Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Mastering Cybersecurity: Strategies, Predictive Solutions, and Simplifying Protection for Businesses with Bala Ramaya
Unlock the mysteries of cybersecurity and learn to navigate the complexities of compliance with expert insights from Bala Ramaya, CEO of ISSquared. This episode takes you on a journey through the evolving world of managed service providers, shedding light on how IA Squared transformed itself into a cybersecurity force. Bala not only shares the company's bootstrapped origins but also reveals strategies for overcoming talent shortages and optimizing cybersecurity investments. Discover the delicate balance companies must strike between cost and security, and why choosing the right solutions matters more than you might think.
Imagine a world where cybersecurity threats are not just anticipated but predicted with revolutionary precision. Our conversation with Bala Ramaya takes a turn into the future with StarWatch, an innovative platform that merges system health with security data for predictive event analysis. We tackle the tough challenges that big corporations face, from managing B2B relationships to navigating the evolving Cybersecurity Maturity Model Certification. It's a revealing look at the threats lurking in the shadows of our increasingly connected world, from IoT vulnerabilities to the potential impact of quantum computing on encryption.
For small businesses, cybersecurity can seem like a labyrinth of confusion, but it doesn't have to be. Wrapping up our discussion, we lay out a straightforward approach to keeping your business data safe. We examine the critical role of layered security, the necessity for third-party testing, and the often-overlooked importance of cloud service configurations. Bala's expertise offers a compass to guide small businesses through the security maze, ensuring they can defend against the ever-growing threats in the digital landscape. Join us to arm yourself with the knowledge to protect your most valuable assets in the cyber world.
Support the show - Call 877-468-2721 or visit https://petronellatech.com
Please visit YouTube and LinkedIn and be sure to like and subscribe!
NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.
Support the Show
Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:
- YouTube PetronellaTech
- YouTube Craig Petronella
- Podcasts
- Compliance Armor
- Blockchain Security
- Call 877-468-2721 or visit https://petronellatech.com
Hello everybody, welcome to another episode of Cybersecurity and Compliance with Craig Pacinello. Obviously, no needs, no introduction. Craig is here, of course I am here, Blake, as always, and we have a special guest from IAS, squared Bala. Please introduce yourself.
Speaker 3:Hello folks, I'm Bala Ramaya, ceo of IA Squared. We are a cybersecurity MSSP company. We also have a number of products, very specifically around identity and access governance. We do a lot of work pre post events. We help our customers manage their identity posture. We use our products where the customers don't have a solution or we are open to supporting the solutions that the customers have.
Speaker 1:Tell us about the journey of IS Squared and how you guys evolved into an MSP and MSSP.
Speaker 3:So IS Squared. I started the company in 2010. And I used to work for an enterprise and pretty much my entire journey has been working for the enterprises. I was an identity and security architect a global architect in a pretty large biotech company, and I had certain product ideas that I wanted to bring it to market and that's how the company was formed in 2010. I quit and I started IA Squared and we are completely bootstrapped company. We didn't go for any funding or anything like that.
Speaker 3:So we started off doing consulting work in the security and the identity space and we use those funds to fund the product development. So it was basically slowly evolved over the last 14 years or so in building this particular set of products and as we built the products, we also built the consulting and the managed services arm. And as we got customers aboard in the enterprise mid space, we found that the cybersecurity requirements were changing and evolving pretty rapidly. So we expanded the portfolio of services that we actually gave to the customers and we split the services that we actually gave to the customers and we split the services that we provided into MSP and MSSP with specific focus for the cybersecurity. We basically brought in a CISO who took care of the security side, and then a completely separate person who took care of the infrastructure side of the business. So that's how we are actually structured. We basically have a separate arm that takes care of all the security-related stuff and a separate arm that takes care of the non-security stuff.
Speaker 1:Fair enough. What are some of the biggest challenges that you guys faced as an MSP, MSSP, and how does IA Squared address those to the customers?
