Stop 90% of Ransomware Attacks with Basic Cyber Hygiene

Most ransomware attacks succeed for one reason, somebody skipped the

basics, patch management, password management, MFA or pass keys.

These three things, do those right and you stop roughly 90% of the attacks.

This week, Dr. Mike Saylor, Prasanna and I walk through each one,

what it is, why it matters, and what happens when you ignore it.

Things like WannaCry, Rackspace.

These, stories are all real, and the lesson is the same every time.

The basics weren't done.

You don't need a massive budget or a fancy security stack to stop most hackers.

You just need to do the boring stuff.

Here we turn admins into cyber recovery heroes.

This is the Backup Wrap Up

Welcome to the backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have with

me, a guy who apparently shaved last week and I didn't even notice.

Prasanna, Prasanna Malaiyandi, how's it going?

Prasanna.

I am good Curtis.

Yeah.

my wife was very surprised after the podcast recording when she

was like, did Curtis notice?

of course, I. I texted you and you're like, no, or no, I think

No.

on the phone and you're like, no, what are you talking about?

Yeah.

and apparently Mike didn't notice either, so I feel somewhat better, but, yeah.

So you've gone down to the goatee,

Yep.

many, many years since I've done this.

I've seen a picture of you with the goatee.

yeah.

I think you should go back to your cut from college.

That's what I think.

The buzz cut.

Yeah.

I'd love to see you in the buzz cut again.

Walked away.

speaking of buzz cuts, Dr. Mike Sailor, how's it going, Mike?

Going Good guys.

It's going good.

All right.

So he of course, is the co-author on, learning Ransomware Response and

Recovery, which came out last month.

Which, uh, do you have one with you now?

Did you, did you prepare this time?

I did not prepare this time.

I have yet I still don't have mine and I have yet to actually see the

a physical printed book even like a video of a physical printed book with

the book is gonna be the size of the thing in your background?

Curtis?

yeah I would dear Lord I hope not And you know what's funny is like in on the

camera this thing looks fine but this is like this far back from me right And so

this thing is I think it's 15 by 24 That thing is massive so yeah I surely hope not

For those

but

watch us on YouTube, we do have videos out, but Curtis was just

pointing at the title page?

The front

It's the cover the front cover Yeah yeah yeah And uh available at uh

So or you can order them directly from O'Reilly for the record if you order

directly from O'Reilly Mike and I make more um So uh there's that All right

we're gonna talk so we're gonna jump into this week we're gonna talk about

the title It's gonna sound I I never know exactly what the title's gonna

be but it's gonna be something along the lines of stop 90 of the ransomware

attacks that could possibly happen to you That's a really long title but I it

may sound like a bold claim but I think it's pretty straightforward And Mike I'd

like to start out this week What's that

before you

Yeah

can I make a bold claim?

claim

A

please

That you can stop a hundred percent of ransomware if you

never do anything online.

not, I think there's still some room there for infection.

if they do the the drop the one that we covered in the what do

you call it when we did the MR Robot remember the drop USB stick

Oh, that's

Tchotchke drops.

Yeah what's that

you win.

We call 'em tchotchke drops.

Tchotchke drops Yeah Yeah So even then but what is this not do things online

thing that you're talking about I don't know what in the world I don't even know

Like saying you can't get sick if you don't go outside.

that's not true either.

Exactly all right Mike do you have a story to start us out with this week

man, there's so many to pick from, but, from the book, we talk about WannaCry.

and similar to kinda what we touched on here, good hygiene

can prevent a lot of stuff.

And I think WannaCry is an example of bad guys identified of a

vulnerability that was out there.

They created a. a payload and a, and an attack vector to take advantage of that,

realizing that, there's a very large percentage of, company and organization

populations that don't have a solid patch management program or, that it's pretty

lax, there's a lot of organizations that, that say we have a patch program,

but it's, 2, 3, 4 months behind, or it's gotta meet certain criteria

and some things never get patched.

that's what happened with WannaCry.

found a vulnerability,

For those of us that haven't lived the cyber world Why don't you tell us what

was want Tory What did it make you want to cry Is that why it was called

that And what when did it happen and

I was

I think there was about 200,000,

Yeah.

200,000 people crying in unison,

exactly

with WannaCry.

I was going to say Curtis, that because there have been so many of these

attacks over the years, it's also hard to keep like, which keep it straight

in terms of like which one was which.

So why don't you tell us the story of WannaCry Mike

WannaCry, was developed, to take advantage of a vulnerability in

SMB or a, a Windows, service.

That had a patch.

So Microsoft came out with a patch.

So it was several months later that the malware, this

attack vector really came out.

and it was all of those organizations that did not apply that critical, patch.

And if, if you were paying attention at all, you probably got

an email from Microsoft saying, you really need to patch this.

This, this vulnerability.

or you've got automatic patches turned off, which is common too.

'cause a lot of organizations don't want to automatically apply

patches to production systems and have them reboot and cause issues.

But nonetheless, bad guys found a vulnerability, took advantage of it

several months after the fact even,

yeah

and.

how many people were impacted

not necessarily people, but sy well over 200,000 systems

were infected with WannaCry.

that's quite a bit that hint your comment earlier 200,000 people all

crying out at once just like in what do you call it star Wars I I'm

Yes,

okay Alright but and the thing is this is yet this is one of many examples of

hacks, of attacks that had the victims of the attack practiced basic cyber hygiene.

They would not have, been, they would not have been victimized by this attack.

Does that sound, is that about right?

good chance they would not have been a victim.

Yes.

the only caveat that is that Ry is one of those ransomware

malware that was also a worm.

so as it infected a machine, it's worm like behavior was what?

What led itself to propagate in kind of an al alternative method.

So if you weren't vulnerable to the SMB with Microsoft, you might've been

vulnerable some other way that this, uh, this worm was able to compromise you.

I think back to the Rackspace hack, because that was one

where, again, it was a patch.

There was a patch to the vulnerability in Microsoft Exchange that, again,

had Rackspace simply applied that patch, they would not have been,

subject to this particular attack.

And in this case, there was, was a workaround there was a vulnerability.

And then there was a workaround to the vulnerability while

they were waiting on the patch.

But what happened is there was a, an undisclosed, a zero day additional

vulnerability that if they had applied the patch to fix the first

vulnerability they would not have been subject to the zero day exploit.

But they said to themselves, uh, this is my theory, uh, is that they said,

well, we, we put in the workaround.

And so therefore the criticality of this patch was not, it wasn't as critical.

And so they didn't put in the patch yet.

And two weeks, after the.

this exploit came out.

they were attacked and that cost them entire business line.

because they had to, they had to stop.

and it, there was a, there was lawsuits.

it was very messy.

so let's talk about, when we talk about, cyber hygiene.

do you want to, do you wanna just define that, Mike.

And if I could back up just a minute.

'cause you made a comment about mitigation, so we weren't able

to apply the patch for whatever reason, so we mitigated the risk.

something that I think is critically important for people to consider

when we talk about mitigation, and this comes from my audit.

My audit life, where I had to go and determine if people were

following the rules, whether it was hygiene or we also called them,

general controls or best practices.

If they weren't, then they had to demonstrate what they were

doing to mitigate the risk.

Presented by the absence of doing what we expected and the audit guidance and

what we would tell people and what people should consider is that your mitigation

strategy should be more effective.

Had you done it the right way to begin with.

a

So if the control says, do one, two, and three, and you say, I

can't do one, two, and three, you better do 4, 5, 6, 7, 8, 9, and 10.

Your mitigation needs to be stronger than the original control or activity.

which

Interesting.

But I guess in your experience, Mike, how often were people

able to meet that higher bar?

if you were a regulated organization, you had to, or you failed.

Or,

Yep.

often would they just say four, five and six, seven are two difficult.

Let me just go back and implement one, two, and three.

With a grain of salt, obviously.

So I was a technology auditor, so I was auditing it people that generally

don't run the business, right?

They're being, they're given direction from the business of, we can't fix

that thing because our website will stop working or it'll be down too

long, we'll lose too much money.

So businesses directing the technology, groups and infrastructure

of what they can and can't do.

And so when you talk to them about, you couldn't do one, two, and three, because

it'll break things or for whatever reason.

So what are you doing?

we're doing four, five, and six.

four, five and six are okay.

I'm gonna say that's maybe effective with opportunity for improvement.

or they're doing a whole lot or they're not doing really anything because they.

They didn't know.

And so those are the really, the three options.

you fail 'cause you didn't do what you were supposed to

and you weren't mitigating it or mitigating it effectively.

You were mitigating it somewhat effectively, but I

think it could be stronger.

And that's from a, an auditor's perspective, there is that kind

of, latitude where I can add some.

Objectivity, or I say subjectivity.

Uh, and then lastly, wow, you, you really, you really are, you really do understand

that mitigation's gotta be stronger.

And, and, but that's, that's rare.

Very rarely did I see the mitigating controls more effective

than the, the original controls.

I'm glad that you, you mentioned, the comment that you made, I is one

that we make a lot from the opposite side, and that is the backup.

People should never be setting policy.

They should never be determining, retention periods, RTOs and RPOs.

you know that should never be the case.

That should always come from the business.

and so we say that a lot and so it, it's good to hear it just

from a different, frame of view.

I don't think you ever got around to defining cyber hygiene.

So cyber hygiene.

if we keep in our discussions, we keep coming back to the real world.

'cause I think that helps people, relate.

so applying real world stuff to cyber hygiene is very similar.

if you're not.

Keeping or maintaining your own personal hygiene, you're gonna get sick.

so in cyber there are things that you should be doing just like in real world.

Take your vitamins, go see a doctor, get your checkups, do healthy things.

One, cyber, those.

Activities are making sure that your systems aren't vulnerable.

, And we do that through patches.

so we subscribe to services.

If it's a Windows machine that do it automatically, if you've got it turned

on, It and it will check your systems to determine if there's a vulnerable,

configuration or a patch that's out, that, that would, address a known problem.

so patch management is very important.

the other part of that is, who can access my stuff?

that's me obviously, and the people that I give access to my systems.

But then how do we know that it's really them because.

The number one traded commodity on the dark web right now is

access, and that's credentials.

