kindsey@kirkham.it, davin.chitwood@irontechsecurity.com, info@webpossible.net
#

Back to videos

How to Create an Ironclad Cybersecurity Posture & Why

What’s an IronClad Cybersecurity Posture? Here’s what you can learn:

  • Hacking Today & Tomorrow
  • Who are the Hackers?
  • Common Cybersecurity Myths
  • Information Security vs. Information Technology
  • Cybersecurity Fundamentals
  • The Most Critical Security Layers
  • NIST Cybersecurity Framework

Prefer to read? (Transcription)

TOM: Welcome, everybody. My name’s Tom Kirkham. I am Founder and CEO of IronTech, and today we are going to talk about 3 easy and inexpensive things to make your cybersecurity ironclad. You will get some valuable information to take away from this. You can go to your IT people, and we’re going to talk about that also during the program today, how there’s a natural fundamental conflict of interest with IT and security. But nevertheless, talk to any other security company and say, “I need this, I need this, and I need this,” because it’ll be the 3 things you need to put into place.

Kindsey – hi, Kindsey.

KINDSEY: Hi.

TOM: Kindsey has put some links into chat, and one of those is the security assessment. We will do a free high-level security assessment for your organization. It’s pretty painless, it’s less than 1 page of questions, practically do it verbally and give you a good idea of what these 3 things and maybe other suggestions that we have, what it’s going to cost, how it’s going to protect you, how it’s going to lower your risk, and really get you a good idea.

Even if you don’t use us, that’s fine. It’s free. I would encourage everybody to sign up for that. We’re doing assessments even as we speak, and we’ve got a lot of them underway. So the sooner you get signed up for one of those, the better. We can slot you in and get it done quickly. We’re doing these webinars constantly, and more and more every week, so take advantage while we’re still able to slot people in there. Get on that. It won’t cost you a thing and you’ll learn a lot more about it.

If you’re on this webinar, you obviously are worried about security, so get an assessment. Did I take care of all the housekeeping, Kindsey?

KINDSEY: There’s really no housekeeping other than just the chat box and the Q&A buttons at the bottom. If you do have any questions throughout the webinar, feel free to throw them in there.

TOM: Yeah, thank you. Chat, Q&A. I keep an eye on that, Kindsey keeps an eye on that. With that said, let’s go.

When we look at the numbers of ransomware, especially – that’s your number one threat. 2 out of 5 SMBs or small businesses have fallen victim to a ransomware attack since ransomware’s been out there. We’ve seen it with our own clients. Not as much anymore. We see it now, but it’s not successful. But the ransomware payments themselves have more than doubled just from the third quarter of ’19 to the fourth quarter of 2019. They’ve gone from $41,000 to over $84,000 just in that one quarter. I don’t know what the numbers are for 2020 yet, but I promise you it’s increased even more, and these attacks are growing at more than 350% annually. This is by far the biggest single threat for most every organization out there.

If you’re in businesses with intellectual property and maybe government, you’ve got other things you have to worry about. But most businesses, the big threat is ransomware. They’ve changed it, too, now, where they’re not just unencrypting – let’s say you decide, “I’ve got a good backup. I’m just going to restore everything from backup and not pay the ransom.” Now they’ve added another twist on it where they’re actually retrieving the data that they’ve encrypted and now they’re holding it hostage to not release it publicly. So if you’ve got customer or client or patient information, you may think you’re out of the woods if you’ve got a good backup, but you’re not. They’re going to still want a ransom for them not to release it.

One of the questions I hear is, “How do I know they’re going to unencrypt my files or do what they promised to do?” If they fail to follow through, their business model is destroyed. That’s one of their codes. It’s customer service. They want to do what they say they’re going to do, or else no one would ever pay the ransom in the first place. So generally speaking, the data gets unencrypted if the ransom is paid. In fact, it’s a mistake on their side, a glitch occurred, if the files don’t get unencrypted. I promise you it’s not done intentionally. These threats are growing exponentially every year.

One of the things that is a big help is to classify the hackers. If you know who’s attacking you or who might be attacking you, then you know what defense to put into place. If you’re a military and you know that your foe has real strong air support, then you know you’ve got to have a real strong defensive missile system, and so forth and so on. If they’ve got a real strong navy, then you need a real strong offensive submarine and other capabilities to do torpedoes and things like that. We do the same thing in cybersecurity.

One of the groups you have to worry about is organized crime. This is a multi-trillion-dollar business worldwide, and that’s trillion with a ‘T.’ It is bigger than the worldwide illegal drug market. Think about that. It’s much bigger than that. In fact, if it was a nation, it would be in the top 10 of GDPs worldwide. It’s bigger than Australia’s GDP and a lot of other countries. Not sure about California. That’s not a country, but California we know has a big GDP – bigger than most countries, actually. At any rate, it’s so big that they’re vertically specialized.

Think about the medical industry. You’ve got registered nurses, you’ve got LPNs, you’ve got hematologists, oncologists, neurologists, neurosurgeons, rheumatologists, orthopedic surgeons, gastroenterologists, radiologists. You think about all these different specialties. When you get a test done, you’ve probably got a phlebotomist or maybe an x-ray technician or MRI, whatever they call them, and then – say it’s an MRI. Then it goes to a radiologist for review, and in turn, the radiologist results and their interpretation of the imaging then goes to whatever specialist ordered it, and then it may go back to your general practitioner.

