a problem already. And now we've got like, you know, I just read the other day that hard drives for the entire year of 26 are sold out. I don't know how true it is. I haven't looked into this, but this has been an ongoing theme that hard drives and memory are becoming very difficult to get and very expensive if you do get them. And so we're dealing with already some resistance to upgrade to a new operating system. And now we've got possibly it's we can't do it.
Mario Zaki (22:23)
Yeah.
Justin Shelley (22:34)
You know, we're faced with a situation where it isn't even an option anymore. If, if action wasn't taken fast enough, not good, not good. Let's, let's talk about, you know, I think you mentioned this, where, you know, you've got maybe somebody working on a personal computer and they're accessing corporate resources. Maybe it's their cloud software, you know, that shouldn't be a problem. Why, why is that a problem? Tell me about that.
Mario Zaki (23:03)
Well, because again, you can't control anything that's not in front of you, right? We can't, you know, we don't know what that person is using, what information is running on their computer. Maybe if they're logging into a website, you're like, okay, they're somewhat safe. But what about those people that want to set up a VPN connection, you know, because they work from home three days a week
and they want to set up a VPN connection to get into their office computer. Well, when they set up a VPN connection, that is exactly like having a computer in your office. If that computer is not protected, not managed, no antivirus, or there's some crap on it, the second they click connect on that VPN,
they've now exposed that issue to every computer in your office. And they're, like I said earlier, they're already in, they've already bypassed layer one, two, three, and four, you know?
Justin Shelley (24:11)
Right.
Yeah. Using an unprotected, unsecured home computer that we don't want to pay the extra money to, you know, to protect, to support. Understandably, by the way, and I'm not trying to be an ass about this. We all have to watch the pennies. And so because of that, it introduces this problem of, it's great. I can work from home. I've got a computer. My company doesn't have to buy it for me. That's kind of how I sold the idea of working from home.
Now I do have to get back into the company, either through a VPN, like you said, which opens up all kinds of exposure, or I'm just logging straight into, you know, it's software as a service, SaaS or whatever we call it, cloud, online, whatever. It's all the same thing. And here, let me throw this one at you, Mario. I'm working from home on my personal computer. It's unprotected, but it's fine because I'm just logging into, I don't know, Salesforce or QuickBooks online or whatever.
And they have their systems protected. So it doesn't really matter how I get to it, true or false.
Okay.
Mario Zaki (25:12)
I mean, it's not a hundred percent false, you know, like there are some, some things that is better, right? Yes.
Justin Shelley (25:19)
Right. There is a reasonable expectation that they are protecting our data to an extent. And here's what I always tell people. If you can get to your data, so can the bad guy. So you're working on an unprotected computer and you're on QuickBooks, you're on Salesforce, whatever your CRM is, you're doing all this stuff, you're passing corporate secrets back and forth. And the bad guy is just sitting there watching you because your computer is not protected. And then maybe he just, you step away for a second and you leave it logged in. He goes in and he pulls all your data out.
You know, now it's, that's how ransomware is being done. If you can't encrypt the data itself, you just pull it out and threaten to sell it. Right.
Mario Zaki (25:56)
Yes, exactly. And the thing is, it can be something as simple as like a key logger. So a computer that is not protected, not managed, if there's a key logger installed on the home computer, the bad guys can now see when you will go into a website, what website you're going to, what email address you're putting in, what password.
Justin Shelley (26:02)
Correct.
Mario Zaki (26:25)
And if you put in the 2FA more than one time, they've now figured out the algorithm. So they will know what that next number is before it even appears on your cell phone. So now you have a stranger into, say, your QuickBooks. Do with that information as you please. Would you want a stranger in your QuickBooks?
Justin Shelley (26:50)
No, because inside of QuickBooks, you can pay bills, you can transfer money, you can, you know, you can set up a new vendor and pay them. And that vendor is the guy, our little Russian hacker that we love to talk about. Yeah.
