you know, it's not every day.

You get to talk to a former Green Beret and it's my pleasure to do that today.

We're talking to Zach fuller, a founding partner of silent

sector, a cybersecurity firm.

About our favorite subject and yes, he does happen to be a farmer Green

Beret I hope you enjoy the episode.

Hi, and welcome to Backup Central's Restored All podcast.

I'm your host, w Curtis Preston, a k a, Mr.

Backup, and have with me a guy that is determined to cause me to spend

every last dollar I have on stuff.

Persona Malaiyandi, how's it going?

Prasanna

the I, I'm a little offended by that.

I don't know if I've, I don't know if it's every single dollar, but I would probably

say it's at least 50 cents on the dollar.

You keep sending me cool stuff.

You're like, Hey, have you heard of this thing, this cool thing?

Cuz you did, you did sort of convince me.

I.

Remember there was, uh, you know, I wanted to replace the front door lock, right?

Well, I needed to, and, uh, because the, the key broke off in the, in the

deadbolt, it wouldn't work anymore.

And so my wife was like, you should get one of those smart lock things.

So then I was looking at stuff that costs like, Like a hundred

dollars and you're like, if you looked at this one, that costs $200.

It's much better.

And now you're, and now August, basically you talked me into the August

lock, which by the way has been great.

I bought the August lock for my front door.

Um, and, and it's pretty cool to, you know, the, the coolest feature of

the August lock is that if I have my smartphone with me, It unlocks, uh,

as I'm walking up to the front door.

Right?

Uh, you that's

an

I,

feature.

I, I don't know if that's probably the best feature for you.

I think the best feature for you is Locke, ensuring that the door is locked.

Right?

I

are you saying, are you saying that I'm absent-minded

and that, that, for me personally would be the best feature?

No.

Yeah.

So just so you know, It's just funny that you sent, so what, so what

happened is you sent me today this link of, Hey, did you know sell?

They also sell a key, right?

Because mine is the one, the one that I bought is the one that

goes on the back of the door.

So from the front of the door, it looks just like I have a normal, uh, deadbolt.

Um, and that's the way I like that method versus, you know, it's the whole security

by obscurity, it's something, right?

Um, and so I don't have somebody driving past my house

trying to hack my smart lock.

they listen to this podcast.

Unless I listen to this podcast, all they all they

know, they'll, they'll know all they need to do is steal my smartphone.

Cuz I did turn on that, that feature, which I don't know, at least right

now, I still really enjoy having the door say, hello Curtis, welcome home.

And opening, uh, a So it's just funny that you sent me this, this thing, the, the

keypad as you were sending me that I was in the process of ordering the August,

uh, The lock for my two other doors.

So

telling

I, I, and you know it, you're right, is the feature,

the feature that I enjoy the most and which is what causing me to buy

it, is the fact that I, I turn on the feature that basically says after.

A time period that you determine the longest of which is 30 minutes, is that

it locks the door automatically and the backdoor again, if anyone's listening

to this podcast, the backdoor has a, has a habit of seemingly coming unlocked

and, uh, left unlocked for, and then I'll come down at some random time and

notice that the back door's unlocked.

so, you should be careful though, Curtis, just

given your tendency to sometimes leave your phone elsewhere.

You probably wanna make sure you don't get locked out of the house.

Right.

Especially if all of 'em, like maybe your garage door, you

may not want to have auto lock.

We, we've discussed this, we've discussed this.

Uh, let's just say, given who I am, there are backup systems in place.

Um, and also we've gotten into the habit of locking the front door as

we leave via our smartphone, right?

So since I'm using the phone to.

You always have it with you.

I, I, yeah, I always have it with me.

And also if I can call anyone else who lives here, which there are three other

people who live here, I could call them and I could say, can you unlock the, the,

The door.

Yeah.

Now, here's a question for her.

is pretty cool.

Prasanna Malaiyandi:

Here's a question for you.

Yeah.

Do you remember any of their numbers?

Um,

Because, because

my wife's number, I know my wife's number

and I know my daughter's number.

I do not know my son-in-law's

Okay.

That's okay.

At least you know two outta the three, so that's fine.

Because I was just thinking like a lot of people, like with smartphones these days,

they don't know people's numbers anymore.

Or you just look it up and you're like, Hey, call

so-and-so.

was, if I was at a payphone, like

what, what would that be like?

Uh, is there a payphone anywhere?

Or you just walk over to your neighbors, right?

You're like, Hey, can I borrow your phone?

I don't talk to my neighbors.

Oh

My ne the neighbor on that side would go, bleep, itty bleep.

No, no, not

gonna, yeah.

Neighbor

I'm sorry

They're new.

I don't know.

I don't know what they're,

so I'm sorry for getting you to spend extra money.

But not really.

Yeah.

Yeah.

Especially at a time right now.

Uh, you know, well, we don't know when this episode goes live at a time

right now, when I am currently, as we say, looking for opportunities, uh,

so, you know, need to preserve cash.

Cash is king right now, but, uh, anyway, um, let us get onto our guest

who's

like, what are you guys talking about?

Just blabbering on about smart logs.

I thought this was like something else.

Yeah, exactly.

So we have, uh, I think, um, a very interesting guest today.

He's actually a former member of the Special Forces Turn Cybersecurity Expert.

He's a co-host of the Cyber Rans Podcast and founding partner of Silent Sector.

I like that phrase, A company that builds cybersecurity.

Programs for B2B companies.

I'm pretty sure he's our first former Green Beret on the show.

Welcome to the show, Zach Fuller.

Thank you, Curtis.

Pleasure to be here.

Always nice to have a fellow veteran.

I was, uh, I was not.

In the Special Forces.

I was in the um, uh, I was in the, the phrase we used to say was,

there ain't no sense running around the bushes if there's no war.

I was in the Navy.

Right.

Um, and um, cuz I was in the Navy, technically most of my

time was during peace time.

