W. Curtis Preston: Today I am going to tell you how to stop

most ransomware attacks using three simple but powerful methods.

Just three simple things that will stop over 90% of all ransomware attacks,

patch management, password management, and multi-factor authentication.

That's it.

I'll explain why I make this claim and then we'll give advice on how best

to implement each of those methods in environments of different sizes.

Let's stop ransomware in its tracks.

By the way, if you don't know who I am, maybe this is your first episode.

I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery disaster recovery.

For over 30 years, ever since I had to tell my boss that there

were no backups of the really important database that we just lost.

I don't want that to happen to me.

I don't want that to happen to you.

That's why I do this.

On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.

This is the backup wrap up.

There we go.

Welcome to the show.

Hi, I'm your host, w Curtis Preston, AKA, Mr.

Backup, and I have with me a guy that was completely worthless during my

recent smart device implementation.

You were of no help.

it's not my fault that you happen to buy some random

smart device that was not compatible with modern wifi technologies.

W. Curtis Preston: Yeah, well, you know, where were you?

I'm just saying, I, I count on your, I count on your YouTube knowledge

to pull me out of such things.

I, I depend on you.

I go and I do crazy things and then I'm like, oh crap.

Uh, I wonder what, wonder if persona could get me out of this hole

So, so networking stuff is not YouTube, it's Reddit, but

W. Curtis Preston: oh, really?

yeah.

W. Curtis Preston: Yeah, so it turned out, so I bought a, I bought this,

this thing called a Suvi, S-U-V-I-E.

The, the, the full thing is I accidentally bought a previous generation,

thanks to, in my opinion, uh, pretty crappy advertising on their part.

And as a result, I had a device that when it went to connect to wifi, it was

unable to sense that I have a mesh and it.

Was identifying the two nodes in my mesh as, as two instances of the

wifi, and it didn't hit me at first that that's what was happening.

And so, um, uh, I, I had to troubleshoot all my own persona with no help from you.

Yeah, and then you texted me and you were like,

Hey, so this is what the issue was.

I was like, what were you even talking about?

Oh,

W. Curtis Preston: See, that's how little help you were.

You didn't even remember that you didn't help me.

well, granted, you didn't tell me that you had wifi issues,

W. Curtis Preston: I didn't.

I thought I told you

You.

Nope.

You just told me that you were not able to get the app to work

W. Curtis Preston: Right.

Couldn't get the app to work because of the wifi issues.

That was, that was the problem.

No.

That, that piece you kind of missed.

W. Curtis Preston: Oh, I see, I see.

So it's my fault that you were unable to help me.

because, because we all know how you don't

do so well multitasking, so,

W. Curtis Preston: I dunno what you're talking about.

I'm currently doing seven things right now.

Yeah.

Mm-Hmm.

But how was your meal though

W. Curtis Preston: Uh, the mail turned out fine.

Uh, but they will, we're working out exactly what's gonna happen

regarding the new generation.

Um.

I sent them the, the images that misled me and, and, uh, my dream is that they

do a price match, that I get the new generation for the old generation money.

But you know, between me and you, they, they'll never see this between me and you.

I fully expect them to charge me the difference between the two.

Um, and we'll, we'll swap it and, um, uh, and then we'll see how it goes.

But, uh, but today we are.

You know, we've been talking for the last few weeks about cybersecurity

and we've been sort of leaning up or leading up to, we've been leading

up to this moment where we're going to start to talk about ransomware.

Right.

Um, I think we had, I.

Three great episodes where we had the, you know, the, the red team person.

We had a blue team person, and then we had a red team person that turned into

a blue team software person, uh, des.

Um, and those all give such unique perspectives in terms

of the cybersecurity world and.

Um, you know, how you defend yourself just in general from cybersecurity.

And then we had a couple of episodes where we gave you a lay of the

land from a ransomware perspective.

And also, really importantly, I think our last, uh, episode,

last few episodes, we, we.

The, if, if nothing else, I, I want people to, to understand that their

backup system is 100% under attack.

And, um, you know, if you just wanna listen to the, the Red Team episode,

just the last third of it, if that's all you listen to, listen to Dwayne

talking about how much he loves when there's a backup system, and how much

from a, from a red team perspective, he loves to have access to that and,

and how, uh, you know, just why it's such a, a, a wonderful thing to attack.

So, I don't know if you read today's news, though.