Mario Zaki (26:55)
Yes. Yes.
Yeah, yeah, you could easily, a lot of people will do, they can easily change banking information for an existing vendor right in there and it's done or change an address for a vendor where email checks out to.
Justin Shelley (27:15)
Right. You know, I've, I've mentioned the online assessment that we have, and I'm actually developing a new version of it. That'll be a little bit better, but I asked the question of, you know, like, like, let's, for example, say, hey, do you have a current inventory system of all of your hardware and software that you, you know, for sure is up to date, right? The question of the answers are yes, no, or I don't know. And yes is great. No is bad. I don't know is the absolute worst answer you can give.
Mario Zaki (27:45)
Yes.
Justin Shelley (27:45)
Right?
If you don't know where this stuff is, you can't protect it. You know, I'm just going to keep coming back to that. And yeah, I mean, if we're being really realistic, how many business owners really know and understand every piece of equipment that they are responsible for? I would argue that it's not very many.
Mario Zaki (28:04)
I can argue the only person that may know is if he's the only employee. If the business owner is the only employee. And one computer, exactly. Because we haven't even talked about the mess that will come along with Microsoft. Every time you need to have something associated with your Microsoft, Zoom, HubSpot, all these different platforms that want to integrate
Justin Shelley (28:11)
Right. Solopreneurs as they're called. Yeah. Yeah.
Mario Zaki (28:33)
into your Microsoft, when you click on it and then you sign in and then you scroll down and it says, do you want to allow this, click continue, you know, now that has a direct association with your Microsoft. You know, there's less people that know about, you know, what they have associated with their Microsoft than, you know, than what they have on their computer.
Justin Shelley (28:40)
Yeah.
It's getting messy.
Mm-hmm.
No, you're right.
You're right. And you know, there's a little overlap here because it, it brings us back to last week's episode where we talked more about Microsoft and identity in general. These two overlap and I mean, it could almost be one process or one system, but it is just so critical to know and understand what you have, how it's being protected. And then what you just said, how do they all interoperate?
It's a lot, Mario. So let's, let's kind of push to how, you know, and we're going to take the technicalities out of it. And how do we help a CEO kind of rein this in a little bit? And, you know, I think it really comes down to them asking whoever they have hired to put in charge of this, asking them some really hard questions and making them demonstrate it. Do you have any examples, Mario, of how I could keep my
Mario Zaki (29:26)
Yeah.
Justin Shelley (29:53)
security person accountable, the one that I'm writing a big check to every month and I have full trust in. Like, I don't need to worry about it. My guy's got it covered. How do I know he's got it covered? Mine is just that I'm writing him a paycheck.
Mario Zaki (30:06)
Well, the thing is, if it's an outsource, like a managed service provider, doing your quarterly strategic business reviews or annual, whatever way you're doing it, they need to be walking in with a list. Here's all your computers. Here's the people logged into those computers. Here's a list of your Microsoft 365 user accounts. Here is a list of all the associated programs with your Microsoft account.
Here is your, you know, it is going to be a long list of stuff, but you know, you're not reviewing it every day. But you know, here's the, you know, the software installed on all your, you know, your computers. Now, they should be cleaning it up a little bit. You know, they don't need to, they may want to highlight certain things that
they were not aware of that may be installed on there that, you know, they may need to check with you on or, you know, you may want to kind of just look at it and, you know, it may not be done right then and there. Like it may be a list that they sent to you, you review it, they go in and go back and forth a couple times, but it has to be in the plan, you know, and like I said, it does, it's not a daily thing. Maybe they, they do what you just said, put it in AI and tell us, tell them like, which one of these programs,
you know, do I not need?
