85. They're Already Inside: How Hackers Live in Your Business Undetected for Months
Justin Shelley (00:10)
Welcome everybody to episode 85 of Unhacked. Guys, pop quiz. Did you notice the screw up in our new intro? It was pointed out to me by my editor and life partner and whatever, Ms. Leanna Liu. Apparently I spelled sentence wrong, so I'm just ratting on myself and I got to go rebuild that stupid thing. Anyways, here we are, next installment of Unhacked.
Bryan Lachapelle (00:19)
No, doesn't.
Mario Zaki (00:30)
you
Justin Shelley (00:37)
We're here to help business owners protect their organizations from game ending cyber attacks. And, like, this thing isn't going away. It's getting worse every day. I just want to go crawl in a hole with my clients and just say, it. But we can't do that. So we're going to break it down, and we're going to show you guys how to keep your businesses safe, even though the world's just getting scarier and scarier. I am Justin Shelley, CEO of Phoenix IT Advisors. And here at Phoenix IT, we help businesses use technology to make more money, streamline operations, build that bank account, and then protect it from the Russian hackers, the government fines and penalties, and them greedy attorneys who come and try to suck up everything that's left if you should get breached. We want to prevent all of that. That's who I am. Bryan, thank you for joining us and tell everybody who you are, what you do, and who you do it for.
Bryan Lachapelle (01:26)
Excellent. Yeah, my name is Bryan Lachapelle with B4 Netflix. I'm based out of beautiful Niagara, Ontario, and we support both Niagara and Barrie. We help business owners remove the headaches and frustrations that come with dealing with technology.
Justin Shelley (01:39)
All right, Mario, it's your turn, you're up.
Mario Zaki (01:42)
Yeah, Mario Zaki, CEO of Mastek IT, located in North Jersey. We work with small to medium sized businesses, giving them peace of mind knowing that they're protected and that their businesses will be there the next morning.
Justin Shelley (01:58)
What we all hope for. Guys, I'm going to set the stage and we're going to do this a little bit different today. All right. So raise your hand if you have kids. We all got kids, right? Okay. We want to keep our kids safe. Just picture this. You'll wake up one morning. It's early and you come out of your bedroom. You're going to get your coffee or whatever. And you see the ladder to your attic is dropped down. You're like,
Bryan Lachapelle (01:59)
Hehehehehe
Mario Zaki (02:10)
Yeah, yeah, yeah.
Justin Shelley (02:27)
Hmm, my life partner slash significant other slash whatever, maybe they came home early. They worked nights. Maybe they came home early and they dropped that ladder, but that's weird behavior. So you climb up this ladder and you see some crazy ass dude up there in your attic and you say something and they reach behind their back, like they're pulling out a gun. This is a true story. I've changed some of the details to protect the guilty and the innocent.
This was actually, this happened to a mother and she ran back down the ladder. She threw the thing back up and held it there while she screamed at her daughter to get out of the house. And then they both made an exit, called the cops. The cops had to come and drag this dude out of their attic because he wouldn't leave. Have you ever heard stories like this? This is true, by the way, I'm not making this up. You could Google it. This happened.
Bryan Lachapelle (03:10)
Yikes.
That's terrifying.
Justin Shelley (03:26)
And if you look at it, this actually happens enough that there's a term for it, but of course I'm live, so I'm going to forget what that term is. Frogging or something stupid like that. I don't know. Well, squatting is when you break into a home that's unoccupied and take up residence. This is people who break into a home that is currently occupied and take up residence.
Mario Zaki (03:38)
squatting.
Bryan Lachapelle (03:39)
How were they in there?
Mario Zaki (03:46)
Mm.
Justin Shelley (03:53)
Now, in this case, it didn't say how long that guy had been up in the attic. There's another case where a guy was, I think up in the attic again, he was somewhere and they were able to determine that this dude was sneaking down into their 14 year old daughter's home, or her bedroom, every night. There's another case where a guy broke into the crawl space of somebody's house. He had a living room set up and a bed. He had furniture. He had a TV. He had a PlayStation. He had phone chargers. He tapped into their electricity. This dude was legit living there in style. Found him.
Mario Zaki (04:29)
I actually had something similar. I owned a property, a three-family property, not too far from my house. I owned it for, I think it was like 12 years, but I didn't live there. It was just a rental property. And I went to go do an inspection, because a new tenant was coming in, and somebody, you know, one of the other tenants in there was trying to, like, mess with me and tells the inspector, he's like, did he tell you he's got a homeless person living in the basement? I'm like, I'm like, what the hell are you talking about? I don't have anybody living in the basement. So the inspector and I went downstairs, we looked around, and all of a sudden we found a homeless person that's been living there for, I don't know, like a couple months. And we had to call the cops. The cops came and arrested him. I mean, the guy, no, no, he was, he was, you could
Justin Shelley (05:24)
Now Mario, was he truly homeless? No, because he was
in your home. I mean, he had a home. I'm just saying.
Bryan Lachapelle (05:29)
Yeah.