In the criminal cybersecurity world, there are people that specialize in doing nothing but sending ransomware attacks out. There are people that specialize in doing nothing but exploiting server backdoors. There’s people that are specialized in doing nothing but building software kits of hacking tools to create a ransomware attack. So it’s very, very specialized across all types of threats. It really takes a while to wrap your head around how big this threat is, from all sorts of things, not just ransomware.

It’s not some guy just doing it to be fun. There’s people that have literally made hundreds of millions of dollars and have completely retired from the industry after they buy themselves a private island. Criminals. And probably buy another passport or two, buy a private island or move wherever and change their name and all of that stuff, and that’s what you’re dealing with when you’ve got a big successful ransomware attack.

These people are generally in countries that are untouchable, so to speak. It’s going to be former Eastern Bloc countries – Russia, China, North Korea. That’s where they’re located. But you’ve got to keep in mind it’s a huge, huge industry with tens of thousands of bad guys out there. The organized crime is in it strictly for the money.

The next group that you really need to be aware of – if there’s anybody with a water utility on the webinar, you do have some issues with nation-states because a lot of the attacks from nation-states are there to create chaos and political unrest, and one of the things they do is attack critical infrastructure – electric grid, gas valves, water utilities, wastewater, and this, that, and the other. They’re called APT groups because they generally are advanced persistent threats. They don’t want to be detected on the network until they’re ready to create the chaos, and even then sometimes they’re not discovered.

In the case of China, they’re well known for stealing intellectual property. They’ll break into companies that have really key critical intellectual property, and they want to stay on the network undetected as long as they can. They may be on that network for 5 years, gathering intel. They get new intellectual property all the time. That’s why they’re called advanced persistent threat groups. But it’s primarily China.

In the case of North Korea, they do the chaos stuff, attacking critical infrastructure, and distribute ransomware because they desperately need cash, U.S. dollars. Iran, they do some ransomware stuff now, but they also do the chaos stuff and the typical government type cyber warfare.

Even the United States is considered one of the cyber – well, it’s not criminals, but they are an actor. They’re a cyber actor, a threat actor in the worldwide stage. We attacked Iran’s centrifuges with an advanced persistent threat technical tool that resisted detection. It spun their centrifuges up real fast and it reported back to the guys in the control room that they were operating normally when in fact they were spinning way beyond their operational limits, and they were self-destructing. And they had no idea.

Additionally, that threat was deployed even though the facility itself was air gapped. It was not in any way attached to the internet. The NSA, CIA, and Israel – we were cohorts with Israel on this – managed to get it into the facility.

So yes, there’s about 30 nations that wage cyber warfare for political, economic, military, and commercial objectives. Of course, we all know about Russia trying to influence the elections and things like that.

Let’s talk about insider threats. There’s tow types of insider threats. One is malicious and the other is non-malicious. The malicious one is pretty self-explanatory. Disgruntled employees, former employees, anybody that has or did have access to the network, if they’re unhappy and want to commit felonies and create havoc, you’ve got to worry about them.

The other one is a little bit trickier, and we’re going to talk about a way to fix this on the 3 things. Don’t forget your notepads. Take these notes down. The non-malicious insider threat is from someone unknowingly or unwittingly executing a ransomware attack. The vast majority of ransomware comes in through email. You may think, and you’ve probably seen, very poorly worded emails, bad grammar, misspelled words. It’s very obvious that this is suspicious. But let me tell you, they have upped their game in continuing to improve, and some of the stuff is so good it can fool even a security expert like me. And I keep tabs on this. I love to see how good they are getting.

If you take that, you take a typical ransomware attack and make it part of a spear phishing campaign where they know a little bit about your company, then they can really scam or con job their way into your organization and get someone unknowingly opening up an Excel spreadsheet and triggering a ransomware attack. Antivirus does not detect those because there is no virus. We’re going to get to that. Stick a pin in that. We’re going to get to that in another slide.

Then finally, the rest of it is lone wolves and other malcontents. Lone wolves are especially important to me because I got a visit from the FBI about 4 years ago and they said, “Congratulations, Mr. Kirkham. You are on an ISIS kill list.” It wasn’t a group. It wasn’t everybody in my town. I’m not part of the military. I have no reason to be on any terrorist kill list. But yet I was.

It was a lone wolf, an American sympathetic to ISIS, who hacked into an old social media database and sent it to the United Cyber Caliphate, which is ISIS’s cyber warfare arm, and bam. Here’s 9,000 United States citizens that we’re just going to create chaos, totally random. It kept the FBI busy all across the country for however long it took to notify everybody that was on the list, the 9,000 people. It was just merely a lone wolf trying to get street cred with ISIS. Could’ve been Al Qaeda. It could’ve been North Korean sympathizers or Russian sympathizers. Could’ve been anybody.

That’s a lifetime sentence for me. Just because ISIS is beat down, doesn’t mean all this is going away, because another lone wolf that could be right here, homegrown, in my hometown, might be sympathetic to ISIS – and there has been a couple, a husband and wife team that was actually arrested here because they were sympathetic and terrorists threatening with guns at a shopping mall. They could’ve easily taken this ISIS kill list and said, “I know this guy.” It’s not like I’m the most famous person in town, but a lot of people know who I am and where I’m at and everything else. It would be nothing for them to kill me just to get street cred with ISIS. They’d put them on an airplane and start training them in the middle of the desert. So this is a serious thing that can happen to anybody. Totally random.

