
The Biggest Cybersecurity Mistakes You Don’t Want To Make

One cybersecurity mistake can leave your organization in ruins… Assuming you’re “too small” to be a target or relying on antivirus to protect your organization leaves you vulnerable to cyber criminals.

Prefer to read? (Transcription)

TOM: You guys feel free to use the chat box. Actually, Kindsey, we can turn their mic on if they want to ask some questions as we go through, because these are some things – I’m not going to remember everything about some of these topics. I’ll be done with this webinar and go “Oh, forgot about that, forgot about that.” And we would like to hear things that you guys do, like when it comes to poor passwords or reusing passwords.

This is something that’s really pretty easy to stop doing. It does take a commitment, which we’ll get to in a later slide, but if you do take security seriously, you cannot reuse credentials. So what does that mean? That means, like so many people out there, they use the same set of credentials for multiple websites. And if any one of those websites get hacked and the credentials are stolen, then the hackers in turn start trying those credentials on other websites.

So if you’re using the same set of credentials for your Facebook account that you do for your email account, well, congratulations – not only do they have your email address and your password, but now they can go into your email. And if you can get access to anybody’s email, you’re home free because how are passwords reset, typically? Email addresses. They send a link to your email, say “Click on this,” and they presume that your email has not been hacked.

Your LinkedIn, if you use the same thing for LinkedIn that you do for Twitter, they’re both compromised. If you do it across 6 websites, all 6 are potentially compromised. If you do it on 100 websites, they’re all compromised. If you do it with your banking account, they can flush all the funds out of your bank account and steal personally identifiable information.

Now, poor passwords are things like – there’s a list every year that gets published, like “the 20 most common passwords,” and invariably the word “password” is in the top 10. In fact, for many years it was actually number one. But people use things like “letmein,” “iloveyou.” In Arkansas, it’s “razorbacks.” We’re not blessed with an NFL team, and we only have one serious – I hate to say that. The biggest university is the Razorbacks, so “razorback” is something.

If I’m in someone’s office and they went to school at Oklahoma State, they’ve got a bunch of OSC stuff all over, then I know that there’s a good chance that “cowboys” may be their password. I’d look around their office and see their children – go on Facebook, I found out their son’s name is Teddy, so I try “theodore.” Those are bad passwords. They got a family photo with a pet in it, what’s the pet’s name? “Oh, that’s Fred.” Is “fred” the password? That’s the way that hacking and social engineering is done.

I’m using if I was in the office, but all of this stuff’s on Facebook. In fact, some people even fall for the game where you say “What’s your mother’s maiden name?” and all this, and they fill it out. Mother’s maiden name is very common as a security question. Often you can see what year someone graduated. You can find out their birthday. If you go on my Facebook page, you will not see my birthday announcement. I took it off. I don’t use things like my high school mascot. I only use pets’ names in combination with other words, characters, and symbols. And that’s very rare anymore because I use a password manager.

Using an antivirus or relying on an antivirus or trusting an antivirus. Built into Windows is a surprisingly effective antivirus that in some ways is more effective than off the shelf. But in no way would we pretend that it’s a suitable substitute for an EDR like SentinelOne. If you’re a client of ours, you know – you can’t be a client of ours unless you’re paying for and we are monitoring with SentinelOne. At least SentinelOne. That’s an EDR. It is generally considered the best, because we’re a best of breed company.

In fact, we get vendors calling us – there’s lots of vendors that make EDR products, and they’re all very, very good. Or most of them are. But no matter who they are, the sales pitch invariably begins with, “Do you guys use an EDR in your practice?” We go, “Yeah.” “Which one?” “SentinelOne.” “Oh, okay. Well, thanks for taking my call.” That’s the way it usually goes because even within the competitors, it is generally acknowledged as the best EDR out there.