So Veeam just recently had their conference beam on, and so they

just announced, uh, that they are offering a cloud vaulting solution

managed by Veeam that provides immutable storage for backups

W. Curtis Preston: Interesting.

So

a as offering.

W. Curtis Preston: as an offering.

Yep.

So you pay per month based on your terabytes.

I think it was like 60 or $80 per terabyte per month.

And you can vault your backups into Veeam's Vault and it'll be immutable.

It'll be stored there.

They'll protect it, all the rest.

So I think it's relevant to what we had been talking about

in the last

couple episodes.

W. Curtis Preston: it's absolutely relevant.

Yeah.

The, um, that's interesting.

I, I think, you know, this is a big step for Veeam because

for a long time they have not.

Really gone down the service line.

Right.

Uh, but I think this is definitely a good step for them.

Um, the, um, but, but that's, you know, that's the big thing, right?

Is that, is that we just want people to understand the degree to which

their backup servers are under attack.

And then I, so I, the, the title that I put up for this one was how to Stop.

Basically 90% of all ransomware attacks or, or how to stop

ransomware the easy way.

Right, because, and, and you just sent me a graphic, which, um, you

know, and why don't, why don't you talk about that graphic or,

or the lesson from that graphic.

Yeah, so it was by, uh, on X or Twitter, formerly known

as Twitter, uh, by Daniel Card, uh, who goes by the Twitter handle, Mr.

Reboot.

And it basically talks about how expensive things get to, uh.

Detect or prevent ransomware or an attack and where it happens.

So for instance, if you were trying to look at the cost of the attack,

when you are at the recovery stage, it's at the highest because you

now have a bunch of infrastructure.

You're trying to recover everything.

It's super expensive.

But then if you go to sort of.

Less costly.

From there, it's like responding, so you don't need to recover, but

you're responding, but it still has a significant cost associated with it.

Next was around the detect side, which isn't as expensive, and then

protect, which is the cheapest of all.

So it's basically significantly cheaper to break a kill chain at the

protect stage than at the recover stage.

So how do you prevent ransomware from even coming in?

Because it gets significantly more expensive if you've already been hit.

W. Curtis Preston: And the thing is, if, if we look at the typical,

uh, attack process, right?

All you have to do is stop one.

You know, you have to stop the kill chain somewhere along the way.

All you have to do is stop one of those.

So if you know, if you have good password management, you know

you can stop them from getting the password in the first place.

But if you've got a good MFA system, you can stop them from using a

password that they're stolen.

So that's kind of what I wanted to talk about is when you look

at all of the stories, all of the ransomware attacks, the ones that

go into how the attack happened in detail almost always come down to.

Uh, you know, when I read it, I say, well, gee, if the customer had

just done A, B or C, they would've stopped this ransomware attack.

So this is what I'm saying.

If you wanna stop ransomware attacks the easy way.

If you wanna stop 90 plus percent of ransomware attacks, stop all of the stupid

ones and then spend your time, effort, and money on stopping the harder ones.

Hard ones.

W. Curtis Preston: There was this great moment.

During Dwayne's, um, recording where he talked about, he had this

analogy and he said it's, it's as if we're in this field and there's

this door in the middle of the field.

And I go, gee, I can't go through this door.

Um.

You know, I guess I can't do anything.

And he's like, or I could just go around the door.

Um, the, the, um, what, what I'm saying is that if you don't do these three

things that we're going to talk about, honestly there's no point because

it's essentially you have, you have, it's like you have this open field.

You're spending your time trying to figure out how to lock this door.

Meanwhile, you have this wide open field.

There's just literally no point in in doing that.

yeah.

Or another thing I would think about similarly is like in a house, right?

You're not going to go spend all this time on cameras and alarms and

everything else when you leave the front door unlocked every day, or you don't

even have a lock on your front door.

W. Curtis Preston: Exactly, exactly.

You know, thi this article that just got sent to me this morning, uh, it, it,

it's an interesting story and I don't want to go too much into the full story.

Why don't, why don't you give a, a, a brief summary of where we

got to this point with this story.

Yeah.

So we.

Somehow, so this all initially started with a Ticketmaster Live Nation breach

and all their users' data was stolen and they kind of pointed the finger

saying Snowflake was the one that was attacked and breached and lost the data.

Snowflake came back and said, Hey, it's not us.

There's other, someone's sort of gotten the customer credentials

and are now using that to then.

Pilfer data from their Snowflake instance.

And so it's not the Snowflake side.

