it looks like password managers may no longer be an option.

I hate to say, I told you so, but.

But that's got to the point of this episode.

We look first at the latest ransomware report from Veeam and there's some great

lessons and some scary lessons there.

And then also we talk about what cyber insurance companies are up to and

what that means for password managers.

I know you're going to enjoy this episode.

hi, and welcome to Backup Central's Restore all podcast

Army host w Curtis Preston, a k a, Mr.

Backup.

And I have with me and my heatstroke counselor Prasanna

Malaiyandi how's it going?

Prasanna Malaiyandi?

I'm doing well Curtis, and I'm glad we're able to

record this video instead of you being stuck in a hospital or worse.

So there is that

Yeah.

You know, it's funny.

Um, that was not a smart move on my part, the event to which I'm referring, uh, so

this was, what was this, two days ago?

Sunday.

Yeah, yeah.

Two days ago.

Today I decided to go for a walk.

You know, I'm, I'm, I'm by myself right now.

The, the.

The last batch of the kids have moved out.

My wife's down in San Diego with her mom at the moment, and so I was like,

I'm gonna go for a walk on the beach.

I'm gonna bring a a towel to like lay down on, but I'm not gonna

bring any water and I'm not gonna like plan how far I'm gonna walk.

I'm not gonna bring a hat.

I'm not gonna bring a hat.

With my bald spot back there, not gonna bring a hat and I'm just gonna

walk one direction and I'm gonna keep walking until I feel like turning

around and then I'll walk back.

Uh, it didn't go well and I was, I was, uh, I, you know, depending

on which, which website you looked at, I was somewhere between.

Heat exhaustion and heat stroke.

'cause I did have like, spotted, spotted, that's not worth spotted modeled.

That was a mixture of modeled and spotted skin.

Um, uh, and uh, I wasn't sweating that much.

I was kind of dry.

That's the sign, that's the true sign of, of heatstroke is

if you're no longer sweating.

Oh really?

yeah, yeah.

If you're not, if your, if your skin is dry, um,

That means you have no moisture,

You have no moisture left.

Your body has done everything it could to save you and it's given up.

Um, or it has no, it has no moisture left to use.

Um,

I don't think I was

you should

I was, go ahead.

go ahead.

Well, I was just saying I don't think I was quite

there, but I was, I was definitely approaching that when I approached

the lifeguard tower and I said, I'm gonna borrow some of your shade.

And he's like, what?

And I'm like, I'm gonna lay down right over here.

He's like, are you okay?

And I'm like, I don't think so.

Um, and I'm like, I was like, I think I over exerted myself.

And then I laid down underneath the sun, well, underneath the shade.

And uh, that's when I called you.

'cause I was a little, I was a little freaked out.

I was like,

you were fine though.

Like you weren't super delirious, which is

yeah.

So I wasn't, I think your exact words were, I was no weirder than normal.

Yeah, exactly.

But it also says, right, if that walk sort of you got to the point

of dry skin, you're probably not drinking enough fluids during the day.

Curtis,

Um, you know, is beer a fluid?

Beer is,

no, it wasn't.

It wasn't, it wasn't that.

It wasn't that.

I just, I just, the thing is when I go for walks with my wife, right?

She's the one who's like, make sure you bring your hat.

Let's make sure we get some water.

And, and she wasn't here.

And so I just went out like a, like a

but, but how long have you and your wife been married?

30 coming up on 35 years.

Okay.

And you don't have her voice in your head at this point.

35 years later being

I do, I do, trust me.

But you know, when it came, you know, when it came in, And this

time was when I got, once I got too hot, that's when the voice came in.

It was like, why didn't you bring water?

Why didn't you bring that, why didn't you bring that?

Uh, yeah.

So, well, thanks for being there.

Prasanna.

When I FaceTimed you, did you notice, did you notice that it was,

you were like, why is he FaceTiming

me?

'cause I don't normally FaceTime you.

yeah.

No, that's why I

I was

lying flat on the beach and I was like, Uh,

am I guess where I'm at?

Yeah.

Guess?

That's right.

Guess where I'm at?

Yeah.

I, I, and so here's the other thing I think our listeners

would appreciate or find funny is, so you brought not one towel, but two towels,

and yet you ended up just sitting on the sand without laying out any towels.

