8. MGM CyberNightmare
Welcome, everybody, to another episode of unhacked. It's been a few minutes since we recorded our last session. And this week and moving forward, I've got a couple new cohosts. We've got Mario and Brian. Before we dig in too much, I'm gonna give both of you guys just a quick second to introduce yourself.
Speaker 1:Mario, you wanna take it first?
Speaker 2:Sure. My name is Mario Oczecchi, CEO of Mastech. We are a managed service provider in New Jersey, servicing the New Jersey, New York area.
Speaker 1:Alright. Brian, what do you got?
Speaker 3:Yep. Brian Lachepelle from B4 Networks, president and founder. I represent a, B4 Networks out in Ontario, Canada.
Speaker 1:Alright. You guys both, you do dabble a little bit with cybersecurity, I guess?
Speaker 2:Yeah. Just a little bit.
Speaker 1:I would tell you quickly. I love to tell this story because I got into IT, computer repair, back in 1997. I was still kind of a kid back then. I'm dating myself. Never in my life did I imagine that I would be fighting cybercrime rings in Russia.
Speaker 1:That's not why I got in the business, but here we are. You guys have anything similar to that? Did you did you go into law enforcement and think, hey. Someday, I hope to be fighting crime?
Speaker 2:No. I my my kids to this day, they they'll watch stuff on YouTube and about hackers and stuff like that. They're like, daddy, you actually fight these hackers every day? That's so cool. I'm like, yep.
Speaker 2:That's me.
Speaker 1:It's cool. It makes it so I can't sleep at night. It's great.
Speaker 3:Yeah. I remember watching Hackers when I was, really young thinking, well, that looks really cool, all the things that they're doing. You know? I'm gonna I am gonna I'm I'm gonna fight those guys one day. It's not the same at all.
Speaker 1:No. No. It's not. I was gonna try it. Was it WarGames?
Speaker 1:The first movie I ever saw about hacking way back when. Do you guys remember that one? Yeah. Like launching missiles? Okay.
Speaker 1:Back on track. So today, we're gonna break down the MGM breach that happened in Las Vegas. Now, I think you guys were heading down there at the same time I was. Right? Did both of you guys go to Vegas right after that breach happened?
Speaker 1:Brian, were you there?
Speaker 3:I was not there, but, somebody I know very closely was was on their way down there during that time.
Speaker 2:K. I was supposed to be going the following week, so I didn't go when you went, but we ended up canceling the trip. You know, we heard it was a disaster down there.
Speaker 1:Yeah. I I went down. They pretty much recovered. I didn't really even see any, lingering issues. I know behind the scenes, they were probably punty, but they'd done a pretty good job of getting back to business by the time I got there.
Speaker 1:But, man, if that trip had been just a few weeks earlier, I don't know. I'm guessing we would have had to cancel it. So, let's let's get into it. Let's talk about what happened. And I think on our agenda, we actually have the damage done second and then how it happened first.
Speaker 1:But let me switch that up. I'm a throw a curveball out there. Let's talk about what, from a from a user's perspective, a guest, or even an employee of MGM, what, what was the the damage? The, you know, what what kind of a hit did they take? Brian, you wanna you wanna start there?
Speaker 3:Yeah. I mean, from the get go, the the the first signs of activity, for, customers seem to be in, like, slot machines not working, ATMs not working, or or dispensing cash. So just some some symptoms like that.
Speaker 1:For small things. Right? You're going to Vegas. Yeah. Slot machine missing.
Speaker 1:That's not a big deal.
Speaker 3:Right. And then even all the way up to, you know, things like digital key cards not opening their hotel room doors. Like, could you imagine not being able to open your door to your own room and, that's happening across the whole whole hotel or the multiple hotels they had?
Speaker 1:Yeah. I mean, I like, seriously, as a guest, I you know, it's it's I don't wanna say fun, but it's interesting to break these down as a, you know, an outsider, a a armchair quarterback, or whatever you wanna call it. Right? But but to put yourself in the position of a guest going to Vegas, like, you've you've planned for this trip. You've made, you know, paid a fair amount of money, taking time off.
Speaker 1:Maybe maybe it's a family trip. Maybe it's with your friends. I don't know. But it's usually a big deal. Right?
Speaker 1:This isn't somewhere you go because you're just, hey. What if we would do this weekend? People go to Vegas because this is a big deal. When they get there, they can't get in the room. Slot machines are down.
Speaker 1:I mean, what else was broken?
