Most people believe that their business could never be the target of a cyberattack, but if you have internet within your environment, then you are a target. In this episode of the podcast, Max Clark talks with Intelisys National Cyber Security Specialist, Ivan Paynter, on how not to be overwhelmed with security.
INTRO: [00:00] Welcome to the Tech in 20 Minutes Podcast, where you’ll meet new tech vendors and learn how they can help your business. At Clarksys, we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven’t heard of before.
Max: [00:17] I’m Max Clark and I’m joined by Ivan Paynter, our National Cybersecurity Specialist. Hi Ivan.
Ivan: [00:22] Hey Max, how are you?
Max: [00:24] I’m excellent, good to talk to you. So, Ivan, most people think that their business isn’t a target. Is that true?
Ivan: [00:31] Oh Max, I wish that were the case. I’m just thinking about every business that I know of is absolutely a target. If you have internet within your environment, you’re a target, one way or the other. We can go down a myriad of obstacles that are there, from ransomware, you can have nation or state hackers that are going to come at you – all depending upon who you are, but absolutely every business is a target, no matter who you are.
Max: [00:59] So, beyond a firewall and antivirus software, what do you need for security today?
Ivan: [01:05] Well you know, the hard-crunchy shell is now a fallacy, it’s a myth. We first and foremost have to look at the device itself, right? One of the things that I preach the most is patching. Not necessarily a security-type measure, but I think it’s absolutely imperative that anything that has been discovered: any open port, and open piece of software, malware – no, application, it’s going to require a patch. That’s first and foremost. Beyond that, in the current environment that we’re in, a great antivirus or – what I’d prefer – an EDR, an endpoint detection and response application. That’s absolutely required. I would like to even go beyond that once we emerge from where we are now, I think that an MSSP, managed security supplier, would be truly the way to go, or even beyond that, an MDR – managed detection and response – would be a necessity. Especially in today’s environment, where you have somebody else looking at your security for you and understanding what is out there already, without you having to go to that effort yourself. When I say you, I mean the customer-base or that environment.
Max: [02:19] How does work from home change the security landscape for companies?
Ivan: [02:24] Well, you know – just kind of discuss that a little bit. The whole ‘work from home’ scenario brings us to that hard-crunchy shell, it isn’t there anymore. Yes, that’s true but now it has expanded to the suburbs, it’s expanded to apartment buildings all throughout, and we have to share that bandwidth as well. So, that massive pipe that we all thought we have is being consumed by our children as well, playing Fortnite or anything else of that nature. So, that firewall isn’t really protecting us anymore – one, right? And we’re being attacked in numerous manners, so not only are we looking at phishing attacks or attempts and things of that nature, but also now what’s hitting your home firewall, right? What are the kids downloading, or what’s in the kid’s machines that could possibly get into another device within your network, and your network now becomes the home network. So, we have to think of all those other devices. Now Max, you know I’m a bit of a nerd, so I’ve got about… just shy of a hundred different devices on my networks. Now, I say networks because I have multiple, but that being the case, any of those can be a possibility for an attack. So, with that thought in mind we have to make sure that all of those things are void of compromise. That’s very difficult to do for an administrator who’s just worried about their particular device. It’s going just from that hard-crunchy shell, that administrator now comes upon that individual to make sure that their systems are not only patched, they’re also somewhat fortified and what else is going on in the home environment is very important as well.
Max: [04:01] I mean, can people do security on their own?
Ivan: [04:03] You know, I’m going to say absolutely yes. Security comes in many different layers and many different depths. When we talk about where we are now in this current environment, we’re going to have to take a step back and slow down a little bit and start looking at some of these things and not feel like you’re being overwhelmed. You know, I don’t want you to go in and reconfigure your router or firewall and all of a sudden you’re down, but what I would like for you to do is pay attention to your devices in your home. I would like for you to maybe, if you can, look at your firewall once in a while and see what’s there. There’s a degree of security that can be done. Now, once we go beyond this I would also like to – every individual I think requires training, and it’s constant. You know, I always like to say the greatest challenge is between the keyboard and the chair. If you get rid of the individual, you shouldn’t have a problem. At the end of the day, if we all remain vigilant there, we can move beyond.