But I did, I was in, during the OG Modern War Operation Desert Storm,

uh, we actually invaded Kuwait.

On my birthday in whatever year that was, two, was that like 2090?

Yeah, you're right.

It was in the nineties, wasn't it?

Yeah.

Yeah.

Nineties, like 91.

Um, and I, I have, I, I, I absolutely credit where I am today with the,

the years that I spent in the Navy, and I'm sure you do as well.

Um, you know, looks like you were in about the same amount of time as I was.

I spent five years in, I was 2004 to 2009.

So it seem seems like a, a long time ago, but at the same time,

it seems that time has flown by.

I don't know where it went, but, um, but uh, yeah, here, here we are.

And I wouldn't trade it for the world, but, uh, it's a rougher lifestyle

than being, than doing what I do now.

I'll tell you that my, I've soft keyboard hands now, um, and a, and a sore back.

Yeah, I, I, um, I, you know, I, I went in the

Navy, you know, for, for those that you know, for whatever.

It's a podcast.

You don't wanna listen to me, you're on the wrong podcast.

Um, but back in the day, so I went in the Navy for a very specific reason.

I was working real jobs, right?

Like, like, you know, for, for companies with Paychex from the time I was 15.

And when I, uh, like I worked part-time as a, as a phone salesman.

Um, I was selling carpet cleaning and police benevolent association stuff.

I sold cars, I worked at McDonald's.

By the time I turned 21 in bootcamp, I had had 19 jobs.

Wow.

Right.

And, and I, I went into the Navy, uh, specifically with the goal of having a job

that I couldn't quit because I had, I know this is gonna come as a great surprise.

I had an issue with authority and, um, I was like, yeah, yeah.

And I, you know, so I went in the Navy to have a job that I couldn't quit.

And I remember, I, I still remember the moment.

My first, you know, we'll call it f you moment, right?

The moment where typically when I was a civilian, I would've said, f

you and I would've walked out, and that would've, and then I would've,

would've gotten another job, right?

And that was the moment that, uh, an E nine, so that's a senior chief, an E nine.

In my mind, an E nine asked me to move this thing.

You know, it was something simpler, like move this chair from there to there.

And I said something along the lines of, at the time I didn't think I was arguing.

I didn't think I was dis disobeying an order I.

I just was like, well, I think it makes more sense for the

chair to be over there, whatever.

Whatever it was.

Right?

And and he immediately just went to to 11, right?

And he just was like, let me explain to you the E nine E four relationship.

I say, you do thinking is beyond your bleeping pay grade.

Right?

And I remember thinking at that exact moment.

Okay, Curtis, this is, this is what you, this is that moment that you,

this is what you signed up for.

And I did not say those magic words.

I did not get booted outta the Navy.

And uh, and here I am.

How about you?

Um, well, I, I definitely have.

Have been tuned up by higher enlisted before, so you're not alone there.

Um, that's, uh, that, yeah.

Saying that to an E nine s, never, never a good idea.

It's basically whatever they say you do, if jump off that cliff, better jump

off that cliff, cuz the ramifications are gonna be less than if you don't.

But um, yeah.

That being said, I mean, I was, I.

I was just felt drawn to the, the military.

Um, and nine 11 happened when I was in high school.

And I, you know, and then I went on to, on to college and was at University of

Colorado and I was kind of, I kind of felt I was doing fine in school, but

I didn't feel that challenge that I was looking for at that point in life.

And I had, I just felt this calling to go join the military and then, and then, um,

in the, The, there was an opportunity if you could go through all the assessment

and selection process and all that, you could go from civilian to becoming a Green

Beret, um, rather than prior, they, you had to be in the army for a handful of

years and like an infantry or something.

So, Having that opportunity, passing all the tests, going through selection,

getting selected, going through the, um, qualification course for about

two years, um, was just a, that was the challenge I was looking for,

you know, and that, that was a game changer for me and just was the.

You know, brought, brought me to that next notch of maturity that I really

needed at that, that point in life.

And, and so I, I wouldn't trade it for the world.

You know, I got to work with guys that, you know, small team of guys that are

the best in the world at what they do.

They there's, and there's no place else they would've rather been, you

know, so it's kind of funny because.

It was just an incredible environment to work in.

Incredible people.

We went out, we did our operations overseas, global war on terror,

um, and did some amazing things.

Now, when my enlistment came to an end being naive, 20

something, mid, mid twenties.

At the time, I thought that that's how the rest of the world operated.

You know, where you, you could ask, you could tell somebody to do something,

and it was basically already done, even if time hadn't caught up yet,

there was no checking in to see if it had happened or anything like that.

And so going from that environment into the business world was an eyeopener.

And it, it, it took a lot of adjustment and expectations and, and how things

work and operate, but, I love it.

I wouldn't trade it for the world.

I, we learned a lot during that time that I wouldn't have picked up anywhere else.

And, and I try to, uh, share those, those, those concepts and those

methodologies and ideas that we ran by in the unconventional warfare world

and share those with business leaders, with technical, technical leaders

and, and, um, people just getting started in their careers as well.

Um, so lots.

Yeah, I could, I could talk all day about that stuff.

It's a fun.

Um, group to be around because there's, they don't, they don't

accept anything but the best, the very best performance all the time.

But they also have fun doing it.

And there's lots of jokes, there's lots of laughs.

It's where they want to be.

So, um, yeah, I, I just, um, got so much out of that.

People as a veteran people will come up and say, thank you for your service.

I say, well, thank you for your tax dollars, first of all, cuz

I probably wasted a lot of them.

thank you for the paycheck.

Yeah.

And, and also it's, you know, really it's the, the, the, the

pleasure is mine to be able to, to do that in, in that environment.

So,

So what made you go from that into cybersecurity?

Like how, why choose this area?

so I was always a, I was always kind of a, a, well, not kind of,

it was definitely an a, you know, Tech nerd growing up, I spent lots of time

on computers, grew up in tech, family.

