Security Strong Podcast
Get ready for the Security Strong Podcast. We tackle IT issues, discuss best practices for your technology safety and interview professionals that are on the front lines within their organization's technology infrastructure. And now your host, Owner and Founder of Tobin Solutions, Jeremy Cherny!
Security Awareness Training
05/19/2021
In this in-depth Security Awareness Training, host Jeremy Cherny explores how a security incident can occur, as well as how people can best protect their data to remain secure.
Get To Know Microsoft Teams
04/22/2021
Host Jeremy Cherny discusses how to use Microsoft Teams as well as best practices.

What is Microsoft Teams?
If you haven't used it before, Microsoft Teams is a bit like texting or messenger on your phone in that it allows you to send messages to individuals, create group chats, and share files such as PDFs or photos. It's much more than just that, though. You can also create video chats for things such as one-on-ones, group chats, meetings, or video conferencing, and because Teams can access apps such as SharePoint, Planner, and OneNote, just to name a few, your team can work collaboratively on whatever they desire. On the whole, Microsoft Teams helps businesses because it keeps everyone in the know and on the same page, which increases communication, collaboration, and productivity.

Teams and Channels
What is the difference between Teams and Channels? Teams are a collection of people, content, and tools surrounding different projects and outcomes within an organization. Channels are dedicated sections within a team that keep conversations and work organized by specific topics, projects, or disciplines. An easy way to look at it is that the Team is the organization as a whole, and each Channel is a specific department within that organization. Larger businesses may have to create a specific Team for each department and then create Channels for the specific topics that department owns. This really allows organizations to organize their work and conversations with ease. Whenever you create a Team, a Channel called General is created automatically, and it's up to you to create the other channels that fit your organization best.

Chatting and Conversations
Teams makes it far more efficient to communicate and collaborate, because traditionally you would have to do all of that communication through email. With Teams, those conversations show up as chats, which speeds up the communication process tenfold.

Within Teams, you have the ability to create chats, which Teams calls chat-based collaboration. You can create one-on-one chats, group chats, chats within a specific Channel, chats in relation to documents that are being worked on, etc. How does this speed up the collaboration process? With Teams, your conversations and documents all stay in one centralized location, so you can make changes, add comments, and chat with your team all in one place. Your chats within Teams are permanent, so even when you exit out of Teams, the chats are still there for you to access when you log back on.

Files and Collaboration
Within each team and channel, you can upload new documents, edit documents, or create new documents. You can even add cloud storage by connecting your Teams account with third-party software such as SharePoint, Dropbox, ShareFile, or Google Drive. One of the best features of Microsoft Teams is that when you are uploading documents you have the option to use the "Co-Author" feature. Co-Author allows multiple people to be in the same document at the same time, working simultaneously. This is useful when you have a meeting agenda and multiple people are updating it with their information, or when multiple people are creating a presentation and can work on it together at the same time, as opposed to emailing the presentation around and working on it one person at a time.
Get to know Microsoft Planner
04/01/2021
Host Jeremy Cherny discusses best practices and how to use Microsoft Planner.

What is Microsoft Planner?
Microsoft Planner does not have a desktop component; it is strictly web-based, plus the apps on your phone and tablet. So right now, there is no desktop component. You go to Office and sign in with your credentials. It's kind of like task management for teams. Some might call it light project management. There are a lot of different ways to look at it, depending on how you're going to use it. We've started to use it here at Tobin Solutions for a few small projects, so we understand how these things work and can support them for you.

Create an event
We're going to start by creating a new plan. For purposes of this project, we're going to create a customer appreciation event. When you create the plan, you can select its privacy level. By default, it's private: only members that you add can see the contents of it. That's great if you have a project or plan that is just meant for a few people. If it's something for your whole company, you would make it public, and then everyone in your company would be able to go in, see that plan, and have access to it. The permissions are not that granular: at this point, you either have access to the plan or you don't. There are not a lot of ways of controlling access to individual tasks and elements within the plan. Down in the options, you can also add some additional information so people know what this is, like "a party for our favorite customer."

Groups
One thing I want to point out, and this is an important piece, is that Planner works really well hand-in-hand with Microsoft Outlook. One of the features that you may or may not be aware of in Office 365 is the concept of Groups. Groups are just groups of people in your organization. Those groups get created behind the scenes for your use in different ways.

So, since I am part of this customer appreciation party plan, if I open up Outlook, you can now see under Groups that it created this customer appreciation group. When I click on that, it says, "Welcome to the customer appreciation party group." Groups are a special thing within Outlook; we could do a whole other demonstration and webinar on that. But basically, a group has its own mailbox and its own calendar and stores all the information together. So, if you create a plan in Planner, it's going to automatically create a group for you. Likewise, if you create a group in Outlook, it's going to automatically create a plan for you that will show up under your plans. They work hand-in-hand.

Tasks
This is a customer appreciation event, so what are some things we're going to need to do? First, we click on the plus sign. I think the first thing we need to do is select a date for our party; that's a task we need to do. We may also need to select a venue, which may or may not be at our office. We need to create a team. So I just created a few tasks. Right now these are under what's called a bucket, and this bucket is called To-do. We're going to talk a little more about buckets as we go forward. You can rename these buckets, but they are essentially lists of tasks. If I open up the "Create the team" task, you'll see it's in the To-do bucket, but its progress is "Not started." It doesn't have a start date or a due date. There's also no description. So I could start to put that together and ask, "When do I want to get this done?" and enter that date.
What to expect from the future of Internet security with Steve Moscarelli
01/25/2021
Host Jeremy Cherny interviews Steve Moscarelli, Regional Sales Manager at Thales Cloud Security.