Speaker 3:There are two aspects, I think, from a management of infrastructure and security are critical from a customer perspective. One, availability of talent, which is difficult in today's market because the need for cybersecurity has grown so much that everybody wants the top talent and everybody cannot get the top talent and yet there is certain budget into which you have to actually play in. And then, because of the requirements, the landscape, with the number of vendors who are bringing products, is constantly evolving. So one year one vendor, you have the best product. The next year, someone else basically becomes the best product and you can't keep changing best product. The next year, someone else basically becomes the best product and you can't keep changing the product.
Speaker 3:So it's a fine balance that the customers have to go through to keep things under wrap, provide the best security for the business, and what we have seen is the customers are starting to think towards hey, how can I actually get the best bang for the buck?
Speaker 3:And in that case what we are seeing is the customers are trying to do more architecture and more design and higher level work and keeping it within the house and then trying to outsource a lot of the operational activities that are repetitive tasks or tasks that can be shared across people to someone like an MSSP, so they basically get the best of both worlds From a costing perspective. Also, what we are seeing is customers who actually don't have a need for presence of people to be in the US not on the DoD side or on the non-governmental side. They are looking to run their 24 by 7 operations on a 24 by 7, companies that can provide 24 by 7, follow the Sun model to keep their costs down. So those are all some of the things that the customers are doing today to get the best bang for the buck and to provide better security for what they can, given the budget constraints and the people constraints.
Speaker 1:Yeah, they sound like pretty complicated challenges, as always.
Speaker 2:How do you balance Go ahead, no, go ahead. I was going to say how do you balance the pressures of price versus giving them the right solution, Because obviously you can't always have the best or lowest price and offer the highest security.
Speaker 3:Yeah, from an mssp perspective, the advantage that we get is one from a software and hardware side, sourcing. So when we are basically doing the msp model for a number of customers, we buy licenses in volume and we basically get better discounts, so those discounts can be passed on to the customers so we are able to basically reduce the cost if the customer has to go and buy it by themselves. That's one. Two, and one of the reasons why we are building our own products is because then we actually get the cost advantage because we own the product. So we basically again bring the cost there because we own the product, so we basically again bring the cost there.
Speaker 3:From a people perspective it's one half dozen other. The cost is pretty much the same whether you go with us or with someone else, because you are still going to source the people from the US. You're going to pay the same amount. But we also have offshore options and from a US perspective, we also have an option of hiring people in Guam and some of those places where the costs are a little bit more competitive in terms of people who are US citizens. So we basically allow putting these three things into the equation to keep the cost for the customers down. Having said that, unfortunately security is not all about reducing the cost. We ought to be very careful that we don't bring wrong solution to the customer so we don't cut corners in bringing wrong solution to the customer. So we are careful in not pitching the MSSP as just a cost proposition. It is about what we can actually provide as a value chain to the customer at the end of the day.
Speaker 1:Yeah, we find that it's challenging to balance an off an offensive strategy versus a defensive strategy. So you obviously, as an MSSP, have to coach your customers that, hey, you need to be proactive here to do things to develop and grow your business, but then you still need to have some form of defense. You know, obviously a football team cannot win with an all offensive team or an all defensive team, and that is a huge challenge that we've noticed ourselves personally.
Speaker 3:You are absolutely right and enterprise customers are a little different than the SMB, are a little different than the SMB, are a little different than the midsize customers and when you traverse across the spectrum, the understanding of what the needs are are drastically different. If I take an SMB customer, the difference between a backup and a DR their thought process is different than explaining a backup and a DR to an enterprise right? A lot of people think that if I take a backup, that's my DR strategy. They expect right. Or some people think that if I have a DR, then I don't need backups.
Speaker 3:So you absolutely bring up a good point that it's always not offensive, it's also defensive strategy. We try to explain to the customers hey, even if you have all the tools in the world, you could still get hacked and most likely you will get hacked. How quickly can you recover when that hack happens? That's important. How quickly can you identify that you are in middle of an event is critical. So when you put a strategy to the customer, it's not just about the fact that how can we protect you, it's about the fact when the event happens, how quickly can you recover and how can you actually reduce the blast. Radius is as important as not getting hacked itself. So those are all the things that we actually work with the customers when we are giving them a solution for cybersecurity. We noticed those are good points go ahead.