Both my parents worked in Silicon Valley and, and, um, so I was on computers

since I was as young as I could remember, you know, starting with the Apple

two E and, uh, going up from there.

But I got started getting kicked outta computer classes for hacking

the networks and locking the teachers outta their own systems and stuff.

And in, uh, that was in middle school.

Um, so

Thank you for your service.

Oh yeah.

So, um, I, I had fun, you know, breaking stuff and putting it back together,

and I think that's the root of a lot of people in cybersecurity now.

Um, I took a different path though.

I realized that, uh, when it, when it came down to really, as I realized that,

and, uh, later on in middle school and high school, I realized girls weren't

super interested in my tech skills.

So now, now it's a cooler thing, you know, but now, but back then, you, you

know, They weren't very interested in that stuff, but, um, I actually took

a path of more the entrepreneurial realm and so started building

websites for companies when that was a cutting edge thing to have a website.

I started outsourcing work to Russia that I didn't know how to do at the

time before outsourcing was really.

A known thing.

I found developers that could do work that I didn't know how to do for much cheaper

than it could be done here in the us.

And so, um, did that and, and really took an interest in the entrepreneurial side,

the business, um, development and so on.

And so I did, did different ventures, um, throughout my career.

E even in a college and exterior painting company door.

I've done everything from door to door sales to.

Implement Salesforce for, or, you know, mid-market companies.

So, um, had a lot of, lot of crossover between that tech and then

that business development world.

Um, after the Army I went into, uh, the real estate private equity world.

Well, real estate investment world.

Because it was 2009 and everybody said how terrible real estate

was and stay away from it.

So being the hardheaded person that I tend to be, sometimes that's exactly where

I went, is where I was told not to go.

So, um, that was fun.

Learned a lot, um, helped a private equity company build and grow and, and,

and just build a tremendous organization.

But, but, um, I realized that what I got to do in the Army, I.

Was, I, I got to protect great people in our nation from kind of

behind the scenes doing things that people never really hear about.

I mean, some of the stuff made the news, but it, it, who was behind

it never, never came out, right?

And so I thought that was a really awesome thing and I, I

really felt called to be able to.

Protect our nation again in some way.

Um, I wasn't necessarily gonna do it by slinging lead and high explosives.

Again, that, that was, you know, my, my prior life.

Um, but I recognize there's a need in the cybersecurity realm.

Um, when we started Silent Sector in 2016, we're starting to see our

uptick in, um, breaches on the news, and it was becoming more and more.

Uh, these, these activities of cyber criminals were becoming

more prevalent and the, the public was becoming more aware of 'em.

So I said, well, you know, there's probably something that needs to be done

here, something that we can do different.

And, um, that's, that's really, I.

How I entered into this industry, um, you, you know, and, and have two incredible

partners that both have 25 years as, um, you know, both in, in technical

and leadership roles in cybersecurity.

So, um, the three of us came together, brought different skillsets, and we

said, Hey, let's build this thing.

Let's do something different.

And that's what we've been doing and it's been, it's been great.

Yeah.

That's pretty cool.

I, I like that.

You know, I, I liked hearing, I.

Sort of applying the stuff that you learned in the military.

I, I think there's things that I learned in the military that have stuck with me,

but for me it was longer ago than you.

So I think I learned things and then forgot that that's where I learned them

one, one of, one of the thing that, um, When I think back on things is one

thing that I learned in, at least in my military or my part in the military, was

the value of well tested documentation.

Um, because, which, which I'm thinking do, which not a, was not

a situation in your, in your field.

But, uh, I mean, you've

got

be surprised.

I'm sure.

Okay.

Uh, yeah, probably explosives are probably very well documented.

We had this, um, uh, this system for doing preventative maintenance on the equipment.

I was in, electronics, I was in.

Um, uh, I operated and maintained the video system for the flight deck of an

aircraft carrier and then also the, the lighting system that allowed the planes

to land in the same spot every time.

And, uh, we had a system for, um, doing preventative maintenance

on these, uh, on these systems.

And they had those procedures had to be vetted and vetted and vetted and

tested, and then put onto a card.

Those procedures you, you lived and died by, you had this card and you followed it.

Even if you were trained in that piece of equipment, you followed that card.

I.

Step by step by step, and, and that's the way when I think about like cyber

recovery, disaster recovery, that's the way the procedure should be.

It should be fully tested and vetted to the point that you should be able,

you should be able to hand it to a.

Um, a, a technically proficient person who isn't familiar with the process and they

should be able to execute the plan, um, what, what, what do you think about that?

yeah, absolutely.

Well, I was, I was, I was kind of laughing over here when you're saying

the system, cuz I was thinking, well, in the army they're saying is if

it ain't broke, fix it until it is.

And so, so that, that's their version but no, um, seriously,

it, no, that's exactly it.

Um, I, I think of it in terms of airborne operations, right?

And jumping out of airplanes.

Um, the riggers have a tremendous job in getting the shoots packed the

same exact way every single time.

And it is me meticulously done.

There's no room for variants.

There's not any, any there.

So I think regardless of all joking aside, regardless of where you.

You are in the military and those listening with military backgrounds,

I think that's a tremendous asset to bring into your security program,

especially when you're talking about incident response, disaster recovery.

We, we find a lot of organizations in the mid-market and emerging size company

space will have, and I'm sure this is true in, you know, large enterprise

in a lot of cases too, but there's a lot of times the I R D R plans are.

Uh, very loosely put together, if at all, oftentimes off a template that

has been downloaded from somewhere.

Um, and they're not necessarily kept up and maintained.

So one best practice is that, um, if you can, I mean, I,

I'd say everybody can do this.

It's whether they'll make time or not, but do tabletop exercises once a quarter, dust

off that I R D R plan and work through it.

Um, even if you're not doing.

A, a actual full blown exercise.

Just a, a tabletop will tell you a lot about where things are and we'll, we'll

bring up a lot of, um, considerations and, and not enough companies do that.