Justin Shelley (31:33)
One of these things is not like the other. I mean, you made it, you made a really good point. And I was, I mean, you almost took the words out of my mouth because it's not in my notes, but I had the thought, it's like, how do we know, how do we hold our, our people, our team accountable? And that's it right there. They should be coming to us. They should be leading this conversation because if they're not, I would argue there's probably something that they have to hide or that it's just a big blind spot on their part. But if they're not leading the conversation, I mean, that's
a huge red flag. Even if they are, I would suggest you ask hard questions. I would suggest you ask something like, how do you track asset ownership and changes? You know, when, when the device moves from one to another, how do you track that? How do you alert against unauthorized software being installed? You know, do you, do you have a system in place for that? And what does it look like? And how do you monitor it? But when you start having this conversation with the person that you're writing that check to,
at least you can answer, you know, yes, no, instead of "I don't know." Right. That, that I think is kind of the, the main point is the "I don't know" is where the danger really is.
Mario Zaki (32:46)
Yeah, yeah, you can say no, you know, the answer can be no, we do not have, you know, x, you know, download it or whatever. But if the answer is I don't know, then that is going to be a problem because that is more, that is dangerous because then you really have no clue what's going on on there. You know, at least no is a, you know, I've confirmed that the answer to this is no, or I've confirmed the answer to this is yes.
When you don't know, you really don't know, you know, and that can be very dangerous.
Justin Shelley (33:22)
At least knowing, you can put a plan in place. Now I, you know, it doesn't really help if you don't know and then continue to, or I'm sorry, if you know there's a problem and then you choose not to do anything about it. That doesn't help. But at least once you have that problem identified, when you can just say, hey, I don't have inventory at all of my equipment. That's quarter two. That's my plan for quarter two. We're going to knock that one down and we're going to get it figured out and make it never have never be a problem again for us. So.
Mario Zaki (33:33)
Yes.
Yeah.
Justin Shelley (33:51)
That's the, that's the importance of knowing a vulnerability or knowing that, you know, you have a weak spot instead of just, you know, going along happy and dumb and just like, hey, everything's great. My IT guy's got us covered. I'm writing a check. So no problem.
Mario Zaki (34:06)
Yeah. And what we're currently working, like right now we have what's called like an executive summary that we mail out to or email to all our customers every month. Now, we're always changing it and adding stuff, removing stuff, you know, tweaking it. I'm waiting for you, Justin, to kind of design something for me. I know you mentioned that, like, you programmed your own stuff, but you know, that is, that's what your IT
Justin Shelley (34:26)
Okay.
Mm-hmm.
Mario Zaki (34:35)
companies should be doing for yourself, for them, for you. You know, at the very minimum, they should be able to produce it to you when you ask, you know, at the very minimum.
Justin Shelley (34:45)
That's, yeah. Yeah. I, I, I think that's kind of a, you know, we're going to, we're going to move to key takeaways. And that's like, that's kind of it, right? Get a list, figure out what your blind spot is. And let's, let's just shift to that, Mario. I think we've kind of beat this dead horse enough. Let's, let's just boil it down to, you know, one action item that we would give to a CEO that needs to be done by the end of this week. What would you tell them?
Mario Zaki (35:04)
Yeah.
I would have a conversation with your, you know, in-house or your outsourced IT person and say, we need to make sure that we have a vision of, you know, everything that we, you know, that is our, not only physically on our network, but virtually or electronically on our network. Is this something that you have available? If not, how long will it take you to put this together?
Justin Shelley (35:52)
Absolutely. I think you kind of said it. I'm going to restate: have that meeting. If you're not having meetings with your IT provider, in-house, outsourced, whatever, you got to get that process started. And don't wait. Your IT guy probably should be reaching out to you. I'm going to say again, we're busy. This is a busy world that we live in. You know, we've got some automation around this process. We do some manual stuff, but it's tricky getting our paying clients to sit down and talk to us because they're, they got a lot of stuff going on too. So, you know, this, this is what I'm going to put on CEOs: block some time off, reach out, get that meeting scheduled so that you can have this conversation. Let's get this blind spot put behind us. Let's figure out where our stuff lives, what we have and what we need to protect. Step one is knowing what it is. And then we're going to, Mario, we're going to spend the, like, next 10 weeks talking about how to do it. First, we've got to know what it is we're protecting. So get that meeting locked down with whoever it is and just start getting this documented.