That again, shows you the level of exhaustion

that I had because I, I had those towel, I had like a big towel.

I.

And then like a regular towel and I just plopped them down on the sand

and then I plopped down on the sand and then I climbed into my brand new

Tesla with sand all over my body.

Needing to,

Did you at least have water in the car or no?

no, I had to drive.

And where I was at, I had to drive away to get to water.

'cause I was at a state park and there weren't any like vending

machines in the state park.

And I had to drive, uh, like I had to drive away.

I did stop at the first rest area that had, that had water, and I

got a water and a, and a Gatorade.

Um, and then I was functional.

I did use the, uh, the Tesla's feature of turning on the air

conditioning before I got to the car.

I was like, I want this to be nice and cool when I get there.

But anyway.

So, thanks for being there for

me,

glad you survived, and I'm glad we're able to continue

bringing awesome content to our listeners.

You're glad that me and the podcast aren't dead.

Um, yeah.

So, um, so we're gonna, we're gonna talk this, I, I called the, you know, when

I, when I, when you, when you, when I said this to you, you were like, what?

But this is, I think this is an I told you so episode.

Because we, you know, we were looking in, um, just looking in cybersecurity

news, backup, security news, and you found a couple of articles.

I found a couple of articles and they kind of all point to the same thing.

And that is that we were right.

We've been trying to tell people to do some stuff, to take care of some things.

You know, once again, um, you know, we have, we have the fo

we have a, a couple things here.

One is this, uh, 2023 Global Report of Ransomware, ransomware Trends.

That's a tongue twister.

Ransomware

Hmm.

trends, um, which comes from the Data Protection

Trends report from 2023 from Veeam.

Um, our friends over there at Veeam.

Then also, um, you know, an interesting story from, uh, where

was that regarding the strengthening passwords from bleeping computer?

Um, about the value, about an interesting, I'm, I'm gonna say

unexpected value of password managers.

Um, yeah.

Uh, which one do you think we should start with?

You wanna start with the ransomware trends?

Let's talk about the ransomware trends.

Yeah.

Um, and you can get this report yourself.

Uh, just Google the data Protection Trends report from Veeam.

Uh, and they have a, they have a lot of, um, it's a lot of

really interesting things here.

Um, the, I, I think the biggest number that pops out here, I mean,

these are always interesting.

I think I know when.

When, uh, when I used to work at Druva, we would do a similar report.

Uh, and I know that a couple years ago the number we used was, it was around 50% of

people that, um, suffered a cybersecurity attack in the previous year, and their

number is significantly higher than that.

By the way, I'll, I'll remind, uh, reminded me to do our disclaimer.

Um, you and I work for different companies.

Uh, and um, although technically at this exact moment you work for company

and I'm waiting to work for a company, um, but, um, and, uh, but we're not

representing the companies you work for.

We we're, we're independent as an in independent podcast and, uh, you

know, the opinions that you here, our ours, And, uh, things like password

managers are good, they may or may, may or may not represent our employers.

And, uh, please rate us.

Also, go to your favorite, uh, pod catcher and, uh, push the rate button.

Give us some stars, give us some comments.

We'd love the comments.

And, uh, also if you'd like to join the conversation, reach out to

me, uh, at WC Preston on Twitter.

I am w Curtis Preston.

On

threads.

Um, I wish them the best.

And, uh, I am w curtisPreston@gmailandlinkedin.com

slash in slash mr.

Backup.

If you can't find me via one of those, I don't know what to

tell you, uh, then reach out.

Uh, then you have to reach out to Prasanna.

So let's go back to this, this report.

So they're saying that that in this survey, that 85% of organizations

suffered at least one cyber attack in the preceding 12 months.

An increase they were saying from 76% in the prior year.

And you know, and we saw, and I think I saw a number of companies that the year

before that the number was closer to 50%.

So they're saying like, 85%.

I mean, that's, that's darn near a hundred.

Uh, what do you think about that?

Yeah, no, it's, I'm, so here's the thing,

I'm not surprised because normally you don't hear about things.

I think it also is, Organizations are always constantly being attacked, right?

And I think it's just the severity of the attack is what could also matter.