So how do we, you know, what's a good practice for making sure that

you know, someone that, that I trust, uh, that their credentials

aren't out there and someone's, you know, some bad guy's not using them.

So that's where multifactor authentication comes in, but very similar to.

in the real world, vitamins and all these other healthy things, you have

to do it responsibly and appropriately.

And MFA is definitely one of those that I think the majority of organizations just

say we have it and they're not using it.

Right.

and then lastly, password management, probably, appropriately

at the bottom of the list.

it's still part of hygiene, but not as effective as it used to be 'cause.

bad guys aren't trying to guess your password, they're just stealing

it from somewhere else, right?

your work password is probably a password you've used somewhere

else at some point in time.

bad guys are just

Yeah, but that's the point of good.

Cyber hygiene Is not doing that.

We're gonna get to that in, in a

So we'll get into the details of what, what a good password practice,

would be, similar to patching and MFA.

Mike, so these are three great sort of.

Things you should be doing from a cyber hygiene perspective.

but how did you come up with this list, like right, or, I know you

and Curtis have been talking about this for a while, but like, why

are these the three most important?

Is it based on like scenarios you've encountered working with customers,

helping them recover from ransomware?

Like why should someone believe the sort of 90% of ransomware could be?

I can jump in on that one.

it's because of the stories that I've read over the last, so many years, it

was always one of these three, right?

if they had just patched the system, then they wouldn't have

the vulnerability if they had just either not allowed the password to

be stolen or compromised in some way.

And then, if they were just using MFA, then even if they had the password,

then they would've been able to get in.

Assuming that you didn't have MFA fatigue by the employee?

But the thing is, if they had these things when you read back on the stories, and I

would add because we're tech technically talking about cyber hygiene here and not

backup hygiene, but I'll add to this.

Immutable backups, right?

If we have that, if we have those four, then not only would you stop the, the bulk

of the attacks, you would, also be able to respond to the 10% that, that you get.

would your answer be any different there, Mike?

Oh, very similar.

So yeah, they, these three are the greatest common denominators, of

a lot of the, if not the majority of, Incidents that are out there.

but to Curtis's point and maybe where you were going, Prasanna.

Yeah.

This list could get really long.

it's, it's not just these three and the backups, it's also network segmentation

and turning, secure build guidelines and secure coding and, perimeter protection

and vendor management and anti-malware and training and all those things.

but when you look at the numbers, the statistics of incidents

that are out there and what.

You know what, how you boil those down to the Common denominators.

it's primarily these three.

Because these are, it's this is to, again, going back to the real world, in the real

world when we talk about investing, The very first thing they tell you to do is

to have, 90 days of an emergency fund.

And that should be your first thing because there's no point in talking about

4 0 1 Ks and Roth IRAs and all these things if you can't survive, losing a

paycheck for a couple of weeks, right?

This is the, if you're not doing these.

Then just stop.

in the book we said if you're not doing these three things, just stop

reading right now and go do those three things because it will stop 90%,

the other 10%, like everything else.

The other 10% is the hard part, right?

It's the more expensive part.

But doing password management and patch management and MFA or, pass

keys, which, we'll talk about that a little bit more, but if we do that.

Then it's a, it's the low hanging fruit.

that, that allows us to secure the environment, without

massive cost or anything.

If you're not doing these things and don't, it's like when we start talking

about, offsite backups, there's no point in talking about offsite backups if you're

not making backups in the first place.

this is the, if you're not doing these things, and don't even talk to me.

Don't even start, if you're not doing basic cyber hygiene, then,

then there's no point in continuing on with further discussions.

let's just talk a little bit about, when we talk about patching, how do we know,

and we're gonna do an episode on each of these things, but just the basic thing,

what do you think would be the easiest?

that's what, 'cause that's what we're trying to do here.

What would be the easiest way to make sure that we're running all

of the appropriate patches, Mike, especially the critical ones.

it's easy if you're organized and the first step in getting organized is doing

an inventory of the things that you have, because, you have to work off your

inventory to know who to get patches from.

Right.

Is it, is it.

Red Hat Linux.

Is it Windows?

Is it third party tools?

Adobe, uh, you know that 3D modeling tool?

So you've gotta inventory all this stuff first and then find out if you can

actually get notifications from them.

For when patches are available.

if you don't do that on the proactive side, then you're gonna

get it on the reactive side.

'cause hopefully part of hygiene is also your periodic vulnerability assessments.

And if you need help with that, we can walk you through some

free open source ways to do that.

Every now and then you need to be scanning all of your assets for vulnerabilities.

That's gonna turn up some configuration problems, some missing patches.

then, alright, reactively, now I, there's a missing patch and usually it comes with

a link from these vulnerability tools.

so go do that and while you're doing it, find out if there's a way

to subscribe to that information.

It's not easy, and that's one of the reasons people don't

do it 'cause it's not easy.

and there are tools out there that are fairly expensive to

do it in an automated fashion.

it's gotta start with understanding what it is you have, and then figuring out

where to get the information for available patches and issues with those assets.

this is the hardest thing today versus back in the day, right?

Back in the day, I could walk into a server room and I could literally just

have a piece of paper and check off.

I have this one, I have this one, I have this one.

Now We don't have any service to point at.

Everything's virtual.

Everything's in the cloud.

And we have, IAS we have PAS we have SAS, right?

We have all of these different ways where, and I'd say the SaaS is probably the

worst because it's so easy to propagate.

The, to go across the, the thing and you did remind me when we

talk about inventory, you did remind me again back in the day.

We had, when I was the backup guy, my very first job in it.

we had a very boring naming convention.

We had H-P-D-B-S-V-A HP database server, a right, bbc, so on.

And I ha I was becoming worried that I wasn't getting all the servers.

'cause we started out, we literally, when I started at the bank, we had seven.

Anyway, so we went from having seven servers to having 200 servers, and

I was starting to panic that we.

We didn't have a correct inventory.

And but the naming convention was very helpful.

And so I had this practice of when you had a new server, you had to give me a

form to say, I want this server backed up.

And I put this thing on there that said, don't consider it backed up

until you get the form back for me.

Signed that, said that I saw the form and I put it on the list.

And then one day somebody handed me a form and they, it

said H-P-D-B-S-V and I'm like.

And they're like, yes.

I go, so that would by, you know my inference, that means there's

an M and an L a K somewhere.

And they're like, yeah.

And I'm like, I only know up to j. so I'm gonna go find K and l and m and

and we'll start backing all of them up.

I agree with you, Mike.

A hundred percent.

That inventory is absolutely the place to start.

No, it, that's actually a pretty funny story, Curtis, but I'm not surprised.

You always have all these great stories from working at the bank and other places.

But Mike, I know you talked about patch management, right,

and how to apply patches.

is there something similar for cases where maybe patches aren't available?

Like, it's great you have an inventory of everything that's

there, but how do you deal with sort of, exploits that are currently

out there before patches come out?

So those are zero days in, in most cases.

so zero day is something was identified today, and vendors haven't had a

chance to respond to that with a patch.

and I'll add real quick, sometimes the patch that's available

becomes your zero day because it doesn't work in your environment.

and so along with patch management, you need to develop.

Process for testing the patch, applying it to a test machine to

see its effects on how things run before you move it into production.

be mindful of that too, but to your point, Prasanna about things

that come up that don't have a fix, those mitigating controls.

Like how do we, alright, so there in.

So is this a public facing thing?

do people log into it?

is it a, prized possession of our company with, sensitive data?

Or is it just that, that thing I could potentially turn off or isolate?

so you've gotta do some analysis first, like what's the risk, what's the impact?

And then respond accordingly if it's.

Publicly accessible internet facing.

Then put some monitoring on it, put some logging on it, try to isolate it.

those mitigating controls in the absence of a, a true solution have to be

assessed and applied as fast as possible.

I like that.

and

so

there are services out there.

I ran into one not too long ago.

It's outta New Zealand and it's, I don't have a fix for this.

It's essentially a proxy.

So they stand up a An internet facing version of whatever it is

that's fed from your environment.

And they analyze and filter all the requests for that information as a proxy.

and you can subscribe to that until a solution is, is applied.

So that was pretty interesting.

I did see that.

that's the patches world.

Let's talk a little bit about the passwords.

and I think we can all agree one.

some method.

Again, I'm a big fan of a password manager.

But you need some method.

So you absolutely do not ever use the same password in multiple places.

because that is the problem is, I, and I got a, I got in a argument

is a strong term, but I got into a discussion with a guy on.

I think it was somebody that commented on one of our videos and where

he was saying that he was using.

this system where he, what he does is he has a password that he uses

on like a small subset of systems.

Like he has 10 passwords that he uses everywhere.

And so his method of mitigating the risk is that he doesn't

wanna use a password manager.

He doesn't believe in using a password manager.

So he has 10 passwords that he sprinkles around and he just has to

remember, 10 passwords in his head.

and he uses the battery horse staple method.

which is a good method, right?

I'm sorry.

It is just this idea of having an password that is long but actually

easy to remember because most of the passwords that we have that are long

are total garbly gook and they can only be remembered by a password manager.

So he uses that method and then he has 10 passwords and I was like, that's.

better than using the same password everywhere.

But if any one of those systems where you're using that same password

are ever compromised, then you have to change the password everywhere

where you're using that password.

And potentially by the time you get around to doing it,

it's already been compromised.

And so this is just, again, my way to do this is password

manager and I think that's the number one most recommended way.

But besides making sure that we do not use the same password in multiple places.

What else?

Basic, password hygiene stuff do we need to talk about, Mike?

I think a good term for your, your disagreement.

and it's an older term, that you just don't hear very often is a kerfluffle.

Careful.

think that's a good yes.

Uh, anyway, so back to passwords.

I think a good practice these days, especially as we suggest passwords become

longer and longer, and, I don't know if, if you guys realize where that came from.

so it stemmed from the length of a password.

okay.

How long

So a stem.

compute right?

So when Windows or Linux, Unix, encrypts a password, with, a ES

2 56 or whatever it is, there's a ma math, there's a mathematical,

response to how long it would take to crack a password of certain length.

that's been defeated, by a project called Rainbow Tables.

Rainbow tables just encrypts and captures the hash value of

every conceivable, random known dictionary, multiple languages.

