W. Curtis Preston: Welcome to the backup.

Wrap up your go-to podcast for all things backup recovery and cyber recovery.

I.

In this latest episode of our series on ransomware, we're

tackling a critical aspect of cybersecurity, the IT security audit.

We'll explore why they are essential, what they entail, and the things that

you could implement in your environment to actually do well in such an audit.

We talk about user education, application white listing, a

whole bunch of other things.

Key elements that make up a comprehensive IT security strategy stick around

as we unpack the ins and outs of it, security audits, and equip you

with the knowledge that you need.

If you are not familiar with me, I am w Curtis Preston, AKA, Mr.

Backup.

And I've been doing this for over 30 years.

Well, not the podcast, of course, but backups.

Ever since, I had to tell my boss that we had no backups of a

production database that we had lost.

I got this passion.

I don't want that to happen to you, and that's why I do things like this.

On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.

This is the backup wrap up..

To the show.

Before we continue, can I ask you to click to subscribe or follow button so

that you'll always get our great content?

Thanks.

Hi, I'm w Curtis Preston, AKA, Mr.

Backup, and with me as always is my secret assistant conspire persona.

Molly, how's it going?

Persona?

I am doing well, Curtis.

Yeah.

So, uh, what can I assist with?

W. Curtis Preston: No.

No, no.

No, you, you're, you're conspiring with me regarding my secret assistant.

Oh, yes.

Yes.

Your, well, I am assisting with your secret assistant.

Yes.

W. Curtis Preston: Yeah.

Uh, did you know, did you know that he was secret?

Did you know that?

I haven't told my wife.

Oh, geez.

Don't put me in that spot because you know that if,

W. Curtis Preston: I haven't told my wife that I have a.

It, it could just say that it's, uh, the Easter

bunny came over and everything went poof and cleaned itself up,

W. Curtis Preston: somehow magically I got a lot more done around the house

than I, than I would normally get done.

yeah.

Or it could be like those one 800 junk commercials.

You point, we, we take it a bit away.

We make it

W. Curtis Preston: Yeah, it's, it's kind of like that.

Yeah.

I, I've hired a guy who's helping me get some stuff done around the house

because I just can't get it all done.

Um, 'cause you know, me, I'm a, I'm a very, like, I like to do things myself

that's why I was very surprised.

W. Curtis Preston: Um, and, uh, but.

I just, you know, I've been so busy with, you know, with the new job

and the podcast and all the diff all the stuff that I've been doing to

make the podcast, uh, you know, to grow the podcast and all that stuff.

And, um,

Prasanna Malaiyandi: Well, it's just excuses,

W. Curtis Preston: building, building up.

Well, I think it's also excuses because if it

was something you enjoy doing, you know, you would go do it

W. Curtis Preston: I would find time.

yes.

But because this is cleaning stuff up and other tasks which are low on your

priority list and don't bring you joy.

W. Curtis Preston: They don't bring me joy.

The result brings me joy, but the actual activity does not bring me joy.

So I,

me and the last like four weeks I've been weeding outside and

although it's not awful, it's like very

W. Curtis Preston: how weeding can take you four weeks.

Well, I do little bits at a time, like I'm out there for

like, like they're like, I'm sitting there picking each individual weed.

Curtis.

W. Curtis Preston: I, uh, I don't know.

I don't know how that works.

You need to get a guy, you need to get a weed guy.

Yeah.

My wife tells me I need to, we should get a person to clean.

I'm like, uh, it's okay.

It gets me out in the sun and now, like last weekend, we sat outside,

enjoyed the back yard because then you enjoy it even more because you didn't.

W. Curtis Preston: Right, right.

Well.

We're gonna talk about, we're gonna talk about nothing like that.

Uh, this week we're gonna talk about securing your IT environment, and

specifically this is in support of, uh, stopping ransomware.

Uh, and, and, you know, and cyber attacks, right?

This continues on from our previous episode where we talked about the

three things that I think like absolutely everybody has to do.

Um, you know, that, that you just absolutely cannot get by,

would doing or without doing.

And what were those,

Patching password management and MFA.

W. Curtis Preston: yeah, we throw

Woo hoo.