So I think that's where, although this one is specifically ransomware threat, right?

I.

Yeah.

Yeah.

So, so what I would, I, I'm, I'm having to extrapolate because I remember what we,

the number that we used was that it was 50% of the companies had been successfully

targeted by a ransomware attack.

I, I'm assuming they must mean that here they don't say the successful.

Um, part, but they're saying they suffered at least one ransomware attack.

They must mean successful because if it's, if it's not successful, you

know, it's not, it's not ransomware.

I mean, you know, there, there has to be a ransom demand.

Right.

well, and I also wonder if it's specifically like

they mentioned, sorry, just reading through the words, right, they're

mentioning just an attack, right.

And I don't know if that's like a cybersecurity incident versus

necessarily ransomware itself.

Well, they actually used the word ransomware.

Okay.

It, it said, suffered at least one ransomware attack in 2022.

Okay, well yeah, that's the end.

You're right.

That it could be a matter of yes.

They probably, it may have been thwarted, right, and they were not successful.

But my guess is a good chunk of that is probably successful attacks, right?

Mm-hmm.

Yeah, I, um, that, I mean that, but, but that's, that's huge.

I mean, that's basically almost everybody, right?

85%.

Uh, that's basically like, like I said, it's basically almost everybody.

Which is why I think, you know, there's a second statistic, which,

um, which is also interesting that 60% of organizations felt they need

a significant or complete overhaul between their backup and cyber teams.

Um,

Oh yeah, we've talked about that so many

times on the podcast when we've had guests on the podcast, right?

Where they're like, yeah, these teams just need to talk more to each other

because they are kind of dependent on each other and sort of are what

the organization business relies on when things go up in smoke, right?

Right, right.

Um, this was interesting here.

Um, most common element of an incident response playbook is a good backup.

Well, duh, right.

Um, they put, uh, backup copies, you know, clean backup copies, and also

backup verification, which is something that, um, you know, Veeam is probably

emphasizing because they were one of the first companies to offer that

as a, as a part of their product.

I'm reading an article in Info Security magazine

published back in May by Kevin, I cannot spell your last name, I'm sorry.

It starts with a p, um, that he published called Backup Repositories,

targeted 93% of Ransomware Attacks.

And that was actually the stat I was gonna bring up, which is, yeah,

they are targeting, and we've talked about this, right, Curtis, that.

Threat actors realize that backups contain the ability for

organizations to recover their data.

And so it's a good point to not only destroy those backups, so a

company is more likely to pay the ransomware, but it's also an amazing

place to exfiltrate data from, right?

All, everything in the organization is stored centrally.

You don't need to go attack individual systems with different security levels

and different security mechanisms, right?

If you can attack the backup system and get in, then you now have access

to all the data that's in there.

So one of the things that they also talk about is sort of everyone thinks that, oh,

I'll pay the ransom and that's what the people want, and I'll get my data back.

And I know we've had Tony from Spectra come on, and there's a huge business

around cyber insurance, right?

Where it's like, Hey, we will protect you or help.

You pay off the ransom, right?

Uh, you give us premiums, we'll help you just like any other car

insurance, house insurance, et cetera.

Right?

Um, and so 77% of ransoms were actually paid by insurance, but that it is

becoming harder and more expensive.

Right.

And I know Curtis, I just shared an article with you as well about sort of

how there's potential and bleeding over in the bleeping computer article, right.

About how.

You can try to lower your cyber insurance premiums by having stronger passwords.

Yeah, you're, you're bleeding into our second part, dude.

I know, but this was like a perfect opportunity, right, because

we're talking about cyber insurance.

Yeah, yeah, yeah, yeah.

The, um, yeah, I, you know, they showed, a bunch of people saw increased premiums.

They saw increased deductibles, and they saw benefits being reduced.

Uh, I think the bigger news here was that, um, was that even though

people paid the ransom, they didn't necessarily recover their data.

Right.

Um, they, uh, said one fourth of them.

Of of those that, that couldn't pay, that that paid the ransoms,

still didn't get their data back.

Um, yeah.

You know, they got this phrase in there.

Okay.

This is a big one.

Uh, And this, this is, this is the biggest I told you so of what I was talking about.

Cyber villains were able to affect the backup repositories

in 75% of the attacks, right?