Mario Zaki (05:29)
Yeah, well, not during that period, but yeah. But, and the thing is, when they asked him, like, how did you get in here? He's like, the lady upstairs, you know, let me in, and, like, she's a friend of mine or whatever. So I'm like, okay, let me go upstairs and ask the tenant, like, did you allow him in there? Now, later I found out if she would have actually said yes, I allowed him to come in,
Bryan Lachapelle (05:30)
You're home.
Justin Shelley (05:33)
God.
Mario Zaki (05:58)
I wouldn't have been able to kick him out because technically she allowed him in there and he's, you know, under her lead and now I would have to actually get him evicted. But the fact that she said no, then he was trespassing and then he was, you know, arrested.
Justin Shelley (06:04)
He's now a guest, yeah.
Yeah. Now, Bryan, I take it then you have not yet found anybody living in your home undetected.
Bryan Lachapelle (06:16)
Yikes. Scary either way.
No, that's never happened.
Justin Shelley (06:26)
Are you gonna go check all the nooks and
crannies and closets when you get home today?
Bryan Lachapelle (06:30)
I mean, maybe, possibly, yes. It would be pretty hard though. I've got security cameras all the way around.
Justin Shelley (06:36)
Aha.
Now you're getting ahead of us. So guys, that's what we're talking about today. The reality of breaches is that it's rare that you catch them when they come breaking down the front door of your business, right? They find a way in generally undetected and they will hang out there for a period of weeks, months, sometimes years. The one breach that happened to a client of mine years and years ago, I talk about this one all the time, went completely undetected.
Bryan Lachapelle (06:39)
Uh-huh.
Mm-hmm.
Justin Shelley (07:05)
I will rat on myself. Now, this was back a long time ago where, you know, our security standards were slightly different back then. But, you know, when we started restoring from backup, what we found is that the malicious software that was allowing them to come in was, as far back as we had backups, they had been there for a long time. And when we would restore, we would actually restore admin credentials that they had created on the server. They'd gone in and made new accounts, given themselves admin, you know, permissions, and with random names, not obvious ones like admin for bad guy, you know, it was like Sam, stuff like that. So what we're talking about today then is detection. We've got logging, monitoring, with the ultimate goal of detecting it when things go sideways.
Bryan Lachapelle (07:36)
Mm-hmm.
Mario Zaki (07:44)
Yeah
Justin Shelley (08:00)
This is, you know, where we are now, the 11th episode of our little mini series of the cybersecurity basics. And I've kind of removed that order, I just make fun of it now. This is definitely not a basic security measure because it's rarely put into place where we have true effective logging, monitoring, and detection. Is that fair to say? Okay.
Bryan Lachapelle (08:25)
is very fair to say a lot
Mario Zaki (08:25)
Fair to say.
Bryan Lachapelle (08:27)
of us MSPs will concentrate a lot of our efforts on protection, prevention, and very little time on detection and logging, right? So yeah, you have to, these days you have to assume that they're already in, and how do you detect them once they're, when they do get in? Because especially with the advent of AI,
Justin Shelley (08:35)
Yes.
which yes, go ahead, no, sorry.
Bryan Lachapelle (08:53)
The attackers have a lot more resources in their belts now than they ever have. And they can try 24 hours a day, seven days a week with automated tools. So.
Mario Zaki (09:05)
Yeah, compared to, like, a lot of the other things that we've talked about, a lot of, like, you can do it yourself. This is one of the ones that are harder to do yourself, because a lot of the companies that do this, this isn't something you can just turn on. You have to use, like, a third party company, and a lot of those companies will require a significant amount of minimal licenses, like,
Bryan Lachapelle (09:23)
Mm-mm.
Mario Zaki (09:32)
you know, 500, a thousand or something like that. They don't want to just say, okay, yeah, you have 13 users. We'll enable it for you for 13 users. Unless you're spending, you know, $50 a user.
Bryan Lachapelle (09:40)
Yeah.
Yeah, the irony is most business owners and folks who are not in the industry will think, well, we'll know if there's an attacker in because they'll hold us ransom or they'll do something to my network. And the reality is, like you said, some of them don't. And you might be wondering, well, what do they do? What's the point of having access to the network? What's the point? Well, there's many points, right? Espionage is one of them, is just learning what you got. Maybe you're a business that has a lot of intellectual property,
Justin Shelley (09:54)
Right.
Bryan Lachapelle (10:12)
but you're also an attack surface for every one of your vendors and every one of your customers. So they might just be in your network to leverage you and your clients and vendors and go after them without you ever realizing you're the one that's the attack vector for them. Yeah, it's crazy.
Justin Shelley (10:26)
Right. Yeah.
Mario Zaki (10:30)
And sometimes
Justin Shelley (10:30)
Here's why.
Mario Zaki (10:31)
they're using your system to attack, like a DDoS attack. They'll gather up thousands of computers across the world. And then all of a sudden, at a certain time, they'll find the target that they're trying to go after. Sometimes it's a paid target. And then they will use all these computers at one time to just take down a network or a website or something like that.
Justin Shelley (10:54)
And sometimes, I set up, okay. So I mentioned the case of the guy who set up camp, you know, in the crawl space and he had tapped into their electricity. You know, that's not a huge expense, but this is a very direct, you know, tie into where they'll come in and they will access your servers, your workstations, and leverage those resources for crypto mining. You know, I've read cases where they would set up web hosting for, you know,
Mario Zaki (11:15)
Mm-hmm.