Speaker 2:Well, from from what I saw, like, on videos and on the news, it just check-in was taking hours.
Speaker 1:Yeah.
Speaker 2:You know? Because the the the front, desk machines or computers, they couldn't check people in. So they were waiting online for hours.
Speaker 1:Right. Cash payments in some cases, they're doing transactions on paper. I mean, it was a mess. Yeah. Go.
Speaker 1:You accept big vacation. Yeah.
Speaker 3:Couldn't accept credit card. You know, you go there and who brings cash with them anymore. Right? So
Speaker 1:And ATMs are down. You know? Like, we're not talking about a small inconvenience here. This is a major thing for a lot of people. What else do we did we miss anything?
Speaker 3:Oh, tons. Yeah. I mean, they couldn't watch TV in their rooms. So when they were in their rooms, the phone lines were down. You know, the the sports booking pages weren't working. They couldn't take bets.
Speaker 3:So it was just there's so much more.
Speaker 1:Yeah. And that's from a guest perspective. Now let's flip it a little bit. Let's imagine that you're the IT consultant or an internal IT guy when this is going on. Are any of us smiling?
Speaker 3:No. I'm just, like, calling it quits and running home. No kidding.
Speaker 1:I mean, almost. Right? Like, I'm that might be one to throw in the towel on. I don't know.
Speaker 3:Yeah.
Speaker 1:I cannot imagine being, the the director, the the CIO, or, you know, anybody of significance when this was going on. Holy hell. Like, put yourself in their shoes just for a minute.
Speaker 2:Talking about losing sleep.
Speaker 1:Oh my god. Yeah.
Speaker 3:The reality is, I mean, this could happen to literally any of us. It doesn't matter how many bars you put on the windows and, you know, locks you put on the doors. You know, if somebody kicks open the back door and, and holds it open, you know, there's there's not a whole lot anybody can do. So, you know, awareness is so important.
Speaker 2:And, you know, the the thing is too, like, this happened at a very high level, you know, a multi-trillion-dollar company. But just like how ransomware first started, it started at a big level, and then these little guys started learning from it and and kind of doing it, themselves. So, eventually, it's gonna start trickling down to the smaller companies, and the hackers are not as, you know, part of the the same organization. So they're gonna start trying to focus on, like, the low hanging fruit, and they're gonna start trying to focus on the smaller guys because, you know, there's a blueprint now of how how something like this can be done.
Speaker 1:Yeah. I mean, maybe we should transition into how this was done. And but to play off what you're saying, Mario, you know, when when I'm out talking to clients or prospects about security, sometimes I get pushed back, in one of 2 mindsets. And one is, we're too small. We're not a target.
Speaker 1:They're not gonna come after us. Right? That's one
Speaker 3:We get that one all the time.
Speaker 1:Yeah. Then the other one is, it's almost desperation or or despair. Right? Like, if if the MGM Grand with all their money, all their resources can't avoid a hack like, what what chance do we have? So why try?
Speaker 1:Right? So you've got you've got those 2 mindsets that that keep people out of it. And and, really, my point with this whole podcast is, most breaches are preventable. And if we're doing basic things, it's not like we have to throw a lot of money at it. And we're gonna get into details of MGM.
Speaker 1:But in most cases, you can go back and look at how somebody was breached, and small things, inexpensive things would have prevented that from happening. So in this case, it's kind of a yes and no to that. Right? We've we've got because this is such a high profile, super targeted attack, they did do, you know, if you're a big enough company, a big enough target, and somebody wants in bad enough, they will get in. 97%.
Speaker 1:That's my number. That's that's the number of things that we can protect. These guys were probably gonna go down one way or another. Right? I I'm not gonna sit here and say that MGM screwed up.
Speaker 1:I'm not. But we are gonna look at what could they have done maybe, you know, looking back on it, what can we learn from it, stuff like that. So, Mario, as we are getting ready for this, you had some interesting information about, some of the the legwork that the hackers did to get in. Do you wanna talk about that for a second?
Speaker 2:Yeah. So, I mean, this was social engineering. So, you know, a hacker or the team, they pretty much went online and public information. They went on LinkedIn. They found an employee that works there that realized, you know, he has his title there.
Speaker 2:So this guy should definitely have, some sort of, you know, higher level permissions. So they they targeted. They they contacted the MGM help desk, and they said that, they are so and so. I I don't I don't know if they ever released the person's name, and that he needs his password reset. So they contact you know, when he contact the the help desk, the guy that took the call, you know, wanted to cooperate because he knew that this was probably like a c level executive.