A lot of times it's, yeah, we, you know, we built out our plan and it, we

haven't looked at it in three years, so.

You know, right out of the military, I went into a bank, I.

That's where I got my start in it.

And we were required by the occ, right?

That's the office of controller of currency.

We were required by the OCC to do a DR test twice a year.

And so, you know that comment that you made when you got outta the

military, you were surprised that.

Um, that people, you know, that when people are told to do something, they

don't just, they just don't do it.

Right.

Um, I was surprised when I left the bank to find out that everybody didn't do that.

Right.

Uh, so to me, this idea of a having a well-documented, uh, dr plan that you

then test it, uh, at, at least once a year, uh, you know, we did it every six

months and, um, That the, the way we did it was we would take the plan and

we would hand it to someone else, right?

Zach, you seem like you know what you're doing.

You're the new guy.

Here's the documentation.

Follow it while I stand in the background and figure out what I missed.

Right?

That, that's, that's the real way to do a test and I am, I am.

I, I don't know.

I'm continually surprised.

I know persona, or

No, I'm.

surprised that the people that don't do the basics, let alone

Yeah.

Well, yeah, and y no, and I agree with that.

And as I was actually gonna ask Zach, I'm like, for customers

you've been talking to, how many of them actually have a IR or DR.

Plan documented?

Forget about actually testing it or verifying it, but even actually

having a plan that seems feasible for recovering their environment.

Yeah, it's, it's more, more rare than it should be.

We, we work.

Because we work with a lot of mid-market and, and smaller organizations.

These aren't startups and stuff, but these are, you know, established companies.

They're in compliance regulated industries, healthcare,

financial services, uh, defense contractors, all that.

And, and the ones that tend to be a little more on top of it are the ones that are,

uh, that their hands are forced, right?

They have an audit, um, on a annual basis or every three years even.

And, and so they, they kind of have to do something about it.

Um, so.

It's, it's, it's much more prevalent than it should be to

not have any type of, of DR plan.

I mean, even, even just lack of independent backup solutions.

You know, companies, Hey, we're, well, we're in aws.

Okay, well, where, where else?

No.

Well, you know, aws, Amazon's

don't need anything

It's like, no, that's not how it works.

So, um, so yeah, it's, it's not, um, as prevalent as it should be.

The other thing too is the, the quality and then making assumptions

that people actually know what to do.

So I like Curtis, your, your methodology, hand it to somebody else.

What we do is we've created a gamified approach that actually

involves dice and everything.

So think of like a Dungeons and Dragons type type situation.

We're rolling dice, and then we're figuring out, well,

what's the scenario that's next?

Is the next scenario is, hey, John is, um, head of it and is the one that

usually runs all this for us, but he's out in the mountains for a week and we

can't get ahold of him, so who's next?

And then, and then on down the line.

And then another thing that can be done is oftentimes these

exercises are in, uh, group format, whether it be remote or actually

sitting around a conference table.

Well, instead of that, maybe we kick it off.

We let everybody know, Hey, this is going to happen at some point this week.

Be expecting a phone call.

So they know this is part of the exercise, but we actually

kick it off in a live chain.

Like it actually would go down in real life.

Hey, somebody you know is getting, um, bug pulled, you know, pulled

outta their meeting or whatever, and we're going through this sequence of

events in order to follow their plan.

So, um, a lot of ways you could go about it, but I think just.

Making the time to do it is, is something that should be on the

calendar, um, minimum once a year, but we, you know, two to four is ideal.

Yeah.

Yeah.

I, I think I like that idea of, of gamifying it, right?

I, I, I just see, I mean, just in general, the idea of gamifying it, I like that,

uh, you know, I like, I've got this idea, you know, you got this dice, you're

like, and what, and what do we win?

You get a zero a day exploit, let's go.

Right.

I like it.

I like it.

Um, yeah, I, I, I think maybe I.

Because when I think back to those, uh, those DR tests that we did, and

this is way before anyone said the word ransomware, um, although as I've

been studying up, uh, on ransomware, it turns out ransomware has actually

been around longer than I thought.

I first started hearing about it in 2014, but it's actually goes all the way back

to, believe it or not, the eighties.

There was a ransomware case in the eighties, but it

wasn't really a, a, a thing.

Uh, and I, I think it's been, um, It's been Bitcoin and things like that, that

have really, I think, enabled it right in the, in the, in the recent era.

So when I think back to those days, I remember those being

high stress events, right?

We only did it once every six months.

We wanted it to be successful.

Successful was defined as the recovery worked.

And Curtis didn't have to get involved, right?

So y you know, I handed it to Zack.

Zack followed the procedures and the recovery was a hundred percent successful

and I didn't have to do anything.

We were never successful by that, by that standard, but we

learned a lot along the way.

And so the point was that it was an incredibly stressful situation.

So I think this idea of gamifying it and doing it more often and having it,

you know, just something that we do.

As a way of both, um, creating the esprit core as well as, um, increasing

knowledge and doing it more often.

Um, that's actually a, I think, a fascinating idea, um, versus

what, what we used to do.

Um, what do you think persona.

Yeah, no, I think doing things more often, like

practice makes perfect, you know, and you can't predict each and every

single one of these events, right?

Like you were saying, Zach, you rolled the dice and it might be this scenario

or that scenario, but at least you're going through and getting used to the.

Process and what things look like and dealing with that.

Because when it really happened, it's gonna be a very high

stress environment, right?

But if you know how people are gonna react, how they behave, you've

gone through these exercises, it builds up the confidence that you

can handle whatever comes your way.

So I just realized I haven't thrown out our disclaimer,

uh, persona and I work for different companies and, uh, we're not representing

either of them on this podcast.

This is an independent podcast and the opinions that you hear

are ours, not necessarily theirs.

And, uh, be sure to rate us, uh, by going to your favorite pod catcher.

Scroll down to the stars and give us all the, all the stars.