Max: [05:08] So, from an industry standpoint, we hear things like negative employment rates, and we see massive financial institutions that are going and outsourcing their security posture. From an industry standpoint, we look at a corporation, is it reasonable for a company to go about this and to do this by themselves?
Ivan: [05:24] I think you hit on the main one. I’ve been in cybersecurity for longer than I’d like to admit and there’s quite a few quotes that are out there. The one thing that people are looking for more than technology, or any type of application, is simply people. People want to tell you, “well we have AI, or ML”… Machine learning is great and I have issues with AI because it’s machine learning at the end of the day, but it’s very difficult to find a seasoned security professional, and once you do find them, to hold on to them. So, that in itself is one measure. And then the other side of that is the level of exposure that that person has to have to see everything that’s current that’s in the environment, right? When I say environment: on the internet, in the wild, wherever it might be. Personally, I’ve got to study after my work day is over just to catch up on everything that might be going on in the environment, and that takes hours of reading and focus and concentration just on my craft, because I’m not exposed to everything that goes on. So, that’s what brings us back right to a security operations centre, or SOC, or whichever you like to call it. They’re going to see, or they have a great deal more exposure – one, and then two, they’re able to keep and maintain their employee base because it’s a focus, it’s a concentration. That’s where you want to put them. So, you know – it’s just logical to have that type of environment. You have the correct people there and the correct technologies, and that all brings it together. Plus, they have that level of exposure to everything else that’s going on in the environment, which is the internet – we call that the environment.
Max: [07:05] I mean, in numbers, how big of a problem is security for companies today?
Ivan: [07:13] I don’t do numbers Max… I can guess things. You know, if you’re going to ask me that kind of question, I’m going to say it’s one hundred percent! Everybody is coming at you – look, let me tell you something. I don’t care who you are, somebody is knocking on your door, right? If it’s your firewall, your router, I don’t care what you have – somebody is attempting to get at it. Look, we’re all sitting at home right now and we’re watching our kids and schooling from home. Some of those kids somewhere are bored, and you know what they’re doing? They’ll stop playing Fortnite or whatever that game is, and they’ll say “hey, let’s see if I can get into this device,” and “let’s see if I can get into that one,” and these are little kids that are learning – or older kids that are learning – how to “discover” what’s going on around them. I think that’s phenomenal, it’s a great way to start, however it’s also a great way to create a hacker, because we have the time now to do that. So, we are all vulnerable and that’s why we have to be very diligent about what we do.
Max: [08:08] So, people think about security – banks, banks have money they have to protect. For a business that’s not a bank, what do they have that a hacker would want?
Ivan: [08:18] You know, the most important thing that’s out there is information. If you think about the information that we currently have stored, a large percentage of that data has been gleaned over the past two or three years. We just don’t delete anything, I look at my DAS, I look at my hardware space and it just keeps growing and growing and now I have farms of data and I move from one location to another because it’s cheap to store that information, and we’re not deleting it, right? Companies store information on us and we become trackable. It’s very easy to identify who we are, our fingerprint – or what I like to call ‘data hygiene’ is quite obvious over a period of time. It’s just a matter of where we go or what we do, it’s a routine. That information, we all have somewhere. There’s a great deal of it on Facebook, you see it out there, or people are posting things and using applications. So, we all have that level of information – that places us right back to HIPAA or some other compliance; CCPA, New York NYDFS, these are things that are very important, that we focus upon and companies must be aware that if they are compromised there are massive fines that they might have to pay for this. So, we want to make sure that – number one – they are secure, and number two, that they follow these compliances that are required by different legislations. If they don’t, it’s going to be a massive fine and there’s going to be a lot of companies that won’t be able to emerge from that type of fine.
Max: [09:50] So, besides not going out of business, how does security make your life better? Let’s phrase this two ways, right? How is security better for the company, and how is security better for its employees, and its customers?