“I knew that the internet was going to be the future when I was in college. I had roommates working at the New Media Lab at MIT and they were involved in building a precursor to the internet for DARPA. I also saw very clearly that the internet was built with no security at all, which really propelled me into my career.”

What are some of the things you read to stay on top of what's happening in the world of security?
So I'd recommend that everybody pay close attention to Dark Reading. In many people's opinion, it is often considered the number one site for keeping up with the constantly changing threat landscape. There's the Phil Venables website, the Bruce Schneier website, Security Current, Security Weekly, Security Week, SANS, Brian Krebs' website, the MIT Cybersecurity Review. If I were to rank these, I'd have to say probably Dark Reading, KrebsOnSecurity, SANS, Security Current. And then there are a lot of specialties: there's Healthcare Information Security, there's Data Breach Today, Payment Security. There's a myriad of places that nobody has enough time to check: Threatpost, CyberScoop and HelpNet. However, I think most people look at Dark Reading as often as possible.

You work with a lot of Fortune 500 companies. What do they do for security awareness training?
They do try to trick their own employees sometimes, having them open attachments or click on URLs from emails so they can learn from a safe source. They're also certainly emphasizing multi-factor authentication and two-factor authentication. At the end of the day, if you're doing anything financial, you want a phone call. I see people doing more things on Slack and on Teams, which is not going through the traditional mail filters and SMTP gateways. People are also shying away from email.

People are getting more into channels that are not monitored as much, with everybody working from home, which makes things now the Wild West.

What do you see as the future of information security?
We have to get away from passwords, and that's going to be very difficult to do. If you talk to some of the leaders out there, Bruce Schneier, and Winn Schwartau, and people at SANS like Lance Spitzner, or perhaps Anton Chuvakin, I think that they all would like to find a way to get away from passwords. But that's a very, very difficult proposition to do. Third-party risk management is going to keep being a bigger and bigger thing. Every Tom, Dick and Harry is talking about the hack at SolarWinds right now. And SolarWinds is going to wake up a lot of companies to be very, very careful of their third-party connections. It's obviously the way that a lot of companies are adversely impacted, because they might not be paying attention as much as they should to who they're connected to. Like with the Target breach, that was their HVAC contractor. Starwood Marriott - they had the keys for their Oracle on the Oracle, they had the keys for VMware on their VMware. So the key for your VMware and the key for your Oracle are all on the same machine. So there were two people named in China that not only took the key for the VMware and the key for their Oracle, but they encrypted that data. So in the merger of Starwood and Marriott, there were situations where things fell through the cracks during a merger, and nobody was paying attention to the keys for their VMware and their Oracle. And, you know, obviously, with people going in an often haphazard manner to clouds, things happen, like at Capital One; I think most people know their S3 buckets were very leaky.
Using common sense to stay secure with Joe Dietrich
01/11/2021
Host Jeremy Cherny interviews Joe Dietrich, Manager of Hosting and Storage for Dover Corporation.

“Dover Corporation is a diversified global manufacturer. We've got about 325 global locations with about 23,000 employees worldwide. What I do for Dover is lead teams that provide server and storage support, as well as Active Directory support and what we call data protection, which for us means backup and disaster recovery.”

Why is security important?
The systems and applications that run on the servers and storage that my team supports are things like Oracle, our payroll, our accounting software. Those programs are used to not only produce drawings for parts but actually deliver those drawings and blueprints to the shop floor so that they can do what we call cut chips. This means they can actually make parts. This means that security is key infrastructure. When these programs go down or are unavailable, the company stands to lose significant amounts of money.

I know you don't always work directly with the end-users, you've got the teams you manage. How do you guys stay on top of security threats?
This is going to sound very rudimentary, but every place that I've worked, this has been a bit of a struggle. The first thing you need to do is understand what you have. You need to have a very solid list of the systems that you support. We start with that list because you can't secure what you don't know. For example, you don't know how big to build your fence if you don't know what you're trying to build it around. So it's extremely rudimentary, but it's just looking at what the list of things I'm responsible for is. Then you can take that list and say, “Okay, I see I've got 1000 servers. Do I have antivirus on all those servers? Do I have them reporting to things like OpenDNS? Are they sending their logs to Splunk?” So you can't really understand or secure things until you know how many things you have.

Do you ever find that people have blind spots, like something where someone says, "Oh, where'd this asset come from?"
Absolutely. I know you've been in the business long enough to remember when, if you wanted a server, you bought a physical server. I remember when I came in, servers were monsters; you could not really lose one because it weighed 150 pounds. Now, especially with the proliferation of cloud technologies like Azure, AWS and Google Cloud, it is so easy to spin up new environments. It really just takes a credit card and a few mouse clicks and you can have a 1000-server farm sitting in Azure. So what we see sometimes is what we consider shadow IT. Shadow IT is where somebody in the engineering department wants to test something out, and they go to aws.com, and they spin up an environment for themselves. They've made it so simple, which is great. It doesn't take the same level of knowledge that it used to when you actually had to put in those floppy disks to install. We absolutely see that sometimes, and the key then is to make sure that you educate people as to why, even though it's so convenient and so easy, it might not be a good idea for the business.

How do you educate them? How do you keep your team informed on those kinds of things, on security awareness?
It's hard because, as you know, new technologies are being spawned daily, which makes knowing everything impossible. What we try to do is make sure that as things come up from the various thought leaders throughout our department and some of our trusted partners, we're getting that knowledge out there, either via email, meetings, maybe pieces of training, that kind of thing. We really try to get as much information to the folks on the front line as we possibly can.