You know, unless you hate us, then don't bother rating us.

If, if you hate us, don't rate us.

I like that.

I've never said that before.

Um, you know, it helps other people find the, the episode and, and share it

with your friends, um, assuming that you have friends that care about their data.

And, uh, also, uh, if you'd like to be part of the conversation,

just reach out to me.

I'm easy to find.

I'm at WC Preston on Twitter.

W Curtis Preston gmail.

Uh, and you can also find me at linkedin.com/in/mr backup.

And, uh, you know, we'll get you on the show.

We love talking to other people that care about data.

So, so, uh, Zach, let's talk about some of the things that have been

happening, uh, in the news lately.

And I'm gonna start with this, um, the Veeam story, and

this one frustrates me a lot.

And by the way, I'm just gonna right up front.

Say, I am not upset with Veeam.

Right?

This is not an issue with Veeam.

Um, because there was a vulnerability announced in March, which as of

this recording is two months ago, they patched the vulnerability days.

Uh, I don't know exact the exact number of days, but it was very shortly after the

announcement, uh, of the vulnerability, and then you would think that.

Every Veeam customer would then immediately apply the patch.

But I'm pretty sure you saw this same news article that came out a couple of days

ago, and it was, I forgot which federal agency, but it was some federal agency

basically saying, Hey, uh, we've been looking out there and this Veeam exploit

that happened two months ago is still in the wild, meaning that there are still

attacks that are happening because of it.

There are still, there was some company or some entity, I don't

remember if it was an agency or some like threat hunter out there.

They went out and just scanned for vulnerable Veeam servers and the

number was in the, like the five digits and that just, I don't know what to

think about that, Zach, cuz because, you know, I mean, tell, tell me.

Well, first off, tell me if you agree with me.

Like if you do nothing else, right?

Good passwords, MFA pass or, and patch management.

Like if you, if you do nothing else from a cybersecurity perspective,

those three will go a long way.

Right?

Um, but, but here we have.

Like this is, this is, you know, the backup system is, I like to

say it, it's, it's Helms deep.

I don't know if you get the Lord of the Reference, reference or Lord,

Lord of the Rings reference there.

But, um, you know, it's, it's the final line of defense

and you're not patching it.

I, I, how, how do you deal with that out there?

yeah, so that's, and that's not patching with, you know, the, the

Veeam, uh, the Veeam vulnerability aside.

That's, I mean, that's prevalent throughout.

Everything right.

The CVE comes out and, and, um, there's, there's a known vulnerability.

The vendors are generally very good about patching 'em quickly

and getting notice out to their customers and everything else.

So, and so that's,

want, uh, Zach, you wanna define, uh, CVE for those

that aren't familiar with the term?

C CVEs, your, your, essentially your vulnerability database.

So every vulnerability that's identified by researchers out there has a number

associated with it and the year and such.

And so you can basically pull up a, a, a list, um, and look at all the.

You know, vulnerabilities for a certain, uh, type of environment

or, um, scanners run off of these.

So if you're running a vulnerability scanner, it'll match up a known

vulnerability with a potentially exploitable, um, uh, device.

Now, it doesn't mean that device is actually exploitable.

There are false positives, there are deeper layers of control and so on.

But, um, it's a, it's a methodology of marking a, um, a vulnerability.

With a, a specific number so you can go back and, and look it up.

Right.

And, and identify what's there.

Yeah.

I think it's critical.

Vulnerabilities and exploits, I think.

But it, it, yeah.

This database where, and it's like CVE dash.

0 9, 7, 5.

Um, and, and that tells you like in case the Veeam vulnerability,

there is a CVE number, uh, so that everybody knows the same, so that

we're all, we're all on the same page,

Yeah, exactly.

And then, and then your scanning tools will mark it.

You know, you generally like one through five rating or one through 10, and, um,

so you'll have a different severity level, um, depending on what it is and so on.

Now, again, that doesn't.

Tell you the true exploitable nature of that.

But, um, it's, it gives you an idea of where to look when something's wrong.

So one of the things companies need to be doing is continuous

vulnerability scanning.

So the whole vulner, oh, we scan once a quarter for PCI compliance.

That just doesn't, doesn't cut it.

They should be running continuous scans because it's simple to do.

The tools are out there, especially externally, I mean internally too,

ideally, but, um, at, at a minimum.

Do continuous external scanning.

So these vulnerabilities are popping up, um, and you're seeing them, and

that way you're not trying to keep up with the articles and such that are

coming out or the, the notifications from the vendors, those scanning tools

that you're paying for whatever, whether it's Qualys or Nessus, rapid seven,

whatever, whatever tool you're using.

There's a bunch of 'em out there, but they're, they're constantly

loading their databases with these new vulnerability signatures.

And so if you're running this continuously, you're, you're.

You have a third party, um, provider of the scanner platform that's, that's

loading these signatures in, so they're on the ball cuz that's their business.

They're, you know, very, very quick with this stuff.

So you should be getting red flags and getting, getting notifications when

a new vulnerability is identified.

So the problem is, Mo a lot of organizations in the mid-market

and emerging space are, it's been often a year more since they've done

a vulnerability scan if, if ever.

Um, and so it's, it, they, a lot of the, you know, it like MSPs and things, they're

focused more on the day-to-day operational things and running, running tools like

antivirus, managing firewalls and such.

But this, this proactive activity of vulnerability scans v vulnerability scans,

the first thing that's gonna tell you.

Um, you know, whether it's Veeam or anything else, if you have something

to look at, look deeper into.

So, and then you get into the patch management whole discussion

and that's a thorn in the side for lots of organizations.

But, um, you can't look to go, you know, jump on a patch out of your

normal schedule if you don't even know that that vulnerability is there.

So,

So two questions for you, Zach.

I think that all makes sense.

Uh, the first is, What is the category like if someone wanted to

look up a category for what these vulnerability scanning tools are

called, what would they go search for?