And so they're warning their other customers, Hey, by the way, uh,

make sure that you're looking after things so you don't lose your data.

In fact, uh, just as we're recording this, advanced Auto Supply, which is an

auto parts store, also had their data breach from their Snowflake instance.

W. Curtis Preston: Yeah, so I, I do feel like there's a

piece to that puzzle missing.

Like if it, it, it would, it would.

I, I'm inferring from what I'm reading, that maybe somewhere there is a

list of, of Snowflake accounts and passwords, um, which would suggest some,

uh, fault on the part of Snowflake.

But what they are saying is that Snowflake is definitely saying that

they're seeing a, uh, a surge of attacks on customers of its cloud platform.

But my point of that whole story is that.

All of these attacks would be stopped by one of the three things

that we're gonna talk about today.

They did say that Snowflake was attacked and employees

credentials were used, but it was only used to access a demo account, which

of course did not have one of the three things we're about to talk about.

W. Curtis Preston: Gotcha, gotcha.

it wasn't production customer data, it was just a demo account.

W. Curtis Preston: Hey, you got robbed, but uh, they only took your empty wallet.

Um, you know, something like that.

But, um, all right, so how do we stop basically ransomware the easy way?

How do we stop 90% of ransomware attacks?

And I.

The thing is, frequent listeners to this podcast are going to know immediately

where I'm going, and I apologize for repeating myself, but sometimes you gotta

say things over and over and over again, and the very first thing that I'm gonna

talk about is patch management, right?

Um, when, when we think back on the list of cloud hacks.

We covered a few, uh, weeks ago.

I remember at least one of them.

The Rackspace one was based on a, a patch.

Can you think were, were any of the other ones?

I think that was the only one that I

W. Curtis Preston: Okay.

Um, but just in those 10 stories that we had, one of them and a

really big one that basically took out an entire business line.

Um, what if they had simply followed standard patch management procedures

and put in their patches at a, you know, especially critical

patches.

So I think, I think if you just follow the CVE system and what it suggests, then

I think you'd be in a much better place.

Why don't you talk about what that is?

Yeah, so the CVE is critical vulnerabilities and

exposure, and it's a public database, if you will, where you have vendors

with known issues that then get cataloged and then it can be tracked

and they assign a severity to these.

So if you look at the levels.

There is part of the common vulnerability scoring system that they look at.

So it's how critical is it?

Um, how likely is it, how many people get impacted and all the rest, and it

goes everywhere from low all the way up at the highest level is critical.

And critical is like a nine and a 10 on their scale of zero through 10.

W. Curtis Preston: Right.

And so those ones that are either actively exploited

or very common to access, um, those are the ones that usually get like

a higher critical severity, which pretty much means as a vendor or a

customer using that piece of software.

You wanna fix that pretty quickly.

Like if there was a VMware ESXI bug.

Takeover of the system.

That's probably something you want to patch pretty rapidly.

W. Curtis Preston: Right, right.

Which is what happened with the exchange vulnerability that there wa

there, it, it's a little complicated.

If you want the full story, go listen to that episode about Rackspace.

But there, there were two different vulnerabilities.

There was one that they had made a workaround for that.

Um, which is why I think if I'm guessing what the Rackspace

had done, the workaround.

Um, and because they had done the workaround, maybe they

didn't feel the need to put the patch in as they didn't feel.

Um, you know, it, it, it, it lowered its criticality, but because they

didn't patch the previous, um, vulnerability there turned out to be a

new vulnerability that that patch would've fixed, but they didn't fix it, right?

So I'm just, it's like if you just put in the patches when they become

available, and, um, and of course being a show that we, we are,

what, what do I often say about.

Putting in patches,

. Prasanna Malaiyandi: Don't forget about your backup system for patch management,

because everyone always thinks about production or end user devices, but

they always forget about backup systems.

I.

W. Curtis Preston: Yeah, I, I would actually put that even stronger.

I would put the backup system at the front of the line, um, maybe, um.

Well, you know, it, it, it depends, right?

It depends on the kind of patch, right?

Obviously, if it's a, if it's an exchange vulnerability patch, the, uh,

backup system is gonna be last in line.

But, uh, if, uh, or even not even in the line, but if it's a remote code

execution against windows, um, or, you know, something like that, then

I, I would think that your last line of defense should be your first line

of, of where pat patches should go.

Yeah.