Speaker 2:So he reset the password, and the hacker was able to gain access to the network.
Speaker 1:Yeah. You you threw a term out there, and I always like to define these because our our audience doesn't always know terms, definitions, acronyms, and all that. Social engineering and, Brian, I'm gonna punt this one over to you. Do you wanna tell our listeners what social engineering means? Yeah.
Speaker 1:Sure. So give you a time.
Speaker 3:Yeah. Absolutely. So social engineering is when you use just, nontechnical means to get information and access. So, I once watched a video of someone trying to gain access to somebody else's telephone, account with their their telephone provider. And so, what they did is they put on a recording of a baby crying in the background, and, they sounded really desperate, like, you know, very confused.
Speaker 3:Like, you know, my husband asked me to call you. You know, he need he needed access to their end. Just a moment just a minute. Quiet down. Quiet down.
Speaker 3:Right? And, you know, the person at the other end of the phone is very sympathetic and trying to help, and so obviously didn't follow process, didn't follow procedure. And because this person on the phone is very convincing, gave them access to some complete stranger's phone account cell phone account. Right? So social engineering is where, you know, you're basically using human tools like our own voices, our own our own, you know, call calling in, showing up at the door, and and tricking people into providing you access that you ought not have.
Speaker 1:Yeah. There's really 2 components to cybersecurity. And most of the time when we say, hey. Let's talk about it, we're just talking about technology. And and the human element is really what gets left out of most conversations of most cybersecurity plans.
Speaker 1:You know, I don't know if you guys wanna publicly admit this or not, but if you took a poll of all of your clients, all of the end users that you support, how many of them as a percentage would you guess is actually going through the provided training on cybersecurity? Because I'll tell you, it's not it's not impressive. Right? We can probably agree on that. Executives, you know, when we're telling them, you've gotta train your people, even if they agree with you, getting the follow through is damn near impossible.
Speaker 1:Like, that's a tough one. Yeah. Right? So, do you guys agree with that? Absolutely.
Speaker 3:Yeah. I do. One of the ways that we've seen a lot more, uptake on on cybersecurity awareness training is gamifying it and Yeah. Letting them know that, hey. We're gonna be trying actively to trick you on an ongoing basis.
Speaker 3:And if you find our, you know, attempts when you when you when you find 1, and you report it, we'll enter your name into a draw or, you know, gamify in some way to reward them and say, like, hey. You know, you found it. And that seems to work really well because now people are actively engaged in trying to, you know, find these things. And if they're looking for mine, guess who else's they're looking for. Right?
Speaker 3:They're looking for other people's attempts.
Speaker 1:So I think you used social engineering to get people to learn about social engineering.
Speaker 3:I did. Absolutely.
Speaker 1:That's what I heard. Listen. I mean, you're you're making the point, though. Right? It works.
Speaker 3:It works.
Speaker 1:So here's the fun fact about us humans. We're stupid. We think that we operate on intelligence, but we don't. We operate on emotions. And 100% of what we do is emotional based.
Speaker 1:We form an emotional opinion or belief system, and then our brains are wired to go out and find evidence to back up what we already believe. We generally don't go out and look for evidence to counter our beliefs. Right? So 2 of the problems with human wiring are, and I talk about this a fair amount, one is we're we're wired to avoid conflict, and 2 is we are wired to help people. Right.
Speaker 1:So we're we're talking about this MGM thing, and, you know, they could look him up on LinkedIn and whatever, and they they find this poor unsuspecting person that they're gonna impersonate. But really what they're doing, they're going into a help desk, and they're impersonating a higher up or whatever. Right? And and they're like, I'm your boss, and I need my password changed. And you know what?
Speaker 1:Fine. Don't don't change it, and and you're gonna be fired. You may be looking for a job tomorrow. Is that what you want? Now get my damn password changed.
Speaker 1:Right? So this we're we're employing not only maybe they start nice and say, hey, man. I need your help. I really need your help. I'm in the I'm in the crunch.
Speaker 1:I've got whatever going on, like that video you're talking about, Brent, where she's got a screaming baby. Right? And and I just I just need you can you help me out for a wire to say, yes. Of course, I'll help you out. But if you can train that out of people, then we go into this conflict that we're, like, just inherently, we don't wanna do it.
Speaker 1:So, like, I'm gonna I'm coming at you. You better help me. I'm coming at you. Like, okay. Okay.
Speaker 1:I got it. You know? Like, so this is this is human, social engineering. As we play on these emotions, we play on the way the human brain is wired, and we manipulate it and control it. It's kinda scary, actually.