Justin Shelley (11:22)
horrific things like child pornography or other illegal activity. And now that's on your system. This is scary.
Bryan Lachapelle (11:22)
the Underground.
Mario Zaki (11:28)
Yeah.
Bryan Lachapelle (11:32)
So
yeah, funny story about, I wanna say it's about 10 years ago. We used to have clients that, you know, back in the day where we would just be their IT provider, but it would be like an as needed, ad hoc basis. So we didn't have any cybersecurity or any tools. I think we were just doing backups for this company. Since then we've obviously changed our model and we won't work with anybody who isn't allowing us to protect them. But in this particular case, the client had called us and says, well, you know, all of our files are encrypted. Can you restore from backup? Sure. So we go to the backup and we go to restore, and their files were encrypted and then re-encrypted and then re-encrypted. The attackers had been in there for quite some time. So multiple attackers, and one of them had set up a Bitcoin mining rig operation where they were using the server's extra resources.
Justin Shelley (12:19)
Yeah.
Bryan Lachapelle (12:29)
exactly for that mining Bitcoin 10 years ago. Right. So, yeah, they had set up camp, not with the intention of doing anything. But then somebody else came in, a second attacker, encrypted them and a third attacker came in and encrypted the encrypted. It was just it was a mess. You know, at the end of the day, we couldn't do anything for them because they didn't have any proactive security. And it had been months and months and months that these these attackers were in their system. Well, unbeknownst to anybody else. Right. So. Oops.
Mario Zaki (12:58)
You
Justin Shelley (12:58)
times.
These are fun times.
Bryan Lachapelle (13:00)
Yeah. See
nowadays, that's why we don't allow anybody to be a client of ours unless we're actually taking care of the full stack. Because at the end of the day, we were still blamed even though we had nothing to do with it. We weren't providing cybersecurity services to this company, just backup. We did our job. We backed up. We backed up all the fake crypto files.
Justin Shelley (13:20)
Well, let's, let's talk about some of the problems, the reason, because like I said, this is, if you go out and audit, let's say, or assess 20 companies, how many of them would you say have proper logging, monitoring and detection services in place?
Bryan Lachapelle (13:26)
Yeah.
Mm-hmm.
I think, of the people that we've audited directly, maybe one in the last 10 years.
Justin Shelley (13:50)
Okay. Why?
Why don't we, if this is so important? Like, we're letting people take up camp in our crawl space and our attics and sneak into our kids' bedrooms, in a business sense. Why are we doing that?
Bryan Lachapelle (14:04)
In the case of the people that we've audited over the last 10 years, the majority of them didn't have an IT partner that they were working with, or they were working off the old model, which is call me when you need me. When things break, I'll bring it. I'll let you know when things break and you can come and fix it. Right? Well, if they don't call, the IT provider isn't going in. They're not doing anything proactively. The old model, in our audits, was the cause of it. There was no proactive services. And to be honest, a lot of MSPs still don't have monitoring and detection capabilities. So I would even hazard a guess that today, if we were to audit a client who had an MSP or an IT provider, it likely still isn't being done.
Mario Zaki (14:45)
Now, Bryan and I both said one out of twenty, you know, and I'm pretty sure you're probably gonna give a similar number as well, Justin, but...
Justin Shelley (14:54)
I'm making shit up, Mario. I haven't done this and I haven't read it. I'm just saying in my
Bryan Lachapelle (14:56)
In the fuc-
Justin Shelley (14:58)
experience, I don't see it out there. I don't find it, period.
Mario Zaki (15:01)
Yeah, but
also, and the thing is, a lot of times, out of those 20 people, 20 companies that we are talking with, sitting down with, it's because there were some sort of issues. Like Bryan is saying, they had a one-man shop that they're dealing with or somebody in-house. We already mentioned that if it's in-house, you have a minimum requirement of licenses. Nobody in-house ever gets, you know, signs up with something like this. One-man shop, you know, IT companies, they can't afford it, you know. Larger ones, they may, but you may not be sitting with them if they got their shit together. You know, so the larger MSPs that we're sitting down with, it's because they just don't have their shit together. So that is also a reason why you may not see something like
Justin Shelley (15:54)
I'm going to throw two other reasons out there because you're right. Right. Okay. But let's, number one, let's talk about how the cybersecurity landscape, both the attacks that are coming at us and the method to prevent those attacks, changes all the goddamn time. Right. So if we do everything we're supposed to do, we'll never stop spending money. And then that brings me to the second point. It's expensive when cybersecurity is done right. It is expensive.
Bryan Lachapelle (16:17)
expensive.
Justin Shelley (16:20)
So you've got the constant change, and we as MSPs are constantly having to re-educate our clients, re-quote the services we're already providing them, telling them, hey, I know last year we said this was great, but this year, guess what? It's a different world we're living in and now we've got to add this to it. And people quite frankly get sick of their prices going up. And what's the ROI? At best, zero. And now, I know we did have the one guy that we interviewed and I loved it. He's like, you know, let's take the average cost of a breach.