What are some of the things you see that people can do to protect their data online?
Communication is always key. What I mean by that is, if you're a small shop and you've got maybe one IT person, make sure that that person is well known throughout the company and is seen as a trusted resource, so that somebody won't just go to AWS or Azure and spin stuff up. They'll stop by that person's desk or they'll ping them on Teams, Skype or whatever, and just say, "Hey, I've got this idea," or "What do you think about this?" That communication is so important so that people don't feel like IT is a roadblock. People understand that IT is really a business accelerator, so I think that that's really important. You talk about staying secure online, and a lot of it is just common sense stuff. A lot of people can't even understand what IT professionals do. Well, a lot of it is just extremely common sense. Take the time to read something, take the time to look at links, look at what it's asking you to do. If you're getting emails that are supposedly coming from your boss, read them with a critical eye. If they're using phrases that your boss doesn't normally use, and they're trying to get you to go around a process and just wire money somewhere, that's probably not your boss. I think part of our problem now is that we always have so much information coming at us that we just zip through things so quickly. We're scrolling through our feed of whatever it might be. It's emails that we don't sit there and read and say, hold on, "Jeremy's emailing me now, and he just used a phrase I've never heard him use." Or it could be something as simple as, you know, he normally spells "color," but he spelled it "colour," and I've never seen him do that before; is this really him? So I think taking the time to just slow down for a second and be critical, to read things critically, is so key. It's not a technology, it's just more common sense stuff.

Do you have any war stories you can share, or anything where you guys had an issue, or something you maybe even heard of from one of your partners, that our listeners would benefit from?
Yeah, absolutely. Unfortunately, it kind of follows the theme of my last answer. We had somebody in a payroll department that saw one of these emails that was supposedly coming from a customer saying, "Hey, we've changed our banking information, now we want our payments to be sent here." Unfortunately, the person, I think, was trying to just rush through things, and they updated that information in the system. This was something where they sent payments of a pretty substantial amount that just got sent into the ether, and then they were gone. There was no recourse. If I remember correctly, it was sent outside the US, and the laws and the ability of the US to reach out and reclaim this money are limited. So it was somebody just rushing through things and not reading it with a critical eye. That's actually where I got that example of "color" vs. "colour"; it was actually from that. It was supposed to come from somebody that they had been speaking to, and they just didn't read it critically, and unfortunately, it was a substantial monetary problem.
Best practices for keeping your business’ information secure
12/28/2020
This week, we're doing something a little different on the Security Strong Podcast. It's just me; we're doing a kind of fireside chat here. I'm sitting in a rocking chair near the fire, thinking about the various awesome guests we've had since we started the podcast and about what we do as a security company, and I thought, why don't we share some of the best practices and go through a top list of things that you can do to stay secure.

Security as a Process, Not a Product
A lot of times when people think about security, they're thinking about buying the basics: a firewall or antivirus software. Those are products you buy, and they are critical, so we want to make sure we're getting them. But those things are obvious, and if they're not configured properly or not used properly, you still have a security hole. That's why we refer to security as a process, not a product. Think of it like your home: you have a lock on your front door to keep you secure, but it's engaging the lock when you walk out of the house that actually keeps you secure. The other thing we talk about is that you've got all these different things for security. You've got the antivirus, you've got the firewall, you've got the processes down, but security is really only as good as its weakest link. So as we're talking about these different things, you want to ask whether any of them is a weak link for you, because that's where the breach is likely to happen.

Why Security?
Security is really about the confidentiality of your systems, the integrity of your systems, and the availability of your systems. Confidentiality of your internal and external data means making sure that only authorized users see that information. Integrity of your data means making sure it's not changing, so nobody messes with your payroll and no one who isn't supposed to is messing with your contracts. Lastly is the availability of your systems, because if you can't get access to your data, you can't get access to the business programs you use.

User Accounts
User accounts are the IDs you use to log in to your computer. The user you log in as is assigned various permissions and rights, and there are two basic categories of users: administrative users and standard users. Administrators can install software, modify software, and change the configuration of software, whereas standard users typically can't. One study determined that running as a standard user would prevent attackers from exploiting 94% of the critical vulnerabilities that Microsoft patched in that same year. It used to be a very common practice for everyone to be an administrator because it was the easiest, but it's less common now. The action here is to create a separate log-on ID with administrator privileges and only use that administrator account when you have to administer the system, like when you're patching and modifying software; otherwise, run as a standard user. That way, if you happen to catch some malware, it's less likely to impact you and your system, because it can't do much when it's not running as an administrator.

Password Policies
Strong passwords are passwords that are hard to guess or crack. When I think about passwords, I like to think of one of my favorite sci-fi movies, WarGames. When he was sent to the principal's office, he wanted to get the password to the school's computers so he could change his grades. He opened up a drawer, and on a piece of paper in there the current password was written: “pencil.” So you want to make sure you're not using any single words, anything that's found in a dictionary, or any common phrases. It is better to use special characters, numbers, upper and lowercase letters, and even spaces. All of that makes for a good, complex password, and if you need to pad it, add some characters or even a common phrase to the end of a complex password, because length is critical when it comes to a password. The longer the password, the more complex it is, and the longer it takes a computer to brute force or guess what that password is. Also, do not reuse passwords across systems, especially websites and cloud services, because if one password gets out of your control, they're going to try that password on all the different systems that are out there. You also want to use a password manager. That way you keep your passwords in the password manager's database, a secure, strong database that can't be hacked. So the action for today is to verify that your passwords are strong. Visit to learn more! Join us for our next episode by connecting with us at
Security in the world of HR with Amy Fallucca
12/14/2020
Host Jeremy Cherny interviews Amy Fallucca, CEO of Bravent.