We do another one that’s called Huntress. Many of you maybe also have Huntress installed. They do two different things. You can’t really say SentinelOne is the best. It is the best at certain things, like stopping a ransomware attack. It’s really, really good at that, and many other things too. Huntress approaches it from a different standpoint. I can’t remember all the details, but it does fill in some gaps. We’ve had a lot of success with an attack that SentinelOne wasn’t able to kill off the attack – it could stop it. Remember, we want those security layers to bend but not break. SentinelOne bent and slowed the attack down dramatically, but they didn’t have a cure to destroy the enemy.

Huntress built a piece of software that we could deploy on the network. While SentinelOne was automatically keeping the enemy at bay, another vendor partner of ours developed a fix for it. So we orchestrated that between multiple SOCs, or security operation centers. We were, of course, trying to slow down the attack as much as possible, doing some other things to mitigate it. It was a lateral movement attack, so within seconds of infecting one computer, it was literally attacking every computer in the office.

That’s unusual for a typical ransomware. It was actually more interested in propagating itself than it was encrypting the files, although it was doing that too, or attempting to do that. You just can’t stop a ransomware attack with any antivirus out there. It’s just inadequate. And that’s the number one threat that everyone faces. Short of an EDR, there’s no other way to stop it. So that is stupid, to use antivirus.

Oh, incidentally, Windows Defender I think is what it’s called – they may have renamed it recently – we let that run too, just as another layer. It doesn’t cost anything. It’s built in and it plays nice with all of our other tools. But we would never go in there and put McAfee or Norton or Bitdefender or anything like that. Don’t rely on antivirus.

Relying on IT. This is a typical first-tier IT guy. They want to minimize the support calls. They are more interested in just getting you back up and running. And there’s nothing wrong with that, but that is their number one objective: make you as productive and efficient as possible with fewer help desk calls. That is a great objective for IT. That’s exactly what their job is. Our job is to make you and your business as secure as possible. In its purest sense, we are not interested in how much inconvenience we provide to you. If we require password complexity of 21 characters, it can’t be a word, it can’t be in the dictionary, it’s got to have special characters, upper/lowercase and numbers, in its purest sense we don’t care what trouble that causes you because our objective is to protect the company any way we know how.

Now, out in the real world, that pure belief in security is not good enough. You still have to function as a business. So we all have to make compromises. In the case of forcing really complex passwords, we are also going to recommend the implementation of a password manager because a good password manager will create randomly generated passwords. It’ll make them unique per account, it’ll prevent you from reusing them, it’ll contain upper/lowercase, numbers, and special symbols, and it will store them for you to make it very convenient.

In fact, once you get accustomed – and there’s a hump. It’s like, “Oh, this is a hassle.” That’s a hump you’ve got to get over because once you get over that hump with using a good password manager like 1Password, which is what we recommend, you all of a sudden are free. You don’t care what your password is. You definitely don’t write it down and put it on a sticky note underneath your keyboard because that’s an attack surface. That’s bad.

You get to the point where you don’t know and you don’t even care what the password is because with a couple of mouse clicks, you can populate everything – username, password, and even multi-factor authentication numbers that have the time bomb, the time-sensitive 6-digit numbers you have to type in. A good password manager will manage all of those things for you and really, really make your life convenient, dramatically increasing your defense posture of the company.

Now, 1Password does cost money. LastPass has free versions. So in your personal life, if you don’t want to spend the extra little money for 1Password – which I think is a mistake – LastPass works pretty good too. It’s not as good and slick as 1Password. 1Password works great and they are pouring – I think they’ve got $400 million in funding, so they’re pouring tons of money into the company. They are going to be the dominant force in password management going forward.

Thinking that you’re too small. And yes, these are some of the myths. So you feel like this in a crowd. “We’re just a little-bitty company. All the big companies just walk around us. They don’t even know who we are. Why would any hacker attack us? They’ve never even heard of us. Why would a hacker in Russia attack our little 10-person company that makes widgets that we only sell to 5 other companies, that doesn’t even have our name? We have no branding on anything. We don’t advertise because we don’t need to.”