Speaker 1:Oh, I was right, I was thought you were. Um, uh, so yeah, we've noticed a lot of our listeners are kind of small to medium-sized businesses that are essentially trying to to play-doh their own cyber security. Um, so if you could literally reach directly out to small business owners and our listeners, right, and you could give them kind of a strategy, a map or advice. To you know, obviously, reaching out to somebody like you or us, vice versa, but it takes, it takes companies to get there. Obviously, there is a huge part of the market that doesn't want to come off as ignorant or negligent, whichever you prefer to use to event. You know you have to a lot of brands, a lot of companies have to suck up their pride before they make contact with a brand like yours or ours before they say, hey look, I am not compliant, I am not doing the right things. It takes a lot to get there. So, um, if you could say something to that audience, I mean so, um, don't try to boil the ocean from a security perspective.
Speaker 3:Don't, don't try to boil the ocean from a security perspective. Sometimes security is not just about how much money and how many tools you are spending. Some very basic stuff that you can do to protect, to start with is what we tell the customers patching, changing the default passwords on the devices and laptops, rotating the passwords, using long password chains these are all some things that the small businesses can do without spending a dollar on additional security products when you go to the products. Antivirus, basic web hygiene. Training your regular employees on the cybersecurity is very critical. Something like Ninjio, which basically creates small, bite-sized cybersecurity training modules it's four minutes modules and we actually do this every week, even within our company that everybody has to take the training, everybody has to go through these four minute modules, and we keep repeating this week after week after week on small topics phishing, sphere phishing or whatever that might be but at the end of the day, it basically starts recording into everybody's brain that, hey, before I click the email, should I really click this link? Is the email coming from the right person? These are some of the basic stuff which is not that expensive to do. It's where you actually start. You don't need to spend millions of dollars in building a big strategic infrastructure to protect your environment. So these basic stuff is where I would actually start for the small businesses.
Speaker 3:Don't share the passwords. Create individual accounts for people, admin passwords. Put it in a vault, right. You don't need to buy a big solution for the vault. Just take an open source key pass and store it there, right. So these are all some of the things that everybody should be doing.
Speaker 2:You know. Well said. Tell us about your Fabulix solution. Well said.
Speaker 3:Tell us about your Fabulix solution. So we started looking at Fabulix somewhere around 2011. And this is when everybody was trying to move to the cloud. We felt that cloud was a great solution for workloads that can be moved to a centralized location. But there are still going to be workloads that basically have to stay on-prem, and the examples that I can give you is manufacturing, utilities, oil and gas, construction. They need to have certain amounts of workloads that basically needs to be behind the firewall, in a segregated environment, and you need to run this particular piece of infrastructure and you needed the same cloud flexibility to run the infrastructure. But you wanted it behind the firewall, not connected to the external world. So that's where the Fabrics comes in.
Speaker 3:So we actually have built an HCI solution which comes in multiple flavors.
Speaker 3:We actually have an edge.
Speaker 3:So where we actually go and deploy it in buildings which can be shared with the tenants within the building, and then it is connected to say, with the tenants within the building, and then it is connected to say, the AWS or the Azure, if you want to actually have a DR or a backup plan, or to our centralized what we call it, the hub and the core, which is again connected to the AWS or the Azure for allowing you to migrate workloads between on-prem and off-prem as you need.
Speaker 3:So that's where the Fablix comes in. It's basically a suite of products which consists of hardware, software and it's basically our infrastructure management platform. It has its own ticketing system. It has a cloud management console. It basically has an HCI stack where storage, compute network. It comes in different flavors 25 gig backplane, 100 gig backplane, 400 gig backplane, depending on what you need and we actually have our own carrier division which basically brings the last mile connectivity into the box. So you basically write an SD-WAN network on the backplane to connect your remote sites into your centralized hub. So that's Fabrics in a nutshell.
Speaker 1:Wow, seems like you guys just literally just capitalized on the huge need that was out there. And we kind of brought it all together.
Speaker 3:Yep, that's pretty much what we are trying to do and we are actually getting very good response from customers. Now that the customers are trying to segregate their manufacturing plants because of some cyber events that happened a few years ago with a lot of companies in the IoT space, it's basically bringing back the need for some secure compute environment behind the firewall, which is not connected to the web.