So yeah.

So bad actors targeted the backup repositories at 93% of

the attacks, nearly identical.

94% of the repositories that were targeted in 2021.

Um, They said that some, most, or all of the repositories were affected.

Um, the, I mean, this is the most, this is the thing I've been, you know,

trying to warn people about, right.

Um, that you need to put different, uh, layers of protection

on your backup repository.

And, and this'll, this'll sound, you know, however it sounds, I, I

think this is even more so true.

I.

If you are running a Windows based, uh, backup product, right?

Um, yeah, that's my Linux bigotry showing through.

But it's, it is just a matter of statistics, right?

Uh, and by the way, they are now going after VMware.

They're going after Linux.

It's not pure, but Windows is still the, the number one target for, for ransomware.

And, uh, I think that the, the best solution this for the Veeam

customers, um, you know, and this will be a straight up plug.

But I, I do believe this strongly, this new product called Blocky for

Veeam, um, to me it's a silver bullet.

You know, we don't often see a silver bullet in the, the backup world.

Um, and, uh, but basically what it is, is the file system driver, uh, That

won't allow anything but Veeam itself to read and write from the backups.

And so, um, this would significantly hard, I think it would make the, the,

the Windows Veeam repository as hard, if not harder, than the Linux-based

hardened repository that they offer.

And I think that the advantage that this has is, I think a lot of, would you agree?

Well, I'm, I dunno if we have data to back this up, but I, but I, it's

one of those things of like, I don't know this for a fact, but I'm pretty

sure that the majority of Veeam customers are very Windows centric.

Would you think that that's,

if not

probab,

only away?

yeah, I would probably agree with that.

it's just an additional hurdle you're putting for the threat actors.

Right.

And so if it becomes more difficult, they're just gonna skip it and

move on to something else, right?

So it's additional protection.

Yeah, the, the thing I think, um, the, the big thing I, the

reason why I was asking about the Windows based, um, the, uh, the Windows based

question is that if you are a Windows centric shop and you don't really have

any Linux systems at, you know, creating a Linux hardened repository as your

only, uh, Linux system, I don't think is a good idea that, uh, Um, because

it will get, it will not be properly administered from a security perspective.

What were you

I was, I I was just thinking in my head, it's like asking,

uh, uh, a receptionist to do heart surgery on a patient at a hospital.

Yeah, uh,

Right?

It's it going back to the skillset, right?

Someone who's an expert at administering windows, when you're like, Hey,

I need to deploy a Linux system, or pick whatever other oss right?

There is some level of proficiency required in order

to secure it in the proper ways.

Yes, you could read best practices, but it's not the same

as doing it day in, day out.

Well, yeah.

And, and Veeam does a good job of giving you instructions to, to

create the Linux repository, but that's not the end of the story.

Right?

You need, there's patch management.

Patch management.

Patch management.

Right.

So this is why I think if, if you're a Windows only shop if you don't have very

many Linux servers, then I think it's a bad idea to add one for security reasons.

I think it's actually.

A good reason not to add one.

And so that's why this gives you that immutability aspect

on your Windows server.

Um, and, um, and yeah, they, we, you know, they, they are, they are a partner.

If you go over there and go to blockyforveeam.com/mrbackup for Mr.

Backup, um, they do have a discount.

I think you get like, um, half off the first server or something.

I don't remember exactly what the discount is.

Um, and yes, we would help support the show.

Um, but anyway, yeah, I, I think that's a really good idea to do.

And, but this idea of it just kills me that, that the cyber villains are

able to affect the backups, right?

and they've gotten smart, right?

They realize that's where a bunch of data sits.

That's how people recover.

So why not take it out first?

Yeah, exactly.

You wanna talk about the next, uh, This

Yeah.

So the next one is, Yeah, the time to recover.

I think most people think, oh, by the way, I know how long it takes me to recover.

Say when an application fails.

But to recover from these attacks, you're not just recovering like it actually

says it takes at least three weeks to recover from each attack after the triage.

Right.

And that's the hard part.

It's you need to figure out what happened when it happened,

what servers were impacted.

You might need to set up an isolated environment.

Right then you need to potentially bring in new servers or re uh, re-image them.

Start doing your restores, make sure everything's back up and running.