Speaker 1:It there's a lot of psychology that goes into this. So this is kind of the the main message that I think is most important to get across to people is we've got technology, and we have to secure that. But no matter how well we do that, if we don't get control of the human side of it, we're kinda screwed. And that's that's what happened at MGM. Right?
Speaker 1:Yep. Absolutely. So so there was some technology stuff too. But, really, the the biggest thing was, at least where it started, was the social engineering part of it, the the human element part. So, what did we miss as far as technology?
Speaker 1:We we talked about, you know, they found them on LinkedIn. They impersonated. Brian, before you were talking about RMMs, and probably we better talk about what an RMM is first. And then can you talk a little bit about what they did?
Speaker 3:Absolutely. So, in in the any IT world, we need ways to access our clients' computer systems. And so we install remote monitoring and management systems to be able to access, our clients' computers from from pretty much anywhere. And internal IT departments do similar things. They'll install install piece of software that allow their administrators to come in remotely and and help out.
Speaker 3:And what happened in this particular case is once the criminals and the and the hackers got in, they installed multiple versions of their own kind of remote monitoring and management system all over the place in as many places as they could. And so if they one was found, they had backup. So, you know, they're actually following our rules, which is always have a backup. Right? Always make sure you have a backup.
Speaker 3:They they installed backup ways to get back into the network should the IT administrators of MGM discover what they were doing, it was very difficult to get them out because they would stop 1. They would plug that hole. They'd come in from another way. They'd reopen it back up, and it was like a cat and mouse game.
Speaker 1:It reminds me of the one and only, knock on wood or whatever, time that one of my clients was breached. That's really where I pivoted. I talk about I got into this world wanting to fix computers. That's that was my love, and now I'm fighting crime. But this was that pivotal moment where a client got hit with a ransomware attack, encrypted all our files.
Speaker 1:I wasn't even worried. Like, it doesn't matter. We've got a good backup in place. I went in. We wiped the server.
Speaker 1:We restored from backup. Before I even got before I could even make the drive from their office back to mine, they they were on the phone and say, hey. We're encrypted again. And and long story short, what I was doing is restoring their access. They had made multiple administrative password or accounts on the server, and they had multiple ways in.
Speaker 1:And every time I would restore, I was just restoring their access back to the server. That was a huge wake up call for me.
Speaker 2:And, yeah, and they know that. They know if you try to, you know, try to restore that they'll be able to go back in. And and usually, a lot of times when that happens, when they when you restore because you think you're gonna be able to get them out, that's when the ransomware doubles. You know, they're asking for 50,000. Now they're asking for 100,000.
Speaker 1:Yeah. Yeah.
Speaker 3:These guys are clever too. Right? We we we think that these are people in hoodies in a basement somewhere, but these are are very sophisticated organizations like like your company, my company, and their job and their like, they sit around in a room talking to each other, like, how could we improve our business? Right? How could we how could we get better at our craft?
Speaker 3:How can we improve? And and they do that. They they iterate. They and they get better and better and better at being a criminal. And just like you get better yeah.
Speaker 3:And they consolidate. And and, I mean, they even rent software from other providers as a service. Right? Like
Speaker 1:Yeah.
Speaker 3:So they don't know how to do it. They they they con confer with other people who do and and rent their their version of software, and they've got help desk support.
Speaker 2:Yep. Yeah.
Speaker 1:You can call in and say, hey. I bought your software, and I can't, for the life of me, hack my school and change my grades. Help me out. Right? Yeah. Yeah.
Speaker 3:And they've even got to the point now where they have a code of ethics. Like, you you won't settle for more than, like, 30% of the original ask, or you have to ask for at least a million or, like, oh, it's just crazy where they're going. Yeah.
Speaker 2:Well, the the the the guys automatically programming the the software that they're selling, it automatically is programmed to give them a cut of the money that, that is brought in. So it's it's built in.
Speaker 1:Know that. Doesn't surprise me
Speaker 3:know that either, but yeah.
Speaker 1:It's it's brilliant. It's terrifying. You know, it it's all of those things. So, on on MGM's, on on this particular case, and I don't think we've talked about it yet, and forgive me if we have because we talked for a while before we started recording. But the the financial loss as far as we know, or as far as publicly reported to MGM is what?
Speaker 2:I believe it's somewhere between $100 million and and half a billion.
Speaker 3:Yeah. Yeah. That may be hard cost and soft cost all built in. Right? Because there's so much involved. There's the immediate repair there. Did they pay the ransom?