Let’s take a look at some myths. That’s one of the myths, by the way. It can happen to anybody. There’s no such thing as being too small. In the grand scheme of things, I am nothing. There’s billions of people in this world, and it was totally random. And that’s the way ransomware attackers work. They get a list of 10 million emails. They don’t care who you are. They don’t know who you are. They’re just playing a numbers game. They’re going to blast out 10 million emails worldwide and see how many people fall for it.

If you’re extorting $50,000 for ransom, you want $50,000 to unlock the files, it doesn’t take many people out of 10 million to be a substantial amount of money. Now, they take it a little bit further and they can automate and find out how big the network is. How many endpoints are on this network? If there’s more than 100 – let’s say it detects 1,000 endpoints on a network – they’ll change the ransomware from say $50,000 or $5,000 to $200,000 or $2 million. You see these headlines about hospitals getting held ransom for $2 million, or cities for $10 million. That’s one way that happens.

It could be the ransomware attacker themselves, that they’re directly attacking cities of certain sizes. You never know. But if I were to create a ransomware attack, I would go out and say, “Tell me how many endpoints on this network” and automatically adjust the ransom. And then I would say, “Double it every day and give them 5 days, and then nothing. If they don’t pay, it’s all gone. Done. Totally encrypted.”

And it’s all automated. These attacks that we see coming into our clients’ networks happen hundreds of times a second. If you plug a computer directly into the internet – no router, it’s just getting an IP straight from your cable company – it’s only seconds. Within seconds, that computer is being probed for vulnerabilities. And it’s not like there was some guy in Russia that saw, “Oh, Tom just plugged his computer into the network. Let’s go see what he’s got!” No, they’re using automated tools that are seeing things light up constantly, and they’re hitting tens of thousands of IP addresses at once. It’s done at scale. So there’s no such thing as being too small or being unknown. They don’t care. They don’t care how small you are, they don’t care who you are. All they want you to do is execute the ransomware attack.

I hear this: “Our data is not valuable.” I don’t usually hear this from businesses, but I hear it from individuals. First of all, I don’t care who you are, your data is valuable and you have things you keep private. A perfect illustration of that is the credentials for your online banking. You keep that private. You’re not going to give that to me. You’re not going to give me your credentials to your email account. If you did and your email gets compromised and somebody’s got access to your email, how do you reset your password at your bank? They send you an email.

I would be an advanced persistent threat on your email and try to figure out where you bank, do a password reset, delete that message before you see it, and then get into your bank account. Then maybe I can do an ACH or do a wire transfer or whatever, as quickly as possible, flush the funds out. So you have things you want to keep private, or at the very least things you want to save. Maybe it’s pictures of grandchildren or children. Maybe you’ve got decades of family photos that you want to get unencrypted because it got held for ransom. So even individuals need to be aware of all these different things.

Another myth I commonly hear: “Cybersecurity is too expensive.” It’s not you can put Fortune 100 technology into your business. I guarantee you it’s affordable. It is surprisingly affordable. You just have to get it from people that know what they’re doing. It’s not available to everybody. You can’t buy this stuff off the shelf. I can’t buy it from Amazon. You can’t buy it at Office Depot or Staples. This stuff is generally sold only through security companies like IronTech. It includes IT companies as well.

Another myth I commonly hear is “Antivirus is good enough and that’s all there is.” It is not. In fact, antivirus is about one step above useless. Remember I told you that ransomware does not have a virus. There is no antivirus that can detect a malicious threat that doesn’t have a virus. The stuff we use, and other security companies use, is in a different class. I hate to even compare it to antivirus, but it’s like super turbo deluxe antivirus.

It uses artificial intelligence and machine learning to look at the behavior of the computer itself and detect anomalies, unexpected behavior, that is executing real time that is not normal and then stops it. It doesn’t have to know what the threat is. It just knows that this action is not normal. It’s not normal to open a spreadsheet that calls the Windows encryption service, and it freezes it right there on the spot. There’s no virus there. It’s an Excel macro, Excel spreadsheet, and it’s the Windows encryption service.

And if you’re doing a good job with privacy protection, you’ve encrypted your hard drive. It’s the same executable. It’s the same program that you use to encrypt your data. For good reasons. So there’s no virus to detect. You can’t say “Let me know every time the encryption service runs” because if you’re encrypting your disk – if the computer’s on, it’s encrypting. It’s running.

Another myth I commonly hear – I just added this one to the slides, by the way – “We survived a ransomware attack” – however you did it. It doesn’t matter. You restored from a backup or you paid the ransom. “Thank God that’s over with.” Oh, no, no, no. They are deploying multiple malicious viruses, trojans, and other things at the same time. Remember how I said they were vertically specialized? Let me give you an example.

I’m doing a ransomware attack and I’ve already got the email list and I built the program, I got my Excel spreadsheets. I’m ready to send it out. Oh, wait a minute. I think I’m going to deploy some keyloggers to all the workstations, and all the servers I find, I’m going to put a backdoor. So I run my ransomware attack, distributing the keyloggers on the workstations and the backdoors on the servers and collect all my money, and before I go buy my island, I’m going to sell that list of servers with backdoors on them to another individual or criminal group, a syndicate, that specializes in exploiting server backdoors. Maybe the nation of China.