You have to worry about the order in which you do it, because remember,

they're not just affecting a single application where you're like,

oh, my Oracle application failed.

Let me figure out how to bring it back up.

This is across your entire environment.

So even things that you would've assumed, like.

Active directory being available or other things like that, just

even get started, don't exist.

And so you're basically bootstrapping your company from scratch.

And so I would say three weeks, it might be a conservative estimate

for some companies, depending on if they've done this exercise before.

Yeah, they, they make a point of saying that this is

three weeks to recover after triage.

Right?

And, and triage is gonna be that phase that, uh, again, remember Tony said that

he told, he said that it took them two to three weeks to, to triage, just to figure

out, um, you know, which servers have been affected, which backup policies are good.

Uh, you know, et cetera.

And then, and then it takes three weeks to recover.

So, uh, to me, that, that whole thing that pushes you to the front end of the

problem, right, of, of doing what you can to avoid the attack in the first place.

Because if you do get the attack, you know, even if you have a decent backup

system, it's going to take you quite a long time to, um, you know, to recover.

Yeah.

Yeah.

And I, I don't know if they would talk about this, I don't think that they

talk about this in the, uh, report.

But one of the things also that I know some of the other cybersecurity experts

we've had, guests we've had on the podcast that they mention is, once you've

been hit right, people are gonna try hitting you again and again and again.

Right?

So, It's then, this is not even just about like while you're in the process,

I know they talk later about risks of reinfection and other things like that,

but this is just once you're a known target and people are out there who know

about it, they're gonna try to exploit you again and again and again, right?

Which isn't even covered in this.

Like, so each time you get this attack, right, it's three weeks plus triage time.

Just imagine constantly, it's like, Hey, open season, come attack me.

Right?

Yeah.

Um.

The, uh, I like, I like the, you know, the, the numbers they had about using,

you know, that 80, they're saying 82% used, uh, some sort of immutable cloud

offering either a service or using, uh, cloud storage in a hyperscaler, uh,

which I think, um, and they also put that 14%, uh, that tape still mattered.

Does that warm your heart, Curtis?

it warms my, warms my little tape heart.

Um, You know, I mean, tape, tape has a lot of things going against it, but, um,

immutability isn't one of them, right?

The, the, the, the, the ability to take that tape out and set it on a

shelf and make it making it immune to any kind of cyber attack, um, until we

get to robot managed tape libraries.

And by that I mean like, like ai, like actual robots, right?

Not, you know, not, not a tape robot.

This would be a tape robot.

but you know what I'm trying to say.

Right?

Like,

and then at some point someone's gonna be,

tapes around.

yeah.

And then at some point someone is probably gonna be a prompt, a

malicious, prompt engineer who injects bad data into the model such that now

even that's not safe, just saying.

can only, we can only, we can only, um, um,

Do so

only do so much.

Um.

This, this, this last one or this stat?

I, I I was confused.

Um,

The 56% run.

No, this was 71% would recover to a cloud.

81% would use the data center.

I'm very confused by that headline.

Um, the, it, it must be one of these where obviously it's more

than more than a hundred percent.

Well, you're asking two separate questions

rather than an this or that.

Oh, is that what it is?

Okay.

so.

Um, so 19% only plan to recover to a cloud.

29% only plan to recover to on-prem servers.

And 52% have plans that include both cloud and on-prem recovery.

I think they added those two numbers together or something

to, uh, to come up with that.

Um,

I think that makes sense, right?

I think you need to have options because you don't know what this blast radius is.

For some of, like for the attack, and it might be better, right?

Rather than trying to move an entire workload to the cloud to recover, right?

Maybe you do have the gear to just spin it up locally and

that just makes life easier.

Versus maybe it's a full data center outage caused by ransomware attack where

no, you have no other choice because you can't get the equipment in time, right?

So spin it up wherever you can.

yeah.

That's why I'm such a fan of the cloud for DR.

And Cyber Recoveries, right?

Is that, you know, when you, when you do a, a, a disaster recovery or you do a, a

cyber recovery, What you need is a whole bunch of hardware right now, and you don't

want to pay it until you need it, right?

Um, and, and I, the only way I know to do that is the cloud, right?