Speaker 1:I'm curious for you to talk a little bit about your external identities and government, like your EIAG platform, which is I mean I'm going to speak to a lot of our audience here.
Speaker 3:So a lot of focus over the last couple of decades was actually given to the internal employee, contractor type identities. How do you manage the lifecycle? How do you basically get them into the system, give them access whether it is birthright access or eliminating them when their attributes change, like when they move from one department to the other? How do we basically give them new access to new applications or remove access? But there was a gap where you still had a lot of vendors, suppliers, distributors, who would come in into your environment or applications using, potentially, their accounts.
Speaker 3:So if I'm a vendor who wants to work in a large company, the large company would have to actually consider me and create an account for me on their internal network and treat me like an employee for all practical purposes, and HR in that company didn't want to deal with my account because I was not paid by a W-2 or a 1099. So there was a need for these types of accounts that need to be managed and we saw, we started seeing that the customers were struggling with how do we handle these accounts. There were custom solutions that were being built. Federations made it easier for these applications to be plugged in. But then, once you were federated these identities when they went out of scope in their company, did not go out of scope in the other side, because the other side never knew that these people don't no longer work in their source company.
Speaker 3:So there was a lot of gaps in the grc space. So that's where the eieg comes in. The eieg basically provides a framework for the customers to be able to onboard, manage, recertify and off-board people who are not part of your organization, who do not come in directly using a W-2 or a 1099, but they are more of a B2B type of relationships, who are controlled by contracts managed by the business directly, not by the IT, not by the HR. So it basically tries to automate all those things, tries to integrate that into your internal identity platform, if you have one, or else it integrates into our identity platform for provisioning, deprovisioning, into the targets identity platform for provisioning deprovisioning into the targets.
Speaker 2:Wow, very cool.
Speaker 1:Sounds like a pretty awesome little solution.
Speaker 2:Yep, okay. So what about CMMC? Do you guys do anything with the new cybersecurity maturity model?
Speaker 3:certification for the defense industrial base. We are working on putting a solution for the customers to get to that. We are not there yet. Things are rapidly evolving in that space. From an IS Quiet perspective, we don't have a lot of customers who are in the federal space. We are more on the commercial side of the customer. So for us from a focus perspective, that is not a primary focus that we are in, but we have gotten pinged with a few customers because of our Go-On presence. They are looking for those solutions. So the CISO is actually working on putting a solution together for that okay are there certain?
Speaker 2:verticals that go ahead. No, sorry, go ahead, I was going to ask you if you had a, I guess, pick top three verticals of your specialty. What would they be?
Speaker 3:um, we are very deep in pharma, healthcare sector. I would say that's number one, two would be financial and number three would be manufacturing. So we do a lot of the IT, ot integration, operational technology, those types of systems. So we have a pretty deep understanding of that. So how do we marry the IT requirements to the OT requirements? We do a lot of work around it.
Speaker 1:Okay awesome, something that sticks out to me, and obviously I was doing a little bit of homework before you came on. An interesting product that I think was very cool is Starwatch. I noticed you didn't mention it. You didn't mention it when we first started talking, but I was like why are you not talking about this?
Speaker 3:it is a product. That's because, um, there are some we are working through some patent slash legal stuff around the star watch platform. It's not fully out yet that's the reason why I didn't want to talk a whole lot about it, but but since you brought it up. Let me give you a little bit of a flavor of what we are trying to do with the platform.
Speaker 1:The cat is out of the bag.
Speaker 3:Yeah, cat's out of the bag. Exactly Without going into the specifics, that's a platform that is going to bring the system health, system performance and system security data all together and perform analytics on the data correlated between system performance, health and security and do predictive event analysis and do predictive event analysis. So what we are trying to get to is be able to predict certain events that are going to happen, given certain data elements that we are seeing combined together with performance, health of the system and security. So, for example, if we see that there are too many logon events and the system performance has changed, say, about 10% over the last two hours, and we see that there are certain types of event IDs that are getting gendered I'm just getting a very, very high level overview then we will be able to predict that this potentially could be correlating the event that there is a lower performance events that are specific to login ID onto a database or onto a directory server or something like that. Hey, is there something wrong going on? So we will be able to correlate that based on oh, but this event was exactly the thing that happened yesterday. Same thing was happened day before.