The one thing I do want to talk about Curtis, that I don't think

we've normally talked about is patch management only works if you know

what's running in your environment.

So make sure you have a good inventory of software packages that are used at

your company, including all the random ones that people might install, and

maybe you do have an application process as part of it approved applications,

because that's the only way you're gonna be able to tell what's actually in my

environment and do I have everything patched and updated as needed.

W. Curtis Preston: Yeah.

And there are tools that can help you do that, right?

Um, software, inventory tools, um, for, you know, for a fee, they will go out

and figure out if you, if you have a complete, you know, I was gonna say

Greenfield, but that's not the right,

I complete Wild, wild West.

I remember.

I remember.

Um.

You know, a friend of the pod that, um, he hasn't been on the pod, but

he is definitely a friend of the pod that the first thing I did with

him, we, we were trying to, uh, he was a client and the first thing I

did with him, I was like, well, what do you have in your environment?

He is like, I don't know.

Right.

And uh, here's the crazy part is that I don't know if I've had

this conversation with you before.

What Microsoft.

Tool did I install to inventory this guy's environment in terms of tell me how many

different boxes, what the network topology was, um, you know, the IP addresses

and the switches and all this stuff.

What Microsoft tool did I install to do this discovery?

And by the way, the tool was very expensive at the time.

It was like, it was like $10,000

you did tell me.

W. Curtis Preston: mm-Hmm.

Yeah.

And um,

Yeah.

W. Curtis Preston: and the thing is it more than paid for itself?

People that use Vizio now are, they're like, what?

Vizio was a network discovery tool.

Yes, that's exactly what it was.

And the fact that they just.

I don't know, they just put that part to bed.

Maybe it was just too hard to maintain or something.

But we gave that customer their first networked apology map using Vizio.

Um, was a be, it was a beautiful thing.

So you're right, uh, you've got to have the system inventory, you've got to

have the OS inventory, the application inventory so that you know, and then

there are patch management systems.

That can help you, uh,

navigate this, this

can I, can I go one more step beyond that too?

W. Curtis Preston: Sure.

Uh, in addition to applications, I think you should

also consider things that you are using in your code development.

For instance, what libraries are you pulling from?

What open source packages are you pulling from?

Because even though you may not consider that part of your application,

developers are building and testing.

I don't know if you heard about this issue that, um, someone had done a.

Long con operation on an open source package.

I dunno if you heard about this.

And they basically took over maintaining a very popular compression library that

a ton of software packages use a lot of Linux open distribution software.

And they had put a back door into it because they realized

that library is also used by SSH.

A random developer who works at Microsoft, noticed that the latency had

increased by like 600 millisecond, like milliseconds, and he had traced it back

and found out that someone had backdoored this common open source software.

I will, I think we should attach a link.

I I, there's a podcast that goes over this, which is.

Amazing.

So we will put a link to that, but yeah.

W. Curtis Preston: Yeah.

So all, all software, all tools, all libraries, um, and tools that you're

using to make that software right.

Um, yeah, that would become quite an inventory over time.

But that's your job.

Right?

Um, and, uh, all it, you know, you know, they talk a lot like, like in terrorism.

The, you know, if you're, if you're trying to prevent terrorism, you have to

be right a hundred percent of the time.

They only have to be right once, right?

They only have to get into one of these tools.

And they are well equipped.

You know, we can talk about the dark web.

They're well equipped.

They're well connected.

They're, well, you know, they, they know what they're doing.

Uh, and they share, uh, they share tools.

So you need to do the same thing.

So the first thing is patch management, and the first thing is patch management.

What is going to be the second thing?

Persona?

So it's your favorite topic, Curtis, which is around passwords.

And I know we talked about credential stuffing just recently with the Salesforce

attack, but yeah, passwords are.

It's critical because every system uses a different password.

Even if you use single sign-on and all the rest, right?

You still have a password and it gets worse with single sign-on,

because once you're into one system, you can get into everything else.

So having strong passwords and also using a password manager so

you're not just doing variations of the same password depending on

the system you're logging into.

So password management.

Password management is key.

Making sure that you have a system, and I'm kind of

indifferent if it's a cloud-based system or a local based system.

I know Curtis, you like Cloud-based password managers.

I would say every corporation can decide what makes sense for their environment.

W. Curtis Preston: Yeah, I mean, I, I, I'm not, I, I think I'm

similar to you in that I, uh.

I'm not hard, fast one or the other.