Why are you, why are you nodding, nodding your head back and forth?

So while I agree with that, I think when you

get to a certain scale, remember the cloud isn't something magical.

It is still someone

magic Prasanna.

I know, I know.

But I'm just caveating it.

That says, even though the cloud allows you to spin up those resources

quickly, you, depending on how large environment is, it may not actually

be feasible to spin it up in a cloud.

Right?

They just may not have the free capacity.

I think that the number of companies that cannot

do that are relatively small.

I agree, but I'm just saying

are correct.

I.

Um, if any of those companies are listening to this podcast,

we would love to hear from you.

I would love to hear how you are doing Dr.

Uh, without the cloud.

And, and it's probably the answer is, you know, it's a warm site or a hot site or

a significantly long r t o, um, and um, They have more money than than Amazon.

We used to say more money than God.

Now I just say more money than Amazon, um, or Apple.

More money than Apple.

Um, so let's move on to the, to this, this the password manager thing.

This I think was the coolest headline ever.

And, you know, and, and honestly they, the headline actually downplays it somewhat.

Strengthening password security may lower cyber insurance premiums.

I would put it like this, want lower cyber insurance premiums,

get a damn password manager.

That's the, that's the way I would put it.

They put in here, um, I.

So this was the, this was the, the, the biggest thing here.

Spec ops research shows that an analysis of 800 million breach passwords,

that's a lot of breach passwords.

83% of compromised passwords satisfied the password length and

complexity requirements of regulatory password standard standards.

Still not good

So yeah, not good enough, right?

Um, And that that's both length and, um,

complexity.

Right,

Yep.

right.

All that stuff.

Right.

So, um, the, uh, but what they're saying is that if, if you can prove

that you have a password manager and m f a, you get a significant reduction

in your cyber insurance coverage.

Yeah, and I think this goes back to right,

cyber insurers aren't idiots, right?

They're there to make money.

They're not gonna insure someone, right?

Unless they meet a certain bar where they know, yes, things are good.

You're doing all the right precautions, right?

That it's not highly likely that some idiotic situation is

gonna cause you to be preached,

Right.

Yeah.

Yeah.

I, I think, I think that when we go back to the beginning of the,

Of the cyber insurance world.

The, the insurers were definitely caught flatfooted with, um, with

the explosion of ransomware.

And they are now triaging that.

And they're basically saying, Hey, when, when you renew, uh, one of

the first things they're saying is we're excluding ransomware.

Um, and, but now what they're saying, uh, this is, this is what

I'm hearing, an all too common.

Statement.

And this is just another article that's backing that up.

And that is that if you don't, if you can't prove to your insurance company that

you don't have good password management and M f A, uh, basically that's not

the only things, but those are the, I'd say that's the one and the two.

Uh, the other one being patch management.

If you don't, uh, if you can't prove that you have, that, you might not be

able to get cyber insurance, period.

Uh, and then number two, that if you can prove it and you can prove that

not only do you have, let's say, a good password management policy, you

have an automated password management system, and you have a way to ensure

that people don't use old passwords and people don't repeat passwords.

'cause by the way, a password manager won't necessarily do that.

Right?

It, it will, it will.

I know this for a fact 'cause I've put Right, I, you know, because

every once in a while I'll be like, I don't have time for this right now.

I'm gonna, I'm just gonna do a quick password.

Um, and um, uh, and I store that on my password manager.

And my password manager will tell me later, Hey, you shouldn't have done

that, but it's not gonna enforce that.

Now, that may be the case in a corporate password manager.

They may be able, they may be able to, may able to put policies in place that don't

allow you to repeat passwords, because that's one of the things that I saw,

ah, in one of the articles we looked at.

Yeah.

Was that the hackers are increasingly becoming more interested

in, they, they don't need to hack your passwords when they know that one of the

passwords has already been compromised.

And so the, the really common thing to do is to reuse that

password in a bunch of places.

And, um, They don't have to hack your password, they just have to steal it

from some other place and then try that password, uh, and then poof they're in.

Especially if you don't have what Prasanna

M F A.

M f a Exactly.

M f a is your friend, man.

I dunno why I started sound like the dude from the Big, big Lebowski there.

Yes.

Um, yeah.

I mean, again, I will, I will put, I will.