I know you gave a couple of vendors, but what's that

general category of tool called?

Yeah, I, I just look up network vulnerability scanners.

Um, you can, yeah, there's, there's, um, there's a hand.

The big names really are, are Qualys, um, Nessus.

You got, um, tenable.

There's a couple others, but you, but they're all gonna

accomplish really similar things.

It just depends on your, your budget and

And, and then the other question I had also is, especially

since you've been talking a lot about sort of small and medium businesses,

do you find though that these tools are practical for these organizations,

either from a budget cost perspective or even from a skillset perspective?

Because some of these organizations are very strapped when it comes

to IT personnel especially.

And in addition to that, you're looking at someone who's like cybersecurity

focused and so, Is this something that they can easily pick up and start to use?

Or is this such a burden for the organization that they're like, Hey,

we have 50 other things to deal with.

I can't worry about this.

Yeah, they can easily hire a third party provider, uh,

to, to run continuous scanning.

We're talking.

Couple hundred bucks a month, depending on the size of their, their environment.

Um, it can larger, it, it is of course, the more time it takes

to actually look at those skins.

So you wanna, you can, you can always hire a third party and it's, it's

pretty simple, pretty inexpensive, um, for a lot of companies.

Some of the tools can be pretty costly.

So for a lot of the companies, it's much more cost effective.

If you have, you know, five or 10 external ips, you might as well just

have a service provider do that for you.

And then, um, hopefully that service provider also has an actual human

looking at the scan results, right?

So not just kicking you a scan report, but even if they kick you

a scan report, um, you, you can.

Teach somebody pretty quickly how to look through those.

And most of 'em are just Excel exports, so you can just sort 'em however you'd like.

Uh, if there's specific ips, things that you wanna focus on, or say you

wanna only look at severity four and five, then we, you could, you could

do that, um, really simply with Excel.

So it's not, um, it doesn't get too technical.

And I think the time it takes, even if you're looking at those.

Yourself.

Um, it's, it's well worth it compared to the

Cost of not doing it.

Yeah, exactly.

Yeah, absolutely.

and where do those, because I know I've also seen

a number of um, uh, sort of automated.

PIN test, pin testing as a service.

So this is like vulnerability scanning as a service.

What about PIN testing as a service?

So, yeah, there's the, the pen testing market's been interesting.

It's been, be, become a bit commoditized.

Um, and so it's hard for consumers.

That are not in this business every day to kind of decipher what's, what.

Mostly what we've seen out of automated pen testing is it's

good for certain scenarios.

There are some companies that all they wanna do is check a block and

they say, we got a pen test done.

Um, and, and it can be good for.

Ongoing, um, continuous automated pen testing where you actually do, maybe you

do a, a, a human driven pen test twice a year or, or once a quarter or something

like that, or on every major release of your software, whatever the case may be.

But then you have automation going in in the meantime.

That can be a good use for it.

The problem that we see is that, um, we'll have, we'll have, you know, potential

clients come to us and say, Hey, we just got this, we got this pen test.

We don't really know what to do.

A lot of times there's a lot of fluff in there.

The, the idea of saving money from an automated, a approach, we haven't

really seen that be effective because, The companies that, that don't have

the, the resources to, to decipher this stuff, they, they take this huge data

dump from the automated tools and they go start trying to ta trying to tackle

every vulnerability that's identified.

So a good pen tester will show you.

Really the, the areas that are truly exploitable in your environment, right?

Just because a web application, you know, a tool says, Hey, there's

potential for a sequel injection here.

Doesn't mean you need to rebuild the app.

It's okay maybe that, maybe there's a form field that lets arbitrary characters

go through, but that doesn't mean.

That the database is gonna spit out a bunch of information

based, you know, based on attack.

There are various layers of protection between them.

So it, so as long as a company has, you know, a defense in

depth approach, um, a lot of the automation stuff is, is limited.

Um, I, again, I think it's, I think it's evolving.

I think they're, it's getting better, but we have a ways to go.

There are also.

Uh, issues within environments that take, um, kind of human logic to identify

still that, uh, tools won't pick up.

So, for instance, we had a client, uh, who, who came to us for a pen test.

They had a, uh, web application that when every, every time a user would sign up as

financially based organization and they.

They, every time a user would sign up, their data would go off to

a third party that would charge 'em 10 cents, uh, a submission to

validate that this is indeed a fact.

Indeed a real person, and the financial information is valid and so on.

So, third party service, 10 cents a shot.

Well, the scanners and tools and stuff didn't.

Pick up anything.

There's nothing wrong with that per se, but our team found that, oh, hey, we can

write a quick Python script here that can inject 5 million, uh, new users into this

platform within a matter of hours or less.

Right?

And so at 10 cents a piece that can start to get costly.

So we did proof of concept, you know, run 10 users through kind of thing, um,

Only 10.

Right.

Yeah.

But here, you know, here's what could happen.

So we need to stop, you know, so, so that kind of stuff sometimes, um, won't be,

won't be flagged and we just need to look at, we need to look at it objectively.

Um, you know, from the, from the business logic perspective.

So earlier I was mentioning, um, that my top three

are a good password system, um, and, uh, MFA and patch management.

So, Past that.

What, what, what would you, you know, cuz we talked about like, these are

the things you need to do first, right?

If, if, if you're concerned about the security of your environment, that

these are the things you need to do first, what would you do after that?

Mm.

Well, most breaches occur because of well-meaning, but unaware individuals.

So this, and this is a tough one cuz if I, if I could give a condensed

list of top 10, that would be ideal.

But the, the reality is there's a lot that goes into policy and, and process

around how we use our computing devices.

So thinking through that.

A lot of times it's, um, the, uh, old user accounts aren't deprovisioned, right?

Somebody leaves the company and HR isn't communicating with it,

and, and then those accounts get compromised and nobody knows about it.

So it's stuff like that.