W. Curtis Preston: there a lot, right?

I go back and think.

I was like, what did we talk about?

W. Curtis Preston: Well, the good news is we talk about those three a lot, right?

Um, and the, I've been, you know, I've been working with my new,

uh, co-author of my upcoming book.

I.

I don't know if we're public about that yet, so I won't use his

name, but I have a coauthor from my upcoming book on ransomware.

I've been talking to him about that.

And we've been talking about a lot of the things that people

need to be do, that people need to do to secure their environments.

And um, so one of the first things that I wanted to talk about is, you know, I

dunno, you've ever heard this thing that this, um, like, we get a lot more done.

You know, if there weren't so many customers, right, and it, we, you

know, it'd be so many, so much fewer.

So, so, uh, how do I put this?

Uh, there'd be so fewer problems.

There'd be fewer problems.

Why?

Why isn't this coming out in English?

There would be,

there would be more time to do stuff with,

less with people doing dumb stuff if people didn't do dumb stuff.

W. Curtis Preston: I was just trying to say something funny.

It's just not coming out right.

Anyway, so what would you say is the number one security

risk in every environment?

Every IT environment.

Oh, this is obvious, Curtis.

W. Curtis Preston: What's that?

It's the users.

People, humans.

The humans.

W. Curtis Preston: is.

It is the human.

It is the human, by the way.

Do you

I do have a question

W. Curtis Preston: sure.

with chat, GPT and hallucinations, do you

think that now becomes an issue?

W. Curtis Preston: I am not prepared to discuss that at this time.

Um, no comment.

So the, the, um,

I was,

So, so I, I, I like your, uh, users being the

problem because I know in backups, right, if we think about that right.

W. Curtis Preston: right?

A lot of your restore scenarios are

because people did dumb stuff.

Right.

I think you've made, you've had the story about someone

accidentally deleting a file server.

W. Curtis Preston: Yeah, absolutely.

And, and the thing is, as we have made it systems more resilient, right?

You have to realize that when I started it, we didn't have raid, right?

So we had mission critical servers running on individual hard drives, right?

We didn't really have highly available systems, et cetera.

Not, at least not in the open systems world, I think they

did in the mainframe side.

But, um, so as we've made, especially storage systems more resilient,

the percentage of time that we have to, you know, that the, that the

problem is the user is like 95%

Yeah,

W. Curtis Preston: right?

That's in backups and is definitely the case in security.

What's that?

With great power comes great responsibility.

W. Curtis Preston: Yeah, absolutely.

Um, by the way, did you ever think about the fact that there's only two

industries in the world of which I'm aware that refer their customers as users?

Um, I'm gonna say the, the IT industry

and also the drug trade.

W. Curtis Preston: Yeah, exactly.

Oh, just, you know, something funny there.

So why are we talking about users?

Because the, I would say one of the best things that you can do to help secure

your environment is to educate your users, your customers, the people inside

your environment that are using your, um, you know, all of your IT systems and

what, what, what does that look like?

So there are different things you could do for.

Training, right?

You could have mandatory training when they join the company, periodic

updates like, Hey, here are security policies, and I'm sure everyone has

like those little cheesy videos that go on on the screen, like with the

little cartoon animations being like, Hey, here's this phishing email.

Please click all the things that rely on phishing and why it's bad, right?

So you have this sort of training that can happen.

You also have the ones.

Which are more testing you.

So some, uh, software packages have the ability to send out phishing emails to

test your users and say, Hey, by the way, are you clicking on something?

And if you did click on an email, maybe you need some additional training.

Right.

W. Curtis Preston: Yeah, exactly.

Uh, so let's talk about those two.

Those are two very different things.

So the first thing I do like, um, what I think you should be doing

is very periodic, obviously some.

New employee training for sure, because you have no idea what they've seen before.

And then I do think that it should be something, uh, I like the idea of

quarterly, um, you know, quarterly, just a little bit, something that's

not gonna take forever, and you're just trying to bubble up into

their minds on a regular basis.

You're trying to remind them of the things that they should be looking for.

Because when we look at the typical attack vector, it's usually something

like phishing, phishing or spear phishing or something like that.

I.