Speaker 3:So we'll basically bring all that data together and then give you a score saying that, hey, the potential that this is an event security event is 90%. So you want to go take a look at this. Or we can actually say you know what? This is more of a network event. So you have a performance problem, you have to increase the memory or processor or whatever. So that's StarWatch. So we are going to watch through, gather all the analytics, and what we are going to do is we are basically creating pods across the internet where we are going to gather data based on what's happening on the internet and be able to say, hey, we saw these types of events happening in one part of the world and we saw the same event happening after two hours in this part of the world. So something is moving. So we will be able to do predictive analytics on. Okay, some event is happening. So can we actually protect the customers based on events that are moving across the parts of the globe? Moving across the parts of the globe?
Speaker 1:Does it not only act as a forecasting model but also like a threat detection and prevention, so like, let's just say, for example, it does pick up on an odd event? Does Starwatch, then what? Communicate a message to the systems administrators to say, or does it actually put measures in place to keep that event from continuing to happen?
Speaker 3:So right now we are working on passive mechanisms rather than aggressive mechanisms. So basically, what we will do is, if we see certain events happening, certain threats happening, we are working. Let me give one example with like IPSs, where we can actually change the policy to protect the customer, or with firewalls to protect the customer or to notify, but what we are not doing yet is to go and attack the vector from where this event is happening because of a lot of legal implications of that. So it's more of a defensive mechanism, but predictive, not an offensive mechanism. So that's where we draw the line right now.
Speaker 2:So I guess what's different about your vision of this solution? Because I've seen solutions that exist like that today. So what's different from your perspective?
Speaker 3:So the goal of this would be to actually have central solutions, central intelligence created across which can be shared between our customers. But I mean, there are things that are already there that we are leveraging, like threat databases and stuff like that, and the idea would be to reduce the number of events that actually happen before it actually happens. That's our goal, that's where we want to be. We want to be more of a predictive company than a response post-incident response company. So that's pretty much where the Star Watch is going. And what we are trying to do is we are trying to not only correlate just the security events. We are trying to correlate performance and system events with the security events and try to do correlation to see, hey, when there is a security event, what type of performance hit do the networks take, or what type of performance hit do the networks take, or what type of performance hit do the systems take? Can we actually correlate the data to reduce the amount of time of exposure of an event and recovery of a breach? So that's where Starwatch is going.
Speaker 2:So is one of the focal points forensic analysis to maybe help with a breach were to happen, or is it more on the front end? Yes, yes.
Speaker 3:And we are working on some. I would say I don't want to throw the word AI, as you have seen that I have not actually used that word, but that's the catchphrase of today but basically, at the end of the day, these are algorithms that need to be written and that's what we are actually working on in the backend.
Speaker 1:Obviously, during development of this product, you guys are obviously probably using mass amounts of data, ingesting tons of data, to create results. So, yeah, I'm assuming, during that ingestion process, you guys are probably seeing new types of threats that maybe be that maybe haven't you know existed, or maybe like new, uh, new types of breaches, new types of attacks. Um, is there anything interesting that you guys have seen during this ingestion process that you can speak about? Of course, I noticed you're biting your tongue a lot.
Speaker 3:So let me just keep it. Yes, we see a bunch of stuff when, basically, we are coming through a bunch of stuff, when, basically, we are coming through A lot of new tactics and a lot of new, I would say, change in the attack vectors themselves. What is being attacked is also changing. We are actually seeing it. Just as an example, right, the voice platform is actually being now heavily used because everybody is using MFA, so everybody's going after MFA now, right?
Speaker 3:So those types of changes are some of them, space, because most of the IoT unfortunately, the IoT devices and OT devices that were built were built for a purpose of doing, not connected to the internet, so they are completely open and these are systems that control manufacturing, systems that were built to perform certain things and it is not easy to just rip and replace these things. These are controlled, these are certified and those are places where we are actually seeing the threats are moving to attack those. Because those are open, it's easier I would call it Apple to catch at the bottom of the tree, right? So those things, we are actually seeing a lot in what we see. Of course, we strip out a lot of the specifics before we put that into the model, because we don't want customer data privacy. There's lots of other things, but yes, you are right, we are seeing interesting stuff.