Here’s the deal. They don’t care. They don’t know who you are. It’s a numbers game. They’re sending out these emails with attachments and wording to psychologically manipulate you to open the file attachment and fire off the attack. In most cases it’s going to be a ransomware attack. All they’re interested in out of those 1 million or 10,000 or 10 million emails that they send out is someone to pay the ransom. They don’t know, nor do they care, who you are.

Now that’s not true for all criminal hacking specialties. Those that engage in spear phishing do research the company, like IronTech, and we are targeted directly. They’ve heard of us. They target because if they can get into our stuff, then they might potentially be able to get into our clients. Now, it just so happens that that’s hard to do. Even if we get compromised, it’s very, very unlikely that our clients in turn will be compromised.

But we do get spear phishing attacks. A spear phish as opposed to a regular phish is where the email is carefully crafted using company knowledge. Invariably, when we hire someone new, about 30 days later they will get an email from their boss or from me or from the president to con them into doing something, whether it’s “go buy 10 $100 Apple gift cards and send me the numbers off of them” or whatever it may be. They are directly targeted to be attacked. So even though the vast likelihood is they don’t know and don’t care who you are, depending on what your industry is – if you’re in critical infrastructure like water utilities, electric, gas, yes, you could potentially be a known target, a named target, kind of like me being on the ISIS kill list. I am a named target. It’s not just “Go kill everybody in Fort Smith,” it’s “Go kill Tom Kirkham. He’s an enemy of ISIS.”

That’s the things we discover in the security assessment. Before we do anything, before you buy anything, we start looking at what you’re trying to protect, what type of industry you’re in, what your security maturity is, and then who are the hackers that are most likely to attack you and what their tools, techniques, and objectives are. Once we understand that and a few other things, we know what types of technical, administrative, and physical controls we need to put in.

In water utilities, we have to carefully consider physical controls. If you’re in the utility business, you know this already. You know you’ve got to lock up the yard, your water treatment facility, your front office. You know you’ve got to lock those doors at 5:00 or whatever it is. You know you’ve got to limit who has access, who has a key. You know you’ve got to put an alarm on it. But there’s other things we have to know as well. We need to know, do we need to lock the terminals down after hours? So even if somebody physically breaks in, let’s kill off the terminals. No access. There’s a lot of different things that go into that.

So you can’t be too small even as a water utility. Say you’ve only got 500 customers. You still have to take these threats seriously.

This one frustrates me to no end. You know what, Kindsey? A better image here would’ve been the one with security budget before…

KINDSEY: Oh yes.

TOM: Security budget before breach versus a budget afterwards. There’s two photos. The first one says “Security budget before a breach” and the guy is counting pennies, and then the second photo is “Security budget after a breach” and there’s stacks of banded $100 bills. That’s sad but true. It happens day in and day out. It’s penny wise and pound foolish, because if you do have a successful breach, it’s going to cost you thousands, tens of thousands, hundreds of thousands, and you may not be able to survive.

Over 40% of the small- to medium-size businesses that suffer a major breach go out of business in 6 months or less. If you had the ability to go back in time after a very nasty breach that’s embarrassing – customer/client/patient data is released for sale on the Dark Web, you’ve got to answer to the 5 o’clock news, newspaper reporters, Wall Street Journal – if you’re in critical infrastructure, yes, you might get a call from the Wall Street Journal because we know, and cybersecurity journalists know, that that is super serious. And they also know that the security maturity level of the water utility industry as a whole is very, very bad. So they monitor for that kind of stuff.

So you’re about to go out of business and you go, “Oh man, I wish I had spent that couple of thousand dollars with IronTech Security. I thought it was too much money, we didn’t have the budget. Our gross revenue is only a million dollars a year.” If your gross revenue is a million dollars a year and you’re not spending $2,000 or $3,000 a year on cybersecurity, you’re not a good manager. You’re not. It’s that simple. Your board would fire you, the mayor would fire you. Everybody’s accountable to somebody.