And so it's not, I don't have to crack your password anymore, I just have to

take your password hash and go look it up.

And see if that's already been done.

So it's not a math problem anymore.

it's a research problem.

All right, then a vulnerability came out in, with Windows.

'cause if you had, NTLM, the hash in windows turned on, it would take

your password hash and break it up into two eight character hashes.

now I can crack them individually.

Instead of cracking one large, I can do two small ones.

And there's vulnerability associated with that.

So now we should have greater than 16 character passwords for that reason.

and it, and I can drive policy now, it says it's gotta be 16.

if it has to be 16, the IT guys that have not wanted to change the LTLM

now have to, they have to turn that off to, to generate, and so there's.

It's political game, but also based on, some known

vulnerabilities around passwords.

Alright, now we've got 16 character or greater passwords.

How are you gonna get users to remember that?

password managers are great because it can also randomize passwords so

you don't have to remember it anymore.

You just log into your password manager and copy and paste.

and so you, you don't have to remember it anymore.

And it can be random, which is also.

Helpful, but then not everybody can subscribe to that approach.

So they want these password phrases now.

And so some interesting things about password phrases, and similar to what

Curtis was describing with, having a root password and then you know,

something at the beginning and something at the end that's helpful, especially

if it's, if you want the same route password for everything, and then you

just change the front and the back depending on what you're logging into.

'cause as a bad guy, I just need two of those to realize that's a pattern and

I can just guess, what, what your bank password is if I don't have that already.

so some things to think about.

if you're logging into your bank, maybe your past phrase is, I like getting paid

on Friday, and then at the beginning or the end, and that makes me happy.

Or, added emotion or add a color that makes you think of, that emo it's blue.

I think that's calming, right?

and then change up how it felt.

the way, Mike.

Green.

Green is okay.

for money.

red.

So then, do some substitution.

So instead of, ease, use threes and capitalize, the first letter

of a word or spell it backwards.

I had a password and man, long time, 20, 30 years ago, where it was,

I spelled everything backwards.

So there, there are some unique things that you can do with passwords.

You just have to figure out which one works for you, and that

you can be consistent with it.

The password manager will also help you remember to, it's about time you've

been using this password for 10 years.

Yeah.

time to change it.

basically the idea is the overall overriding concept is to not

use the same password anywhere.

Never use the same password twice.

and if you're not using some kind of system, my method is password manager.

the one that you talked about, Mike, the one where you append it and pre-end

it with something and you have this core password that used to be my method

before I went to a password manager.

and the, and then there's this, these other ways to have it, but.

I can't, ima I have 500 passwords at this point, right?

so I can't imagine, not having, a password manager at this point.

But, so that's my way to do that.

But the core concept is you cannot use the same password at multiple places.

And why is that, Mike?

we alluded it to it, a few minutes ago.

and the reason you don't wanna use them in more than one place is because

you've gotta rely on the security of more than one thing to make sure

your password isn't compromised.

And when bad guys compromise one data set, they're gonna use that data set

across everything they can think of.

So if I've got one of Curtis's passwords and I know he has 500 accounts out

there, I'm gonna use that one password to try and log into 499 of those,

And especially

could be.

one username is your email address, right?

so you already know my email address and you go out there and you use the.

Password everywhere.

you just, you don't even need to know where I have the thing.

you just try it.

All the places that you have access and you're, and this is a numbers game.

You're trying every account that you have access to with every password

you have access to in every place that you have access to the system.

so yeah, that's why we don't do it

Yep.

and how do you mitigate that?

by using the different password in every place.

what if they guess what if they have a password?

You forgot you used 20 years ago and now there's an account

that password's gonna work on.

How do you mitigate that MFA.

so MFA, is the final thing on our trifecta of basic cyber hygiene.

and I'll put MFA slash pass keys, which is it's like the next thing.

'cause we'll, as we, when we talk about MFA.

We will mention that MFA is not perfect.

Prasanna's already alluded to it.

there's this thing called MFA exhaustion.

there are other issues with it, but let's just start with what MFA is.

Prasanna, why don't you define MFA?

What is it, and how does it work?

So with MFA, it's really, someone might compromise your password

and so it's something you know and something you have, right?

And so that something you have piece is normally, say your

biometrics like a fingerprint.

It could be your face, right?

It could be a. Electronic token that gets generated periodically

or some other application, right?

That generates that such that you have a second factor, which previously was

called sort of two-factor authentication.

Right now it's multifactor in order to be able to say, yes, this really is me.

I'd say the most common one is probably SMS.

it's definitely not the best one, but it's certainly the most common, I

think the most common use to be email.

I really don't like email, like, in good, better, best.

It's barely good, uh, because again, if you, uh, if somebody's

compromised your email account, especially if it's the email account

that you use for everything, right?

Think SMS is actually better today than it used to be it's harder to do

sim hacking today than it used to be, at least in, in certain circumstances.

and then, but then, the, I think the best one that we have today that's

available to pretty much everybody is, an authenticator type app.

You wanna talk about that, Mike?

Sure.

Uh, and, and those apps are generally free, uh, and, and don't require any.

Infrastructure changes.

There are some, like duo, that would require some licensing and set up

on the inside of, your organization.

but others like the Microsoft Authenticator app, Google

has one, they're free.

You just get 'em in the play store.

And then whenever you want to register your multifactor with a vendor, a

lot of times there's like a QR code or a set up your account this way.

Similar to a password manager, you would log into your authenticator app and it

would show all your different accounts, which you could revoke or delete if

you think that's compromised as well.

And, MFA, fatigue, MFA fatigue is a real thing.

It's more of a. It's just annoyance.

so you log into something and you, oh, I've gotta wait for my phone to ding.

Now what if you don't have cell phone coverage or data, wireless data?

a lot of these authenticator apps also allow you to save.

Backup codes, things like, so there's any number of ways

of using what works for you.

the important thing is to figure out something other than email, for your

MFA if the account that you're wanting to apply MFA to will support it.

And Mike, I know on a previous podcast you sort of mentioned one of the

downsides with many websites, right?

Which have MFA, and then they sort of have the remember me

next time on this thing, right?

So it's whether it's a website like, I don't know,

Amazon.

Amazon, right?

yeah.

remember this device, you don't want to do that because your MFA token

is then stored in your browser.

And so now a bad guy just asked to get you to a position or a situation where I can

scrape that MFA token out of your browser if I already have your credentials.

The only thing I need now is your MFA token, and now

I can get into your account.

So good MFA has to come with good policy and good practice.

So the point of this episode here is just to if you're not familiar with any

of those three things, go get familiar.

and the best way to do that is to, log in next week and we'll

cover each of these in detail.

but, the idea behind MFA is that if somebody gets a hold of your password,

they won't be able to log in because they don't have that additional factor,

whatever it is, whether it's SMS or, an authenticator app or a token, right?

We'll talk about these more and all of those and passwords

and MFA have limitations and those limitations are us, right?

It's the human, and that's why I think pass keys is the better option.

As we move forward in the future, and I've been rolling out Pasky,

in many places, wherever I can.

it, I'm not sure if it's great for the average Joe, there, it can be confusing.

PAs keys can be confusing if you don't, if you don't know what you're doing.

But, but I.

Did you ever use iron keys?

Curtis?

what's a iron key?

So an iron key is a military grade USB, and in it, it's got its own, TPM chip.

Its own encryption, its own password manager, its own MFA.

And if you log into it, I think it's 20 times wrong, it self-destructs,

it's got a little capacitor in it.

and if you try to cut into it to get to the chips, it's also got

a sensor and will self-destruct.

Yeah,

Yeah, it's pretty cool.

that, but doesn't surprise me that you probably have.

Um, but anyway, so the, again, this is meant to be an overview episode.

and if some of this was confusing or frustrating or you felt like we didn't

go into detail enough, then just, we're gonna do three more episodes where we

go into each of these, in more detail.

but it just.

start looking into these three things.

Make sure you're doing pa patch management, right?

that some sort of automated system.

and we're gonna start with an inventory, right?

A physical inventory, a virtual inventory, and a, an a SaaS inventory

of your entire environment to make sure that you know what it is you're

supposed to be looking out after.

You're gonna have a good password manager and you're gonna have good.

you're gonna have an MFA or you're gonna have a passkey based system.

because, without these three things, no point in having, like

looking into A EDR or an XDR system.

and, or any of the other stuff that we're talking about because it's

like looking into a Roth IRA if you don't even have a savings account.

With that, any final thoughts, Mike?

Doing something's better than nothing.

one of these and do something about it.

absolutely.

What about you, Prasanna?

Well, I think the three makes sense and hopefully everyone

is using a password manage.

There.

All right, Prasanna.

Thanks.

Thanks for, being here again as well.

Forever.

and look, see I shaved, just so you know.

Yeah, absolutely.

Absolutely.

Alright.

Actually, I don't know if anybody can tell, but I had my beard trimmed.

I had a photo op yesterday, so it, my beard's all nice and trimmed.

So anyway, or as my granddaughter said, slay.

Um, and that is a wrap.

All right.

Um,

Welcome to the backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have a, with

me, a guy who apparently shaved last week and I didn't even notice.

Prasanna

Prasanna

Malaiyandi how's it going?

Prasanna

I am good Curtis.

Yeah.

Uh, my wife was very surprised after the podcast recording when

she was like, did Curtis notice?

of course, I. I texted you and you're like, no, or no, I think

No.

on the phone and you're like, no, what are you talking about?

And I had to send you a picture,

Yeah.

And, and apparently Mike, Mike didn't notice either, so I feel

somewhat better, but, uh, yeah.

So you, you, you've gone down to the goatee,

Yep.

um, and, um.

many, many years since I've done this.

Pre

I've seen a picture of you with the goatee.

Yeah.

Pre, yeah, yeah, yeah.

I think you should go back to your cut from college.

That's what I think.

The buzz.

The buzz cut.

Yeah.

Yeah.

I, I'd love to see you in the buzz cut again.

Walked away.

but, uh, anyway, speaking of buzz cuts, Dr. Mike Sailor, how's it going, Mike?

Going Good guys.

It's going good.

All right.

So he of course, is the co-author on, uh, uh, learning Ransomware Response

and Recovery, which came out last month.

Which, uh, do you have one with you now?