Or clicking open a link.

W. Curtis Preston: a user, uh, to, yeah, to get them to open a

link, um, to, um, you know, to get them to, to do whatever right.

To, to get them to do something that, that opens up that initial door.

And so the idea of repeated, uh, security training just bubbles that stuff up

and yes, also helps to educate them on the current state of the art in

I was gonna ask.

W. Curtis Preston: Yeah.

I was gonna make that point.

Yeah.

I think it's important because you don't wanna have security training,

which is like three years old talking about the issues from three years ago.

Right.

An example would be, it may not make sense.

During the pandemic when no one was going into an office to have

a security training, talking about people tailgating through an office,

through an access control door.

Because people, so why waste people's cycles?

Because users aren't gonna remember things.

Right?

That's the other problem.

So how do you make it relevant for what is common and what is current

in terms of the attack surfaces?

W. Curtis Preston: Yeah, absolutely.

And the one that I know that, uh, you know, my previous employer used, uh, know

before you're, I'm sure you're familiar

the Kevin Nick one, right?

W. Curtis Preston: Yeah.

Um, and so basically it, it just, it's constantly, you know, doing all of

that, you know, the, the, the security training with little, little bits and

bites, little videos, little little quizzes, all of that kind of stuff.

And I'm sure there are plenty of other, uh, companies that are like

that, that are constantly trying to, um, you know, provide security

training for your end users.

And by the way, I would say additional security training for people with,

uh, privileged accounts, right?

Yeah.

W. Curtis Preston: Uh, and that, you know, that goes back to your quote too.

Too much is given, much is expected, right?

Uh, or great power comes great responsibility, right?

Um, so then let's talk about this idea of, um, testing those users.

When you're going to test your users, there is sort of the punishment, you know,

the, the stick versus the carrot, right?

That's one of the big things.

And one of the things that um, that, you know, I don't remember which one

of the previous experts that we had on that talked about this, but what

they really liked is they much more appreciated the carrot than the stick.

What, what do I mean by that?

Basically don't shame and punish users who fail a test,

but give them additional training, be supportive, make sure that they

understand why they sort of failed and sort of do positive reinforcement, right?

Which is kind of, I'm looking at my dog right now, who's sleeping

right next to me, but literally, that's how you train dogs, right?

It's positive reinforcement rather than the stick.

And

W. Curtis Preston: so well, positive reinforcement when

they do something right.

What would be an example of that?

They did something right.

Um, so that they identified a phishing email correctly,

W. Curtis Preston: Exactly

right.

Protected the

W. Curtis Preston: them a fake phishing email.

They identified it and they did what you trained them to

do, which is report it to it.

They should definitely get some brownie points if they do that.

I.

Right.

Um, and then if they get, if they get caught, if you will, this isn't like put

them up on a d board, you know, the, you know, announce the list of people that

are messing up the world, or, or, you know, here's, you know, you've got three

strikes this month, you're gonna be fired.

What?

I, I, I don't like any of the, now, um, we, we can talk about the extreme person.

If there is someone who just doesn't seem to be able to get the concept of

cybersecurity, you have two choices.

You either build a wall around them, which is increasingly difficult to

do, or you decide to terminate them.

Right?

But the person who makes the occasional mistake should just be reminded,

you know, in a, in a pleasant way that you know, Hey, you know what?

However, however you want to do that.

Yeah.

and don't feel bad if you.

Failed that test because I was actually just browsing Twitter earlier this

morning, and there was a security person who was going through training because

they got caught by a phishing attack.

Right.

Or by the phishing training test.

Right.

And so it can happen to any of us because some of those are hard, and that's really

what the bad guys are looking at as well.

Right.

These aren't gonna be obvious that it, this is a phishing attack, so it's okay.

W. Curtis Preston: Yeah, I, I can remember one that I fell

for a couple of years ago, and

Prasanna Malaiyandi: drained your bank account.

W. Curtis Preston: no, look, I got, I got, uh, not, no, no, ill effects happened as

a result of it, but it was the, it was, I think it was spear phishing because

they specifically said your, um, the, the, the, the employer that I worked for.

Had paid for like Norton or something?