So I, I'd say, um, if, if this is a big category, but your policies and

procedures and standards, documentation for the organization, Is, is so critical

because that's going to encompass a lot.

Um, I If you're referring more to technical controls

specifically, then absolutely.

You know, your backups and such.

Um, I think that, that there's, um, Another.

Well, and all the major frameworks call for this is the, one of the first

things they're gonna say to do is inventory and control of your assets.

Whether that's hard hardware and software, both.

Um, a lot of organizations struggle with knowing exactly what

they have in their environment.

And so if a rogue device is coming in there, or it, and it could just be.

You know, somebody's tired of working through the controls that

are set up on their work computer.

So they bring their laptop and plug it in, and, um, and now they're on the

network and, and who knows what their kids were doing on social media with

that, you know, a couple hours ago.

So those types of things need to be thought through.

Um, but I, I would say that, um, the, the, the human element,

um, is the biggest thing.

If, yeah, if I had to pick one piece, it'd be staff awareness training,

Yeah, I, I, I think that's, I think I

would completely agree with you.

Um, I, you know, I, I am a, like if my choice is off, Are.

Build really good defenses against mistakes versus train everybody

which mistakes not to make.

I'm gonna go with the first, not the second, but you.

But you have to do it, right?

You have to train the users.

The problem with people, it's that, where do I start?

Right?

Well, first off, there's always new people.

Second, we are incredibly, we're just, we're just flawed.

So, so really if we could just get rid of all the people, um, you

know, You're good to go.

Um, I mean, we all know that AI doesn't make mistakes.

So once we replace everyone on the planet with some sort of piece of

Right.

uh, there will be no more hacking.

This podcast brought to you by ai.

Absolutely no, I, I remember that, I remember, uh, back

again, that, that bank that I, that I, um, worked at, we were constantly,

we constantly did user training.

And one of the things that I remember that, that, that you were

always told in the regular training that we went to was no one in

the, you know, the IT department.

No one will ever call you and ask you for your password ever.

Right.

And then the next day we would always call them and ask them for their password

and like 20% of them would give it to us.

It was like,

Oh yeah,

it was just like, oh, it's, it's, it's,

We've been led in, we've been led into, uh, we do physical

intrusion testing from time to time, from a data security perspective though.

So we've been led into buildings, you know, tailgating and that sort of thing

during business hours, just looking like supposed to be there kind of thing.

And, and, you know, throw that thumb drive in a, in a.

Computer, um, even led into, um, you know, network rooms and, and server rooms.

I mean, it's, it's, um, pretty amazing.

But yeah, the, the unaware is generally well-meaning, but, you know,

unaware individual is, is always.

Going to be the biggest risk.

And that's, that's where we see most, most attacks come through.

Um, especially those companies that are on.

Um, and well, I want to put this out there because you're on cloud

services that does not make you secure.

Right?

Um, so those, those companies that, those companies that, um,

Think that, hey, we're on Google Workspace or we're on Office 365.

So, you know, Google or Microsoft is taking care of our security.

Um, that if we're, if we're, you know, talking about a list of things to do,

um, another critical mistake is that a lot of these mid-market and smaller

companies are on these environments and it's, it's crazy things like they

set up the, you know, the person that started the company 15 years ago.

Um, you know, ha has their, their normal email account is also the

administrator to that company's account.

And, um, that when once that gets breached, of course

all kinds of things happen.

We've seen cryptocurrency accounts stolen, um, uh, domain names hijacked, uh, from

the registrars and moved to, um, moved to overseas registrars and ha getting a

ransom to get it, you know, demanding a ransom to get it back, that kind of thing.

Um, We, we've seen, you know, and from there pivoting to other cloud

services like Dropbox and such.

So that's more toward the very small company side.

Um, u usually they're, they're more sophisticated in that, but

I wanted to dispel that myth.

I'd say that make sure that your cloud.

Service environments, they, they can be set up to be very well secured.

Most organizations are not leveraging the, the full potential

of their security, and they're not provisioning accounts properly.

So if we think about principle, uh, of least privilege, we want to give

people only what they need to do their job day to day, and then have a.

Methodology in place so they can escalate their access if they

need it in unique circumstances.

Um, but a lot of times companies are just giving everybody the

kind of the keys to the kingdom.

So once their account gets breached, now the attacker can get to a lot more,

uh, than they could have otherwise.

And the, the damage goes further that way.

Yeah, but it's so much easier, Zach, if you

give access to everyone you know.

Right?

Yeah.

Yep.

Just, uh, open up your firewalls to any, any, just let all the traffic through.

there was a famous GDPR case in, uh, Spain, I think it was

maybe Portugal, and it was a hospital.

And, um, the, it, it was one of the first big G D P R fines and

what they had done in the hospital was to make administration easy.

They made everybody a doctor.

So everybody that worked at the hospital had doctor level access so they could

see any record of any patient any time.

Uh, and they were like, basically the gdpr, you know, the commission basically

said you clearly didn't even try.

Right?

You clearly.

You, you never even heard of the concept of lease privilege.

Uh, we, you know, we find you guilty and, and, and find them.

I dunno, it's a couple hundred million dollars or something.

Uh, persona, can you think of, um, a another, so Zach was

saying that, uh, make sure to.

Uh, make sure that your cloud services are secured or properly

configured for security.

Prasanna Malaiyandi:

Make sure to back it up.

add to that?

Yeah,

Make sure to back it up exactly because like Microsoft

365 or Google workspaces, right?

They don't care about restoring and recovering your environment

to a well-known point.

All they care about is making sure their service is up to date, keeping recovery

copies to make sure that, but they don't have those copies for your benefit,

Yeah, this Zack, the, the, the thing of, you know, and

I think in the security world, we're like, uh, you know, MFA is like, man,

if you don't have MFA at this point, I, I don't even know what to tell you.

Right.

Uh, in, in the backup world, this is one of those things where it's

like, I, I, I don't know what to tell you if you think that Microsoft

is backing up your data, right?