Speaker 1:Amazing and, as far as the evolution of cybersecurity, this is something that we always ask our guests about. We had a previous guest that talked about oauth breaches, you know, which is something like that nobody really talks about. We had another previous guest that talked about the um, the actual security infrastructure on on airplanes, which, again, is something that nobody's talking about. So, in terms of the threat evolution within the next decade, how do you see these breaches changing?
Speaker 3:that I can actually bring up a topic about what just happened to one of I can call my friend. Recently their car was stolen from a lot and the car was stolen because they could actually simulate the signals that were coming between the car and the key fob and they could basically coming between the car and the key fob and they could basically break into the car. Yeah, craig has that device.
Speaker 2:Craig was that you no, but, as you know, we are a cybersecurity and pen testing company, so that is one of the things that we help companies with. But go ahead.
Speaker 3:Yeah, so I think, with everything having some digital component that is actually being built on and a lot of it being used, whether it is Bluetooth or infra or any of these um I would say near um distance communication mechanisms, which are a little bit more open than, say, a wifi or or or 5g, 6g, whatever you want to call it Um, that is going to be a lot of be a lot of cyber events that are going to happen here, because you are talking about regular people who probably don't have a lot of tech savvy. It's day-to-day users, right, and it's easier to con that system than, potentially, you and me. I'm not saying that I'm never going to get conned. Probably there is going to be.
Speaker 3:It also depends on human emotions, what state of mind you are in lots of things that goes in when someone is basically getting hacked, but this type of events are actually going to become a lot more prevalent in the next couple of decades. My worry is um self-driving cars or self-driving modes of transport. What happens if a bad actor takes over? Do we really need anything else to cause havoc?
Speaker 1:so you saw, saw the Netflix show Me and Craig were talking about it the Netflix movie or whatever with Sandra Bullock, where the self-driving Tesla you see that and they hacked the. You saw that.
Speaker 3:Yes, I did not see that movie, but I have seen some horror trailers of that because I was involved in 2010, I think, yeah, somewhere around 2010 when we were actually trying to integrate an application using Bluetooth to communicate with the car and to be able to bring things on the dashboard. That was my first work with integrating phones with the cars. So that time we were like, how do we secure this communication? Should we build a PKI certificate based private keys? We went through a lot of things, but then there was also ease of use from a. You cannot make it so tech heavy that the end users cannot use it. So there's like a lot of give and take that you actually have to work through. But yeah, that scares me.
Speaker 1:Something that scares me is obviously, like I remember TVs, for example, used to be like, um, you know, tvs, for example, used to be like crazy expensive. Like you know, you used to be able to get like the nicest TV for like 3000, $4,000. And you're like, cool, I got a TV. But now those same TVs, uh, like six or seven years ago, eight years ago, are now like 300, 400. And so, you see, the cost to produce technology is going down.
Speaker 1:So, in relatable to our industry, um, that, that technology, uh, savings. Right, if we whatever we're going to call it the the value is, as the technology is evolving, it makes, uh, it makes uh, access to hackers, like access to hackers, like access to equipment, access to technology, more obtainable. You know, like 20 years ago, like nobody would be able to get into a car but the flipper, you know you could buy it on. I probably shouldn't have said it out loud, but you know people can buy it on Amazon, right, you know, and you know it's 150 bucks, or I think it's even cheaper than that, now 120. You know, and you know it's 150 bucks, or I think it's even cheaper than that, now 120.
Speaker 3:Um, so this, this technology, is getting cheaper and becoming more accessible, and then that's what scares me so the other thing that I can actually um think of right now is um, I know that quantum computing is still in its very infancy stages, but it is not a myth anymore.
Speaker 3:There are quantum computers that are available and today's encryption technology that we take it for granted is going to protect us most likely is going to go away overnight when, at some point in time, quantum computing becomes available to the masses.