Did you, did you prepare this time?

I did not prepare this time.

me Mike I have yet I still don't have mine and I have yet to actually see the a

physical printed book even like a video of a physical printed book with with you know

The book is gonna be the size of the thing in your background?

Curtis?

yeah I I would dear Lord dear Lord I hope not And you know what's funny is like

in on the camera this thing looks fine but this is this is like this far back

from me right And so this thing is like I think it's 15 by 24 That thing is massive

Um so yeah I sure I surely hope not

For those

but

watch us on YouTube, uh, we do have videos out, but Curtis was just pointing at

the, what do you call it, the title page?

The front

It's the cover the front cover Yeah yeah yeah And uh available at uh

So or you can order them directly from O'Reilly for the record if you order

directly from O'Reilly Mike and I make more um So uh there's that All right uh

we're gonna talk so we're gonna jump into this week we're gonna talk about the title

It's gonna sound I I you know I never know exactly what the title's gonna be but it's

gonna be something along the lines of stop 90 of the ransomware attacks that could

possibly happen to you That's a really long title but um I I I you know it may

sound like a bold claim but I I think it's pretty straightforward And Mike uh I'd

like to start out this week What's that

before, you

Yeah

can I make a bold claim?

claim

A

please

That you can stop a hundred percent of ransomware if you

never do anything online.

Um

not, I think there's still some, some, some room there for infection.

sorry.

Well you know like if you if you if they do the um the drop you know the

the one that we covered in the in the uh what do you call it Um when we did

the MR Robot remember the drop USB stick

Oh, that's

Tchotchke drops.

Yeah What what's that

you win.

We call 'em tchotchke drops.

Tchotchke drops Yeah Yeah So even then um um but what what is this what is

this not do things online thing that you're talking about I don't know what

in the world Like I I don't even know

Like saying you can't get sick if you don't go outside.

Well, that's not true either.

yeah Exactly all right Mike well do we do you have a story to

start us out with this week I

I do.

Um, well man, there's so many to pick from, but, um, from the book,

you know, we talk about WannaCry.

Um, and similar to, to kinda what we touched on here, good hygiene

can prevent a lot of stuff.

And I think WannaCry is an example of bad guys identified of a

vulnerability that was out there.

They created a.

Uh, a payload and a, and an attack vector to take advantage of that,

realizing that, uh, there's a, a very large percentage of, uh, company and

organization populations that don't have a, a solid patch management program or,

uh, that it, it's pretty lax, you know, there's a lot of organizations that,

that say we have a patch program, but it's, you know, 2, 3, 4 months behind,

or it's gotta meet certain criteria and some things never get patched.

Well, that's what happened with WannaCry.

Well

found a vulnerability,

for those of us yeah For those of us that that you know haven't lived uh the

the cyber world Why don't you tell us what was want Tory What you know did it

did it make you want to cry Is that why it was called that And what you know

when did it happen and you know what

I was

I think there was about 200,000,

Yeah.

I.

200,000 people crying in unison,

exactly

uh, with WannaCry.

I was going to say Curtis, that because there have been so many of these

attacks over the years, it's also hard to keep like, which keep it straight

in terms of like which one was which.

Yeah Yeah So why don't you tell us the story of WannaCry Mike

WannaCry, uh, was developed, uh, to take advantage of a vulnerability in

SMB or a, uh, a Windows, uh, service.

Um.

That had a patch.

So Microsoft came out with a patch.

So it was several months later that the malware, this

attack vector really came out.

Um, and it was all of those organizations that did not

apply that critical, uh, patch.

And if, if, uh, if you were paying attention at all, you probably got

an email from Microsoft saying, you really need to patch this.

This, uh, this vulnerability.

Um, or you've got automatic patches turned off, uh, which is common too.

'cause a lot of organizations don't want to automatically apply

patches to production systems and have them reboot and cause issues.

But nonetheless, bad guys found a vulnerability, took advantage of it

several months after the fact even,

yeah And

and.

how many people were impacted

Well, um, not, not necessarily people, but sy well over 200,000 systems

were, were infected with WannaCry.

That's that's quite a bit that hint your comment earlier 200,000 people all crying

out at once Just like in just like in uh what do you call it Uh star Wars I I'm

Yes,

a Star Wars reference Um okay Alright but like and the thing is this is yet this

is one of many many examples of hacks of attacks that had the um uh victims of

the attack practiced basic cyber hygiene They would not have um been they they

would not have been victimized by this attack Does that sound is that about right

Good, good chance they would not have been a victim.

Yes.

Yeah yeah

The, the, the only, the only, the only caveat that is that Ry is one of those

ransomware malware that was also a worm.

mm

so as it infected a, a machine, uh, it's worm like behavior was what?

Uh.

What led itself to propagate in kind of an al alternative method.

So if you weren't vulnerable to the SMB with Microsoft, you might've been

vulnerable some other way that this, uh, this worm was able to compromise you.

Okay Okay yeah when when I think back on uh my history I I think back um to shit

um what's the name of the company The

The one that uh Thank you Thank you Thank you Um I think back to

the that was what two years ago

I think it was two years ago.

Yeah.

Yeah Yeah I think back to the Rackspace hack because that was one where again

it was a patch There was a patch to the vulnerability in Microsoft Exchange that

uh again had Rackspace simply applied that patch they would not have been uh subject

to this this particular attack And in this case there was um was a workaround

there was a there was a vulnerability And then there was a workaround to the

vulnerability while they were waiting on the patch But what happened is there was

a um an undisclosed a zero day additional vulnerability that if they had they

had applied the patch to fix the first the first vulnerability they would have

been they would not have been subject to the to the zero day exploit um But they

said to themselves uh this is my theory uh is that they said well we we put

in the workaround And so therefore the criticality of this patch was not um you

know it wasn't as critical And so they didn't put in the patch yet And two weeks

uh after the You know this exploit came out Um they they were attacked and that

cost them entire business line Right Um because they had to um they had to stop

and it there was a there was lawsuits It was it was it was it was very very messy

so let's talk about when we talk about uh cyber hygiene Um do you know do you want

to do you wanna just define that uh Mike

I will.

And if, if I could back up just a minute.

'cause you made a, a, a comment about mitigation, so we weren't

able to apply the patch for whatever reason, so we mitigated the risk.

Right

Well, something that I think is critically important for people to

consider when we talk about mitigation, and this comes from my, my audit.

My audit life, uh, where, where I had to go and determine if people were

following the rules, whether it was hygiene or we also called them, uh,

general controls or best practices.

If they weren't, then they had to demonstrate what they were

doing to mitigate the risk.

Presented by the absence of doing what we expected and the audit guidance and

what we would tell people and what people should consider is that your mitigation

strategy should be more effective.

Had you done it the right way to begin with.

Hmm

a

So if the control says, do one, two, and three, and you say, I can't

do one, two, and three, well, you better do 4, 5, 6, 7, 8, 9, and 10.

Your mitigation needs to be stronger than the original control or activity.

which

Interesting

But I guess in your experience, Mike, how often were people

able to meet that higher bar?

Well, if you were a regulated organization, you had to, or you failed.

Or, or I

Yep.

often would they just say four, five and six, seven are two difficult.

Let me just go back and implement one, two, and three.

Never, never did they do that.

Uh, so they either so and, and it, and.

With a grain of salt, obviously.

So I was, I was a technology auditor, so I was auditing it people, it people that

generally don't run the business, right?

They're being, they're given direction from the business of, you know, we

can't fix that thing because our website will stop working or it'll be down

too long, we'll lose too much money.

So businesses directing the technology, uh.

Um, you know, groups and, and infrastructure of, of

what they can and can't do.

And so when, when you talk to them about, well, you, you couldn't do

one, two, and three, so, because it'll break things or for whatever reason.

So what are you doing?

Well, we're doing four, five, and six.

Well, four, five and six are kind of, okay.

I'm gonna say that's maybe effective with opportunity for improvement.

Uh, or they, they, they're doing a whole lot or they're not doing

really anything because they.

They didn't know.

And so those are the really, the three options.

You, you fail 'cause you didn't do what you were supposed to

and you weren't mitigating it or mitigating it effectively.

You were mitigating it somewhat effectively, but I

think it could be stronger.

And that's from a, an auditor's perspective, there is that kind of, uh,

latitude where I can, I can add some.

Objectivity, um, or I say subjectivity.

Uh, and then lastly, wow, you, you really, you really are, you really do understand

that mitigation's gotta be stronger.

And, and, but that's, that's rare.

Very rarely did I see the mitigating controls more effective

than the, the original controls.

I'm glad that you you mentioned um the the the the the comment that you made

I is one that we make a lot from the opposite side and that is the backup

People should never be setting policy They should never be determining you know

retention periods uh RTOs and RPOs Uh you know that that should never be the

case That should always come from the business Um and so we we we say that a

lot and so it it's good to hear it just from a from a from a different uh frame

of view Um uh I don't think you ever got around to defining defining cyber hygiene

So cyber hygiene.

I mean, if, if we keep in, in our, in our, uh, in our discussions, we

keep coming back to the real world.

'cause I think that's helped, that helps people, uh, relate.

Uh, so applying real world stuff to cyber hygiene is very similar.

If you, if you're not.

Keeping or maintaining your own personal hygiene, you're gonna get sick.

Um, or, or people are gonna think you're sick, one of the two.

Uh, so in cyber there are things that you should be doing just

like in real, in real world.

Take your vitamins, go see a doctor, get your checkups, uh, do healthy things.

One, cyber, those, those.

Activities are making sure that your systems aren't vulnerable.

So, uh, inoculating them for, in, in, uh, kind of as a, an analogy there.

Uh, and we do that through patches.

Uh, so we, we subscribe to services.

If it's a Windows machine that do it automatically, if

you've got it turned on, um.

It and it will check your systems to determine if there's a vulnerable,

uh, configuration or a, a, a patch that's out, that, that would,

um, address a, a known problem.

Um, so patch management is very important.

Um, the other part of that is, well, who can access my stuff?

Uh, that's me obviously, and the people that I give access to my systems.

But then how do we know that it's really them because.

The number one traded commodity on the dark web web right now is

access, and that's credentials.