Speaker 3:You know, then there's the after effects that, you know, the information get get breached, like lost, and and now they have to pay for a bunch of people to, have identity protection on their on their, you know, credit files, things like that. And the loss of sales and revenue.
Speaker 1:Right. Right. Now Consultation. Did they ever pay at the ransom? I don't I don't know.
Speaker 1:I don't have that information. I haven't even done that. I know initially they refused, but I can't remember now or I I couldn't find whether they actually paid any of the I
Speaker 2:don't think it was ever released.
Speaker 1:Yeah. So, Caesars, they
Speaker 2:did. It was released.
Speaker 1:Caesars did. And they they negotiated for, like, 50% of the ask. Right? And I think that was about 15,000,000. And and this is all in perspective.
Speaker 1:And this is where we can kind of lose our client base by talking about these huge numbers. Because, you know, I can look at my clients and say, hey, you could get hit for $500,000,000 and they'll just laugh. Like, I don't have you know? But the whatever. But but the it it's a percentage.
Speaker 1:And when they go after you, especially in a targeted attack, they know what you can afford before they ask it most of the time.
Speaker 3:Right. They've done their research, and, I think Mario mentioned it. You know, we're listen. The federal government can't protect their systems, and they got unlimited amounts of your tax dollars to do so. Right?
Speaker 3:So, you know, a lot of our our prospects are like, well, you know, we can't afford this. But the reality is is you don't have to do what they're doing. You just have to be, good enough that you're not the low hanging fruit. Put in place all the security protections that are basic and and and, you know, obvious. And but if they really, really wanna come after you, if they're targeting you specifically, they'll always find a way.
Speaker 1:Well and here's another thing that I'll I'll tell clients who are like, you know, the big guys are gonna get hit. I've got no chance. The problem with these bigger organizations is not only do they have more resources, but they have a lot more red tape and politics. So I, as a lowly IT guy at a big company can go in and say, hey, boss, we're gonna get hacked. And here's how it's gonna happen.
Speaker 1:And the boss can say, hey, sit down and shut up. That's not your job. Right? Or the boss then could go to his boss and say, hey, we need x number of dollars because we might get hacked this way. And the boss is like, well, that's not in the budget.
Speaker 1:Plan for it next year. Right? So this is a bigger problem than us little guys realize in these bigger organizations. So So we look at them and like they're unlimited. No, they're not.
Speaker 1:They actually have more limits than we do in a lot of ways. So there was an example that I talk about a lot on my webinars. The city of Fort Worth got hit, they lost about $500,000, half a million. And excuse me, bad timing for a scratch in my throat. The IT guy who brought that to the attention of his higher ups was told exactly that, sit down and shut up.
Speaker 1:Let me turn around and make a lawsuit. The guy got fired. He countered, like, tried to sue him or whatever. But, but that IT guy, his assessment of it was that the city was 90% out of compliance with best practices. Again, we're not talking about high level stuff.
Speaker 1:We're talking about best practices, just the basic recommendations. 90% out of compliance, a government institution with so called unlimited resources. Right? So it's not as hopeless as we think when we look at these headlines, when we really look at what's going on behind the scenes. It's actually not that hard to fight this stuff.
Speaker 1:Right? I mean, it's not easy, but it's not that hard.
Speaker 3:It's not hopeless.
Speaker 1:Yeah. Yeah. Yeah.
Speaker 2:I remember, and I think it's probably maybe a year, about a year now, but there was a water treatment plant down in, Florida that got compromised. And then when they investigated, they found out that the, I there was a TeamViewer was installed on all the computers, and it wasn't properly, configured that you actually have to log in and and do it like you would with, like, other remote management systems. But TeamViewer were just set up on all the computers. All you needed was the ID and the small little password that's the the default. And there were the hackers were able to get into it, and they caught them right before they started, messing with the the treatment of the water, which would have then turned into being poisonous.
Speaker 2:So it's something simple just like not having TeamViewer on the computers.
Speaker 1:Well, so to clarify, TeamViewer is remote access software. It's remote control. And it usually broadcasts. That's how you can get, you know, into it from a remote site. So they have scanners.
Speaker 1:The hackers have scanners that can go out and just find any computer with an active TeamViewer listening port. Right? So, yeah, that's that's a huge no no, which kind of plays into shadow IT, right, where we should be looking at, and we're gonna get into lessons learned here, I guess. You know, we can we can run scans on the software that exists for our clients, and we can pick up on stuff like that. And that's that's something that we should always be doing is looking for this rogue software or this shadow IT as it's called, looking for remote access stuff, looking for open ports, looking for, you know, anything that the hackers are looking for.