Then I’m going to sell the keyloggers list of workstations to groups or individuals that specialize in exploiting keyloggers. And keyloggers, in case you don’t know, record keystrokes. Remember your online credentials? A keylogger just grabs those. Then you interpret the data and now you’ve got access to the online banking without anybody even knowing. So I’ve got another revenue source while I’m on my island.

So if you’ve been hit with a ransomware attack – in fact, we have yet to go in to a brand new client that had previously been a victim of ransomware that we did not find something else on the network that they had no idea had been there for months. And sometimes it’s months or even years before those are exploited. They just sit there. They are a persistent threat just waiting on somebody to exploit.

And then finally, the biggest myth – not the biggest one, but an important myth, and this is important to learn and we’re going to go a little bit more into it – oh, I forgot to put my little “busted” things up here. Myth busted! All right, we’re busting all the myths here. Finally, the last one is the “Cybersecurity is an IT issue.” It is not. IT is a component. Cybersecurity, when you look at – I used the medical industry. The IT business has got all these specialties, but cybersecurity specialists aren’t under the medical industry, they aren’t under the IT business. They actually, for an analogy, would belike a lawyer, maybe. They’re in the security business first.

We have to think about things like physical security. Who has physical access to these computers, these industrial control systems, these SCADA devices? What are the vulnerabilities? What human beings are vulnerable to being exploited or conned into giving up access to these computers, servers, and industrial control systems? We have to think about things like that. IT doesn’t necessarily have to. It’s not their job.

A security company is always going to do forensics. After the attack is over and the business is back up and running and everybody is getting their work done and they’re productive and all this kind of stuff, security companies go in after the fact and always, always do post mortems. It’s like “Why did this airplane crash?”

Just like airplane crashes and train crashes and space shuttles blowing up, there’s usually three or four or five things that all together allowed this to happen. We want to go through, put the pieces together, and see where something broke. It was either an administrative process, a technical tool that failed to protect everything, or a human being fired it off. Why did the training not work? We want to know all those things so we continuously fine-tune not only the technical tools we use, but more importantly the administrative policies and procedures. These are called administrative controls in our business. So you’ve got to remember that it’s not an IT issue because you’ve got to be security focused first.

So it creates conflicts of interest. If I made your computer system 100% bulletproof – and I can do it, the IT side of it, just simply by unplugging and removing the power and taking it off the internet. But guess what? It doesn’t work. If these tools, these PCs and servers and the network and the routers and the switches and the industrial control systems are going to function, they’ve got to be up and running and connected. So there’s always compromises and conflicts of interest.

The IT guy, for example, wants to make sure it all stays up. He’s the CIO. “I want this stuff to stay up and keep everybody in the company productive, being able to do their job, keeping customers happy” and all of this stuff. It is fundamentally opposed to what my objective is. The accounting guy says, “It costs too much.” “Well, okay. I’m telling you, you need this. We have to work it out. We’re going to budget for this. These 3 things I’m going to tell you about, we’ve got to do at least these 3 things. Come on, give me the budget for it.”

So I convince them and we work with IT people. We’ve got an IT partner program. And you work with finance, and you work with the operations guy. He goes, “I don’t have time for no stinking training.” You’ve got to make time. Humans are the weakest link. Over 90% of exploits are due to humans firing it off, getting conned.

These are con jobs. Just like getting hustled on the street. They’re just using the internet to do it, and they’re doing it at scale. A street hustler can do a one-on-one con; an internet artist can do 10 million cons automatically. It’s really con jobs. A lot of them are con jobs – most of them, almost all the ransomware attacks are. They’re con jobs at scale. The criminals just merely moved to another place where they can get a lot more victims a lot quicker, more efficiently, a lot cheaper, a lot less risk.

Every time new technology comes along, criminals use it. I hear this thing about bitcoin, and it’s only a place for criminals to buy drugs and other stuff. You know what is used most for criminal stuff? Paper money. U.S. dollars. U.S. dollars worldwide is the number one way to buy and sell drugs, by far. It just doesn’t work in the case of ransomware.

Anyway, you have these conflicts of interest with the best security versus the most productivity, or the budget, or operations efficiency. What happens, because people have this mindset that cybersecurity is part of IT, they typically put the cybersecurity specialist under the CIO or the IT guy. The security specialist has to report to the IT guy, and then that gets filtered to the CEO. Well, guess whose head is going to be on the chopping block if their company gets breached and patient data is released, client data or customer credit cards are released to the Dark Web, or intellectual property is stolen by nation-state threat actors?

It’s going to be the CEO. And he’s going to say, “Why didn’t I know?” What’s going to happen is the IT guy says, “Well, I didn’t think it was important enough,” and the security guy is going to be sitting there pounding on the desk saying, “I told him, I told him, I told him it was important.” The CEO goes, “Well, I’m firing the IT guy.”

What smart companies are doing these days is making it a C-level position, because the CEO ultimately has to understand the risk to his business. That is part of the leader’s, manager’s, president’s, director’s – whatever your title is, your company is probably not nearly this big. Our company’s not this big. We have people that sometimes do two different roles. There’s a guy in our company who has the title of president; he does operations and sales. But ultimately, it comes down to understanding the risk and who’s responsible for it. And the buck stops with the CEO.