Um, and I, I don't care what your, your Tam said to you, your,

your technical account manager.

I don't care what you read on some blog somewhere.

Please go grab your service agreement.

And find the word backup and and recovery in there anywhere.

Cuz it, cuz it isn't there.

Right.

Uh, and also look up, uh, Microsoft has what they call the shared

responsibility model and persona.

They're not the only ones with that are they?

Or is that just, that's not just their term,

that's not just

So basically they show that they're responsible

for the infrastructure and the availability of the service.

And they're like data.

You right?

100% the customer.

And still I have people that go, I don't think I need to back

up these important services.

I think that's gonna be, um, uh, the next sort of frontier.

It already is starting to be, they're starting to go after her services like

365 from a ransomware perspective.

And I think at some point, hopefully in the next.

Few years, people will start realizing once enough companies lose everything,

uh, or are forced to pay a ransom to get their, um, important communi, you

know, company communications back from their SaaS provider, uh, once somebody

loses, you know, everything they've ever put into Salesforce, right.

Um, and, and they're, they're forced to pay a ransom to get it back.

Um, maybe this will get better.

Yeah.

What?

What do you think Zach?

yeah, well, yeah, absolutely.

I think, I think there's more and more enforcement of that as well.

So you look at just, um, getting.

In a cyber insurance policy these days, for example, they're, they're

putting you through the ringer, and that's one of the key factors that

you're gonna need to have, right.

Is, is a backup system that's separate from your production environment

where everybody's working now?

Uh, yeah.

I, I think we're gonna see that.

We're also gonna see.

Um, these different regulations that are coming at, it's a compliance requirement

of the week coming up at this point, but, um, yeah, they're, they are absolutely

enforcing more and more of these controls with that being one of them, because,

I mean, I think especially because of ransomware, that's what everybody I.

Thinks about, but I mean, there's just a, there's a common everyday

business use case for it.

You know, it could be the malicious employee that wipes a

bunch of stuff before they leave.

It could be somebody just unknowingly overwrites a bunch of files with

old data and, and just having quick access to get that back.

So it, it's not, it doesn't take a ransomware attack to

have a reason to have a backup.

It's, um, there, there are lots and lots of use cases, or we talked a little

bit about das Disaster recovery before.

Um, that, you know, there's obvious implications there.

So, um, I, I think, I think that's a big piece of it for sure.

Preach it, Zach.

Um, I could, I could think, uh, so I used to administer, um, a

pretty large Salesforce environment and I remember one time I.

Uh, where what I was trying to do was I was trying to format, so I'm pretty

good with like text manipulation.

Being an old Unix guy, I was pretty good at that.

And I downloaded, um, the entire database, which was like, I don't know, a couple

million records and I went and did my Unix magic on the, uh, phone field.

I was good at text manipulation, I was bad at Excel, and so I sorted, I.

The spreadsheet, but I didn't sort the whole spreadsheet.

I just sorted like the phone numbers and I, which meant that I just

scrambled all the phone numbers to.

So, and then I uploaded that, uh, and basically in, in, in a matter of a

few minutes, I managed to give every contact in our, uh, database, the

wrong phone number, some other random person's phone number, and luckily,

Uh, I had, uh, this was before I had tried, this is a couple of years ago,

I had tried unsuccessfully to find a decent backup service for Salesforce,

and so the only thing I could do was like a, you know, an export of that.

Um, table.

It was the, the, um, the leads table.

And so luckily I had, I had saved the download that I had made before I mucked

it all up and then I was able to fix it.

But that's the kind of thing, like you said, it doesn't take a ransomware case.

It could just be a, we'll call it a Curtis.

Um,

Well, we, we were talking about humans being the,

the, the weakest link, right?

It's, it's, it's all of us.

You know, it's, it's not, um, it, it's not just, Uh, it's not just people that

ha that are, you know, not technically inclined or, or, or anything like that.

It, it's anybody and everybody.

I mean, we, there's lots of cybersecurity professionals still fall for scams

and different things out there.

I mean, they've, you know, given out data on forums and things like that

on the dark web, you know, it's, it's just, it's crazy what goes on.

But yeah, you're not alone there.

Yeah.

Or in the case of cur Curtis, instead of calling it the Curtis, maybe we'll

call it the overconfident person.

you know, it's funny, uh, it's funny, earlier when, when, when

Zach was talking about, um, you know, it's, it's the well-meaning person,

uh, that just makes a, a, a mistake.

I was gonna float the idea of calling that a persona.

And see, seeing if we can, you know how like, like nowadays we, we have the term

Karen, and that means a specific thing.

If we could, I just, it would be really cool if, like, the well-meaning person

that manages to screw up everything, if we could just call out a persona.

we'll call him Steve.

Call him Steve.

Is that a Sorry for their, if there's any, Steve's listening.

Yeah, there, there's one or two.

I know for a fact.

Um, well, Zach, it's been, it's been great having you on.

Um, and, um, I wanted to, uh, uh, you know, thanks for the insight

hey, my pleasure.

Great, great chatting with you both and, um, yeah, looking forward

to doing this again sometime.

and persona, uh, great as always.

Thank you Curtis and Zach, it was nice to meet you by the way.

Uh, if people wanted to sort of get more insights into, or figure

out what they should do around cybersecurity, how do they get in

touch with you and your company?

Yeah, they can, they can check out.

Silent sector.com is our website.

And then we have our book, cyber Rans available on Amazon

and the Cyber Rans podcast.

Um, information across all those, uh, places and, um, you know,

feel free to reach out anytime and uh, on LinkedIn as well.

I'll put a link to, I'll put a link to my

episode in the, uh, cuz I know I was a guest there at one point.

I'll put a link to my episode in our, in our show notes cuz, cuz our

people, they just want to hear me talk.

All right.

Well, you know, speaking of people that just want to hear me talk, uh,

I want to thank you to our listeners.

Uh, you are why we do this, and remember to subscribe so