“Bravent has been around for about four years. We are an HR consulting and recruiting company. On the HR side, we help with anything from handbooks to advising on terminations or employee performance. Then on the recruiting side, we work on a range of positions: professional, technical, and executive. We leverage technology to be really efficient in our process, and by doing that, we're able to save our clients money. We're typically about half the cost of contingent placement firms.”

Can you speak a little about security around your process in HR, and why security is important around that?
HR is not typically known as being the most tech-savvy group of people, I would say. Things are advancing, and I'm fortunate to have worked for over 10 years within information technology companies, so I think I'm a little unique from that standpoint. Security and human resources: it's so important because it's our biggest asset within our businesses. As HR professionals or business owners, it's so critical that we securely store the sensitive information we collect from employees, because if we don't do that, we're really breaching trust.

How do you stay on top of the security threats and issues that are out there in the HR world?
One major thing that I would advise people is just don't collect sensitive information you don't need. Minimize the amount of information that you even have. For example, I saw an application that had a social security number on it; that really doesn't need to be on the job application. You can collect that at a later point in time. So, number one is don't collect sensitive information that you don't need. Number two would be to leverage digital collection. If there is that type of information, social security numbers, dates of birth, medical information, leverage self-service entry as much as possible. So for example, if you're running a background check, many of the services give the candidate a link where they can go and enter things like their social security number; I recommend that as much as possible. The same thing goes for your employees or the people who are on your team. As much as possible, have your digital records in an HRIS system that's secure, versus physical files. Then the third: if you use physical storage, really make sure that it's secured. This is something that we see frequently when we go and do audits of companies. The employee files might be in a file cabinet, but it's in an office where the door is open and the cabinet isn't locked. So really, fundamental physical storage best practices, like keeping it in a locked file cabinet, having designated key holders to prevent any unauthorized access, and then knowing your record retention standards and purging things regularly.

You talk about the storage, the physical versus the digital. Are there rules for how long they have to keep copies of any of that specific information, either paper or digital?
There are federal and state standards for how long to retain certain types of documents. It depends on the document and where you're located. I would say typically it's between five and seven years. Again, one thing I commonly see is either they haven't stored it for long enough or they store it forever. So we've gone into companies that have been in business for 30 years, and they literally have all their paperwork for employees, with social security numbers, going back that whole length of time. I think it's always great every few years to take a look at what records you have and purge those old records according to those standards. You can do a quick Google search to find human resources record retention regulations.

Are there any best practices for HRIS systems for protecting important data?
Having proper permissions set up is a major thing. Ensuring that the human resources department vs. the managers vs. the employees all have the proper permissions: that's one thing that can go wrong. Other than that, making sure that you do good research on the tool and understand what their approach or level of sophistication related to security is. At this point in the game, there are tons of great HRIS systems out there that are affordable and secure. I think it's always nice to go that route, especially in a situation like COVID where you can access your data wherever you're at, as opposed to having to look in those physical file folders. So I love digital.

What do you see as the future of HR information security?
As we look at the technology, I think automation of low-value, repetitive tasks is really going to continue to increase. We're seeing it now, but it's just going to expand as technology advances and becomes more sophisticated. When I first started my career, I remember using a recruiting system that was so basic, it was basically an Access database. It was really difficult to search, difficult to track people through a workflow. Now, we have really great recruiting systems that can post jobs automatically. I can remember going on Dice or Milwaukee Jobs and having to manually post in each of those places, and now with just the click of a button that can be done. Also with things like workflow automation: if we have 50 applicants for a position, we can do Boolean search strings to find the people that are the closest match. This helps us with reviewing. Maybe in the future that happens in a more automatic way, as opposed to having to build those strings. We also have an AI sourcing tool, which is really neat. It pulls the job descriptions that we have and uses the language to go out on the web, on a huge number of different sources, to find people that are a fit for the job. They also have some indicators in terms of who they think is more active vs. passive. It's good now, but I think in the future it's going to be great if it can do some things in terms of automating outreach in a more personalized way rather than just sending out generic emails. I think that's coming; it's just a matter of time until it starts happening.
Improve security through Mobile Device Management with Max Palzewicz
11/30/2020
Host Jeremy Cherny interviews Max Palzewicz, Director of Operations at Rocketman Tech “I started out my career in public accounting, primarily working and advising small business owners. I got my CPA and I was able to join my dad and uncle's business coaching firm, Action Coach of Southeastern Wisconsin, where I worked for a few years. I carved out a niche for myself focusing on the financials for business owners, teaching business owners, how to be financially literate, how to read and analyze their financial statements, also how to process good numbers so they could make sound decisions with them. After that chapter, I realized I wanted to actually do it myself and I wanted to go out and prove that I could build a business on my own. A friend tossed out the idea to me in late 2018, that I should learn how to implement a software called Jamf Pro. What they do is they have a mobile device management software that specializes in Apple devices, so macOS, and iOS. So that's what we started doing and I got certified to implement the software. But something happened in early 2019, where Jamf Pro stopped requiring the onboarding engagement for clients to use the software. So our whole business model of doing these one-off software implementations had been turned on its head. What we did instead was we turned his Rolodex of 200 or so companies and we turned it into a CRM, and we started email marketing. From that, I realized that not only was his skill set highly sought after, but these system administrators that are macOS specific also make upwards of six figures or more in a lot of businesses that they work in. So it's a sought after skill and position, but it's also highly transferable where people are frequently job-hopping in this space and they tend to leave in that wake of procedures that were poorly documented because it was in their job security, it was in their best interest to do everything themselves in the macOS management space and not really document well. 
We realized there was a great need for a service IT company to specialize in this. A lot of IT companies try to be all things to all people, so they'll do an entire vertical of services for their clients. We decided to just focus on this one thing, and that was managing Apple devices for enterprise companies.”