Even if you’re the 100% shareholder in the company and whatever you say, “It’s my way or the highway, I can fire customers if I want, you’re going to do it my way and we’re going to do all of this and do that” – ultimately, if your organization suffers a breach and you fail to protect it adequately, your customers are going to vote with their dollars and you’re going to be out of business. Do not be penny wise and pound foolish. Stop it before it happens.

This one is more of – lack of a better term, it’s more of a touchy-feeling thing. I think it’s a magnificent leadership quality. And what a good leader does – first of all, a good leader treats everyone as a colleague because they are. It takes a team. As an owner or a CEO, a director, a manager, whatever your head honcho title is, you can’t do everything yourself, right? There are other people. So you all have to work together.

Now, this may seem obvious, but where I see it break down, especially in our business, is establishing that security-first culture. That means everybody on your staff understands how important it is to secure your financial data, your banking access, your customer data, maybe your intellectual property. Everybody knows and understands and they have a good idea of not only what the threat vectors are, like a phishing email, but they also have a good understanding of who the attacker might be.

So you build into this organization this culture to where Bill doesn’t share his credentials to log into a website that the company uses with Susie. If Susie needs access to that website, set her own account up because once you start sharing credentials, you’ve increased your attack surface. It’s not because you don’t trust Susie or you don’t trust Bill; we’re all about securing the organization.

So open up your network, go to “My network neighborhood” or browse to a share and then go to everybody else’s computer. Let’s say it’s a QuickBooks share. You’ve got 2 people that use QuickBooks, you’ve got 5 people in the office. Go to one of those people that do not use QuickBooks, go to their network, and see if they can see that shared directory that has the QuickBooks files in it. They shouldn’t be able to see it. That’s called “least privileged access.” It’s not that you don’t want Tony to have access to the QuickBooks files. Maybe you share all the financials and everybody knows what everybody makes and all these different things, and Tony’s the most trustworthy person in the world. That’s not what this is about.

What it’s about is cutting back on the number of points in the network, or the human beings that can be manipulated to inadvertently unleash a ransomware attack. So even though Tony may never use QuickBooks, it’s not installed on his computer, but if he opens up an email that has a ransomware attack in an Excel spreadsheet, guess what? It’s going to find that share on the network and encrypt all the QuickBooks files. If he didn’t have access to that share, you’ve dramatically lowered your attack surface. If Tony only does things on Tony’s computer and he shares very little on the network, or anything on the network, then it’s only limited to his computer and it’s not going to be a catastrophic security event.

That’s all built into being a security-first culture. Everyone’s on the same page, and no one is exempt. I don’t care who you are. You may think you’re a genius, that it will never happen to you. You don’t do things in the company like everybody else because you’re special. The simple fact of the matter is, if you’re on that company network, you have to be security-first cognizant and get continuous cybersecurity awareness training.

And it has to be continuous. It’s not “one and done.” Technology changes. These cons and scams continuously get updated for the times we live in. A tsunami hits Southeast Asia, all of a sudden there’s a bunch of emails coming in for people to give and donate to the tsunami relief fund. COVID hits, all of a sudden there’s a bunch of hackers trying to get into remote access terminals, trying to log into Windows Remote Desktop. It changes constantly.

A few years ago, gas pump scammers were widely – well, they still are. They became widely available. You have to educate your people. How do you prevent that corporate AmEx card from being compromised at a gas pump? Got to train your people on how to identify that. And it’s got to be ingrained. That’s part of your leadership management job. If you’re not creating that culture, you may have to answer to the board or to the mayor or to the governor or somebody someday for it.

Not monitoring backups. This comes up a lot, even with an internal IT staff, but especially if you outsource your IT to what is known in the business as a break/fix company as opposed to a managed services provider. A break/fix company is somebody that, when something’s broke, you call them, they come in and fix it, and they send you a bill for 2½ hours or 20 hours or whatever it took to fix the problem. And then maybe you paid them to set up a backup routine.