Speaker 3:Right, and that's probably five, 10 years, depending on how much effort is being put in and how much money is pumped into that system. But it is going to become available one day or the other. And what we walk with 4096-bit keys today, which we feel are one of the most secure and it's going to take many years to break is probably going to become many minutes to break, become many minutes to break. So post-quantum encryption is slowly starting to get a feet to stand on and I think that's going to be one of the most critical things that at least the financial industry and the industry which has a lot of intellectual property to protect is going to spend time and money on that. They are not sure if I can use the word naked stand naked on the street on the day, when it happens. I think that's another thing that scares me, because when that day comes, and if you are not ready, it's going to be a problem.
Speaker 2:Yeah, I would agree with that too. It's mind-boggling to me that banks still think that 128-bit encryption is strong, and it's also mind-boggling and unsettling that why can't we just keep increasing that strength Because it's trivial to do, you know, typically in situations to extend the bit length, I mean, if the, like you said earlier, you know the average user is really oblivious to the rabbit holes that we go down. But you know we put or at least you know people put a lot of trust in these vendors that they kind of take that headache away. Right, but I think that there needs to be more pressure on the vendors to take security more seriously and hire companies like us to do the testing on their products. You know one of the big fears that I have is satellite security and blockchain security, and you know you brought up quantum computers. You know one of the big fears that I have is satellite security and blockchain security, and you know you brought up quantum computers. You know that obviously is a big issue. So there's all these big issues, but but it it does boil down to the people that are making these products and offering these things to market.
Speaker 2:Like the guy. What was the guy's name? Saggy or soggy?
Speaker 1:I mean. I mean, what was the guy's?
Speaker 2:name, uh, saggy or soggy, oh yeah. Yeah, I mean, I mean I'm scared to fly right now. I mean it's like, it's like so you know, but but like the everyday user doesn't see the stuff that we see and they're not exposed to it like we are. So you know, it's kind of like out of sight, out of mind, I guess I. But but yeah, anyway, I guess guess my point is that I feel like there should be constant elevation of security, not just like, oh well, we'll just keep 128 bits, we're a bank, we're secure. We've been this way for three decades or whatever. Yeah, almost three decades now.
Speaker 1:I think banks are some of the worst that we've dealt with because they have so much oversight right. They're handling everybody's money right Mostly everybody's money.
Speaker 2:Well, look at what happened with the bank that hired us to do that huge test. Yeah, yeah Scary.
Speaker 1:It's scary what I did.
Speaker 1:Well, not just you yeah, yeah, what what what I went through uh uncover yeah, what I went through was very scary, um, but, but as technology evolves too, like I was just thinking in my mind, like by the year like 2100, like our kids will be able to build their own satellites and launch them. You know like, like lego builds your own satellite kit, you know like, or you'll be able to get a quantum computer on on amazon for 200, you know. And yeah, sometimes it's scary and depressing to think about the future and I think about.
Speaker 3:yeah, about 50 years ago, 50, 60 years ago 8088 was used to launch a satellite and now we are walking with like supercomputers for that age in our pockets these days, if you compare right, um, yeah, it's. It's like I remember that I started with a, the computer, where I had to actually add extra math processing processor and memory and I had to load. I mean, I started with loading the DOS image from a floppy disk five and a quarter floppy disk. Dos image from a floppy disk five and a quarter floppy disk, right. So, and and one point, when 1.44 meg disks came in, it was like revolutionary for me. Whoa, I can store one and a half megs.
Speaker 1:Yep, I remember my dad used to have this real estate company and this was right when floppies evolved. But the period before floppies, youies it goes to show you how old I am. But there was a big little vinyl disc. It was really flimsy. It was the size of a record that would slide into the side of the computer. Yeah, that was. How old have we?
Speaker 3:changed.
Speaker 2:Yeah, I grew up on the 8086. 8088, the quote-unquote portable, first portable laptop computer. That was about 100 pounds and it was, uh, you know, green screen and two, five and a quarter inch drives on it.
Speaker 1:Yeah, yeah yeah, I don't, I don't think we have much yeah yeah. I was just gonna say, we should probably wrap up was there anything that you feel like we didn't touch on that um that you'd like to to pass to our audience?
Speaker 3:no, just just from a cyber security point of view, I would just say this first do the basics before you start trying to spend money. It's a lot of times common sense items that we actually do and tend to forget could protect you pretty well before you don't need a lot of budget. I'm not saying you don't need budget, but start with the basics. Don't don't start with. I want a flashy tools. Tools will come and go.