I don't know if all our listeners know exactly what mobile device management is, nor where it fits in with security. Can you say a bit more about that?

MDM (Mobile Device Management) is kind of one of those pillars that you look for when you do a SOC 2 compliance test or any of those security benchmarks or standards, whether you're getting a SOC 2 audit, or an ISO 27001 audit, or if you're just trying to follow the CIS benchmarks. Generally, you need mobile device management software to meet that compliance framework. So where MDM comes in, and Jamf Pro specifically, is it's a software that's designed to interact with the management framework on iOS and macOS devices. So it allows IT to remotely interact with and provision these devices, so you can push down things like configuration profiles, where you might interact with System Preferences. You can also push out policies where you're deploying software or deploying different objects to the computers. But the whole idea is to allow IT to remotely interact at scale, with hundreds of thousands of devices, so they don't have to do the old sneakernet of going around and troubleshooting each device individually.

What about mobile device management has improved security for people? Security is always evolving; how does Rocketman Tech stay on top of those security threats?

What we've noticed is the modern standard for enterprise, especially in this remote work environment, is to move towards something called zero-touch deployment with a cloud identity provider through your MDM.
So what most of these enterprise companies are doing, and I mean the market share tends to lean heavily towards Microsoft Azure AD for cloud identity. There are probably five or six other major players in there; Google has one, Ping has one, Okta is a great one for startups and smaller companies. But Azure AD seems to be the gold standard for the Fortune 500. Conversely, for Apple device management, Jamf Pro seems to be the best in class for managing macOS. So all these companies are striving towards this goal that's just barely out of reach, called zero-touch deployment. The reason it's out of reach is that they have security teams that were initially developed to manage a primarily Windows environment. But what we've seen over the last couple of decades, with executives, marketing teams, design teams, and then different developers, is you start to have an influx of macOS computers in the enterprise space, and you still need to have those computers be in compliance and be secure when they're connecting to the local area network or VPN, or just using sensitive information. But what we've seen is, as we onboard those first few hundred computers that are Macs and not Windows PCs, it creates kind of a wild west environment. So the security team that was used to managing the Windows environment is trying to extrapolate or apply those Windows requirements to the Apple devices or macOS computers. We find that in some cases that isn't quite appropriate, and it can cause some snags in that goal of getting to zero-touch.

What's an example of something that gets in the way of that, which would be a Windows thing that doesn't apply to the world of Mac?

I think that's a good segue into what the differences are between macOS and Windows when you talk about security, because a lot of antivirus and malware and firewall stuff has been created for the Windows environment.
Whereas macOS has a number of built-in security features that are unique to it, built-in meaning they don't need third-party software to operate effectively. So for firewalls, Windows will use McAfee; you'll use the web proxy and the agent. But macOS has a built-in network firewall. On the Windows side, you might use something like Kaspersky to scan applications you download from the internet. macOS has something called Gatekeeper that checks for a developer certificate and now checks for a notarization from Apple too. You might have malware removal and protection. So something like Symantec for Windows; Apple has XProtect that's already built into the framework, and that will detect downloaded files and scan them for malware as they come in. BitDefender is a market leader on the Windows side too for interacting with the management framework of Windows. Apple has System Integrity Protection so that third-party software can't really modify or overwrite any system files. That's where we saw kernel extensions with High Sierra 10.13 and system extensions now with Catalina.

What are you seeing as the future of information security?

That's a great question that can go in a number of directions. At least for the Apple side, I see that Apple devices will continue to gain market share and prevalence in enterprise environments because generally, our workforce is growing for the millennial cohort and that cohort tends to lean more heavily to wanting to use a Mac versus a PC. That's basically what we've done for a lot of these enterprise companies: we've created that proof of concept for the first 50 to 200, or 300 Macs to say, "Hey, these can work in your environment, and they can work securely, and they're going to improve productivity in the long run, because you're going to have fewer helpdesk tickets, and your users are going to be more satisfied."
So number one, I see that trend continuing: Apple is going to continue to gain market share in the enterprise space, because they've probably tapped out the consumer in terms of what they can sell to them. I'm sure they've got a few more tricks up their sleeve, but I think this is really the next frontier for them. That's also what we see in the MDM landscape, because Jamf Pro seized that monopolistic market share at first. But now we see these other companies like Addigy and Kandji starting to get funding and create MDMs that are similar, if not better than Jamf Pro, and start to chip away at that market share. So those are a couple of trends I see continuing. More globally, this might be a hot take, based on what we've seen with the congressional hearings and big tech, but I can see AWS and Azure potentially being split off from Amazon and Microsoft respectively, being separate companies. The same with telecom and Internet. Those companies have been trying to merge for years because they want to gain those efficiencies. I think it's very possible that telecom, Internet, 5G and cloud hosting, all that storage, becomes something more closely resembling a public utility, because it might just be in the public's best interest to allow those to operate as monopolies. But they would have to more closely resemble a public utility then.

Do you have any other side projects or fun activities besides Rocketman Tech you would like to share?