I will stand here and say, stand here.

Sit here.

I will sit here and say I was a late comer to M f A.

Right?

I, but I eventually said, I'm gonna do this for anything that matters, right?

Um, I'm gonna have a unique password and I'm gonna use m f A.

And then I, and now I get upset when something that matters

doesn't have real M f a.

Yeah.

what was I logging into?

Where real is defined as non email non S M S M F A.

exactly, exactly.

Uh, I was logging into a financial thing.

I won't say what, what it was for obvious reasons, but I was logging into

a financial organization and the only M f A they offer is SS m s, and I was

like, That just makes me angry, right.

So, yeah, so I've gone, I've gone from being, um, you know, uh, a latecomer

to being a staunch proponent, so password managers and M F a password

managers and M f A and um, pass or, uh, patch management, right?

Um, for all the things including your backup server.

Including your backup server?

I don't know.

I don't know how, how many times.

I gotta say, put your backup server.

I, I think it should be at the front of the line.

Um, because it's your last line of defense.

Right.

But it's never there.

But it's just never there.

Just, just make sure it's in the line and make sure that the

line doesn't take three months.

Right.

The line's, the line to line, you know, uh, a, a big critical, like

all patches are not created equal.

Right.

yeah,

You have an

example of a patch that like matters more?

uh, Like, uh, like uh, remote code execution

Yeah.

Like

for a system that's on the internet, facing is

probably a lot more important than say something for a small that is sort of

a potential exploit that can only be uncovered if you have physical access

to a system with the memory dump.

Right.

Yeah.

I, I, um, I, I would, yeah, I, you know, it's like here, you know,

here are the top 10 things, right?

One of the, one of the top 10 things I think would be review those

systems that are directly accessibly.

Via the internet and ask yourself, do they need to be right?

Uh, number one.

And then number two is, um, block outgoing internet access except on required

ports, uh, one of which will be port 80.

And then go and block, um, the, um, the, the known like data sharing sites.

Um, you know, like the, the obvious one is like, like Dropbox and things

like that, but there are other more nefarious sites that literally just

share all sorts of malware and whatnot.

Yeah.

Yeah.

That stuff, yeah.

Block all those sites on port 80.

Uh, and then, and then anything else, uh, should be like outgoing from your

server to the wild, wild internet.

Should be blocked until you'd ha have a reason otherwise.

Right.

Backup ports might be an example of something that you open

up, but only like explicitly.

Right.

Uh, to certain places, not to every place.

'cause that also could be used for data exfiltration.

Data exfiltration.

Anyway.

Yeah, we told you so.

Right?

All these reports are just confirming the stuff that we've been saying,

and so we hope that you're listening.

Uh, if this is your first time listening to the show, we've got

other episodes, don't we, Prasanna

Oh yeah, just a quite a, just a couple.

Not many.

just a couple, uh, just a few hundred out there.

Uh, be sure to, um, check out the, you know, the back catalog.

Uh, just listen to us, uh, you know, on Apple Podcasts or whatever, you know,

whatever podcast, uh, podcaster you happen to listen to or go to Backup Central and

you can watch video versions and you can

You could see us,

Yeah.

Um, and, um,

you could see my beard grow in

You can see, you can see the beard grow

in real time if you go back.

So it's what, three years now, right?

It's been over three years.

over three years.

Yeah.

Did we have video that whole time though?

I'm not sure if we have it for that whole time.

oh.

I don't know how long.

Back goes.

Yeah.

Yeah.

You could go back to when Prasanna had a normal sized beard and hair.

Um, yeah.

They don't, they can't quite see the length of your ponytail though,

Yeah, they

it's, yeah,

It's it's way down there.

Yeah.

Um, and you wear a black shirt and that can, that concealing it today, but,

um, you're gonna have to, you're gonna have to start switching

to a gray shirt, but I'm

Thanks Curtis.

You're welcome.

there.

Yeah.

Hey, you know what?

I owned, I owned up to it a long time ago.

Yeah.

I remember it was a few years ago when my daughter looked at my license and

she's like, what did we say Brown?

Because the license has Brown on there and she's like, really?

Really?

I'm like, ouch.

Anyway, well, uh, thanks for listening folks, and be sure to subscribe