Speaker 1:If we're also looking for it, a lot of times we can find it and close it before they get to it. So
Speaker 3:For for clarity, shadow IT is where your own employees are installing software. They they don't have authorization to install, to make their lives easier. So, you know, hey. I want this file synchronization tool, so I'm just gonna download my own and install it and and pay for it. And, that would be considered Shadow IT.
Speaker 1:Possibly because they went to their boss and said, hey. I need this for my job, and they said no. Right? Like, alright. Then I'll pay for it myself.
Speaker 1:You know, they think it's a money issue. It's not always a money issue. It's a security issue.
Speaker 2:Well, the problem is with t like, a program like TeamViewer, it's free. You know, like, they have paid versions, but they have also the free ones. So, like, you'll see people like, oh, let me I wanna I wanna go home early today. So I'll finish from from home, and I'll just install this so I could log in and finish the work. So they'll install something and, you know, they'll nobody will ever uninstall it when they're done.
Speaker 2:That's the problem.
Speaker 1:File share programs, like, you know, it used to be Dropbox was a primary one. A lot of people still use that, which kind of surprises me. You know, now it's OneDrive or, you know, whatever. But the easier we make it for us to access files, the easier we make it for bad guys to access files. So super important to keep a handle on where our data lives, how it's being protected, and how we would restore from it.
Speaker 1:Right? That's that's part of any good backup plan. So, okay, let let's formally transition now to lessons learned. You know, and we are intentionally all over the place because we're we're looking at the MGM, but in general, we're just looking at security and and what lessons we can learn. So, Brian, I'll have you go first.
Speaker 1:And then, Mario, if you would just kind of, in your mind, what have you personally looked at? What have you learned? What have you done differently, since evaluating MGM's situation?
Speaker 3:Yeah. So, specifically, when, with this particular situation, we, we sat down with our our team and just talked about some of the areas that, what can we do differently to make sure that we don't fall for the same for the same type of traps. And so we usually have a very select few amount of our clients, approvers. So we have a list of approvers that are clients that are authorized to, make certain changes. And if somebody's calling in for a password reset or anything like that, in most cases, because we don't necessarily trust, sending a text message or anything like that to confirm who they are because text messages could be intercepted.
Speaker 3:In most cases, we'll just call because we're we we deal with some clients that are a little on the smaller side. We just call the primary contact or secondary contact, and we can recognize their voice, and we know who they are at their primary office. And we'll ask them to confirm, if we can, reset that person's password, and, or, in some cases, we can email, the person, manager or the approver to get that authentication from a second person, like a different person than the person who's requesting the, the password, to be reset. So that's just like some of the things that we've done, and and there's some more. Not all of them will I get into because I don't want somebody to utilize those to, you know, social engineering us, if you know exactly how we do it. So
Speaker 1:Alright. Mario?
Speaker 2:So we we put a couple, things in place, and, one of them is, if somebody calls in that we're not familiar with, that we don't know he's not a person that we call you know, that calls in every day, like the owner or something. We'll have them say, okay. You know, to confirm your identity, we're just gonna hang up.
Speaker 2:We're gonna call your main office and reach you on your extension. If you know, just go ahead and pick up, and then we can resume with the password reset. We also, during onboarding of new clients, we'll ask the owner or the office manager to provide us a list of their of the employees, their email addresses, and their cell phone. We will send them, like, a unique, text message, and have them confirm the text message that we got. Now these things are not all 100% proof, but we've tried narrowing it down.
Speaker 2:You know, we're trying to get to that 97% that you mentioned, before. And then, you know, another thing is that we'll just you know, if we'll have them reach out to the office manager and say, hey, Have the office manager reach out to us and and call us, you know, and give us authorization to do this. You know?
Speaker 1:Let me maybe put you on the spot a little bit, Mario. You said that you have, and I think you said it's an onboarding process, where you bring on a new client, then you get a list of all employees, cell phones, and whatever else. Do you have a process in place to keep that up to date? And I will just tell on myself, that's something I struggle with, because, for example, I've got a client that onboards and offboards probably a dozen employees a week. I mean, it's just insane to keep up with that.
Speaker 1:So talk to me a little bit about how you handle that.