Speaker 2:We like to say and also sorry, just want to interject one thing off of what he just said. I think a lot of people make things more complex than they need it to be too. I mean, back in the day, you know admin system administrators, you know it would be horrifying to allow the user local administrative rights right, and I feel like that kind of got real slack, slack with everything, slack with security, slack with loaded code, all of it. My point is that back in the 90s, you know, a system administrator would only give the user access to what they absolutely needed to have access to to do their work and nothing more, and they could not install anything. And I would say that that is not normal nowadays or not common, where I would say most companies don't do that. Most companies give most people, especially small businesses, full access to everything and it creates a nightmare for security.
Speaker 2:And I think it just all boils down to what I've said for many, many years now it's a layered approach, multiple layers, not a single system or hardware or whatever to buy. You have to do a layered approach, you have to train your people and blend the people, process and technology together and if you have a weak point, like we found with the bank, it was a people issue. They had plenty of money, they had plenty of budget, they had good equipment, but they didn't have the right people watching it and configuring it properly, so they had gaps and exposures. And if you don't do the third party testing on you know your systems across all of the above people, process, technology and the layers you're going to have gaps that you're not going to realize and you're going to have exposure. And if you simplify your environment, you simplify your systems and you simplify everything and distill it down to just what your people have to have access to to do their job. It makes everything easier and I do.
Speaker 1:Go ahead, please.
Speaker 3:Sorry. I just want to add one more point to what you just mentioned. Ever since people started moving to cloud, especially on the small business side mid-size the idea behind the cloud was to make it easy, simple, right. What has happened is the businesses. It has made it simple absolutely. What it has also done is anybody with a credit card a company credit card can actually go and buy stuff off the cloud, and it has created a lot of shadow IT which ID doesn't know. Something that you don't know you cannot protect. That's one problem. Id doesn't know Something that you don't know you cannot protect. That's one problem.
Speaker 3:Number two is people think that anything on the cloud is secure by default. Hey, it isn't the cloud, it's secure. No, it's not. It is secure from an infrastructure perspective, from a cloud provider perspective. They have security measures, but if you are bringing a server up in the cloud, you still need to follow your security best practices to secure that server. If you put an RDP port on the server open and open it to the internet and not put a firewall in front, it is going to get hacked. It's not an if it will. So those are some of the things that the small businesses think, and it's not that they don't want to do it, it's just that they feel that it's just the hype that something was created, that everything is secure by default, is not true something was created.
Speaker 2:That everything is secure by default is not true. Yeah, I think that's absolutely true. I think people think that, oh well, I'm with Microsoft or I'm with Amazon and I'm secure, but they don't realize that they still need to have the same talent and expertise to properly configure that environment. And one could argue that even they might need even more talent and expertise because they have more controls, more dials, more setting, and we've been hired to do forensics and investigations for business email compromise and different kinds of cases like that. And they were using Office 365 and they absolutely did not properly secure it.
Speaker 2:And the point here is that you have all of these things at your fingertips, that you have all of these things at your fingertips and to your point, val you know could be other people's fingertips that you may not be aware of, that are making these changes and you're not aware of it or your team's not aware of it. And now you have exposure and you have gaps. So it's just, in my opinion, super important to have an outsider, third party, trusted vendor do testing regularly to show you and show the C-suite. Hey, look, yeah, you guys are doing a great job here, but you might need to have some improvement here in other places.
Speaker 1:I think and this is a vast oversimplification, but there's three questions you need to ask yourself from a cybersecurity and forensics perspective what data are you collecting, how is that data being transmitted, collecting, how is that data being transmitted and where is that data being stored. And if you can look at those three things from a magnification lens, or if you could blow up how all that works. And if you can't do it, of course you can reach out to any of us. But if you can answer, do it. Of course you can reach out to any of us. But if you can answer those three questions, then you are going to be making steps to securing your business. Alright, guys, I think we're wrapping up here. Reached our time cap here. Thank you so much for the opportunity.
Speaker 3:It was good talking to both of you. Thank you so much, we'll see you was good talking to both of you, thank you so much.
Speaker 1:We will see you on the next one, I'm sure Sure.