For me, it's cloud-based, because for me, I don't want to maintain

the, the keys to my kingdom.

I don't wanna maintain the system that is, you know, to

you it's the other way around.

You're like, oh, I want maintain the keys to my, yeah, it's

a personal preference thing.

I don't think there's, um, again, as long as you do your

due diligence and you don't use.

A password service that has been hacked multiple times.

As long as you don't do that.

Um, and you look at, you look at the design of the password, you look at

how they're storing the passwords.

Are passwords ever stored in clear text?

You know, where are the passwords encrypted?

Where are they decrypted?

Uh, you look at all those things.

And it's not just the password, it's even URLs.

W. Curtis Preston: Right, right.

Are they storing?

Yeah.

'cause that was, um, that was something that came out in one

of the recent hacks, right?

That, that one of the things that they were able to

Which they fixed now.

W. Curtis Preston: which they have fixed.

Yeah.

Yep.

W. Curtis Preston: I'm still not gonna use them.

Um, but,

But, but, but, but,

W. Curtis Preston: go ahead.

but I think when you are using a password manager,

and I know we've talked about this also on the podcast with Sue, um, is

make sure you have a backup of your password manager as well, right?

Going back and talking about the inventory, right?

Your password manager is your keys to your kingdom.

If you don't have access to your password manager, you're a little screwed.

W. Curtis Preston: Yeah.

Yeah.

You need, yeah, there, there's a great episode.

Like how do you, how do you.

Um, w what happens when you lose everything, right, when you lose

all the keys to the kingdom?

Uh, and, and by the way, uh, the one that I happen to use, which is

Dashlane, they recently, uh, created a, an additional like doomsday key.

That you can use in addition to all of the others.

And the, the doomsday key, my problem, same, same as her problem, my problem

has always been okay, if I create the doomsday key, where do I put that?

Right?

Um, and, you know, this is where friends and family, I think come into play.

Right.

Um, but I, I was really happy to see when we had, um, you know what, what

now?

I was thinking friends and family who can make

sure they know they can keep that safely and know where it exists.

W. Curtis Preston: Yes.

Yes.

Uh, agreed.

Um, yeah.

Um, choose, choose Wisely.

The, you know, the other part about Dwayne's interview that I really liked

was when we got to the part about password management, and he was Oh, yeah, yeah.

He's like, yes, I'm, I'm a hundred percent on.

I was really worried that he'd be like.

Okay.

No people that know what they're doing, don't wanna use password management.

I was really ready for that.

But no,

Dwayne was on board.

but I think there are two things that you should be careful of

though, even with the password manager.

W. Curtis Preston: Talk to me.

so.

The first is if you are storing it in like a web browser or other

things that auto fills your password,

W. Curtis Preston: Mm-Hmm.

be a little careful of that because if someone compromises

your device and they have access to your web browser, it could now automatically

start filling in your passwords to things like your backup system

W. Curtis Preston: Yeah.

active directory and other things like that.

So be careful.

W. Curtis Preston: Yeah, which is, and thanks for bringing it up, which

is why, you know, good, better, best.

A browser-based password manager is better than no password manager,

but I am not a fan of browser based.

Um, meaning the, the password manager built into Chrome or.

Firefox or, um, you know, what's the other one?

What's the,

Safari.

W. Curtis Preston: no, no, no.

Well, there's Safari, but what's the Microsoft one?

edge.

W. Curtis Preston: Edge?

Yeah.

Literally, by the way, edge just passed some milestone of where

like it's now 15% or something.

I dunno.

They're very excited about that.

Anyway, I'm not a fan of password managers built into the thing because

of exactly what you talked about.

Right.

Um, it's really easy, for example, to, if I've got physical access to

your device, it's really easy for me to hack into it and to, to eventually

get to log in as you, and now I can open up your browser and then poof.

I'm, I'm everywhere.

Yeah, which is why your password manager should

either require biometric authentication or a password, a master password

in order to open it to use it.

W. Curtis Preston: Exactly.

By the way, when we say password management, we mean, I.

The overall system of, of, of making sure that passwords have a sufficient

length, making sure that you separate, we, we believe strongly in separating

the backup system, passwords, usernames, and passwords from the

production, usernames and passwords.

We do not believe in separate or, or sharing this with

something like active directory.

Um, you know, or, or even Okta, right?

Between, uh, the two systems.

I believe that they should be 100% separate and, uh, that there should be a

separate sort of doomsday based password management system for the backup system.