Uh, they had, they had paid, not Norton, they had paid for.

What's that service that, um, the one that the guy puts his

social security number online?

LifeLock,

W. Curtis Preston: Yeah.

What was it?

What is it?

LifeLock.

W. Curtis Preston: LifeLock?

Yeah.

Well, they had paid for LifeLock because we had had a breach.

So they paid for LifeLock for like a year and then.

I got this notice it said, your LifeLock thing is expiring.

Do you want to Right.

And it f it, it came at just the right time and it was like, and it's quite

possibly that the, that the attacker knew that there had been a breach.

They had waited the right amount of time and then they went and just sent

an email to everybody and I fell for it.

I went right in there.

And, um, the.

I remember at the time I was really not happy with LifeLock's response.

Like I felt I had, I'd done something and, uh, but anyway.

Yeah, you, you can, you can, can fall for it.

Um, and so don't feel horrible about

yeah, and the one thing I want to add, I know

we're talking about sort of training and testing, but also when a user

accidentally gets caught with actual phishing, make it such that it's okay

for them to come forward and be proactive because that's the best thing to do.

Is you want them to be like, Hey, tell us when something goes wrong so

we can start locking down systems and dealing with this, rather than, Hey,

I'm just going to pretend this never happened and go along on my merry way.

W. Curtis Preston: Agreed.

And, and you know, that goes, you know, you've heard the phrase before that

you train people how to treat you.

You train your users on how they're going to respond if they actually

get, you know, uh, they get.

They respond to an actual, uh, phishing attack.

So if you're big, you're, if you're a big stick environment, right?

And, and they get beat a little head with a real stick, imagine what

they're, what they think is going to happen if they actually get hit with a

real, um, you know, a real ransomware.

So, yeah.

Um, this is back to that positive reinforcement.

Um, and I, and I'll give you an example of something that, that

was just a little while ago.

There was a.

I think we talked about it on the podcast where the guy said that everyone,

that on Valentine's Day, that everyone received a notice that they had flowers

down at the front desk or something and they just needed to respond to,

to get the flowers or something.

And, and it was, it was all fishing related.

And, uh, he said his wife didn't fall for it.

So he was, you know, because of.

You know, he had trained her right, but, but he's like, for, for a few minutes

everyone in that building fell loved.

Prasanna Malaiyandi: Oh yeah, I do remember

W. Curtis Preston: a, that's an example of the, of the wrong

kind of thing to do for sure.

Um, so the next thing, and, and, and I think I wanted, I, I really want,

this is something that I don't think very many people do, but, but I'd

like you to at least consider that, and that's application white listing.

What is that and why would that be such a big deal?

So this is basically saying only certain

applications are allowed to be installed, are able to run on your devices.

Um.

In order to sort of lock down the scope and prevent people from

going and downloading arbitrary packages which might have issues.

Um, while I agree in principle with the purpose and probably locks down a lot

of things, uh, I have two concerns with application white listing, maybe three.

So the first concern is.

By putting a white list, you sort of restrict like a user's

ability to get work done.

For instance, Curtis, I'm sure if there was a software package that

you needed in order to be able to get your work done and you couldn't get

access to it because it wasn't part of the white list, now there's probably

W. Curtis Preston: Absolutely a downside of it.

Yeah.

Yeah, there's a giant process in order to get that going.

The second thing, and I know we had talked about this the other day, um,

is it doesn't necessarily protect you from supply chain attacks.

So if someone had compromised that application that you are, that you have

on the white list, it's not gonna protect you because it's still on your white list.

You're still able to run it, and the fact that the application itself

is compromised doesn't help you.

W. Curtis Preston: Yeah.

So,

W. Curtis Preston: you, I thought you thought, I thought,

I thought you said you had three.

And then the third one is, um.

When you're writing code, sometimes you do need access to libraries and other pieces

of software to download install packages.

Right.

I think it would be a big burden and also a big compliance and governance thing.

Like how do you make sure, like what's the process for adding a software, how long

does it take to go through that process?

In order to add something to the application white list to make sure

everything's signed off, how long does it stay there as software packages are

changing, when do things get dropped?

Like it's so much of a program that sometimes it may be difficult for

both small and large organizations to implement something like this.