Mario Zaki (16:40)
Mm-hmm.
Justin Shelley (16:49)
And we'll do the math backwards to find out what you're spending on cybersecurity. And that gives you your ROI. It was great. It's true to an extent.
Day to day, I don't see anything coming back for this. That's problem number, well, one and one B, or one and two, if we want to call it that. The other thing is this is not simple, because it's not like you can just, you know, we've said that this is kind of an outsource thing. I do not have my internal team managing this. I want it outsourced. But here's the problem, because I'm actually evaluating a new vendor for this right now. And I set it up on some sample units, right in the house.
Mario Zaki (17:20)
Same here.
Bryan Lachapelle (17:21)
same.
Justin Shelley (17:30)
And then, and I was going through the training with them. I'm like, okay, so, you know, it's set up. What do I have to do now? And they're like, don't worry. We got it. You don't have to do anything. I'm like, that's not sitting right with me. I don't want that. I want way more, you know, a closer relationship with this. But that's, I think, maybe a good selling point, if you're trying to, like, you don't have to have one more thing on your plate. So maybe that's a good thing, but we've got to have some oversight, and you know, somehow we've got to know that things are working and being picked up and reviewed. But also you've got to have it set up right. If you don't have logging properly configured, then the system that is reviewing those logs isn't going to give you the right information. And if you're not filtering it right, I mean, there's how many, how many log entries come off of a single server in an hour, if you had to guess?
Mario Zaki (18:24)
Hundreds, if not thousands.
Bryan Lachapelle (18:26)
Yeah, if not more.
Justin Shelley (18:26)
Per hour, all day, every single day. And that's one server in one environment. And we've got to do this for servers, ideally for workstations, definitely for firewalls, Microsoft 365. The number of alerts is staggering. Absolutely, yep, absolutely not.
Mario Zaki (18:30)
you
Bryan Lachapelle (18:43)
It's not something you can manually do.
I wanted to add one more thing to what you had said earlier, Justin, and that is, you know, the cost is significantly high, but I think that it's important to point out too, that our industry, and we've said it a couple of times on our podcasts and in different conversations, our industry is not regulated, right? We don't have any rules to follow. There is no governing body. Even the standards we have, there's like five or six different standards, like different organizations that put out standards.
Mario Zaki (18:48)
And not every...
Justin Shelley (18:50)
Okay.
Mm-hmm.
Bryan Lachapelle (19:16)
And sometimes those are conflicting and sometimes those disagree with each other. And the problem with that is, is that I can have all the best tools and my client can have a price and they can be happy until some schmuck in a truck comes in and knocks on my client's door and says, I can do it for 10% of what that guy's doing it for. My. Resolve, we'll do all the same thing they're doing. And, of course, the client not being aware that that's not possible.
Justin Shelley (19:35)
Yeah, same results won't do the same thing.
Mario Zaki (19:35)
Mm-hmm.
Bryan Lachapelle (19:46)
It's just not feasible. There isn't 90% profit margins in our industry. And so they're obviously not doing the same thing. But to the end client, they don't know any better. And so they're stuck going, I can do it for 10%. And I exaggerate when I said 10%. Maybe it's only 70% or 60% of the cost. The point being is that they all of a sudden then switch because it's the cheapest solution. That we see, like, it hasn't happened to us because we have a pretty good, decent relationship with our clients.
Justin Shelley (19:50)
No.
Bryan Lachapelle (20:15)
and we do show them value, but what happens when we're doing audits for other people? They're like, well, I already got all that covered and it's 60% of what our fee is. It's like, well, no, they're not even doing any of these things, right? But they claim they are. And so the client thinks that they're getting, you know, a raw deal because we're trying to charge them more, but you know, it's a different solution entirely. It's like getting a Chevette versus a Ferrari. So.
Mario Zaki (20:36)
You know, the problem is, with this monitoring and detection and stuff like that, it's unlike some of the things that we've talked about, like backups and stuff like that. This one is very hard to test. You have to do something malicious, click on a million links and enter your password into a suspicious website to really test it. Now I'm not suggesting anybody or any of our listeners to actually do that. But it is one of those, like, it is very hard for us to walk in and say, yes, you have this in place or not. It's not something that we can do unless we have administrative privileges, or our clients have administrative privileges and are able to log in and see it. It's not one of those things that we can go in there and say, yes, we see you have a backup device sitting next to your server. It does look like it's working. It does have, they're getting reports. I mean, you can set up this stuff to get reports too, but it's a lot of noise and a lot of people don't want it. So this one is also very, it's like one of those things that you have to know what it is and then you have to ask for it specifically and say, do we have this? Right?
Justin Shelley (21:59)
Yeah. And half the time, honestly, our clients or prospects don't really even know the terminology well enough to know, you know, unless it shows up on an invoice. Well, then all you know is that they're paying for it, you know, and that's if it's coded in a way that you can read the invoice and know what's happening behind the scenes. Cause honestly, most of our invoices don't give out the full recipe. So I mean, this is, this is a tough one, guys. It's the, it's the
Bryan Lachapelle (22:07)
Mm-hmm.
Still not up yet.