I've always been kind of enamored with creating something that can work without you. For the most part, I've done that with my role at Rocketman by handing over the business development and sales to someone else, recruiting and onboarding another engineer to help with the project management and the execution of projects. So for about the last 10 months, I've been kind of acting as a scrum master on a startup that has been making a mobile app for the music industry.
It's an app that functions similarly to Google Calendar, but it allows users to be on the same calendar domain so different users can see each other's availability, and then create events and schedule with each other. I'm a musician on the side too; I play saxophone and keys. So I wanted to create something that would make our lives a lot easier for networking. So I've been acting as a scrum master, where I kind of lead the designer and developer and product owner to get the app stable, free of bugs, develop new features, and consider the user design and the feedback there. Now we're looking at releasing it on the App Store and Google Play, probably in quarter 2 of 2021, right around when the weather starts turning again and we see music happening outside again in the Midwest.
Know your data with Jason Claycomb
11/16/2020
Host: Jeremy Cherny interviews Jason Claycomb, Founder of INARMA

“INARMA is a professional services firm. The short tagline is ‘We assess controls.’ So I really like how you think of security as a process and not a product - that’s exactly what we do. We help people with the process around security. Yes, there are products involved, but those are types of solutions and we help people pick the right solutions.”

Why is security so important to you and your clients?

We've all got sensitive data. There isn’t any business that does not have sensitive data in it or where the data isn't critical to the running of the business. So we want to protect that data because, at a minimum, we've got to protect our reputation. But in some regulated industries, you have to protect data even more because of the various laws and regulations. At a minimum, hackers are going to go after credit cards, bank account numbers, social security numbers, and we've all got that kind of stuff in our companies.

How do you stay on top of the latest security threats and the things your clients need to know about?

I live in this space, right? I’m talking to vendors, I’m talking to clients about what problems they’re having. I get emails from vendors and “security alert” types of services. All of the ones I use are free, too. So from there I can pick and choose what is relevant information that I need to know or my clients need to know, based on what kind of clients they are. Also, podcasts like this one are super helpful as well.

How do you talk to clients about the importance of security awareness, and how do you go about that training?

A lot of companies have this sort of attitude of, “It can't happen here.” The problem is, it can. Everybody is a target, though some companies are bigger targets. But for example, any one of the listeners right now, their website and their external email servers are being scanned for vulnerabilities as we speak.
And so if we're not up to date, hackers are going to see the vulnerability and try and get in. Also, all of this is automated, so when we look overall at the big data breaches and the big dollar losses, that's in the big companies. However, it’s something like 60% of losses, due to any kind of cyber breach or cybersecurity computer breach, that are out of small businesses. So we have to be diligent too.

What are some security tips you can give our listeners?

Whether it’s the personal side or the business side, be careful about what you post out there. People can get passwords or password reset answers from a lot of the things you’re putting online. For business, you should be thinking about how important your data is. What type is it? How critical is it? What types of protections do you have around it? Enabling multi-factor authentication is a big one. Not just relying on an ID and a password.
E-commerce website security with Lori McDonald
11/02/2020
Host: Jeremy Cherny interviews Lori McDonald, President and CEO of Brilliance Business Solutions

“I started my career at NASA Johnson Space Center as a flight controller for the space shuttle program, where I met my husband. He went on to work for Rockwell Automation and got a promotion that brought us to Milwaukee. I was trying to figure out what was as cool as space and decided the internet looked like a cool place to be. So in 1998 I started Brilliance Business Solutions, a web development company with a niche in helping manufacturers and distributors implement digital commerce solutions. Just this year we made the Inc. 5000 list.”

Why is security so important and how does that show up in your business?

We help companies to sell products online. So the solutions we build have to be secure. For customers to choose to work with us, they have to have confidence that we're helping them to build secure solutions. We have to give good advice to customers about how they go about the process of doing that, and by providing secure digital solutions, our clients give their end customers the confidence to do business with them online. So for us, it's really just a necessity in the work we do.

How do you guys stay on top of all the latest security threats?

It is something that you constantly have to work to stay on top of. So in terms of e-commerce security, one aspect is something called PCI compliance, for the payment card industry. They have a set of standards that you have to meet in order to be able to accept credit cards. It has a series of steps that you have to take in terms of scanning sites, ensuring that your sites are meeting and passing those scans. Those processes end up being very educational. The reality is the threats are constantly changing, and you have to stay on top of aligning yourselves with other vendors in the market: software platforms that are actively working to keep their platforms secure and minimize the vulnerabilities that may exist.
So, training on what those platforms are doing. We are also clients of Gartner research. So we attend events that talk about best practices with respect to what's happening in digital commerce and security.

What is something people can do to protect their websites from being attacked?

One of the things that you want to ensure that you're doing is to stay on the latest version of whatever software you're running and to ensure you're applying any patches that may be available from a security perspective. A lot of companies we work with don't always stay on the latest version; it might not be feasible. But be aware of how long it's been since your last upgrade and what vulnerabilities exist in the application, and keep a really close eye on that - it will depend on what platform you're on - but that's one of the most likely ways that people get hacked. Just ensuring that attention is being paid is a huge thing. When you allow your platform to be out of date, especially if it's no longer supported, that's where you can really get into trouble.

What do you see as the future of information security, especially for e-commerce websites?

Personal data privacy is growing in importance. I've been talking a lot about credit card data, but personal data is extremely important. We work with a fair amount of customers who are doing business globally. GDPR is something that comes up, which stands for General Data Protection Regulation. It's a European standard that is required to be met for EU citizens - and we can have EU citizens in the US as well - and it maintains rules around how we need to enable people to ask for what data we have on file for them, to allow people to remove their data, and to give them choices about how their data is being used. California has its own guidelines around data privacy as well. And I think we're going to be seeing more rules, requirements and regulations around data privacy, especially as we all gain awareness of how our data is being used.
Train your users with Gjeret Stein
10/19/2020
Host: Jeremy Cherny interviews Gjeret Stein, Owner of Ultra Scary LLC.