If you’re not paying them to manage and monitor that backup – you should have multiple backups, actually, backup plans – if you’re not paying them to monitor it and manage it and fix the inevitable issues that come from having backup plans, then you don’t have a backup plan. You’re running on a wing and a prayer. You’re praying that that backup is going to be there when you need it to recover from a ransomware attack or a tornado. You’ve got to pay for monitoring and management, mitigation, and remediation of problems on a continuous basis.

A good company is going to put human beings on it each and every single day, and they’re going to put automated monitoring tools on the backup. And not just what comes with the backup software. They’re going to put other tools on there that are designed specifically to monitor for backups.

You may be saying, “Oh, we pay the guy by the hour and he just throws that in.” Well, you’ve got another problem you have to worry about. How is he able to stay in business monitoring your backups all month long without him getting a dime? It’s a poor business model. I don’t see it as much as I used to, but you either have to do it yourself or pay somebody to do it, and typically it’s a lot cheaper and easier just to outsource the backup monitoring and fixing of a backup problem. Because they happen. Lots and lots of reasons.

Sometimes you just fill up the storage destination and nobody’s checking it. You get hit with ransomware and you find out you haven’t had a backup for 3 months. You just lost 3 months’ worth of work. Some backups can back up every 15 minutes. Let’s say you’re working on a real serious research paper, or a whitepaper, or you’re working with some big Excel spreadsheets, and you need a backup from 20 minutes ago because your computer crashed. A good backup – they can actually do real-time backups.

And that’s part of the assessment that we go through. In the case of water utilities, that’s usually not required, but we do want yesterday’s. So we build backup plans and the monitoring around it. It even goes into deciding what technical tools, what software we’re going to use, and in almost all instances we use multiple software packages in the same client network.

Don’t be a cheapskate because this is just a sample price, and in fact it could be even cheaper than this. You can get a good EDR that’s monitored by humans, you can get a backup that’s monitored by humans, that’s disaster recovery, business resilience, and ransomware proof, monitored by humans, and continuous cybersecurity awareness training for 3 users in your office for $99 a month. This stuff is Fortune 100 enterprise grade tools that are not available off the shelf. It’s not available from Best Buy. It’s not available even from Amazon. You have to get these from security specialists.

$1,200 a year for 3 computers – maybe you’ve got 5 and maybe you need something else, or you want to do this or do that, and it’s $2,000 or $3,000 a year to protect a small network. That is nothing. It’s really cheap insurance.

And something else that’s not very expensive is a security assessment. This is more of an executive assessment, so we’re not doing vulnerability where we actually go in and probe ports. It’s not a penetration test. We don’t even do penetration testing. If you want to know the differences, that’s a topic for another Deeper Dive. But we can’t do – well, we should not do, and we don’t do, penetration testing because it’s a conflict of interest. We use penetration testers.

But at any rate, you get a high-level security assessment that’s very, very valuable. You can hand it to your IT guy, and maybe he’s got access to some of these technical controls. Maybe he even monitors things and charges for it. I don’t care. But invest $500 with us and we’ll walk you through it. We’ll get a good high-level view of not only what you need to put in place, but how much it’s going to cost.

You can also get a free trial of our security awareness training. 30 days is plenty of time. You get into it deep, and we actually coach you through it so you understand what you’re looking at. It doesn’t take long, and it really goes a long ways. I tell people all the time, and no one ever does it – if you can only afford one thing for your company, get security awareness training. It will cut in half your risk of getting attacked with just ransomware, not to mention you’ll learn what gas pump skimmers do and how they work, you’ll learn about things that don’t even apply to the office. You get to get inside the criminal’s mind. You get educated on the latest threats that are out there and how to identify different types of threats. Like pop-ups, “Your computer is infected.” You identify that and you understand how they work, what their revenue model is. That’s what good security awareness training does.

That $500 is simple and it’s easy, and we do them all the time. Oh, I went over time, Kindsey.

KINDSEY: Only 2 minutes.

TOM: Okay. We got any questions? Anybody want to chime in? We can turn the microphones on if you’d like.

KINDSEY: We do have one question. What are your thoughts on the government hack, and are we all at risk?