W. Curtis Preston: So those are all valid concerns.

Um, I want to counter counter them.

Prasanna Malaiyandi: I'm not saying it's bad.

I'm not.

W. Curtis Preston: no, no, no.

Yeah.

You did what?

So what are the three what?

Remind me the three.

It was, um, so you were worried about the.

You're worried about the, uh, the difficulty on the user, right?

You're worried about supply chain hacks and then sort of the, the burden

on it, developing third party apps.

Yeah, so what I would say is, you know, I agree with all of those and I

think that especially with the first one, I think with the first one, I

think you're focused a little bit too much on people like you and me.

Yeah, I agree.

Yeah.

That

W. Curtis Preston: right.

Uh, and I'm focusing at least with this on, on servers, right.

And especially servers, number one.

And especially like the laptops for the masses.

Right.

Um,

Prasanna Malaiyandi: Don't also forget phones.

W. Curtis Preston: well, yeah.

Okay.

I'll, I'll, I'll agree to that.

It's just most environments.

That's a whole other discussion.

That's a whole other can of worms.

Agreed.

Um, but what, what do you think the percentage of the people that have

actual company phones these days?

Well, or they're using their phones with

access to company resources.

It's all the same, right?

W. Curtis Preston: Yes, that's a whole other, that's a whole other can of worms.

But because, because pushing application, white listing on somebody

else's phone, that's not gonna work.

Right.

Um, so I, I guess what I'm saying is, what I am saying is if you can

do it, I think you should do it

Yeah.

W. Curtis Preston: right?

Yes.

Um, it's gonna be difficult for it people and like power users,

and perhaps you have exceptions.

This is what we talk about, like block all outgoing traffic except

for, you know, the ones that you need.

Restrict as many laptops as you can, except for the ones that

you can't restrict servers.

Uh, really think about that, right?

You know, if you're, if you're, if it's just a server that does one job, perhaps

you, you make, you know, exchange.

It's the only thing that's allowed to run on that box or whatever else it needs,

you know, active directory, et cetera.

Um, and.

The, uh, regarding your second one, I would say I'm gonna,

but I'm gonna do a Yeah.

But, okay.

Yes.

It doesn't stop you from supply chain attacks, but supply

chain attacks are really rare.

Right.

I'm not saying they don't happen, but they are really rare.

And just because it doesn't stop you from everything doesn't

mean you shouldn't do it.

Right.

Um, and then the third, I would say, um, this, this just

goes back to the first one.

It's like.

Yes.

But again, I think maybe you're, I think there's a lot of companies that don't do

their own in-house development, right?

And they're just using, um, you know, their own, they're using, they're

using Microsoft Word, et cetera.

Right?

They're using 15 applications and everybody's using the same 15

applications, and you could whitelist those applications and nothing else,

yeah.

And I agree for most users, they probably don't need access beyond

those specific apps like your 15 or whatever the number is.

And then I think also for, um.

The servers.

I think that, like you said, you should be probably be going through an IT

process anyway to onboard an application, including looking at the resources,

making sure you're including backup and DR as part of the deployment process.

So I, I think that is also a good point.

W. Curtis Preston: Agreed.

Agreed.

Agreed.

I know you talked about application whitelisting.

W. Curtis Preston: Yeah.

What are your thoughts on extending that to

browser whitelisting like website?

W. Curtis Preston: Um, that.

That it's a very similar concept, right?

Um, where you allow, I, I'll just say this, um, it doesn't, it doesn't

work because all it takes is, um, all it takes is someone using A-C-T-P-S

and the right tool to go around your, um, to go around your tool, right?

All they need is something as simple as hide my ass.com.

Have, have you seen hide my ass.com?

No, I have

W. Curtis Preston: Um, there's literally a website called hide my ass.com, and

you can go there and put the website you actually want to go to and they'll take

you there and encrypt the whole thing so that your security software won't find it.

So it's only gonna stop like the dumbest people.

Yeah.

But hey, if that's common.

W. Curtis Preston: Yeah.

Yeah.

Um, the, that is the, I, I think that's something you should discuss

as to whether or not you should block.