Ivan: [10:05] A lot of people will tell you security is awful, and they don’t want to be bothered with it because they have to remember passwords, or they have to go to a VPN tunnel… At the end of the day, if we all look at security as something that we have to endure because everybody is connected now, let’s look at where we’re headed beyond this. We’re going to have – we have connected cities. We have connected cars, there are people driving down the highway right now that are doing crossword puzzles or reading the comics and not really paying attention to where they’re going. Yes, we’ve seen a few of them crash but at the end of the day all this is interconnected. So, we have to make sure that whatever environment we’re in is secure enough that any malware or malfeasance doesn’t occur there within and we continue to be able to use all these devices. Look, I’ve got some vacuums in my house that are Wi-Fi connected. Why? My wife has a pot – an instant pot – I’m trying not to make you laugh! She has an instant pot that’s Wi-Fi connected! My dog! You’ve got me started… My dog has a dog bowl that’s Wi-Fi connected! I travel a lot, so I need to make sure he’s fed. At the end of the day, all these things are access points. They’re great to have, but unless they’re secure they’re not going to be used correctly. What a great DDOS tool – I’ve got a Wi-Fi pot that’s sending a DDOS to some corporation somewhere! We really have to think about what we’re putting online, but I think it’s too late for that now. So, what we have to do is to make sure that we secure to the best of our abilities these devices. If we can’t do that, then we have to put it inside an environment that is secure for that. I don’t know if I answered your question, I kind of just went off there! All the connected devices I have in my house is ridiculous.
Max: [11:52] I mean, how much does this cost? Is security affordable for a business to have a reasonable posture?
Ivan: [11:58] That’s a great question Max. Security, I’d love to say it’s just expensive as hell, but it’s not! It all depends on the level that you have. Security has many layers; security is not just one thing that you put down. Oh, I’ve got antivirus, it should be a layered approach. We want to see what you have and make sure that you understand where the family tools are. Where is my secret sauce? Make sure that’s covered, right? Then, where are the access points to that? Is security expensive, it’s going to be very expensive if you don’t have it, right? So, let’s look at insurance. You can’t drive your car – or maybe now you can – without insurance, you’ll be pulled over. But shortly, when we come out of this event that we’re in right now, we’re going to go back to, “you don’t have insurance on your car, you can’t drive.” Well, I’ve never had an accident! “Doesn’t matter, you’re not getting on the road without it.” Security should be viewed in the same exact manner. It is absolutely insurance, and I know you’re probably going to go, “well, there’s cybersecurity insurance out.” But you know what that is? That’s an after the fact type scenario. We’re really trying to be as proactive as possible, because the bad guys are out there, and they want your information. They also want to make money, and that’s going to lead us into ransomware.
Max: [13:16] So, let’s talk about ransomware. What is ransomware and what happens?
Ivan: [13:20] Ransomware is how hackers finally went from “look how good I am on the internet, I can do a DDoS attack or break in to somebody’s server,” to “hey, show me the money,” right? And when you put funds behind anything it becomes something that is very easy to do. So, my focus is security as a service, right? Managed security services. Well, now you can do hacking as a service. So, at the end of the day, ransomware is just a matter of monetization of malware, right? The hackers are getting paid and if you want access to your devices, you’re going to have to pay them. Now, there are two types of ransomware. Ransomware is just a matter of your device or the data contained within your device has been locked down or you have been locked out. In order to get back in, please pay me in bitcoins, whatever the x amount is. Unfortunately, some of us or some people have been paying this – I would highly suggest that we don’t pay the ‘fine’, you contact the FBI. There are ways around it, but prior to that we need to have that mentality that this is a possibility that can occur. Let’s make sure we have a great back-up plan, right? So, you want to get the BCDR in there. Let’s make sure that – what we call business continuity, or however you want to lay it out, but that’s part of what I consider a willful destruction. You’ve got to be prepared for the inevitable, because it’s going to happen. It’s not a matter of if but when.
Max: [14:57] Ivan, thank you very much. Always a pleasure.
Ivan: [15:02] Thank you Max, that’s a pleasure as well, and most importantly, stay secure!
OUTRO: [15:09] Thanks for joining the Tech in 20 Minutes podcast. At Clarksys we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven’t heard of before. We can help you buy the right tech for your business, visit us at Clarksys.com to schedule an intro call.