Mario Zaki (37:00)
It's for the IT person as well too. It's not just for the business owner. Like I know for us, you know, we want to know what we should be looking out for. Do we, are you using X software? If not, we don't want to have anything to do with it. Let's get it off the network. You know, why, why have something on there that, that's an extra thing that we have to keep an eye on, extra thing that we
Justin Shelley (37:05)
Mm-hmm.
Right. Yep.
Mario Zaki (37:30)
need to know in the back of our head if we see this vulnerability come, you know, public that, hey, you know, we have some people that are using this program, you know, we need to know that it's there and we want to be able to, because as very little as we already are, we still want to try to be able to sleep knowing that we are managing everything that we are aware of.
Justin Shelley (37:55)
Right. Yeah. I mean, you're, you're bringing up something for me. You know, one of the things that has, I've been digging into this through my client base. One of the things I've found that hasn't really been on my radar, it doesn't come up in conversation as one of the risks we need to worry about, but it's just outdated backup software. We're finding some old imaging software that's used to back up data. It's not in use. It's not probably doing any damage. But why leave it there?
You know, it didn't get removed when it was switched to the new product or service, whatever it is now for data backup, the old system stayed there. So we've been cleaning that up, you know, and if nothing else, it frees up resources on the machine, but more importantly, it clears an attack surface that could potentially, you know, introduce some, some security problems. So we do, we want to get everything off of the network that doesn't belong there.
And I'm going to say again, this takes effort. This takes, it takes some energy.
Mario Zaki (38:57)
Yeah, I saw, we went into a prospect and we were doing, they took us on to do the free security network assessment and we hopped on a server and we saw two different types of backup systems on there. And they were both cloud systems, different cloud systems. We also saw two different MSP softwares installed on there. So I asked them, I'm like, I thought you mentioned to me that your existing IT company was, you know, XY, you know, whatever their name was. Who's this other company? They're like, well, that was the company before them that we haven't used them in like eight years. I'm like, I'm like, well, you know, they still have access to the server, right? And like, what, you know, and
Justin Shelley (39:29)
Mm-hmm.
And there's stuff still under.
god.
Mario Zaki (39:56)
They're looking and it was, it wasn't just like, it was live and you can open up tickets and you can, they can remote in. You know, you'll be surprised how many things that IT companies will also miss. Not me or you, I know that, or Brian, you know, even though he's not here to defend himself. You'll be surprised how many people, like, overlook something, you know, like
Justin Shelley (40:15)
Or Brian, even though he ditched us, yeah.
Yeah.
Mario Zaki (40:24)
So sometimes
you may want to be able to look at the list and like, well, why is this company still on here? You know?
Justin Shelley (40:30)
Yeah.
I mean, it is, I don't know. I almost feel like it's a little bit of a shortcut, 'cause I don't trust AI fully, but I will say that this is one of the areas where I can use AI as a tool that catches things that I and my technical staff may likely miss, which is because there's so much software installed on a network. And I've just, I just mentioned one machine, how much was on one machine that we have to look through. If you've got a hundred machines, I mean,
Mario Zaki (40:50)
Yes.
Justin Shelley (40:59)
Holy hell, that's a lot of stuff to dig through. And so I do, when I onboard a client, I take, export all their running applications, services, you know, anything I can pull through automation and I dump it into an AI engine, you know, a secure one, you've got to be careful, that's not going to use that data for training and export and all this. Even though we talked about last year or last week that it can be now used in court, whatever, I digress. But I do have it flag stuff
Mario Zaki (41:14)
Mm.