I.

Because of exactly what we're talking about, right?

If your active directory or Okta or whatever you're using is compromised,

you are locked out of your backup system.

And more importantly, they have access to your backup system.

So, uh, that's why I think it should be a separate system.

Any final thoughts on password management before we move on to the

one that, I don't know why everybody doesn't have it on everything, but

Yeah.

No, I'm ready.

What's the next one, Curtis?

W. Curtis Preston: Multifactor authentication.

How do d does not everybody have multifactor authentication on everything,

including Ticketmaster, right?

The Live Nation thing that we, the, the story that we talked about in

the beginning, if you read that full story, you get down to the

part where basically Snowflake says, Hey, we're seeing a significant

increase in attacks on our accounts.

Please enable multifactor authentication to which I want to say what.

Right.

Uh, you know, I a I asked two questions and, and we're gonna, we

gotta define it and everything, right?

But.

Question number one, a company like LiveNation, how do they not already

have MFA turned on on anything that matters, number one and number two.

How service providers don't enforce MFAI, you're see, you are seeing this, right?

Can you think of a, of.

Of a servers that you've used where they've come on and

they say You have to use MFA.

Well, I think the one I could think of is, and I don't

know if it's a systems configurations, but typically if you use an SSO,

single sign-on provider, right?

Normally they do require, uh, MFA.

W. Curtis Preston: Right in that same line, uh, the first thing that came to

my mind was my password manager, right?

You, you, any decent password manager is going to require MFA, right?

Um, I'm pretty sure actually Gmail logging into Google now requires MFA.

Right.

Um, and

so.

Yeah.

Yeah, I think it does now.

W. Curtis Preston: Yeah, and, and I like the way theirs is.

It's, it's very emphasis on the m right?

It's like we know that you're logged into YouTube on.

Your phone.

So we're gonna send you a, you know, a, this like thing that you have to

respond to in the YouTube app, right?

Or sometimes they'll do it through Gmail, right?

They, they emphasis on the multi.

So we, we've been talking about multifactor authentication

now for a couple minutes just in case there's somebody that

doesn't actually know what it is.

Do you, do you wanna like, give an overview?

Yeah.

Yeah.

So multifactor authentication is basically saying that in order for you to gain

access to an account or to log in, it's not just good enough to have a single

factor, which is usually your password.

You need to have multiple factors.

Usually that other factor could.

Vary depending on company.

Sometimes it could be I receive a text message and I now need

to enter a code into the system.

It could be I need to enter a code that is part of an authentication

app that generates one time codes.

It could be I need to use my face and my biometrics as a sort

of second way to authenticate.

Um.

I guess technically you could receive postal mail with a code, which I

W. Curtis Preston: IRS does MFA with postal.

If you've never set up the, the way you get set up, the first

time, they use the mail system as a, as you say, it's a little slow.

yeah.

Sometimes you might get a voice call, right?

Where they're like, Hey, here's your code.

W. Curtis Preston: Right, right.

I think those are the main ways.

Oh, the other way is sometimes you might get a code texted

to like a recovery account

W. Curtis Preston: Yeah,

there's

that.

have to use.

W. Curtis Preston: Also there are, I don't think, did you mention tokens?

Like physical tokens?

Oh no, I didn't mention the physical tokens.

W. Curtis Preston: So there are also physical devices that are available.

Um, you know, they're much more affordable than they used to be, right?

And basically they are one time password generated.

They just constantly generating a, a, a little, you know,

six or eight digit number.

I think the popular one is are called

W. Curtis Preston: Yeah.

UBK is a, is a very popular one.

There is definitely the good, better, best.

Um, what, what I'm saying is please, please, for anything that matters, I'm not

gonna push you to do it for everything.

Um, you know, like if someone.

Hacks my Spotify account.

I, I, I don't know what damage they could possibly do, right?

But if someone hacks my, um, my Verizon account, they could buy

new phones on my behalf, right?

They, you know, a bank account, um, you know, an email account, you know,

especially email account, because email accounts are often used as

a multifactor for other accounts.

I don't like that, but.

Convenient.

W. Curtis Preston: only way that's offered by some accounts, um,

please enable MFA on anything that matters in your organization.

Think about your, and the thing is, it's just, we've gone

so long without this, right?

We've gone so long where all you need is the password to log into SSH.

You can enable.

Uh, both on Windows and on Linux or or other Unix platforms, you can enable

MFA to be able to log into the system.