Um, you know, access to, well, well, let's just move on into the next thing,

which, talking about, so disabled different attack vectors, right?

So the, the, the first thing I, I do think you should be looking at when

you're, when you're inventorying your environment and you're looking for

things to lock down, is you really need to look at service accounts.

This really came up when we had Dwayne on here and he was talking about that,

and that freaked me out when he was talking about the backup service account,

how that allows you to do whatever you want without auditing at all.

Yeah.

W. Curtis Preston: Uh, and, and there are many, many service accounts.

So the first thing I think, or one of the things that you should do as

you're inventorying your environment and you're trying to secure your

environment, is to go through your environment and look for service accounts.

What are they being used for?

Do they have a, I'm, I'm gonna say the most common thing with these is

that they have a very basic password.

Um, or they have a default password or they have no password and they're being

used by something really important.

Um, and.

The result is that it becomes a really easily, um, hackable account.

Yeah.

Yeah, no, and also turning off things that you don't need a service, that

particular service account for.

W. Curtis Preston: exactly.

Exactly.

Um, and, and on that end, um, let's talk about services that typically run.

I.

That maybe shouldn't.

Let's talk about what I like to call the ransomware deployment

protocol, otherwise known as RDP.

Yes.

RDP or Remote Desktop Protocol.

W. Curtis Preston: Yeah.

Uh, it, it, uh, I'm trying to get the world to change.

It's the ransomware deployment protocol, disabled, RDP disable, RDP, disable RDP.

Can I correct that?

W. Curtis Preston: it sure.

So, or slightly mod tweak your statement.

I think it's disable RDP, unless you really need a

machine that needs RDP running.

W. Curtis Preston: that, I mean, that's the way I am with everything.

Right.

Disable it wherever you can.

I think the other thing is also disable RDP

leaving your network unless you need access outside of your intranet.

W. Curtis Preston: Well, I, I would say that you, you absolutely cannot

allow direct RDP access to the internet 100% there is in, in my opinion,

there is no reason to ever do that.

If you need, if, if you need something like that, then you

should, you should require VPN.

In fact, what I would suggest is that if you're going to do RDP, you put

those interfaces on a separate network.

And then you must be on that network, either physically or via VPN in

order to access those, those, um,

Those hosts.

Yeah.

W. Curtis Preston: yeah.

Yeah.

W. Curtis Preston: Um, because already you, you just need to understand, just

like we talk a lot about with backups, you need to understand the degree to

which your backup server is under attack.

You need to understand just how bad RDP is from a ransomware deployment perspective.

Right.

And I know we harp on RDP, but the same is

true for any other service, which you don't need to be running.

W. Curtis Preston: S-M-B-N-F-S-A Fs, PFTP, right?

Um, all of these services need to be turned off.

And this is why, by the way, this is why Windows got, I think, a,

a, a big knock for, you know, being insecure, mainly because it

turned everything on by default.

Whereas Unix and Linux turned everything off by default.

Um, and so just go and look at these services, all of the services

that are running and ask you do you absolutely have to, to, to run them.

or the other thing is just do a port scan on your

servers that'll tell you if this, like what ports are being listened to on,

and you could map those back to figure out, okay, what services is that?

And it's all pretty standard, right?

I think RDP is 3 9 2 2.

W. Curtis Preston: Right.

And, and I would say if you, let's go back to RDP for a minute and

then, and this is just remote.

If you need remote access and in today's world, you probably do need remote access.

Don't use RDP.

Use a service that gives remote access, right.

Like ConnectWise, which is a service that is properly securing and probably,

uh, you know, properly doing things in a way that doesn't, it, it's a

service Where the way ConnectWise works is it, is it reaches out, right?

And you, you, you've gotta first connect to them and then

it will connect to you, right?

And so you can add things like.

A and all of that extra protection on, um, and so I, if you need

remote access and you need remote access, use a service to do it.

Please don't allow something like RDP or SSH or any of that stuff

directly accessible via the internet.

Yeah, those are

W. Curtis Preston: Yeah.

Very, very bad.

W. Curtis Preston: Um, and then, uh, also let's talk about, um, you know.

Again, I, I can't believe I have to say this, but you need to look at some type

of, um, uh, malware scanning, right?