So how do we, you know, what's a good practice for making sure that

you know, someone that, that I trust, uh, that their credentials

aren't out there and someone's, you know, some bad guy's not using them.

So that's, that's where multifactor authentication

comes in, but very similar to.

You know, in the real world, vitamins and all these other healthy things, you have

to do it responsibly and appropriately.

And MFA is definitely one of those that I think the majority of organizations just

say we have it and they're not using it.

Right.

Um, and then lastly, you know, password management, um, probably, um,

appropriately at the bottom of the list.

Uh, it's still part of hygiene, but not as effective as it used to be 'cause.

You know, bad guys aren't trying to guess your password, they're just

stealing it from somewhere else, right?

Your, your work password is probably a password you've used somewhere

else at some point in time.

Well I

bad guys are just

Yeah but that but that's the point of of good Cyber hygiene Right Is

not doing that Right We're gonna get to I think we'll get to that in in a

right.

Yep.

So we'll get into the details of what, uh, what a good password

practice, uh, uh, would be, uh, similar to patching and, and MFA.

Mike, so these are three great sort of.

Things you should be doing from a cyber hygiene perspective.

Um, but how did you come up with this list, like right, or, I know

you and Curtis have been talking about this for a while, but like, why

are these the three most important?

Is it based on like scenarios you've encountered working with customers,

helping them recover from ransomware?

Like why should someone believe the sort of 90% of ransomware could be?

I can jump in on that one I mean it it's because it of the stories that

I've read over the last you know so many years it it was always it was always

one of these three right If if if they had just patched the system then they

wouldn't have the vulnerability if they had just either not allowed the password

to be stolen or if they had the if or or compromised in some way And then uh

if if if that had happened if they had just had MFA And you know in uh you know

what's the word I'm looking for Um if they if they were just using MFA then

then even if they had the password then they would've been able to get in Right

Assuming that you didn't have MFA fatigue by the employee?

But yeah we're we're gonna get to that We'll get to that But the the thing

is if if if they had these things when you when you read back on the stories

and I would add like because we're tech technically talking about cyber

hygiene here and not backup hygiene but I'll add to this Immutable backups

right If we have that if we have those four then um not only would you stop

the you know the bulk of the attacks you would uh also be able to respond

to the 10 that that you get Uh would your answer be any different there Mike

Oh, very similar.

So yeah, they, these three are the greatest common denominators, uh, of, of

a lot of the, if not the majority of, uh.

Incidents that are out there.

Uh, but to Curtis's point and maybe where you were going, Prasanna Yeah.

This list could get really long.

It's, it's, you know, it's not just these three and the backups, it's also network

segmentation and turning, you know, secure build guidelines and secure coding

and, uh, you know, perimeter protection and vendor management and anti-malware

and training and all those things.

Uh, but when you look at the numbers, uh, the statistics of incidents

that are out there and, and what.

You know what, how you boil those down to the common denominate.

Common denominators.

It's, it's primarily these three.

Because these are it's like this is to again going back to the real world this

is the um I This is the have in in the real world when we talk about investing

The very first thing they tell you to do is to have uh you know 90 days of

of an emergency fund And that should be your first thing because there's no

point in talking about like you know 4 0 1 Ks and Roth IRAs and all these things

if you can't survive uh you know losing a paycheck for a couple of weeks right

This is the um if you're not doing these Then just stop Like you know in the book

we said like if you're not doing these three things just stop reading right now

and go do those three things because it will stop 90 the other 10 like everything

else The other 10 is the is the hard part right It's the more expensive part

But doing password management and patch management and and MFA or um uh pass

keys which we'll we'll talk about that a little bit more but if if we do that

Then it it's it's a it's the low hanging fruit Um you know that that allows

us to secure the the environment um without without massive cost or anything

weird I I still hear your your fan

came back on.

Yeah it just came back on even though we have the noise reduction on

And there, there's zero change on my side, so there's no extra noise or anything.

And then it and then it just left

It's like a power surge or something.

I'm not sure.

I got nothing Um I So weird Um all right Well luckily it was me that was talking

so I could mute it out Um yeah so this this is like this is the if you're not

doing these things and don't it's like it's like when we start talking about

uh offsite backups there's no point in talking about offsite backups if you're

not making backups in the first place Right Right This is the this is the if

you're not doing these things and don't even talk to me Don't even start if you're

not doing basic cyber hygiene then um then there's no point in in continuing

on with with further discussions

Uh let's see here Um all right so I Let's just let's just talk a little bit about

when we talk about patching how do we know uh and we're gonna do an episode

on each of these things but just the basic thing what what do you think would

be the easiest That that's what cause that's what we're trying to do here What

would be the easiest way to make sure that we're running all of the appropriate

patches Mike especially the critical ones

It's, it's easy if you're organized and the first step in getting organized is

doing an inventory of the things that you have, because, you know, patch,

you have to work off your inventory to know who, who to get patches from.

Right.

Is it, is it.

Red Hat Linux.

Is it Windows?

Is it third party tools?

Adobe, uh, you know that 3D modeling tool?

You use AutoCAD?

What is it?

So you've gotta inventory all this stuff first and then find out if you can

actually get notifications from them.

For when patches are available.

Uh, if you don't do that on the proactive side, then you're gonna

get it on the reactive side.

'cause hopefully part of hygiene is also your periodic vulnerability assessments.

And if, if you need help with that, we can, we can walk you through some

free open source ways to do that.

But.

Every now and then you need to be scanning all of your assets for vulnerabilities.

That's gonna turn up some configuration problems, some missing patches.

Well then, alright, reactively, now I, well there's a missing patch

and usually it comes with a link from these vulnerability tools.

Uh, so go do that and while you're doing it, find out if there's a way

to subscribe to that information.

Um, so.

Easy.

It's not easy, but organi, and that's one of the reasons people

don't do it 'cause it's not easy.

Um, and there are tools out there that are fairly expensive to

do it in an automated fashion.

And then somewhere in between there's managed services and other

things, but it's gotta start with understanding what it is you have,

uh, and then figuring out where to get the information for available patches

and issues with those, those assets.

this is the hardest thing today versus back in the day right Back in the day I

could walk into a server room and I could I could literally just have a piece of

paper and check off I have this one I have this one I have this one Now we have

a We don't have any service to point at Everything's virtual Everything's in the

cloud And we have we have you know um IAS we have PAS we have SAS right We have all

of these different ways where uh and and I'd say the SaaS is probably the worst

because it's so easy to to propagate Um The you know to to go across the um the

thing and and you did you did remind me when we talk about inventory you did

remind me again back in the day We had uh when I was the backup guy my very first

job in it We had we had a very boring naming convention We had H-P-D-B-S-V-A

HP database server a right bbc so on And I ha I was I was becoming worried that I

wasn't getting all the servers cause we started out we literally when I started

at the bank we had seven Servers at T three B twos by the way for those you

know that's what we had which was for the record the first computer designed to run

Unix so they were old right Anyway so we went from having seven servers to having

like 200 servers and I was starting to panic that we We didn't have a correct

inventory And so um but the the naming convention was very helpful And so I had

this this practice of when you had a new server you had to give me a form to say I

want this server backed up And I put this thing on there that said don't consider

it backed up until you get the form back for me Signed that said that I saw the

form and I put it on the list And then one day somebody handed me a form and they

it said like H-P-D-B-S-V and I'm like And they're like yes I go so that would by by

you know my inference that means there's an M and an L a K somewhere And they're

like well yeah And I'm like I only know up to j So so I'm gonna go find K and l

and m and uh and we'll start backing all of them up I agree with you Mike A hundred

percent That inventory is absolutely the place to start And Prasanna you were

about to say something before I waxed up

No, it, that's actually a pretty funny story, Curtis, but I'm not surprised.

You always have all these great stories from working at the bank and other places.

But Mike, I know you talked about patch management, right,

and how to apply patches.

is there something similar for cases where maybe patches aren't available?

Like, it's great you have an inventory of everything that's there, but

how do you deal with sort of, um, exploits that are currently out

there before patches come out?

So those are zero days in, in most cases.

Uh, so zero day is something was identified today, and vendors haven't had

a chance to respond to that with a patch.

Um, well, and, and I'll add real quick, sometimes the patch that's

available becomes your zero day because it doesn't work in your environment.

Uh, and so along with patch management, you need to develop.

Process for testing the patch, applying it to a test machine to

see its effects on how things run before you move it into production.

So, uh, be mindful of that too, but to your point, Prasanna about things

that come up that don't have a, a fix, uh, those mitigating controls.

Like how do we, alright, so there in.

It does depend.

So is this a public facing thing?

Uh, do people log into it?

Is it a, is it a, you know, prized possession of our company

with, you know, sensitive data?

Or is it just that, that thing I could potentially turn off or isolate?

Um, so you've gotta do some analysis first, like what's

the risk, what's the impact?

And then respond accordingly if it's.

Publicly accessible internet facing.

Then put some monitoring on it, put some logging on it, try to isolate it.

Uh, those mitigating controls in the absence of a, uh, a true

solution have to be assessed and applied as fast as possible.

I like that Um

and

so

there, there are, there are services out there.

I ran into one not too long ago.

It's outta New Zealand and it's, I don't have a fix for this.

It's essentially a proxy.

So they, they stand up a uh, um.

An internet facing version of whatever it is that's fed from your environment.

And they analyze and filter all the requests for that information as a proxy.

Uh, and, and you can, you can subscribe to that until a solution is, uh, is applied.

So that was pretty interesting.

I did, I did see that.