And all I'm saying is please do that and go through, go through that, that,

that inventory that you talked about.

Look at.

The criticality look at the amount of damage.

Right.

Um, you know, like, uh, if, if I, if I, you know, looking at,

at, you know, at a house, right?

I don't have a password for my refrigerator, but I do for my gun locker.

Right.

You know, look at the things that you have in your environment where

they could do the most damage.

Uh, a backup system, a a file system, an email system.

An email system, really right.

If you know, are there, are there people that are using Exchange?

Microsoft 365?

I I think you're in, I think you're required to do it with, with Gmail.

Um,

but maybe

W. Curtis Preston: does Microsoft 365 require it?

I don't know.

am not sure.

Yeah.

W. Curtis Preston: I don't know.

Um, may maybe.

Maybe they do,

maybe they

don't.

or if it is, maybe it's just sending a

code to the same email account.

So if you've compromised the email account,

W. Curtis Preston: Yeah, I

dunno.

itself, then

W. Curtis Preston: Yeah.

Um, so

The one thing,

W. Curtis Preston: go.

so I totally agree MFA is important, but

you should also think about the situations you could end up with.

If you lose the device or the ability to generate the second factor.

So I know Curtis, you had that issue with your phone when you upgraded.

W. Curtis Preston: I did, I did.

And, um, all of the cloud accounts that I had were able to help me.

Um, it was definitely painful to, to reboot, but a little

bit, not painful enough for, for something in terms of regenerating.

Right.

Um, the, I was a little worried, uh, and luckily it, it wasn't that bad, but the.

Um, yeah, definitely make sure that when you're implementing

this for your organization, make sure you have a failback, right?

Uh, make sure you have a system by which if somebody does lose their, their key

fob, if they lose their, the app, if they, if they can no longer log into their app,

you've got a way to, to get around that.

But that's something that needs to be done by an administrator.

Well, do you have a way to get around that?

And you also have a way to verify that the person who's asking to go around

it is a person who says they're.

W. Curtis Preston: and, and that is getting harder and harder these days.

A simple voice verification isn't enough anymore, unfortunately.

Um, uh, that that's, you know, we're starting to get to the

edge of my, of, of my knowledge.

I mean, when I look at that, I would say that you would want to have a very

unnatural conversation with a person.

You would have a, you would wanna be asking questions that would not

be possible for an AI to answer.

Right.

Um, and, um, I mean unfortunately we get back to sort of the, possibly

the, uh, the shared, shared secrets, which is always a vulnerability in

any, um, uh, sort of crypto system.

But, you know, you, you've got to do something right, um, to ensure

that the person that you're.

Resetting the, the MFA four is indeed the person, right?

Because we have had that story as well.

I believe that was, which story was that?

Where they.

I think it was the Okta thing where they, where basically they were able to get 'em

to reset the MFA, which is just wrong.

So yeah, you need a system for resetting the MFA, but you need a system to

make sure that you're only doing that for the, for the authorized people.

But I, I, I.

Uh, just number one thing again, good, better, best.

Make sure you've got a system.

And then as you have a system, make sure you implement or you,

you, you, um, enhance that system to deal with the, um, an advanced

persistent threat where they're, uh, going and, um, and attacking you.

The, um, in terms of.

MA system, by the way, it used to be called two FA two-factor authentication.

We now call it MFA, multi-factor.

Authentication.

In terms of the, in order of good, better, best, would we say email.

Then SMS, then OTB.

Right.

All right.

So and then sort of physical token.

Why are email and SMS on the lowest of the good, better, best list?

Well, if you think about SMS right now, there's a lot

of sim hijacking that goes on, right?

You've, I've heard countless cases about people going to a cell phone

provider sim hijacking and stealing someone's phone number and then

draining their crypto wallet.

That's the way that they had used for the multifactor authentication.

W. Curtis Preston: So we would, would we actually put SMS under

email then, or is email less or

I think they're about the, I

W. Curtis Preston: about

the same.

Yeah, yeah, you're probably right.

Yeah.

So email, SMS and, and the problem is this is what's used by probably the

majority of people that are doing, uh, in the consumer world, because

the next requires a significant change for the typical consumer.

But when we're talking about corporate world, we've got sort of, um, free OTP.

And that OTP just stands for one-Time password.

We got free OTP implementations like Google Authenticator,

um, and uh, I use Authe.

There are others.