Speaker 2:Yeah. So, again, it's very hard to kind of force people to do this, but we created an offboarding form. And the onboarding form, they go on our website and fill it out. But more importantly is the offboarding. So, part of the social engineering: if a manager or somebody that we're already familiar with calls in, and they speak to somebody who may not have been the person to disable the account, and they say, hey,
Speaker 2:for some reason my account is disabled, can you go ahead and re-enable it for me? And if the person knows who it is, because he was an employee that we never got offboarding information for, and he calls in and we reset it, then they're back in. So we're usually talking to the managers or the owners on a regular basis, like, hey, if there's any offboarding, please let us know.
Speaker 2:And a lot of times, too, during an onboarding process, we'll ask them, like, hey, is this replacing an existing person? Oh, yeah, it's replacing John Doe that left last week. Oh, well, we didn't get an offboarding for John Doe. Here's the link.
Speaker 2:Please fill out all the information. And especially with licenses, like 365 licenses, we want to disable one, enable another one. So, for the people listening, one thing that you can definitely make sure of right now with your existing IT is, if there's somebody who is no longer with you, make sure that you tell your IT guys, like, hey, this guy's gone. Disable everything.
Speaker 1:Right. Brian, did you have something to add to that?
Speaker 3:Yeah. One of the ways that we've found that's very successful in keeping an up-to-date list of who works at all of our customers: I would say a large majority of our clients are using Office 365. And so we're using a synchronization between their Office 365 and our systems to keep an up-to-date list of active users from their systems. And every time we onboard a user, we do the same. We ask if there's a user this person's replacing, but more importantly, approximately once a month or once a quarter, depending on the client, we will actually go through a list of their user accounts with them and confirm that these are still active and still up to date.
Speaker 3:And anybody who leaves, even if all we need is access to their account, we still disable the account, and that synchronizes back to us to say it's disabled, and then we just provide access to whatever files the new person needs to have access to. We don't give them access to the old account. So that way, they're disabled, disabled. And that's how we keep an active list of people who are currently working at our clients, to make sure that we're always up to date, even if it's the next day.
Speaker 1:Okay. So just kind of listening to you guys talk, and listening to myself, what I'm kind of observing throughout this whole thing is we haven't talked a lot about technology today. No. There was some amount of technology used in this breach, but so much of this comes down to the human weaknesses that we have.
Speaker 1:It comes down to policies and procedures. It's the stuff nobody wants to talk about. This is not fun. It's not sexy. But, I don't know,
Speaker 1:I don't have a percentage. I'm not gonna make one up. But a significant amount of the time, this is the reason people get breached: a flaw in policies and procedures. It's some human weakness. It's something to that effect.
Speaker 1:So if I was gonna have a key takeaway from MGM, it's, number one, we are all vulnerable. Right? But number two, we have to stay on top of not just the technology, because that is key. We've got to stay on top of our human weaknesses, our human behaviors. We have to constantly be training, you know, simulated attacks.
Speaker 1:We've talked a little bit about that. That might have been before we started recording, but, you know, test whoever's doing your security for you. Try to impersonate somebody, or see how good their processes are. And you know what? Honestly, hire somebody to do that for you. Even better.
Speaker 1:Now, I personally, and I think you guys are the same, right? I don't trust myself. I know I have blind spots. I know I have weaknesses.
Speaker 1:This is what I do all day, every day. But I still know that somebody's out there smarter than me, better than me, faster than me, and they're gonna find a way through. And so I have an outside firm that tests my stuff and that audits me and makes sure that I'm doing what I'm supposed to do. And you guys both do the same. Right?
Speaker 1:Yeah. Absolutely.
Speaker 3:Yeah. I was just gonna say the best athletes in the world have coaches that train them and teach them and guide them and point things out, because sometimes you can't notice what you're doing that's wrong, because you're in it and you're internal, and somebody external can see it. And so the best sports people have coaches. Why shouldn't we? Right? And so, like what Justin was saying, I'll have somebody watching my back, because I don't know everything about IT security.
Speaker 3:Anybody who says they do, they're lying and/or incompetent. There's always more to learn or more to know. And so partner with somebody who has that knowledge. And that's what we've done.
Speaker 1:Plus, we get stuck in a rut. We get overwhelmed. Like, there's just no way, even if we think we're brilliant. Right? Mario, what do you... I cut you off there.
Speaker 2:No. I was just saying it's auditing the network. And, by definition, it's a third party for an audit, a third-party company auditing, checking the work. Like, even the IRS, you know, the IRS is the third call. You can't have your accountant, or your network, and call it an audit.