When you take security and you treat it seriously – because you could get put out of business. I think the statistic is something like 40% of small businesses that get breached are out of business within 6 months. It could easily put you out of business and cause grave damage to jobs and to finances and to reputation. Who’s going to be in front of the 5 o’clock news TV cameras if your water utility is breached? It’s going to be the CEO. It’s not going to be some IT guy that works part time with a different company. It’s going to be the CEO or the director or the utility manager, or whatever your position is. You’re going to be the responsible person to explain to your friends and family why you got breached, or to your customers why you got breached. It’s not going to be the IT guy.

What they’re doing is by moving it up – the CISO is what it’s called – the CISO is the Chief Information Security Officer, and he’s got a direct line of communications to the CEO. He is not outranked by the Chief Information Officer. He is on par, because he’s got to be able to explain, “Marketing wants something that is increasing our risk dramatically, and I’m telling you we don’t need to do it that way. We need a zero trust environment, and what marketing wants to do breaks that policy.”

The CEO gets to make the call, and he gets to understand what level of risk is being taken. Now, the marketing guy may have a valid point and the security guy’s got to say, “Okay, let’s do it and still make it as secure as we possibly can.” But it’s a balancing act, and the CEO’s got to know what risk they’re taking every minute of the day.

And it’s no different than any other risk. Locking the office door. Okay, we open at 8:00, close at 5:00. He knows that that office door is unlocked for those 9 hours, and he knows what risk that is. Any risk analysis you do has to have security first and foremost.

So let’s take a look at IronTech’s Cybersecurity Fundamentals. First and foremost, we are a best of breed company. We only use best of breed policies, only use best of breed tools. We take those and put them together to create multiple layers of defense. It’s known as defense in depth or layered principle. Then we correlate all of that stuff with the NIST Cybersecurity Framework. Anyone that has looked into “Where do I start? How do I know what I need and how do I know what’s vulnerable?” – well, you take that NIST Cybersecurity Framework, and I’m going to walk you through it here in just a minute, and it’s the same tool that is used by organizations of all types, all over the world. Not just the United States. So we correlate everything with the Cybersecurity Framework.

Let’s look at best of breed versus integrated solutions. Very often, after one of these webinars – maybe we’ve been in touch with somebody, and we’re following up, “Hey, did you attend the webinar?” “Oh yeah, I did. As a matter of fact, I was listening to Tom and he said I need this and I need this and I need this, and I thought, I think McAfee’s got that,” or Symantec or whatever you’re using. They send you emails, “We got this now, we got this now, and we got this now.” So they call up McAfee, and McAfee says, “Oh, yes sir, we do all of those things too.”

That’s an integrated solution. That’s a single vendor solution. That is not a best of breed solution. Almost all of the technical tools in our security stack are not only best of breed, but they’re also from vendors that only do one thing and do it as best they can. They don’t have a suite, or if they do, it’s very few things, and they don’t try to be everything to everybody. They go, “This particular tool we are the best in the world at,” and that’s what we use. We don’t put suites out there because the problem with suites is not only are none of the components a best of breed, but they are typically about one step above useless.

Now, the good thing about an integrated solution is you’ve only got one throat to choke – which you actually do with us too. But you know all the stuff’s going to work together, or it should work together. Shouldn’t be any incompatibility issues. So we have to make sure that what’s in our technology stack, we know what works and what doesn’t play well with the others. It’s like putting two antiviruses on your computer. That’s not a good idea because they don’t play nicely together.

Well, we will put two of our technical controls of the same family on the same computer, but it’s because we know what their exact capabilities are and what their exact objectives are, and perhaps how their humans – because this stuff’s all monitored by human beings – we know that they’re compatible, is the bottom line. And we know that one of them is filling a gap that the other one doesn’t. We just don’t believe in integrated solutions. If you’re going to go integrated, you don’t need us. You need to go straight to the vendor and buy their suite of tools. It makes it a whole lot easier. Got a lot less problems with support, and you’ve got a lot more vulnerability. That’s it in a nutshell. We just don’t believe in integrated solutions at all. There are companies that will disagree with that, but I have yet to see one that’s really good, or good enough for my friends and family to use.

So what do I mean by defense in depth? We want to identify what that core asset is. What’s the gold in the middle? That’s the first step of the Cybersecurity Framework, by the way. We want to protect that with multiple layers of defense. We want those layers to bend, but if they do break, there’s another layer there.

Think of the French after World War I. They were paranoid that Germany was going to attack again. They were right. So they built this magnificent Maginot Line with these magnificent artillery weapons and trenches, and they thought it was going to be another trench warfare and everything else. They poured all of their money, all their defense military budget, or most of it, into building the Maginot Line. It went for hundreds of miles – neglecting their navy, their army, their air force. They didn’t have anything left to upgrade their tanks or to create new fighter planes. Everything was poured into the Maginot Line.

So what did Germany do? They had all facets. At the time they started attacking, their air force was superior to everybody, their tanks were superior over everybody. They had the sheer number of troops that they needed. Their submarines were awesome. And their encryption was incredible. So they balanced their budget around building multiple layers – in the military it’s generally offense and defense. Multiple layers of offensive stuff, but they used it on defense too. When the Russians were attacking, they sent their air force in, they used their tanks, they used their air force, artillery, all these different things to defend themselves as well.