Um, and then you have software based OTP, such as Symantec, the VIP program.

The big difference between these two.

An RSA.

Right, thank you.

The, the big difference between those two categories generally in, in my experience,

the, um, the free OTPs, they're doing it based on an atomic clock, and so it,

it just resets at the top of the minute.

So you just, if, if you get to the end of the 60 seconds, you just

have to like try the next password.

Whereas with the, the commercial ones, the, the 60 seconds or 30 seconds starts

with the moment that you open the app.

Right.

Um, and I'm sure there's probably additional security

provided by them as well.

But that's the big, uh, from a usability perspective, that's a

big difference between those two.

And then we've

got the, the key fob.

Go ahead.

Oh, and also between the free and the commercial.

The other thing is probably from an admin management perspective, the commercial

ones are probably easier to manage a large number of users than free Solutions

W. Curtis Preston: exactly.

Um, the, um, and then we have the, the, the key fob, right?

The, the, the physical ones, which are also offered by

UB Key and also also by RSA.

Right?

They also offer the physical

key fob.

The one that we didn't talk about that we

probably should include, and it's kind of lumped under the hardware.

One, is also like key cards.

So if you work in the government, your ID has a certain key on it.

And for instance, even if you enter your password, it won't unlock without

actually having the card as well.

W. Curtis Preston: So you'll need somewhere to basically tap that card.

Well, it did laptops.

As an example, you insert, there's a slot in laptops

that are

W. Curtis Preston: So yeah, so that's another, that's a physical, uh, thing.

And by the way, the most of the stuff is available as an app on the

computer or an app on your smartphone.

The, the, the software solutions that we were talking about.

Um, I do prefer authe over Google Authenticator mainly because of the

problem that I, the fact that I could back up my, my, uh, password system.

Um, and then there, you know, do you want to talk a little bit about

the, sort of the, the ultimate, which is biometric detection?

So the last one is really biometrics.

So I'm sure everyone on your phone these days, you use a face ID or your

thumbprint to unlock your phone, right?

Um, and so a lot of apps that are installed on your phone can also

say, Hey, enter your password and now give me a biometric as well

to make sure it's really you.

W. Curtis Preston: Right, right.

Um, and there's also like built into laptops.

You have, uh, fingerprint detection on your laptops.

Um, and there's face detection built into, you know, a lot of apps.

I guess what I'm just saying is username and password is not enough anymore,

and it just continues to amaze me that.

Uh, when I read a story like the one that I read this morning that it's like,

here it is a major corporation that was attacked simply because they didn't have

MFA enabled on an app that allows MFA.

Yeah.

W. Curtis Preston: I, I, I just don't understand that.

So if that's you, please Now, like immediately, especially again,

you're, you're a backup person.

If you're listening to me, you're a backup person.

Go to your backup system.

Have I enabled MFA on net backup?

Have I enabled MFA on, you know, uh, Veeam Druva, uh, Rubrik, Cohesity?

Have I enabled that?

Did they force me to enable, I, I, I wish they would, if they

haven't forced you to enable it.

Do it now.

Do it now before you finish this podcast.

Now I would say.

That for many of these systems, because they do support single sign-on,

it's usually up to those single sign-on providers to do the MFA.

For instance, if you are able to log into, say, Rubrik using Okta as your

single sign-on provider, as long as Okta has MFA enabled, Rubrik necessarily

doesn't need explicitly to support it because it's already supported

by the single sign-on provider.

W. Curtis Preston: So I'm gonna agree and disagree with you, right?

Is there a way to log into Rubrik without that, that system needs

MFA, that's all I'm saying.

Um, if there's like a back door, a back way, I.

If Okta is down, there's another way for you to log into

your favorite backup system.

That system needs to mf have MFA, and it's the back doors that often

get compromised because they're ignored and not maintained.

So,

And change your default password.

W. Curtis Preston: and change your default password.

Again, we keep reading these things right.

Yeah.

W. Curtis Preston: Uh, anyway, this will stop 90 plus percent of

ransomware attacks out there, and all of this stuff is relatively easy

and there's no point in doing the fancier stuff until you've done this.

So anyway, thanks for, you know, helping me work through that persona.

Uh, no worries, Curtis, and I'm glad your

wifi is up and running and, uh.

W. Curtis Preston: that's what I was about to say.

Even though you were completely worthless yesterday, right around this time.

Um, and thanks again to our listeners.

We'd be nothing without you.

That is a wrap.