Justin Shelley (22:28)
I guess it's not the last, we do have one more episode. But up until now we have been talking a lot about prevention. This is a shift where we're talking about detection and response. Next week, we're going to get into a little bit more about the response part of this. But when you look at the frameworks and stuff, this is definitely not where people start. And I think it was you, Bryan, you mentioned that even the frameworks conflict on when this gets put into place, if it gets put into place.
But I do want to make the point that yes, there is an additional cost as we start getting more advanced in our cybersecurity protections. But the cost of not doing this is always going to outweigh the cost of the protection if you get breached. And these days we've gone past the if. It's going to happen. You better be ready for it. You better be putting some time, some money, some energy into this.
I don't know, I'm-
Mario Zaki (23:28)
And I want to paint a picture and kind of build on to what you were talking about earlier. This is very similar to, like, having security cameras, like, outside your house, or a Ring camera. You know, like, I know on my Ring camera, it will give me an alert, you know, when, you know, the Amazon truck pulls up to my house, which is usually about five times a day because my wife, you know, has a bad habit, and
Justin Shelley (23:31)
Okay.
It is, yeah.
Bryan Lachapelle (23:50)
Hahaha
Justin Shelley (23:50)
Your wife right, Mario right!
It's my wife.
Mario Zaki (23:57)
You know, so think of it this way, where this detection will detect right away when somebody tries to come in. A, were they able to get in or not, a yes or no, and B, if they were able to log in, it automatically shuts everything down. It locks down, like, the Microsoft 365 account and alerts, you know, the user, alerts us. It alerts, you know, it's alarms in place. That's exactly what we are talking about right now. It's monitoring, like, your perimeter, your house, your 365, your servers and stuff like that. In the event something happens, we're able to see it right away. It's just like having a security camera on every aspect of your business.
Bryan Lachapelle (24:47)
It's the analogy. The other analogy I use is you have locks on your doors and you have alarm contacts on your door. So, you know, if somebody gets in, right, or somebody tries to get in, but whether they found a sneaky way into your facility, that's what the motion detectors are for. Why would we have motion detectors and alarm contacts on the door and locks on the door? Well, that's because some people get tricky and they find a way around it without tripping the alarm, and then the motion detectors get them. So, you know,
In IT, our motion detectors would be maybe like a canary file. That's like, you know, a file that's left on servers or workstations that nobody should ever touch because nobody even knows they're there. But a bot or an attacker would know that that's a file that nobody would use. As soon as it gets accessed or encrypted, boom, triggers the alarms. That's one way. There's many, many other ways, but that's one way. You know, looking through log files to look for people who are trying to log in repeatedly and eventually they get in. That would be another, you know, way to detect. But yeah, there's tons of solutions that we implement that detect them once they're in the network, just like the motion detector lets us know that somebody's broken into our house already, even if the door contact didn't trip.
Justin Shelley (25:57)
Yeah. Well, I'll give you guys a great example of what this stuff can do if it's set up right. Cause I pause here. Cause I'm like, I was on a Microsoft support and they remoted into my computer the other day. Like, that's the beginning of every breach ever. Right. Cause it's never really Microsoft. Well, this one was. I initiated this through logging into the Microsoft portal, initiated a support request. And of course then they come in and they want access to my
Bryan Lachapelle (26:14)
Yeah.
Justin Shelley (26:27)
to my computer to go through and troubleshoot some stuff with my Microsoft account. And as they did this, I'm like, Jesus Christ, this is like, I can't even admit this, that I'm doing this, because every story ever starts with, the Microsoft guy said he needed to look at my system to see if whatever. Okay. So I'm doing it. I let them in and I get, I get alerts from my logging or my monitoring, detection system that says,
Bryan Lachapelle (26:43)
Yeah.
Justin Shelley (26:56)
Somebody just created a, what do they even call it? Cause I never use it. What's Microsoft's support thing? Anybody know? Quick Assist. Yeah. And so it popped up, you know, I've got a ticket in my system. I've got an email saying that, you know, Quick Assist was running on my computer. Now I knew that it was, but you're saying, Mario, you know, it's hard to test this stuff. That was a great test because I am evaluating this new system.
Bryan Lachapelle (27:03)
Yeah.
Mario Zaki (27:04)
assist.
Mm.
Justin Shelley (27:25)
And it showed me because if I'm asleep at night and somebody gets on my computer, how else am I going to know? You know, now in this case, um, I need to, need to do some tweaking because all they did was create a ticket in my system. Like, great, but they didn't shut it down. You know, they didn't ask me to verify they didn't call me. So somebody still could have got in and you know, there's a, there's a, I'll remove names to protect the innocent and the guilty, um, a colleague came into work.
Mario Zaki (27:32)
Yeah.
Bryan Lachapelle (27:38)
Yes. Right.
and did some bad things.
Justin Shelley (27:55)
one morning to see his workstation actively being controlled by a bad actor. Right. I mean, I don't think they did anything. I don't know that there was any damage done, but that's not comfortable. Right. So this is the, this is the kind of stuff that we've got to be able to protect against. We have the protections in place, but there's always a crawl space that's not protected. There's always an attic. I mean, some of these stories I was reading up on, they were living in a closet. Of all places, like, Jesus.