“I started in the IT world in 1994. I started learning computers and an operating system called OpenVMS. So anybody who knows about VMS is usually old and has gray hair. In the 2000s, I became an IT administrator for a couple of different companies in the Milwaukee area. Then, in 2007, I decided to strike out on my own. So currently, I run an IT services company (Ultra Scary LLC) for small and medium businesses. We focus on security because that's sorely lacking in the small-to-medium business space.”

What got you interested in security?

It's always been something that we dabbled with; we just never saw a reason to sell it. Mostly because I'm not that smart in that world. But one of our clients used to forward their emails from their on-premises mail server to their AOL account because they did not like the on-premises 2003 mail server. However, their AOL account got breached and they didn't know about it. So the sales manager that was doing this was going on vacation, and suddenly, the CFO got an email from him, stating that a vendor didn’t get paid and was going to pull all of their products until one of their old bills was paid in full, to the tune of $34,000. And the CFO was freaking out. He was sure that the bill was paid. But he didn’t want to piss off this huge vendor and was about to hit send on the wire transfer when the sales manager, the one who was hacked, walked in the door saying, “Hey, I'm on the way to the airport, I just want to stop by and say hi before I hop on the airplane.” And that's when we discovered that that was not a real email. That was an attack vector we never thought about, and so we started to take another look at not only our processes but the processes of our clients.

How do you stay on top of the latest security threats?

Constant training, constant training, and constant reassurance that if they slip up, it's not that big of a deal.
Everybody makes mistakes. One of the worst things I have seen is when there's a phishing attack or a phishing exercise, and somebody clicks on the wrong link. And then IT comes in and starts berating the user who did click on the link - who made the mistake. All that does is reinforce to that user that they're going to hide when they do something wrong. Whereas if you go, "Yes, it's okay that you made a mistake, let's go find out what the damage is, let's go fix it," then when they do something that they weren't supposed to do again, they're more upfront. They're there knowing that, yeah, it's okay, I'm not gonna get fired because I clicked on this.

What are some ways that people can protect themselves online?

Different passwords for all of the different sites that they use. We actually recommend going old-school and using a binder to write down what the different passwords are. So if somebody has physical access to your computer - unless you're in high security or the HIPAA space - you'll walk into a receptionist's desk, and if you need to know the receptionist's passwords, if it's not on the sticky on the screen, it's underneath the keyboard or underneath the mousepad. Right. So we just take it one step farther and have a notepad that is in a locked drawer that has a list of their passwords. And they make sure that each one is different. And each one is a bit more memorable.
Securing a law firm with James Oryszczyn
10/05/2020
Host: Jeremy Cherny interviews James Oryszczyn, Director of Security & Network Services at an Am Law 200 Law Firm

“I support network applications, video conferencing, and bundling security. We have a lot of sensitive client data. So we get a lot of client audits making sure that we’re complying with all security programs - and also making sure that we keep hackers out.”

Why is security so important for an Am Law 200 Law Firm?

Some of the larger clients have very sensitive data, and if that data gets breached, it's going to cost them quite a bit of money. So why it’s important is reputation, number one. Number two is losing clients. You don't want to be on the front page of the news. Number three, your clients trust you with the data. So you have to make sure you're protected and doing the right things because you're agreeing to certain stipulations in what they call outside counsel guidelines. Outside counsel guidelines are actually the arrangement that most clients have with law firms that explains billing, explains how you're going to do the work, and finally, they have a lot of security requirements in those outside counsel guidelines. So what'll happen is a lot of the clients will come in and they'll audit us to confirm we're doing what we said we're going to do in those outside counsel guidelines.

How do you stay on top of the latest security threats?

There are a number of things. I listen to a lot of podcasts and read a ton of different blogs. We also have a managed security provider that sends us information when there are critical security alerts that we need to be aware of.

How do you handle awareness training for your clients and for your team?

We have a product called KnowBe4, through which we do yearly security awareness training. A lot of it's for compliance purposes, along with having good security awareness training programs. We have a fairly robust HIPAA practice or healthcare practice.
So the healthcare attorneys, on a monthly basis, send out tips on how to be secure. Because of HIPAA, they are very secure environments. So a lot of the users get tips from them too.

Have you ever had to really sit down with someone who keeps clicking on things they’re not supposed to?

Generally, no. We have an IT security mailing list that people send stuff to. So most of the attorneys are very scared to click on something they shouldn't. They're very judicious about actually sending it over to be reviewed, which I appreciate. Every so often, you'll have somebody click something they shouldn't, but it's getting rarer and rarer.

What’s your home network like?

If you’re familiar with Palo Alto Networks, I have a Palo Alto firewall with a bunch of threat protection on it. I’m running a VMware system with about 10 VMs. One of those VMs is a product called T-Pot, which is a free honeypot where I can actually see people trying to attack my network. I have some layer 3 switches and some pretty advanced wireless stuff. For my wireless network, I split it into two - I have what I call my Internet of Things. So that is my fire alarms, thermostats, things of that nature. Then I have just my regular network.
Cyber insurance with Arlene Petersen
09/21/2020
Host: Jeremy Cherny interviews Arlene Petersen, Owner and President of T.E. Brennan Company

“We are an insurance and risk management consulting firm, not an agent or broker. We don't sell insurance. We provide advice on how to handle risk to our clients. That is oftentimes an insurance product, but not always; there are a lot of ways to handle risk. So that's what we talk with our clients about, without actually selling them a product.”