Speaker 2:They're just reviewing their work. Right. So it's always good to have another set of eyes kind of just look in and make sure, because you can be staring at the same thing day in and day out, and it'll never click for you. If another set of eyes looks and says, hey, you noticed that you forgot this section, or this is wrong, or you should be doing this a little differently. But if you're staring at the same thing every day, you're gonna get the same results every day.
Speaker 2:Right.
Speaker 1:Yeah. So that's kind of where I wanna... we'll go ahead and wind this down here. But the takeaway for the listening audience is, I mean, even as an IT expert, you probably don't know what you don't know. But most of the people listening to this are not IT slash cybersecurity experts. They're CEOs or employees of companies where you're wearing 500 hats and you've got a million tasks on your list. It's growing and growing in your email.
Speaker 1:Your inbox is out of control. And good luck fighting cybercrime while you're doing all that. So, no matter how secure you think you are, no matter how comfortable you are, just put a second set of eyes on it. Now here's the big reveal, what everybody's waiting for. Right?
Speaker 1:How much does this cost? Because, and I'll be honest, a true cybersecurity audit that has teeth is expensive. You know, we're talking about thousands of dollars. But today, we're not really talking about a hundred percent. We're saying, hey,
Speaker 1:let's do something. Like, let's get out of that low-hanging-fruit category that I think Mario mentioned. And so all three of us offer... Mario, you called it a mini penetration test. I kinda like that.
Speaker 2:Mini pen test. Yeah.
Speaker 1:Mini pen test. I call it a security assessment, a network evaluation, whatever we wanna call it. And you guys correct me if you have a different process, but what I do is I run a third-party automated assessment. Right? That's the technology side of it.
Speaker 1:And then I have my own internal checklist that I go through, because a technology assessment isn't gonna reveal this. But I will ask key questions, and then I'll fill out a little thing, and it's a nice, pretty report that says, hey, here's where you got a green light, a yellow light, and a red light. And here you go, Mr. Prospect or Client. Take this and do what you will with it. Hire me if you want to.
Speaker 1:If you don't, take it to your IT company. Take it to your internal employees and say, hey, somebody else said this is our weak spot. What should we do about it? Whatever.
Speaker 1:Start the conversation. That's what I'm saying. It's a free assessment. There's no strings attached. Get the dialogue started.
Speaker 1:Brian and Mario, do you guys have anything to add to that?
Speaker 3:You summed it up pretty good.
Speaker 2:So, yeah. Essentially, the mini pen test pretty much acts like a... what would happen if one of your employees clicks on the wrong link and gives a hacker access to your network, what information they can find. So it pretty much simulates that without actually extracting any of your sensitive data.
Speaker 1:Right. Okay. So, to schedule one of these, if you are lucky enough to live in one of the areas that we support: I'm in Texas and Nevada. Brian, you wanna tell again where you're located?
Speaker 3:Yep. Niagara Region, Ontario, Canada.
Speaker 1:Mario, you're, northeast, I believe.
Speaker 2:Yeah. Northeast. We're in New Jersey, North Jersey, and we're servicing the North Jersey and New York City area, and all the boroughs in that area as well.
Speaker 1:And honestly, guys, if you're outside of our areas, we have a lot of connections, and we can probably hook you up with something very similar. So reach out. You can get our contact information on unhacked.live. That's the website for the podcast. And then quickly, Brian and Mario, if you guys wanna give your own personal websites as well, or your business websites, you can.
Speaker 3:Sure. Yeah. Mine is b4networks.ca.
Speaker 3:And if you go there, it's the letter B, the number 4, networks with an S, dot CA. There's a request for our assessment right on the main page.
Speaker 1:K. Mario?
Speaker 2:And our website is mastec.com. That's mazteck.com. And right there, you can schedule an appointment with us.
Speaker 1:Right. And then mastercomputing.com. And, again, jump on those and schedule. You know, we usually start with, like, a 10-minute call and a verbal assessment, and we move into more of a deep dive from there. But again, no strings attached.
Speaker 1:Just get a second set of eyes on this, and you're gonna come away with some sort of a road map of what your next steps should be. So, guys, thank you again for being here. We're gonna go ahead and wrap up. Any final thoughts, Brian?
Speaker 3:I don't. No. Thank you very much, Justin, for having me on the podcast today.
Speaker 1:Alright. Mario, any final thoughts?
Speaker 2:Just the same here. I had a lot of fun, and I'm looking forward to doing this next week.
Speaker 1:Alright. We'll see you guys next week. Take care.