Yeah that's that does sound interesting uh from the so that's the the patches

world and again we're gonna do an episode on each of these three Uh but that's the

patches world Let's talk a little bit about the passwords Um and and I think we

can all agree one some method Again I'm I'm a big fan of of password management

like a password manager But you need some method So you absolutely do not ever

use the same password in multiple places because that is the problem is uh I and

I got a I got a um I got in a argument is a is a strong term but I got into a

discussion with a with a guy on I think it was somebody that commented on one

of our videos and um where he was saying that he was using Uh this system where

he what he does is he he has a password that he uses on like a a small subset

of systems Like he has like 10 passwords that he uses everywhere And so his method

of like mitigating the risk is that he doesn't wanna use a password manager

He doesn't believe in using a password manager So he has like 10 passwords that

he sprinkles around and he just has to remember uh 10 passwords in his head um

and he uses the the battery horse staple method Um right which is which is a good

method right Uh for those of you who don't know what I'm talking about This is

the um the idea of what we're gonna talk more about I'm sorry It is just this idea

of having an password that is long but actually easy to remember because most of

the passwords that we have that are long are total garbly gook and they can only

be remembered by a password manager So he uses that method and then he has like

10 passwords and I was like well that's Again better than nothing better than

using the same password everywhere But if if there's avol if there if if any one

of those systems where you're using that same password are ever compromised then

you have to change the password everywhere where you're using that password And

potentially by the time you get around to doing it it's already been compromised

And um so this is just again my way to do this is password manager and I think

that's the number one most recommended way But besides making sure that we do

not use the same password in multiple places What else Basic uh password hygiene

stuff do we need to talk about Mike

Real quick, I think a good term for your, uh, your disagreement.

Uh, and it's an older term, uh, that, that you just don't hear

very often is a kerfluffle.

Careful

I think that's a good yes.

Uh, anyway, so back to back to passwords.

Uh, I think a good practice these days, especially as we suggest passwords

become longer and longer, and, uh, I don't know if, if, uh, if, if you

guys realize where that came from.

Uh, so it stemmed from the, the, the length of a password.

okay

How long

So a stem.

compute right?

So that's.

A combination of things, right?

So when, when Windows or, or Linux, Unix, uh, encrypts a password, uh, with,

you know, a ES 2 56 or whatever it is, there's a ma math, there's a mathematical,

um, response to how long it would take to crack a password of certain length.

Well, that's been defeated, uh, by a project called Rainbow Tables.

Rainbow tables just encrypts and, and captures the, the hash value

of every conceivable, random known dictionary, multiple languages.

And so it's not, I don't have to crack your password anymore, I just have to

take your password hash and go look it up.

And see if that's already been done.

So it's not a math problem anymore.

It's, it's a, it's a, it's a research problem.

All right, well then a vulnerability came out in, uh, with Windows.

'cause if you had, uh, um, NTLM, the, the hash in windows turned on, it would

take your password hash and break it up into two eight character hashes.

Well, now I can, I can crack them individually.

Instead of cracking one large, I can do two small ones.

And there's vulnerability associated with that.

So now we should have greater than 16 character passwords for that reason.

And, and it, and you know, I can drive policy now, it says it's gotta be 16.

Well, if it has to be 16, the IT guys that have not wanted to change the LTLM now

have to, they have to turn that off to, to generate, you know, and so there's.

It's political game, but also based on, um, some known

vulnerabilities around passwords.

Alright, well now we've got 16 character or greater passwords.

How are you gonna get users to remember that?

Password hackers are great.

Uh, password managers are great because it can also randomize passwords so

you don't have to remember it anymore.

You just log into your password manager and copy and paste.

Um, and so you, you don't have to remember it anymore.

And it can be random, which is also.

Helpful, but then not everybody can subscribe to that approach.

So they, they want these password phrases now.

And so some interesting things about password phrases, uh, and similar to

what Curtis was describing with, you know, having a root password and then

you know, something at the beginning and something at the end that's helpful,

especially if it's, if you want the same route password for everything, and then

you just change the front and the back depending on what you're logging into.

Uh, that can be troublesome though.

'cause as a bad guy, I just need two of those to realize that's a pattern

and I can just kind of guess, uh, what, uh, what, what your bank password

is if, if I don't have that already.

Um, so some things to think about.

Um, you know, if you're logging into your bank, maybe your past phrase is,

uh, I like getting paid on Friday, and then at the beginning or the end, uh,

you know, uh, and that makes me happy.

Or, you know, added emotion or add a, add a color that makes you think

of, you know, that emo it's blue.

Uh, I think that's calming, right?

Uh, and then, and then change up how it felt.

the way Mike I was gonna

Green.

Green is okay.

for for money

red.

So then, you know, do some substitution.

So instead of, you know, ease, use threes and capitalize, you know, the first

letter of a word or spell it backwards.

Um, I had a password and man, long time, 20, 30 years ago, uh, where it

was, I spelled everything backwards.

Um.

So there, there are some unique things that you can do with passwords.

You just have to figure out which one works for you, uh, and that

you can be consistent with it.

The password manager will also help you remember to, it's about time you've

been using this password for 10 years.

Now

Yeah

time to change it.

you if you do use it in multiple places right It was like Hey you you've used

this password elsewhere I'm I'm a big fan of password Brandon I know

Prasanna You have one right What

do, should we wait to talk about this on the

Yeah Yeah you're right You're right you're right Yeah Yeah All right So yeah

so basically the idea is the the the overall overriding concept is to not use

the same password anywhere Never use the same password twice And and if you're not

using some kind of system my method is password manager Um you know the the the

the one that you talked about Mike the the one where you append it and pre-end

it with with something and you have this core password that used to be my method

before I went to a password manager Um and the the you know and then there's there's

this these other ways to to have it but I I can't ima I have like 500 passwords

at this point right so I can't imagine um not having uh a password manager at

this point But so that's that's my way to do that But the core concept is you

cannot use the same password at multiple places And why is that Mike We we kind

of alluded it to it uh a few minutes ago

You remember, we call those coincidental passwords.

Uh, and and the reason you don't wanna use them in more than one place

is because you've gotta rely on the security of more than one thing to make

sure your password isn't compromised.

And when bad guys compromise one data set, they're gonna use that data set

across everything they can think of.

So if I've got one of Curtis's passwords and I know he has 500 accounts out

there, I'm gonna use that one password to try and log into 499 of those,

And especially

could be.

one username is your email address right So you so you already know my email

address and you go out there and you use the Password everywhere You know you

just you don't even need to know where I have the thing You just you just try

it All the places that you have access and you're and this is a numbers game

You're trying every every account that you have access to with every password

you have access to in every place that you have access to the the system Right

Um so yeah that's why we don't do it

Yep.

And, and how do you mitigate that?

by using the different password in every place Right

Well, well, how so?

What if, what if they guess what if they have a password?

You forgot you used 20 years ago and now there's an account that

that password's gonna work on.

How do you mitigate that MFA.

Oh okay I was I I should have known this answer Dammit Uh yeah So yeah so so MFA

uh you know is the final thing on our on our on our trifecta of of basic cyber

hygiene And I and I'll put MFA slash slash um you know pass keys which is like it's

like the next thing cause we'll as we when we talk about MFA We will mention that

MFA is not perfect Uh Prasanna's already alluded to it You know there's this thing

called MFA exhaustion There are there are other issues with it but let's just

start with what MFA is Um uh Prasanna why don't why don't why don't you define MFA

What is it you know and how does it work

Sure.

So with MFA, it's really, Mike said, someone might compromise your

password and so it's something you know and something you have, right?

And so that something you have piece is normally, say your

biometrics like a fingerprint.

It could be your face, right?

It could be a. Electronic token that gets generated periodically

or some other application, right?

That generates that such that you have a second factor, which previously was

called sort of two-factor authentication.

Right now it's multifactor in order to be able to say, yes, this really is me.

The most common one I'd say

I'd say the most common one is probably SMS Um it's definitely not the best

one uh but it's certainly the most common I think the most common use to

be email I really don't like email like in good better best It's barely good uh

because again if you uh if somebody's compromised your email account especially

if it's the email account that you use for everything right Um SMS is not as

good because SMSI think SMS is actually better today than it used to be uh it's

harder to do sim hacking today than it than it used to be uh at least in in

certain circumstances Um and then but then uh the I think the best one that

we have today that's available to pretty much everybody is uh an authenticator

type app You wanna talk about that Mike

Sure.

Uh, and, and those apps are generally free, uh, and, and don't require any.

Infrastructure changes.

There are some, uh, like duo, uh, that would require some licensing and set up

on the inside of, uh, your organization.

Um, but others like the Microsoft Authenticator app, uh,

Google has one, they're free.

You just get 'em in the play store.

And then whenever you want to register your multifactor with a vendor, a

lot of times there's like a QR code or a set up your account this way.

Um.

Similar to a password manager, you would log into your authenticator app and it

would show all your different accounts, uh, which you could revoke or delete if

you think that's compromised as well.

So you can manage it that way, but pretty, pretty straightforward.

And, you know, MFA, uh,

um, fatigue, MFA fatigue is a real thing.

It's more of a. It's just annoyance.

Uh, so you log into something and you, oh, I've gotta wait for my phone to ding.

Now what if, what if you don't have cell phone coverage or data,

uh, you know, wireless data?

Um, a lot of these authenticator apps also allow you to save.

Backup codes, um, things like, so there's, there's any number of ways

of, of using what works for you.

Um, the important thing is to figure out something other than email, um, for your

MFA if, if the, the account that you're wanting to apply MFA to will support it.

And Mike, I know on a previous podcast you sort of mentioned one of the

downsides with many websites, right?

Which have MFA, and then they sort of have the remember me

next time on this thing, right?

Right.

So it, it's, it's whether it's a website like, um, I don't know,

Amazon I was gonna

Amazon, right?

yeah

either one of those, there is a, remember, it's, it's, remember this device, um,

you don't want to do that because your MFA token is then stored in your browser.

And so now a bad guy just asked to get you to a position or a situation where I can

scrape that MFA token out of your browser if I already have your credentials.

The only thing I need now is your MFA token, and now

I can get into your account.

So

I was gonna say, so MFA good MFA has to come with good policy and good practice.

So the the the point of this episode here is just to just if you're not familiar

with any of those three things go get familiar Um and the best way to do that

is to uh log in next week and we'll cover each of these in detail Um but uh You

know the idea between behind MFA is that if somebody gets a hold of your password

they won't be able to log in because they don't have that additional factor

whatever it is whether it's SMS or or um you know an authenticator app or a token

right We'll talk about these more and and all of those and passwords and MFA have

limitations and those limitations are us right It's the human and that's why

I think pass keys is the better option As we move forward in the future and I

I've been rolling out Pasky uh in many places wherever I can Uh it I'm not sure

if if it's great for like the average Joe there it can be confusing Um PAs

keys can be confusing if you don't if you don't know what you're doing But um but I

Did you ever use iron keys?