Bryan Lachapelle (28:27)
So we had a recent incident with a client. I won't mention names and I won't mention the agreement we have with them or anything like that, but needless to say that an attacker managed to get through all the other layers that we had. Now, it was a bad password on a user that had remote access. So, you know, obviously that's why we keep saying passwords are still the most common way people get in. But anyway, but because the attacker had repeatedly tried over and over and over again,
Justin Shelley (28:49)
Yeah.
Mario Zaki (28:51)
you
Bryan Lachapelle (28:55)
our monitoring company, the monitoring back end operation center we use, detected this attempted, you know, they saw the attempts. And then finally it was a success. It's like, okay, that's odd. And then what they started to try to do, and they were monitoring, like, they don't know if this is a legitimate user, not a legitimate user. Maybe it just happens to be the legitimate one that got in. But then all of a sudden the attackers started to try to do something that was clearly malicious.
Within one and a half minutes of the initial successful login, the company who we use for our back end NOC locked them down and locked every single computer in the entire organization as a precaution, because this was a server, and crisis averted, because they could have done a lot of damage. Because this all happened at, what time do you think, Justin? What time though? 2 a.m. Yes, sir. Always 2 a.m.
Justin Shelley (29:42)
middle of the night, 2 a.m. It's always 2 a.m.
Mario Zaki (29:46)
Hm hm.
Justin Shelley (29:49)
or lunch hour. You know, that's another one they'll attack on lunch hour or weekends.
Bryan Lachapelle (29:53)
Yeah, but yeah,
it was phenomenal. Like we came in, obviously we knew about the incident and everything like that because we were alerted to it. You know, by the time most of our staff rolled in, the problem was already resolved and the client was notified of the things that had occurred, when they occurred, and that everything had been handled. You know, no data was exfiltrated, but they were in the process of zipping up the entire data directory to send it off site.
Justin Shelley (30:22)
God.
Mario Zaki (30:22)
And the thing is, we gotta understand that it's not just something like a crawl space that they don't find. It could be a user, they clicked on something and thought it was really an email from Microsoft or an email from Best Buy to log in, whatever, and they clicked on something and allowed them in. If you're opening the window and letting the guy in, now you still need to know that he got in. Because...
Unfortunately, the majority of employees, when they do something stupid, they won't tell anybody. They're like, shit, this doesn't look right. They think if they just close the browser that they've cleared everything, which is not the case. So it could happen accidentally by an actual employee.
Justin Shelley (30:58)
Right.
which, we talk about culture, you know, regularly. And that is another case where you have to have the right culture so that when something happens, your team feels comfortable raising that issue to the right people and knows what to do, like even who to talk to about it. Right. There's gotta be processes and training around this. And then Brian, you touched on something. You said a minute and a half, you know, and that is a metric that comes up with this particular topic,
Mario Zaki (31:14)
Yeah. Yeah.
Justin Shelley (31:40)
which is the mean time to detection. And if it can, you know, be contained, if it happens within minutes, then you can consider it contained, right? But if it goes days, if it goes weeks, months, it's not contained. You've got a full-blown crisis and you don't even really know at that point what's happened. Especially if you don't have the right logging to detect it, you sure don't know what they did once they got in. So, correct. Yeah.
Bryan Lachapelle (31:40)
Mm-hmm.
Mm-hmm.
Not contained.
They probably deleted the logs anyway, right? So that's the first
thing they do: turn off all logging and then proceed with whatever they're going to do. And sorry, to add one more thing, it's no longer all, we've talked about this many times, but it's no longer just, like, my network, right? We are now dealing with all of our cloud SaaS applications, all of the different tools we use across the internet, right? Maybe they breached one piece, but not the other.
Justin Shelley (32:11)
Yeah, right. Yeah.
All right, guys. Nope.
I know.
Bryan Lachapelle (32:36)
Right? Do you have logging on your QuickBooks logins? Do you have logging on, you know, in our case, our RMM or PSA, right? Like all these different tools we use internally. Is logging happening on all of those devices and all of those systems and all of those software packages? I would hazard a guess, probably not. Right. Mm hmm. Yeah. So all of that has to be considered as part of the overall
Justin Shelley (32:52)
And if it is, is it being reviewed?
Bryan Lachapelle (33:02)
security architecture. When we're talking about detection and monitoring, it's not just, you know, not just your office, it's everything you use outside of that too.
Mario Zaki (33:12)
Yeah.
And I know Justin touched on, no, sorry, Brian touched on it a few minutes ago. This is not a product where it's our guys in the office doing this work. It's not just a normal ticket. This is a tool that we purchase, that we set up for everybody. And those guys are set up to only be looking at this stuff. They're not, you know, fixing printers. They're not doing, you know, onboardings and offboardings.
Bryan Lachapelle (33:36)
Mm-hmm.
Mario Zaki (33:42)
They are literally, this is their job, 24/7/365, that is their job to watch this. And you know, when you look at those pictures of people sitting in rooms and they have, you know, monitors all over the place, this is what we're referring to. You know, those pictures are of this type of security operations center. This is what those guys are doing all the time.