Once the Germans went past the Maginot Line, there was nothing left. That’s why Paris fell in 6 weeks. The Germans couldn’t move fast enough. They probably could’ve done it faster with tanks we have today, tanks that are able to go 70 miles an hour instead of 25. They could’ve been there in 3 days. I mean, I don’t know, but anyway that’s a perfect example of why a single layer of security doesn’t work. It’s not effective. That’s why antivirus is not effective by itself. Our fancy stuff, like EDR, is not good enough by itself. It’s better than nothing, but it’s not going to defend against everything you really need to be defended against.

So let’s talk about the Cybersecurity Framework. If you have looked into this, there’s a lot of stuff. It’s a real dense document. I think it’s on Version 1.1. It actually doesn’t get updated very often. It’s been around for years and years and years, which tells you how good the document is if it’s only been in one major – or even a minor – revision. That tells you something about how good this framework actually is.

Let me simplify it. It’s basically composed of 5 things. You’ve got to identify, what is it you need to protect? Where’s the gold? Accounting files, customer files, patient files, client files, intellectual property, passwords, credentials, things like that. ICS, SCADA devices, industrial control systems, CAD machines, whatever it is. You’ve got to identify what needs to be protected. You already do that. You know you lock your office door so nobody breaks in and steals stuff. You’re already doing that. Let’s just take it one step further and put it down on paper. What electronic data do you need to protect and where is it?

Then you’ve got to protect it. Disk encryption. You’ve got laptops that leave the building, that disk needs to be encrypted. It’s called data at rest, and it’s vulnerable to being stolen or damaged and lost. You’ve got to encrypt that data if it leaves the building. You need to encrypt it in the building because people can break in and steal servers. It happens. It’s happened to us. Then you’ve got to protect it.

Now you want to be able to detect intrusions real time, so you can respond in real time. If the Germans are attacking, I need to be able to respond. If I’m not the French and I’m the English, I’ve got a navy, I’ve got an air force, I’ve got Spitfires, I’ve got battleships. I’ve got multiple ways to respond. You want to be ready for that.

And then finally, the fifth thing that you’ve got to plan is for recovery. What happens is the attacker, what happens if the enemy is successful? How are we going to recover from this? To live, to fight another day. How are we going to recover from this? How is my business going to stay operational to keep us from going out of business, or to keep that water or that electricity being delivered? How do we recover from it? You’ve got to plan for it. If any security company says you won’t need to worry about that or you’re covered completely, run. There’s no such thing. You have to accept the fact that a breach might be successful.

Now, these 3 things I’m going to tell you about are going to dramatically decrease the possibility that an attack is going to be successful. Let’s talk about them. This is where you need to write this stuff down or add this to your list of things you’ve written down.

#1 is continuous security awareness training for everybody in the organization, not just for key operators. As a manager, an owner, a president, head of the law firm, managing partner, I don’t care – you get security awareness training. It’s only as good as the weakest link, and if the owner of the business decides he doesn’t have the time and he doesn’t need it, then he should never, ever – well, first of all, he ought to be fired. From the top down. If everybody sees the owner of the company is not doing the cybersecurity training, what is that going to do to the morale? And why would anybody take it seriously?

But not only that, he’s not being trained and he’s probably the one most likely to fire something off. Finance or accounting may do it, too. They’re up the list. But the head guy is usually doing all sorts of things on the internet. Research and market research and financial stuff and law stuff and all of this other stuff. They’re exposed to all sorts of things, incoming and outgoing. The chances of a con getting through are higher. If all I do is accounts payable every day, then the only emails I’m really worried about are vendors that say the bill hasn’t been paid. The attack surface is smaller.

Anyway, it’s got to be continuous because these cons and these threats change all the time. Dramatic difference in the types of styles of attacks since COVID than there was pre-COVID. Dramatic. There’s a dramatic difference when there’s a major tsunami. The big tsunami that hit the Indian Ocean a few years ago, there’s all kinds of cons around charities. Just about anything that makes headlines, people exploit to get money or whatever, to get a hook into a network or computer or to steal data or money or whatever it is. So it has to be continuously updated.

And then, as a leader, you have to monitor everybody and make sure nobody’s falling behind. Make sure they get it. Make it a game. It’s your attitude that’s going to make that environment secure. We’re dealing with human beings here. Human beings naturally resist change. And they do resist training a lot. Something if you’re really excited about it, yeah, it’s fun. Security training is “ugh.” I mean, I love it, but most people – “Eh, I’ve just got to do it.” You don’t want that attitude in your business.

So you have to really embrace it and make sure everybody understands that any one of them can be guilty of causing something that would make the company destruct. That’s how serious this is. You don’t want them to have that burden on them, so get the training. If you do the training and you keep your scores up and you continue all the training, if you do inadvertently fire something off, then it’s not your fault. We’ve got a response plan and a recovery plan. We did the best we could with you. We’ll worry about improving that later, what broke on that thing, why you opened that Excel spreadsheet. We’ll worry about that later, but it wasn’t your fault. If they didn’t have training and you didn’t educate them on how to identify malicious emails, what are you going to do? That’s your fault. It’s not their fault. It’s your fault.

Second thing is an EDR. That is that super turbo deluxe antivirus. It looks at the behavior. You open up an email; an EDR will say, “Oh, Tom just opened an email.” Then I double-click on the Excel spreadsheet or Word document, whatever’s there. EDR says, “Eh, that’s normal. Opened up a Word document.” Then a macro is executed. The EDR says, “Hey, I see a macro going off here. I’m going to keep an eye on that.” And then it sees the macro calling the encryption service, and the EDR will step in and freeze that process and say, “That is anomalous behavior. That is not predicted. That is not normal.”