Curtis?

Uh what's a iron key

So an iron key is a, it's a military grade USB, and uh, in it, it's

got its own, you know, TPM chip.

Its own encryption, its own password manager, its own MFA.

And if you log into it, I think it's 20 times wrong, it self-destructs,

it's got a little capacitor in it.

It like, it'll smoke, uh, and if you try to cut into it to get to the chips, it's

also got a sensor and will self-destruct.

Yeah

Yeah, it's pretty cool.

that, but doesn't surprise me that you probably have.

Um, but anyway, so the, again, this is meant to be an overview episode.

Um, and if some of this was, was confusing or frustrating or you

felt like we didn't go into detail enough, then just, uh, we're gonna do

three more episodes where we go into each of these, uh, in more detail.

but it just.

You know, start looking into these three things.

Password man, regular password management.

I'm gonna start with that Inventory, right?

Make sure you have an inventory of everything, both your physical, your

virtual, and your, and your cloud systems.

What,

Wait, you said

what?

You meant patch management?

Oh, did I say that?

Okay.

All right.

So again, uh, you know, summary here, we've got three things here, right?

Make sure you're doing pa uh, uh, patch management, right?

Uh, that some sort of automated system.

Uh, and, and we're gonna start with an inventory, right?

A physical inventory, a virtual inventory, and a, an a SaaS inventory

of your entire environment to make sure that you know what it is you're

supposed to be looking out after.

You're gonna have a good password manager and you're gonna have good.

Um, you're gonna have an MFA or you're gonna have a, a passkey based system.

Uh, because, uh, without these three things, no point in having, you know, like

looking into an EEDM or, uh, I'm sorry, EDM looking into A EDR or an XDR system.

Um, and, um, you know, or, or you know, any, any of the other stuff

that we're talking about because it's like looking into a Roth IRA if you

don't even have a savings account.

Right.

Um, so, With that, uh, any final thoughts, Mike?

Doing something's better than nothing.

one of these and

yeah,

do something about it.

absolutely.

What about you, Prasanna

Well, I think the three makes sense and hopefully everyone

is using a password manage.

There.

I'm,

I've got a story about password management.

Please, please,

we were doing a, a red team on a, a brick and mortar nationwide retail.

Sorry.

Yeah.

we save this for the actual password manager episode?

Yeah, maybe

Sure it is a password

besides

management.

it's so weird.

The, the, the, the thing came on there for about 30 seconds and then went off again,

and you don't hear anything on your end.

Nothing changes here.

It's completely quiet in this room.

That's so weird.

Uh, a, it's a, what do they call it?

It's ghost and Shell, um, all right.

Uh, all right.

that up is 'cause we're already at 48 minutes.

So,

Yeah, yeah, yeah.

Well, we're gonna cut, we're gonna cut some of this out pretty much

half the time that Mike talks.

We're just cut it out.

anyway.

All right, Prasanna Thanks.

Thanks for, uh, being here again as well.

Forever.

and look, see I shaved, just so you know.

Yeah, absolutely.

Absolutely.

Alright.

Actually, I, I don't know if anybody can tell, but I, I had

my, I had my beard trimmed.

I had a photo op yesterday, so it, my beard's all nice and trimmed.

So anyway, or as my granddaughter said, slay Um, and that is a wrap.

Why do I stop?

Okay.

Most ransomware attacks succeed for one reason, somebody skipped the

basics, patch management, password management, MFA or pass keys.

These three things, do those right and you stop roughly 90% of the attacks.

This week, Dr. Mike Saylor, uh, Prasanna and I walk through each

one, what it is, why it matters, and what happens when you ignore it.

Things like WannaCry, Rackspace.

These, uh, stories are all real, and the lesson is the same every time.

The basics weren't done.

You don't need a massive budget or a fancy security stack to stop most hackers.

You just need to do the boring stuff.

Here we turn admins into cyber recovery heroes.

This is the Backup Wrap Up

All right.

Um,

Welcome to the backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have a, with

me, a guy who apparently shaved last week and I didn't even notice.

Prasanna

Prasanna

Malaiyandi how's it going?

Prasanna

I am good Curtis.

Yeah.

Uh, my wife was very surprised after the podcast recording when

she was like, did Curtis notice?

of course, I. I texted you and you're like, no, or no, I think

No.

on the phone and you're like, no, what are you talking about?

And I had to send you a picture,

Yeah.

And, and apparently Mike, Mike didn't notice either, so I feel

somewhat better, but, uh, yeah.

So you, you, you've gone down to the goatee,

Yep.

um, and, um.

many, many years since I've done this.

Pre

I've seen a picture of you with the goatee.

Yeah.

Pre, yeah, yeah, yeah.

I think you should go back to your cut from college.

That's what I think.

The buzz.

The buzz cut.

Yeah.

Yeah.

I, I'd love to see you in the buzz cut again.

Walked away.

but, uh, anyway, speaking of buzz cuts, Dr. Mike Sailor, how's it going, Mike?

Going Good guys.

It's going good.

All right.

So he of course, is the co-author on, uh, uh, learning Ransomware Response

and Recovery, which came out last month.

Which, uh, do you have one with you now?

Did you, did you prepare this time?

I did not prepare this time.

me Mike I have yet I still don't have mine and I have yet to actually see the a

physical printed book even like a video of a physical printed book with with you know

The book is gonna be the size of the thing in your background?

Curtis?

yeah I I would dear Lord dear Lord I hope not And you know what's funny is like

in on the camera this thing looks fine but this is this is like this far back

from me right And so this thing is like I think it's 15 by 24 That thing is massive

Um so yeah I sure I surely hope not

For those

but

watch us on YouTube, uh, we do have videos out, but Curtis was just pointing at

the, what do you call it, the title page?

The front

It's the cover the front cover Yeah yeah yeah And uh available at uh

So or you can order them directly from O'Reilly for the record if you order

directly from O'Reilly Mike and I make more um So uh there's that All right uh

we're gonna talk so we're gonna jump into this week we're gonna talk about the title

It's gonna sound I I you know I never know exactly what the title's gonna be but it's

gonna be something along the lines of stop 90 of the ransomware attacks that could

possibly happen to you That's a really long title but um I I I you know it may

sound like a bold claim but I I think it's pretty straightforward And Mike uh I'd

like to start out this week What's that

before, you

Yeah

can I make a bold claim?

claim

A

please

That you can stop a hundred percent of ransomware if you

never do anything online.

Um

not, I think there's still some, some, some room there for infection.

sorry.

Well you know like if you if you if they do the um the drop you know the

the one that we covered in the in the uh what do you call it Um when we did

the MR Robot remember the drop USB stick

Oh, that's

Tchotchke drops.

Yeah What what's that

you win.

We call 'em tchotchke drops.

Tchotchke drops Yeah Yeah So even then um um but what what is this what is

this not do things online thing that you're talking about I don't know what

in the world Like I I don't even know

Like saying you can't get sick if you don't go outside.

Well, that's not true either.

yeah Exactly all right Mike well do we do you have a story to

start us out with this week I

I do.

Um, well man, there's so many to pick from, but, um, from the book,

you know, we talk about WannaCry.

Um, and similar to, to kinda what we touched on here, good hygiene

can prevent a lot of stuff.

And I think WannaCry is an example of bad guys identified of a

vulnerability that was out there.

They created a.

Uh, a payload and a, and an attack vector to take advantage of that,

realizing that, uh, there's a, a very large percentage of, uh, company and

organization populations that don't have a, a solid patch management program or,

uh, that it, it's pretty lax, you know, there's a lot of organizations that,

that say we have a patch program, but it's, you know, 2, 3, 4 months behind,

or it's gotta meet certain criteria and some things never get patched.

Well, that's what happened with WannaCry.

Well

found a vulnerability,

for those of us yeah For those of us that that you know haven't lived uh the

the cyber world Why don't you tell us what was want Tory What you know did it

did it make you want to cry Is that why it was called that And what you know

when did it happen and you know what

I was

I think there was about 200,000,

Yeah.

I.

200,000 people crying in unison,

exactly

uh, with WannaCry.

I was going to say Curtis, that because there have been so many of these

attacks over the years, it's also hard to keep like, which keep it straight

in terms of like which one was which.

Yeah Yeah So why don't you tell us the story of WannaCry Mike

WannaCry, uh, was developed, uh, to take advantage of a vulnerability in

SMB or a, uh, a Windows, uh, service.

Um.

That had a patch.

So Microsoft came out with a patch.

So it was several months later that the malware, this

attack vector really came out.

Um, and it was all of those organizations that did not

apply that critical, uh, patch.

And if, if, uh, if you were paying attention at all, you probably got

an email from Microsoft saying, you really need to patch this.

This, uh, this vulnerability.

Um, or you've got automatic patches turned off, uh, which is common too.

'cause a lot of organizations don't want to automatically apply

patches to production systems and have them reboot and cause issues.

But nonetheless, bad guys found a vulnerability, took advantage of it

several months after the fact even,

yeah And

and.

how many people were impacted

Well, um, not, not necessarily people, but sy well over 200,000 systems

were, were infected with WannaCry.

That's that's quite a bit that hint your comment earlier 200,000 people all crying

out at once Just like in just like in uh what do you call it Uh star Wars I I'm

Yes,

a Star Wars reference Um okay Alright but like and the thing is this is yet this

is one of many many examples of hacks of attacks that had the um uh victims of

the attack practiced basic cyber hygiene They would not have um been they they

would not have been victimized by this attack Does that sound is that about right

Good, good chance they would not have been a victim.

Yes.

Yeah yeah

The, the, the only, the only, the only caveat that is that Ry is one of those

ransomware malware that was also a worm.

mm

so as it infected a, a machine, uh, it's worm like behavior was what?

Uh.

What led itself to propagate in kind of an al alternative method.

So if you weren't vulnerable to the SMB with Microsoft, you might've been

vulnerable some other way that this, uh, this worm was able to compromise you.

Okay Okay yeah when when I think back on uh my history I I think back um to shit

um what's the name of the company The

The one that uh Thank you Thank you Thank you Um I think back to

the that was what two years ago

I think it was two years ago.

Yeah.