Justin Shelley (34:08)
I'm gonna rat on, so I'll leave the name out of it, even though I do like to name-drop this one because they're a big name. But I was visiting the office of a very well-known cybersecurity firm up in your neck of the woods, Bryan. And, you know, they're very, very proud of their facilities, as they should be. You know, we walk down the hall and the owner of the place, he's kind of talking to us and then he, you know, hits a little button. And this wall of frosted glass goes immediately clear.
Bryan Lachapelle (34:22)
Yep, I know the story.
Justin Shelley (34:37)
And you can see their SOC, their security operations center. And you've got a bunch of guys and gals sitting at desks, looking at, you know, doing whatever they're doing. And you can't really see that part, but then up against the wall there were probably 20 great big flat-screen TVs that were all showing these really cool, almost like WarGames. If you go back to the 1980s, the movie WarGames, you know, they've got these missiles graphically being depicted, launching at one country and then back at the other.
And this is supposed to be a representation of the attacks as they happen. I don't know. I mean, it looked badass. And then I went back home and, looking at my house, I wanted to set up something similar. And I realized these are all just, like, simulated images, but it doesn't matter. I still put them up on my screen, because I thought it was so cool. The point is, this stuff is not cool. Looking through these logs, the real work that goes on here,
Bryan Lachapelle (35:26)
Hahaha
Justin Shelley (35:35)
is boring. It's terrible. It's not fun. It's not exciting. Yeah, it is not possible. You're in the millions and millions and millions of, you know, items that you have to look through. So, crazy stuff, guys. I mean, I wish that, back in the day, tell me I'm wrong, back in the day, when I was a boy, the world of technology kept getting better and better:
Bryan Lachapelle (35:39)
And today it uses AI and automation, because it is not possible to look through them all. So, no.
Justin Shelley (36:04)
faster processors, more memory, better motherboards. Like, we would sit and geek out about this stuff, and it always got cheaper. Now we've got the exact opposite going on. Everything's getting more expensive, more complex, and it seems like it's doing less. It's not, I mean, we are getting more out of it, but holy hell, the amount of money we have to spend on this. And I'm making that point because I, you know, get a little bit tired of people saying
Justin Shelley (36:32)
they don't want to spend money on this. Like, I'm sorry. You have a building. I know that you don't want to have rain on your head. So you put a roof over it. If you want to have a business, you've got to protect it. You have to, and it's not even just an insurance policy. I used to kind of frame it like that, hoping nothing happened. This shit's happening all the time. And we're sitting here, like, deflecting with our shields and whatever else. It's happening all the time. It's not sexy. And it's really hard
Bryan Lachapelle (36:49)
Mm-hmm.
Mario Zaki (36:56)
Hahaha
Justin Shelley (37:01)
to demonstrate the value with this stuff, but good Lord, it is a lot of work. A lot of things happen, and moving to the cloud, you know, I've said that a hundred times, that didn't help anything. That made it infinitely worse, more difficult.
Mario Zaki (37:15)
Yeah, I saw, and I should have written it down or printed it, I saw a statistic the other day that there's a higher chance of your business being hacked than your house being broken into. And, you know, yeah, I forgot what the percentage was. So then, you still lock your house every time you leave, you know, and when you're home, you're locking your door.
Justin Shelley (37:29)
I'm sure.
Bryan Lachapelle (37:29)
yeah, absolutely.
point.
Mario Zaki (37:40)
You know, you're putting on your security alarm when you're going to work or going on vacation. Why aren't you doing this stuff for your business, even though it has such a much higher chance of being attacked?
Justin Shelley (37:52)
because it's a hundred percent chance. It's not a higher chance. It's a hundred percent chance your business is being attacked. Now, are they going to get through and what damage will they do if they get through? TBD. But are you getting attacked right now? Yes. One hundred percent. You are getting attacked right now. Don't put this stuff in place.
Bryan Lachapelle (38:05)
Yes.
Mario Zaki (38:08)
Mm-hmm.
Bryan Lachapelle (38:08)
If you take,
I remember there was an experiment that we used to do, or they used to do live on stage when we went to a security conference. They would take an old Windows XP machine, if you all remember that, and they would put it on the internet with no protections, like just straight plugged in, not through a router, not through a firewall or anything. Within seconds, the thing got breached. Seconds. Like, we didn't count minutes, we counted seconds. And this was 10, 15, 20 years ago, right? When XP first came out.
Justin Shelley (38:19)
yeah.
Wow. Yeah.
Bryan Lachapelle (38:35)
You know, seconds, that these people would get in. And if you looked at a log file on a firewall or anything, hundreds and hundreds of attempts every second. Yep, every second, hundreds of attempts. They're just scanning everything. It's not like they're going after you specifically, right? They're just scanning every available address. You know, it'd be like a criminal walking up and down the street, or actually, forget one criminal, a thousand criminals
Justin Shelley (38:42)
That's I was gonna say, you All the time, all the time.
No, but they're-
Bryan Lachapelle (39:00)
going door to door on the same street over and over and over and over again. You just see the swarm of people going from door to door trying to see if it's open. Is it open? Is the window open? Is the back door open? Is the basement window open? Right. Yeah. Right. They're checking everything. And then they leave and another one comes in and does exactly the same thing. And then they leave and a second later another one comes in and does exactly the same thing. That's what's happening to your firewall, your network, everything. It's all the time.