Some type of antivirus, anti malware.

Um, and this is not just on Windows, this is also on Mac,

Which is surprising that how many people say,

I don't need anything on my Mac.

It's like, no, you really do.

W. Curtis Preston: Yeah.

Yeah.

And the same thing on Linux, right?

And the same thing on like, they're, they're targeting, they're directly

targeting VMware and other, other, uh, uh, uh, virtualization solutions.

So, um, you need to, uh, put that in.

And then finally, let's just talk a little bit about, um.

Proactive.

Uh, what, what was the term that, that he used?

He didn't like the term ethical hacking.

He didn't like the term, what did he call the red team concept?

What did he call it?

I don't remember.

W. Curtis Preston: um,

the,

well, let's just say this.

You need a red team,

Yeah,

W. Curtis Preston: right?

What is a red te What is a red team persona?

this is basically a.

Team who works for you, who thinks like the bad guy.

So they are there attacking your systems just the same way a bad guy would, but

unlike a bad guy, they work for you.

So then hopefully once they've identified the issues, you can go fix 'em.

W. Curtis Preston: Yeah.

And I, and I really liked, um, you know, you know, when we had Dwayne

on here, I really liked the way he talked about the way they did it,

where they work with the blue team.

Uh, the blue team of course is the defensive side.

I.

And you need a red team, you need a blue team.

You need both of these.

And, and I do believe that you should hire experts to do this.

Um, and, um, I can put links to the two episodes that we just played,

if you miss them, um, uh, that, that show you what a red team does, what

a blue team does, and why you need a relationship with them now versus, you

know, waiting to call, you know, waiting until after attack to call a blue team.

Right.

Um, so the, the, basically what they'll do, and this is more than

just port scanning, this is more than just a basic penetration test.

This is, this is a, a group, this is a company with a group of people

that are actively going to try and attack your company, uh, and

Yep.

Expose any weaknesses.

Yeah.

W. Curtis Preston: Yeah, absolutely.

Which may include.

Depending on, you know, what level of service you're gonna buy, which

may include physical penetration testing, which may include things like

trying to figure out how to scan your security badges and things like that.

Right.

yep.

Or even probably working with third party vendors who might be connected

with you to try to get access to your accounts through those other ways.

W. Curtis Preston: Right.

So these are other things, um, you know.

When you're going to do some to type of security audit, these are things

that you might want to take a look at, uh, in order to, uh, ensure,

you know, to further ensure that you're securing your environment.

Uh, be, go ahead.

Yeah.

Well, I like the term doing a security audit.

I do wonder if many of these things that we are looking at get sort of baked into

when an application gets deployed, right?

Here are the things that you should be taking into consideration,

W. Curtis Preston: Mm-Hmm.

right?

As part of that questionnaire to identify, okay, are they really

following the best practices?

Because if you get to the point where you're doing a security

audit and you found things, that means that it failed upfront.

Right.

So it's not a bad idea to do a security audit at the end, right?

Or at some point, but

W. Curtis Preston: I would say on a regular basis.

Right.

Yeah.

But also, remember doing a security audit is time consuming

across an organization, right?

And so baking it into the process, so everyone's thinking about this

day in and day out will make it more scalable and achievable.

W. Curtis Preston: Yeah, I, I think the idea is like, you've

gotta start somewhere, right?

So you go through, you, you, you know, you get a list of, I, you get a list of

applications, you get a list of things.

You, you train your users, you do all the things that you, maybe you

haven't been doing up to this point, and then we can start talking about.

Things that we should be doing on a regular basis, which is a list of

things from a security perspective that you should be looking at

when you deploy a new application.

Exactly.

Um, so, uh, all right, persona.

Well thanks for good discussion as always.

Oh, thank you Curtis.

And, uh, yeah, I'm excited to hear what your, uh, secret assistant does next.

W. Curtis Preston: Me too.

Uh, all right.

Uh, listeners, uh, we love you.

You're, you're why we're here.

Uh, we're trying to turn you into a, a cybersecurity hero.

So, uh, be sure to subscribe.

Uh, and, uh, that is a wrap.