Yeah Yeah I think back to the Rackspace hack because that was one where again

it was a patch There was a patch to the vulnerability in Microsoft Exchange that

uh again had Rackspace simply applied that patch they would not have been uh subject

to this this particular attack And in this case there was um was a workaround

there was a there was a vulnerability And then there was a workaround to the

vulnerability while they were waiting on the patch But what happened is there was

a um an undisclosed a zero day additional vulnerability that if they had they

had applied the patch to fix the first the first vulnerability they would have

been they would not have been subject to the to the zero day exploit um But they

said to themselves uh this is my theory uh is that they said well we we put

in the workaround And so therefore the criticality of this patch was not um you

know it wasn't as critical And so they didn't put in the patch yet And two weeks

uh after the You know this exploit came out Um they they were attacked and that

cost them entire business line Right Um because they had to um they had to stop

and it there was a there was lawsuits It was it was it was it was very very messy

so let's talk about when we talk about uh cyber hygiene Um do you know do you want

to do you wanna just define that uh Mike

I will.

And if, if I could back up just a minute.

'cause you made a, a, a comment about mitigation, so we weren't

able to apply the patch for whatever reason, so we mitigated the risk.

Right

Well, something that I think is critically important for people to

consider when we talk about mitigation, and this comes from my, my audit.

My audit life, uh, where, where I had to go and determine if people were

following the rules, whether it was hygiene or we also called them, uh,

general controls or best practices.

If they weren't, then they had to demonstrate what they were

doing to mitigate the risk.

Presented by the absence of doing what we expected and the audit guidance and

what we would tell people and what people should consider is that your mitigation

strategy should be more effective.

Had you done it the right way to begin with.

Hmm

a

So if the control says, do one, two, and three, and you say, I can't

do one, two, and three, well, you better do 4, 5, 6, 7, 8, 9, and 10.

Your mitigation needs to be stronger than the original control or activity.

which

Interesting

But I guess in your experience, Mike, how often were people

able to meet that higher bar?

Well, if you were a regulated organization, you had to, or you failed.

Or, or I

Yep.

often would they just say four, five and six, seven are two difficult.

Let me just go back and implement one, two, and three.

Never, never did they do that.

Uh, so they either so and, and it, and.

With a grain of salt, obviously.

So I was, I was a technology auditor, so I was auditing it people, it people that

generally don't run the business, right?

They're being, they're given direction from the business of, you know, we

can't fix that thing because our website will stop working or it'll be down

too long, we'll lose too much money.

So businesses directing the technology, uh.

Um, you know, groups and, and infrastructure of, of

what they can and can't do.

And so when, when you talk to them about, well, you, you couldn't do

one, two, and three, so, because it'll break things or for whatever reason.

So what are you doing?

Well, we're doing four, five, and six.

Well, four, five and six are kind of, okay.

I'm gonna say that's maybe effective with opportunity for improvement.

Uh, or they, they, they're doing a whole lot or they're not doing

really anything because they.

They didn't know.

And so those are the really, the three options.

You, you fail 'cause you didn't do what you were supposed to

and you weren't mitigating it or mitigating it effectively.

You were mitigating it somewhat effectively, but I

think it could be stronger.

And that's from a, an auditor's perspective, there is that kind of, uh,

latitude where I can, I can add some.

Objectivity, um, or I say subjectivity.

Uh, and then lastly, wow, you, you really, you really are, you really do understand

that mitigation's gotta be stronger.

And, and, but that's, that's rare.

Very rarely did I see the mitigating controls more effective

than the, the original controls.

I'm glad that you you mentioned um the the the the the comment that you made

I is one that we make a lot from the opposite side and that is the backup

People should never be setting policy They should never be determining you know

retention periods uh RTOs and RPOs Uh you know that that should never be the

case That should always come from the business Um and so we we we say that a

lot and so it it's good to hear it just from a from a from a different uh frame

of view Um uh I don't think you ever got around to defining defining cyber hygiene

So cyber hygiene.

I mean, if, if we keep in, in our, in our, uh, in our discussions, we

keep coming back to the real world.

'cause I think that's helped, that helps people, uh, relate.

Uh, so applying real world stuff to cyber hygiene is very similar.

If you, if you're not.

Keeping or maintaining your own personal hygiene, you're gonna get sick.

Um, or, or people are gonna think you're sick, one of the two.

Uh, so in cyber there are things that you should be doing just

like in real, in real world.

Take your vitamins, go see a doctor, get your checkups, uh, do healthy things.

One, cyber, those, those.

Activities are making sure that your systems aren't vulnerable.

So, uh, inoculating them for, in, in, uh, kind of as a, an analogy there.

Uh, and we do that through patches.

Uh, so we, we subscribe to services.

If it's a Windows machine that do it automatically, if

you've got it turned on, um.

It and it will check your systems to determine if there's a vulnerable,

uh, configuration or a, a, a patch that's out, that, that would,

um, address a, a known problem.

Um, so patch management is very important.

Um, the other part of that is, well, who can access my stuff?

Uh, that's me obviously, and the people that I give access to my systems.

But then how do we know that it's really them because.

The number one traded commodity on the dark web web right now is

access, and that's credentials.

So how do we, you know, what's a good practice for making sure that

you know, someone that, that I trust, uh, that their credentials

aren't out there and someone's, you know, some bad guy's not using them.

So that's, that's where multifactor authentication

comes in, but very similar to.

You know, in the real world, vitamins and all these other healthy things, you have

to do it responsibly and appropriately.

And MFA is definitely one of those that I think the majority of organizations just

say we have it and they're not using it.

Right.

Um, and then lastly, you know, password management, um, probably, um,

appropriately at the bottom of the list.

Uh, it's still part of hygiene, but not as effective as it used to be 'cause.

You know, bad guys aren't trying to guess your password, they're just

stealing it from somewhere else, right?

Your, your work password is probably a password you've used somewhere

else at some point in time.

Well I

bad guys are just

Yeah but that but that's the point of of good Cyber hygiene Right Is

not doing that Right We're gonna get to I think we'll get to that in in a

right.

Yep.

So we'll get into the details of what, uh, what a good password

practice, uh, uh, would be, uh, similar to patching and, and MFA.

Mike, so these are three great sort of.

Things you should be doing from a cyber hygiene perspective.

Um, but how did you come up with this list, like right, or, I know

you and Curtis have been talking about this for a while, but like, why

are these the three most important?

Is it based on like scenarios you've encountered working with customers,

helping them recover from ransomware?

Like why should someone believe the sort of 90% of ransomware could be?

I can jump in on that one I mean it it's because it of the stories that

I've read over the last you know so many years it it was always it was always

one of these three right If if if they had just patched the system then they

wouldn't have the vulnerability if they had just either not allowed the password

to be stolen or if they had the if or or compromised in some way And then uh

if if if that had happened if they had just had MFA And you know in uh you know

what's the word I'm looking for Um if they if they were just using MFA then

then even if they had the password then they would've been able to get in Right

Assuming that you didn't have MFA fatigue by the employee?

But yeah we're we're gonna get to that We'll get to that But the the thing

is if if if they had these things when you when you read back on the stories

and I would add like because we're tech technically talking about cyber

hygiene here and not backup hygiene but I'll add to this Immutable backups

right If we have that if we have those four then um not only would you stop

the you know the bulk of the attacks you would uh also be able to respond

to the 10 that that you get Uh would your answer be any different there Mike

Oh, very similar.

So yeah, they, these three are the greatest common denominators, uh, of, of

a lot of the, if not the majority of, uh.

Incidents that are out there.

Uh, but to Curtis's point and maybe where you were going, Prasanna Yeah.

This list could get really long.

It's, it's, you know, it's not just these three and the backups, it's also network

segmentation and turning, you know, secure build guidelines and secure coding

and, uh, you know, perimeter protection and vendor management and anti-malware

and training and all those things.

Uh, but when you look at the numbers, uh, the statistics of incidents

that are out there and, and what.

You know what, how you boil those down to the common denominate.

Common denominators.

It's, it's primarily these three.

Because these are it's like this is to again going back to the real world this

is the um I This is the have in in the real world when we talk about investing

The very first thing they tell you to do is to have uh you know 90 days of

of an emergency fund And that should be your first thing because there's no

point in talking about like you know 4 0 1 Ks and Roth IRAs and all these things

if you can't survive uh you know losing a paycheck for a couple of weeks right

This is the um if you're not doing these Then just stop Like you know in the book

we said like if you're not doing these three things just stop reading right now

and go do those three things because it will stop 90 the other 10 like everything

else The other 10 is the is the hard part right It's the more expensive part

But doing password management and patch management and and MFA or um uh pass

keys which we'll we'll talk about that a little bit more but if if we do that

Then it it's it's a it's the low hanging fruit Um you know that that allows

us to secure the the environment um without without massive cost or anything

weird I I still hear your your fan

came back on.

Yeah it just came back on even though we have the noise reduction on

And there, there's zero change on my side, so there's no extra noise or anything.

And then it and then it just left

It's like a power surge or something.

I'm not sure.

I got nothing Um I So weird Um all right Well luckily it was me that was talking

so I could mute it out Um yeah so this this is like this is the if you're not

doing these things and don't it's like it's like when we start talking about

uh offsite backups there's no point in talking about offsite backups if you're

not making backups in the first place Right Right This is the this is the if

you're not doing these things and don't even talk to me Don't even start if you're

not doing basic cyber hygiene then um then there's no point in in continuing

on with with further discussions

Uh let's see here Um all right so I Let's just let's just talk a little bit about

when we talk about patching how do we know uh and we're gonna do an episode

on each of these things but just the basic thing what what do you think would

be the easiest That that's what cause that's what we're trying to do here What

would be the easiest way to make sure that we're running all of the appropriate

patches Mike especially the critical ones

It's, it's easy if you're organized and the first step in getting organized is

doing an inventory of the things that you have, because, you know, patch,

you have to work off your inventory to know who, who to get patches from.

Right.

Is it, is it.

Red Hat Linux.

Is it Windows?

Is it third party tools?

Adobe, uh, you know that 3D modeling tool?

You use AutoCAD?

What is it?

So you've gotta inventory all this stuff first and then find out if you can

actually get notifications from them.

For when patches are available.

Uh, if you don't do that on the proactive side, then you're gonna

get it on the reactive side.