Justin Shelley (39:10)
Yes, scouring the entire house, not just the door. Yeah. Up on the roof.
I was, I was
reading these stories, right. This is how I introduced today. One of them, some dude got up on the roof and broke through the roof to get down inside the attic of somebody's house. Like, that is what's happening. You know, I use these as illustrations because we can picture that, right? This is what's happening behind the scenes. That is way harder to picture and way harder to demonstrate. But I am telling you guys, this stuff is critical.
So, all right guys, we're gonna go ahead and wrap up. Do you have anything that we've missed? Any final thoughts, key takeaways? Brian, go ahead and go first, Mario, and then we're gonna close out for the week.
Bryan Lachapelle (40:06)
Okay, my key takeaway is ask the question. Whoever is supposed to be taking care of your network, ask the question. What are we doing for detection and response? What are we doing to monitor and detect a breach that has already occurred? If the answer is I don't know.
Justin Shelley (40:25)
You're in trouble.
Bryan Lachapelle (40:26)
You're in trouble. Yeah. That's it. Just ask the question.
Justin Shelley (40:29)
Okay,
Mario.
Mario Zaki (40:32)
But be careful, don't ask a question you don't want the answer to. Because, I forgot what's his name, Joe, Joe the insurance guy. Once you've made that inquiry, and the IT company then replies back and tells you, oh, well, we don't have this in place, you technically are now aware that you don't have this.
Justin Shelley (40:35)
Yeah.
Bryan Lachapelle (40:46)
right.
Mario Zaki (40:58)
Yes, I do agree with Brian. I think you need to find out. You need to make sure you have, or don't have, what you need. But once you find that answer, definitely take an action towards getting it better. Sometimes we'll sit with somebody and we'll ask them, show us your last cybersecurity insurance application or renewal.
And we take a look at it. A lot of these insurance companies will ask those questions. So one thing you can do, if you want, go on ChatGPT, have it create you an insurance questionnaire of, like, the most common security questions, and have your IT person go in and fill it out for you guys and see what those answers are. You know, that way you know what they're doing. You know if they're aware of
Bryan Lachapelle (41:30)
Mm-hmm.
Mario Zaki (41:54)
these items to protect you. And I'm going to quote Brian here, try to at least get 1 % better every day till you get there.
Justin Shelley (42:08)
Joseph Brunsman, by the way, was the guy's name, episode 27. Go back and listen to it. That one, I mean, I'm just going to straight up say that one changed my life, hearing. Yeah. Yeah. The "daddy's getting a new boat" email, that was.
Bryan Lachapelle (42:17)
the cha-ching email. Woohoo!
Yep.
Mario Zaki (42:24)
We need to get him back on.
Justin Shelley (42:26)
We probably do. Good stuff. So, all right. I'm going to wrap up with, you know, my final thought, and this is just kind of the frustration that I deal with on a pretty regular basis: I constantly get price resistance, and I get it. Nobody wants to spend money when there's not a very tangible return on that investment, but God damn it, guys. This is something that you can't cheap out on.
But I see it all the time, at least the desire, the intent to cheap out, to cut corners. Go ahead, but go ahead and disable your seatbelt and your airbag while you're at it, because you're not going to, yeah, it's just, this isn't going to work out long-term.
Bryan Lachapelle (43:04)
Stop changing your oil in your car.
Mario Zaki (43:08)
Keep
your house doors unlocked and see how you feel.
Justin Shelley (43:11)
Right.
Exactly. Turn off your cameras, all that. Yeah. If you're going to live on the edge, go ahead and live on the edge. That's what I got, guys. We're going to go ahead and wrap up. That's it for this week's episode of Unhacked. If you want more, go to unhackmybusiness.com. We've got all the episodes, the show notes, the resources and all that stuff. And yeah, it's a work in progress. We're going to keep building that thing out. Anyways, Brian, thank you as always for being here. You got a final goodbye for everybody?
Bryan Lachapelle (43:37)
Thank you.
Well, my name is Bryan Lachapelle, B4 Networks. We help you get 1% better every day. I hope to help you on your journey.
Justin Shelley (43:45)
Awesome. Mario again, always. Thank you. Say your goodbyes.
Mario Zaki (43:50)
Thank you, Justin. Guys, if you want assurance, if you want peace of mind, listen to our show, like and subscribe, and reach out to us if you have any questions.
Justin Shelley (44:03)
Yeah. I appreciate you plugging this time, because I get tired. I've started doing it, but anyways. And just remember, guys: listen, then take action, and keep your businesses unhacked. Unhacked. See you next week.
Mario Zaki (44:04)
Yeah
It's unhacked.
Brian forgot again.
Bryan Lachapelle (44:17)
I keep forgetting.
Justin Shelley (44:17)
Brian always
forgets, Brian. Like, I don't even. There we go, there we go.
Bryan Lachapelle (44:21)
Unhacked. I'll see you guys later. It was just delayed.
Mario Zaki (44:22)
Yeah.