You
Justin Shelley (41:28)
that I might miss so that I've got a second set of, you know, computer eyes on, on this, because it's just, this is difficult. This is a trick. But don't let that be a reason to not do it, which I think as humans, we kind of do. If it's overwhelming, if it's hard, we're just going to punt that down the line. We're going to do it later. Can't do that.
Mario Zaki (41:48)
Yeah. It's one thing too, I want to add, is that this is not a do it once and forget about it. You know, yes, exactly. Because we've seen people just randomly install something, you know, you know, thinking that, let me just install TeamViewer so I can work from, you know, over the weekend and get this report done. You know, we, we, you know, we obviously have like security things in place that
Justin Shelley (41:55)
No, you have to have a process around this.
Mario Zaki (42:17)
deny these people from installing anything. But what happens if we're not managing it? What happens if it's overlooked? Now you have this software that I guarantee you 100% that person is not uninstalling it on Monday when they come in and they're done doing whatever they need to do. 100% they're not installing.
Justin Shelley (42:23)
Yeah.
I've, one of my automations I'm working on right now. It's not done yet, but I am working on it. That it pulls, looks for any remote access software on installation. It opens a ticket and that ticket can't be closed until it's either secured or removed. And that ticket will just live in the system until it's done. You know, so that's, that's one example of what we can do with, with some of these tools that we have. But you know, you have to build a process around all of this stuff and it's, it's a lot.
Mario Zaki (43:06)
Yeah, we actually, we did it a little differently, you know, and because I'm an asshole, I told my technician, if you see any of these softwares pop up on any computer, have our system automatically uninstall it. Like, we're like, fuck you, we're uninstalling this, you know?
Justin Shelley (43:20)
Just remove it.
Yeah, that's not a terrible idea either. Maybe I'll adopt yours later. I'm gonna go with this for now and we'll see how it works out. I'll report back in. Mario, any other final thoughts? We're gonna go ahead and wrap this up for the week, but let me know if you have any final thoughts on identifying your assets.
Mario Zaki (43:29)
You
No, I think we've pretty much beat it to a pulp.
Justin Shelley (43:51)
We beat this dead horse and drug it through the mud. Anyway, all right. All right, guys, that's it for this week's episode of Unhacked. Next week, once I get done choking and coughing, and I apologize for the little delay because I have to go look. I forgot what next week was. Endpoint security and device hardening. All right. So that's what we're going to talk about next week, which is why this one was so important to go first. We have to know what our endpoints are.
And then next week we're going to come back and talk about what do we do with them and how do we, how do we really lock them down? We've kind of touched on it this week. We're going to give it a deep dive next week. If you want more, go to unhackmybusiness.com and we'll see show notes, recordings of links. You'll see Mario's picture probably on there somewhere. I've got mine hidden and we are, we're working on it. It's almost there. Our self-assessment tool that I really think will be wildly useful.
Because, you know, we talk about this stuff every week, but we've got to take action. And so we're building a tool that will help you do just that. All right. That's it for today's episode, Mario. Go ahead and give us your sign off and we'll wrap up.
Mario Zaki (45:02)
Guys, well, like we mentioned before, our office still stands. Have one of us come in and help you, give you a security assessment in person before, or along with Justin's self-assessment as well. But we're here to help you. We're here to help the business owners sleep better at night knowing that their company will be there.
Justin Shelley (45:27)
Yeah, absolutely. I'll echo that. Bring in some additional forces. I don't care if you think you've got a handle or not, just get another set of eyes on it. And that's what we're here to do. We're to help you do that yourself. And then you can always call us in regardless. You know, we do work by territory, but we can also do a lot of this stuff remote. So wherever you are, give us a holler and we'll help you out. All right, guys, I am Justin. Remember, listen in, take action and keep your businesses Unhacked. We will see you next week. Take care, guys.
Mario Zaki (45:56)
on that.
Bye, guys.
Creators and Guests