Then it’ll alert IronTech or a security partner of ours that monitors these things continuously and say, “You’d better put some human eyes on this and see what’s going on.” In real time. We see that every single day. We work on threats and mitigate attacks every single day, and the key part of that from a technical standpoint is the EDR. Get rid of the AV. Get an EDR in there.

Then finally, you’ve got to plan for backup and business continuity. And this isn’t just for cybersecurity. You’ve got to plan for a catastrophic facility loss. What’s going to happen if a tornado blows your building away, or floods? We’ve seen floods a lot recently. Or wildfires. You’ve got to plan for what happens in case the whole place is gone. How do I stay in business? The best way to do that is to use backup tools and disaster recovery tools. They are different things, and most people get a combination of different things. We rarely put less than two different types of backup and disaster recovery or business continuity tools.

But basically we can set it to where you can spool up say your QuickBooks PC in the cloud that is thousands of miles away, in case you have a catastrophic facility loss. Or in the case of a ransomware attack, we spool up a ransomware-proof backup in the cloud. Or we’ve got a backup on-premise that’s ransomware-proof that we can access. So you want to protect from a number of different scenarios with your backup and disaster recovery planning.

How do those 3 things match up with the Cybersecurity Framework? Down the side are those 5 things. Identify, protect, detect, respond, and recover. Across the top, these are the 3 things that you need in your business, at a minimum. We always think about others, but at a minimum you need these 3 layers. Training, you need the EDR – get rid of the antivirus – and you need backup and resilience tools and policies. The policies are more critical, actually. I mean, the tools are important too; they’ve got to work. But you’ve got to have policies in place to monitor the backup. We do that continuously. We have it automated plus we lay eyes on it every single day. All of the backups are monitored constantly, just like the EDR.

Now, if you look at the 5 things, we’ve got at least two layers on each of the 5 things for the NIST Cybersecurity Framework. With just those 3 things, you’ve dramatically improved your security posture, and it’s affordable. It’s a great way to shortcut and get NIST CSF compliant, so to speak.

I mentioned other security layers. You’ve probably already got a router. There’s a firewall in it, so you’ve got a layer right there. Well, especially these days with so many more people working at home, we’ve got to take a long hard look at remote access. There are very specific things that have to be considered, of which we consider the very least is multi-factor authentication. I do not want a workstation in my office exposed for somebody to use on the beach, on vacation, or from their home like I’m working right now. Kindsey’s working from home.

When we log into the office, we have a third piece of information. It’s called multi-factor authentication, and it’s got a time bomb on it where this 6-digit string is only alive for a minute or 3 minutes or 5 minutes, whatever it’s set up to be – if you’ve used the hardware keys, online access, cash manager type stuff in the banks, that’s what a multi-factor tool is. Investment accounts. A lot of financial stuff, and health records too. But we’re seeing that everywhere.

I turn it on on every single site that I can. Multi-factor authentication. Because that third piece of information is time-sensitive. If somebody gets a copy of it and it’s 10 minutes later, it’s no good anymore. So even if somebody harvests my username and password, they still can’t get into that workstation that I’m trying to log into at the office.

DNS filtering. Basically one of the primary things it does is prevent people inside the company from accessing malicious servers or malicious websites. Websites get compromised constantly. That’s one of the reasons why we sell hosting for WordPress sites. WordPress is the #1 platform; we have very secure hosting, professional hosting that is actively monitored for intrusions. We’ve never had any sites compromised that have been on this platform.

Your IT management itself – Windows patches and Office patches and server patches, generally speaking, the IT team manages that. What we’re going to do as a security team is make sure everything stays up to date. We can do patch management, but if you remember the org chart slide, I will tell IT, “You figure out how you want to do patch management and then my team will monitor it to make sure it’s done.” That’s a great way to do it in a larger company.

But that’s generally IT, but it still needs to be checked. You wouldn’t believe how many times we go into a place and see that there’s 75 high severe security patches that have not been applied. And those are exploited all the time. It’s published. The hackers know what vulnerabilities exist. They know what’s been patched. So when they go out and look at servers, “Oh, is this unpatched? Here’s how I break into it.” The instructions are right there. It’s on the Dark Web. There’s instructions on how to exploit the vulnerabilities that you should’ve patched 6 months ago.

SIEM. Security information and event manager. This is what we use to monitor non-PC or iOS or other network devices. We can monitor switches, we can monitor SCADA devices. Anything that can be plugged into a network, we can monitor it with a SIEM tool. What it does is, in near real time, it’s querying that network device and retrieving a log, and then looking at that log for anomalies, unusual behavior, unusual activity on that connection. And then, in turn, human beings are automatically alerted when it detects an anomaly, and then it flows on through to IronTech and our command center.

That’s how we’re able to monitor things that we don’t install anything on. We can monitor your printer toner – we don’t, but we can see what the toner levels are in your color laser printer. Lots of other things. It’s fascinating what can be done with looking at the logs. That’s how these big huge data companies, like Splunk and some others, are able to analyze just terabytes of information very quickly. That’s by digesting logs. We just do that on a much smaller scale.

Of course, I already mentioned MFA.

Now, the phishing emails. Remember those 10 million emails that I said I was going to send out? Those are phishing emails. You want to simulate and see how everybody is responding to those.