TOM: “The” government hack. Which one is that? Let me pull up my chat box here.

KINDSEY: It’s on the Q&A. She might be referring to Liongard. This past weekend.

TOM: Oh, the SolarWinds deal. We don’t use SolarWinds products, and even when we did we didn’t use that particular product. That was a direct target to a company that provides tools to companies like us. Like I said, we’re a target, so the tool providers are actually targets too. My thoughts are, everyone is a target. There are multiple paths of entry. If I decide I want to make SolarWinds a mark because I want to scam them and attack them to get a hold of their tools, these types of things are inevitable. Nothing is bulletproof. We may wake up tomorrow and SentinelOne has been hacked, and their intellectual property has been stolen, their artificial intelligence coding and everything like that has been stolen.

No one is impervious to attack, and I can say that with complete and utter confidence. World War II, the Germans’ Enigma machine was cracked by the Poles. A lot of people think it was done by Alan Turing and the Brits, but they actually used work that the Poles had done a few years earlier to continue and go on. But the Poles were able to read the Enigma messages before the British really got serious about it.

An even better example is our National Security Administration, our nation’s premier cyber warfare cryptology agency. These are the guys that build the tools that the CIA – and they do their own stuff too, and Edward Snowden revealed a bunch of this stuff, how they go about spying internationally and on U.S. citizens and things. They themselves were hacked.

I would say the fact that they were hacked was much, much more serious than SolarWinds being hacked simply because those tools that the NSA developed to hack Iran’s plutonium enrichment centrifuges are now available for sale on the Dark Web to use against us. The NSA tools are literally causing billions of dollars worldwide in damage by nation-states, by criminal syndicates, by hacktivist and terrorist groups. They are all using our own tools against us and against others as well.

Which goes to another point I’d like to bring up about – I get on a soapbox about Apple sometimes. They’re the only major tech company that has told the FBI, Department of Justice, the NSA, and many, many other agencies, “No. Not only do we not have a tool to hack our customers’ equipment, we won’t build one.” Because they understand that once it’s released, no matter how tight they try to control it, it’s going to end up being used against us. It’s going to end up in the wild.

So for everyone’s safety, the safety of society as a whole, it’s better not to make it in the first place. Like the San Bernardino shootings a few years ago, they wanted Apple to crack the phone open. Apple said no. And on its surface that just sounds horrible, but in reality they are making all of us safer – companies, individuals, and everything – by not doing it. There’s a firm or two in Israel that can hack certain things on iPhones, and Apple doesn’t know how they do it, but believe me, Apple’s trying to plug all those holes.

Encryption is a very, very good thing for all of us. Anyway, by not creating that tool, it’s protecting everybody. Much more than just catching a couple of killers. And I know they killed 10 or 15 people. I understand that and I have no less sympathy for them and their families. But in the big grand scheme of things – just like Britain did not always warn of an imminent attack by the Germans because by doing so, they would divulge the fact that they could break the codes. They had to make a very heart-wrenching decision to lose men in order to win the overall war. I don’t want to get into ideology, but if you look at it from a pure logical perspective, that is so important.

Now, the unemployment fraud that is going on – I don’t know what that is, Mary. You want to open her mic up? You want to just ask?

KINDSEY: Yeah, let me find the participants box.

TOM: I’ll get it. Allow to talk. Here you go, Mary. You should be able to turn your mic on now.

MARY: You get a notice – your employer gets a notice from unemployment that an unemployment claim has been made, and you’re still employed. So obviously you didn’t do that. In this case, the employer sent this huge list of things that we’re supposed to do, and it’s quite the mess. From what I’ve read, it’s very prevalent. So I just was curious if you had any insights about where this is all coming from or how they’re getting that information. Because obviously to file an unemployment claim, you need a lot of personal information. Are they hacking the employers’ systems? Or what do you think?

TOM: Oh gosh, that could come from so many different angles. I mean, that could be done with just credit records. Equifax was breached, what, 3 or 4 years ago.