I just realized that I’m almost out of time, so basically what you need to put in place is you need to do your security assessment, you need to get in place continuous security awareness training, you need to get rid of your antivirus and put in EDR, you’ve got to get a good backup and DR – they can be two different things for two different timeframes. One of them protects the business and makes it operational; the other is a backup. They are different things, and you need to put both of them in and monitor it and test it, always, continuously, over and over and over again.

You’ve got to have that security-first culture where everybody understands the what, the whys, the hows. They don’t have to know the details of how specializations are in the cybercriminal world. They’ve just got to know they’ve got to be on the lookout for these con jobs that may appear on a pop-up on a website. Everybody’s seen the pop-up that says “Your computer is infected.” That’s a con job. You’re getting scammed. If you let them onto your computer, they’ll go in and show the event log. A Windows event log is a scary thing to look at. There’s all sorts of errors in there. Then they just take that and tell you your computer is infected, that’s why you’ve got all these errors. Nobody knows any better. That’s how that con works. That’s how that scam works. You pay them $100, they clean your computer up when in the first place it never had anything on it.

Then finally, you’ve got to orchestrate all these different players. All these different vendors, all these different tools. You’ve got to keep the policies up to date. You’ve got to adapt on an almost daily basis to new threats, new criminal organizations and new external threats and all of that. You’ve got to orchestrate all of those things. That’s what our specialty is: orchestrating.

Or you can do it the easy way. Remember the security assessment I said that you need to sign up for? Get that scheduled and we’ll help you assess what needs to be protected. We’ll determine what layers you really need and advise you of the risk for the ones you choose not to use, because you’re probably not going to want to add everything. It adds up. It’s a function of time and money, and everybody’s got to balance that risk. We do as a company. Now, ours is a lot higher. People try to breach companies like us constantly, so we invest a lot more in security than any of our clients do.

But then we’ll monitor it, ongoing backups. We’ll look for attacks in real time and respond accordingly. If something happens, you get a security event, we’re going to kill it and fix it and then do a post mortem on it. The bottom line is, we will stop almost all ransomware attacks and lots and lots of other threats. No one is immune to being breached. The National Security Agency, the NSA of the United States, the United States’ premier cryptographic part of cyber warfare, was breached, and all of their tools are available for sale on the Dark Web now. That dramatically changed the threat landscape 2 years ago. That’s actually one of the reasons antivirus is pretty much useless anymore.

The very same tool that we used to destroy those centrifuges in Iran, the source code and everything is available for sale on the Dark Web, and it’s been tweaked to attack other control systems. It can attack anything. It can be adapted and changed to attack any network device. But that’s the easy way forward.

So give us a call. I’m sorry I went over, but there’s our phone number. The link is in the chat box. Get that security assessment scheduled. We’re easy, easy, easy to deal with. No high pressure. But if you don’t have those 3 things in place, you really need them.

Hope you learned something. How are we doing, Kindsey?

KINDSEY: We’re doing good. Just only 4 minutes over, so not too bad.

TOM: What’s really ironic about that is I shortened the webinar

KINDSEY: I know, that’s what I was thinking. It’s okay, though. It’s fine. We do have one question. “If you had to add a fourth core layer, what would it be?”

TOM: Well, MFA, especially these days, is going to be the most common one. But it really depends on the environment. But almost everybody has got some sort of remote access these days, so I would say that with few exceptions we’ll add MFA on there. For our clients, we don’t turn on remote access without MFA. We insist on things, and if they don’t like it, they can go somewhere else.

I guess I could bring up the story – we had an oral surgeon office that was under a ransomware attack, and our layers were slowing it down, but this one was particularly vicious. In fact, we were stopping the encryption side of it; what we weren’t stopping was the lateral movement throughout the whole network. It rapidly infected the whole network and it kept pinging and pinging and pinging, so now everything on the network is trying to encrypt.

It did a marvelous job. I was watching it and I said, “I don’t know if this thing’s going to hold up.” But it delayed the attack. Remember, it bent. It didn’t break. It never broke, but it did delay the attack long enough for us to get with another EDR vendor – this is those two EDR tools. This other vendor says, “We know what that is and we can write code,” and within about 2 hours they gave us the code to kill the thing off and to stop the attack. That’s what you get with a well-orchestrated security response team, because we use vendors to do it, and other stuff. Everything goes through us. They alert us when they see something suspicious if need be, and then we work together until it’s all over with.

And then everybody does post mortems. “Oh, how come this first tool didn’t stop the lateral movement? That’s a big problem.” So we went through that and figured out ways to make sure that never happened again. But it is another layer. I hope that answered it.

KINDSEY: Yeah. It doesn’t’ look like we have any more questions.

TOM: Alrighty. Thank you, everybody, for your time. I know it’s valuable, and I hope you learned something. Every Tuesday at 2:00 we do a Deeper Dive on some of these topics, so if you want to get signed up – if you’re on the website and you don’t want to do a security assessment, you don’t have 30 minutes to fix your security, at least sign up for some Deeper Dives.

We also have a threat warning service that comes from the command center. We don’t send out many. If you saw everything we saw, you’d never touch a computer. [laughs] But when we see something that’s directly imminent, a threat for our client base, we will send out a watch or a warning or an advisement. Probably once a month we might send one out, but it’s really got to be something that’s imminent, something that needs immediate attention. We understand we don’t want to send out every threat.

That is it. Thank you, everybody. I want to thank everybody again, and we will see you next time.