MARY: So it could go back that far to when Equifax’s records were compromised?

TOM: Yeah, absolutely it could. Honestly, I haven’t looked into any research on that, but it could just be credit agencies.

MARY: In our case, Steve got the notice from his employer, and his sister got the notice from her employer. And from what I’ve read in the Wall Street Journal and in the Chicago Tribune, it’s like mammoth proportions of this fraud.

TOM: So they’re claiming unemployment benefits in your name?

MARY: Yeah. With Steve’s sister, they actually sent her the debit card that had money on it, and now the government’s coming back to her and saying, “You owe us this money back,” because they’re saying that she used like $1,400. She’s like, “I didn’t do anything with it.” It’s a huge spiderweb that you have to navigate when it happens. I was just curious what your insights were.

TOM: I can think of a few places to obtain that information besides Equifax. Hospitals are going to have all that information. Any medical doctor is going to have all that. They’re going to know who you work for. Probably have your title and everything like that. Let’s see, I had two or three others. What were they?

Oh, the government sites themselves. Maybe Illinois got hacked. The SolarWinds attack was to get into government agencies, so if anybody’s collecting state or federal unemployment, all that information is there. CPA, accounting firms would have all that information. If the company that Steve works for has been hacked or breached in any way, that could be it. It’s a big company. If you can get into a company like General Electric or Boeing or whatever it is and you get employee records, you’ve got tens of thousands of potential unemployment claims right there. A lot of different ways to get it, and it doesn’t mean the company itself got breached, but that is a potential source for it. But it could be the accounting firm. All it takes is one person in that accounting firm to be breached and that’s where the information is.

Now, the FBI should be looking into that. They could probably give you a lot more information about where the potential attackers are, and they can look at – they might be able to at least detect what country it’s coming from. They can probably have profiles of the syndicates and what their style, techniques, and objectives are and their specialty. We’ve got this list of 700 difficult criminal syndicates; let’s leave the nation-states out of it, but they could do it too. Iran and North Korea. Let’s look at all these potential hackers out there, because that’s their MO.

There’s probably other sources for the data that I’m not thinking about, but state governments are notorious for not having adequate security. Until after they suffer a severe breach. I’ll look into that and see if I can dig up some more stuff on it. Anyone else have any questions?

KINDSEY: Doesn’t look like it.

TOM: Does everybody like my Deep Dive background? Fish everywhere. There’s a diver right here in the middle behind my head. Staring at the back of my head. All right, thanks for joining us. What’s the topic next week, Kindsey?

KINDSEY: Antivirus – I have it right here, let me pull it up. “The Scary Truth About Antivirus and Why It Leaves You Vulnerable.” That was one we had to reschedule.

TOM: Okay, so join us next week. We do these every Tuesday, 2 p.m. Central Time. We take topics. If you’ve got something like Mary brought up and you want me to discuss it on a Deeper Dive, send me or Kindsey and I’d be happy to research it so I can speak intelligently about it. We get flooded with – we get alerts from CISA. You know the guy that said the election was probably the most honest and transparent and accurate one we had that got fired? That organization sends out alerts to people like me, Kindsey, FBI.

All of us are members of the InfraGard chapter in Arkansas, so we get alerts from them and alerts from others like WaterISAC and things like that. So we get these breach alerts all the time. We don’t do a post mortem on every one of them. Our vendor partners research them pretty heavily, especially the ones like SentinelOne and a few others. Perch does a lot of that. Perch does a lot in the water utility industry and with WaterISAC too. But we don’t. We rely on our vendors to really do it.

But when one of our customers suffers a breach, then we engage. We do the post mortem and we do the research because we have to understand why the breach occurred, who did it, what was the objective, what was the result, and how we recover from it. We do that any time we have an anomaly, even if the breach wasn’t successful. And that happens quite often. We can generally look at it and say, “That was because of this and these guys are known for doing this.” But yeah, we spend a lot of time on that.

I think that’s it. Taken enough of your time. We will see you next week.

KINDSEY: Bye, guys.