You’re not our typical guest of an IT geek, but you definitely deal with risk. So why is security important?

It's not only important for us to safeguard our own data, but it's important to our clients as well that their data be properly protected. Without proper security, it increases our clients’ risk, and cyber insurance can become pretty costly or might not even be available if our clients don't adequately secure their data.

How do you stay on top of the latest security threats?

We read everything we can on the topic, and we subscribe to a lot of publications and blogs. Seminars are great - those are often very timely with the latest threats that are out there. Most of those, of course, are virtual today. We try and stay ahead of the changes, but as you know, it's a challenge.

How quickly is cybersecurity insurance changing?

It depends on the insurance company; some companies are more flexible, more able to respond, and quicker than others. With some of the larger companies, sometimes it takes a while. And there are governmental constraints on the use of policy forms, so that sometimes adds time. We don't always get the response we want from insurance carriers as quickly as we'd like.

How do you address security awareness training for your clients?

It's kind of interesting that no two insurance policies with different insurance carriers are exactly alike. So one of the steps, of course, in the insurance process is to complete the application.
What we find is that once the client works through the questions on the application with their IT department - and some of these applications can be pretty lengthy - we help them evaluate their answers and how those answers will impact the coverage and maybe the price. In more than one case, we've advised clients to actually bring in an expert like you guys to work with the clients, improve the security and then reapply for the insurance. Because one of the things we don't want for our clients is for them to have a record of being declined for cyber insurance, or any other kind of insurance for that matter. That red flag can stay on the record for a number of years. Then once they have the improvements in place, we have them complete the application again, which oftentimes results in a more positive response to those questions on the application. Then we have them obtain cyber insurance that meets their needs. From there, it can often be at an affordable price and an affordable deductible. Pricing has gone down significantly over the 15 to 20 years that cyber insurance has been around.
IT during COVID with Paul Riedl
09/07/2020
Host: Jeremy Cherny interviews Paul Riedl, CEO of River Run

“River Run is an IT firm in Wisconsin; we focus on working with small- to mid-sized businesses. My role in the organization is to help. As CEO, I get to be the chief cook and the dishwasher. I get to help with the vision and the direction of the company - and that’s one of the biggest topics that we talk about on a regular basis. I’ve got a team of wonderful and smart people that do the hard work to make things happen and keep our clients secure.”

Why is security so important?

The answer really comes down to just being able to protect people. As we look at the things we do - we’re protecting them physically and also mentally, because any security incident is so mentally draining, and in a lot of cases, it can be very traumatic for people. A lot of what we’re protecting is people’s data and making sure their financial well-being is intact. The ripple effect of any type of data or security breach can be devastating for the people involved - and not just the company. It can hurt the company’s clients, their clients and clients after that. The other point to this is that so many people are working from home because of this pandemic. This is new territory. The use of Zoom, the use of Teams, the use of remote access to things has increased drastically, and because of that, there's so much more vulnerability. And so again, we really have to make sure that we're staying on top of security.

How do you stay on top of the latest security threats?

It’s quite time-consuming and quite exciting! What we do is we subscribe to any of the main providers of IT in the marketplace and constantly scan their information - making sure that we’re receiving any types of alerts about IT and security. Because of this, we can react very quickly when new things come up. The other thing is that we have engineers whose job is to stay on top of that stuff.
We also go to leadership groups in the IT world to make sure we stay on top of the latest information from all different sources.

How do you handle awareness training for your clients and for your team?

There are automated things like a phishing awareness testing tool, and those will send out tests to see how well people do and then include some videos to help them learn how to be more secure. And then there are the face-to-face interactions and training. We do that for a couple of reasons. First, we like being able to sit down with people and talk to them. People aren’t as afraid to ask questions in that situation. The objective is just to create some more awareness, because awareness is critical.

Being a business owner and dealing with COVID, how do you know how to make the right decisions?

I'm fortunate in that I have a wonderful network of professionals. I've got mentors that aren't afraid to hold up a few mirrors to me and make sure that I'm seeing things as clearly as I should. And so I learn a lot by talking with experts and spending time with the experts in different areas. Another thing is just absorbing and asking questions and then making the connections that I need to make. The other thing that's wonderful is the people that work with me at River Run. They're top-notch and they stay focused and they're able to accomplish a lot of things and break everything down into very manageable solutions that are easy to understand. I also spend a bit of time on the wonderful web here, just hitting different groups to find more information about specific topics, especially how things are changing with COVID. What are we doing to keep our people safe, keep our clients safe and continue to be able to do business? So luckily, as I said, I've got some great mentors and great people in my network circle, and it's just through a lot of conversations and a bit of research that really does help move things forward there.
MacOS security with Brian Lamantia
08/24/2020
Host: Jeremy Cherny interviews Brian Lamantia, macOS Administrator

“I've been doing this for a few years now, just completely involved in that. And I use that to drive security down to our macOS users in our environment. We're fully integrated with an MDM. We use Jamf, which is one of the premier MDM providers out there. So I've been using them for the whole duration, for about three years now, since we set up the infrastructure and started enrolling our first Macs.”

What was it like enrolling your first Macs?

It was very interesting to start out with, because macOS is coming into its own for security with all of the different security features that they've been adding. For example, System Integrity Protection and the T2 chip, which is a chip they’re putting on top of the system boards and is a secure enclave for the boot process. So lots of new security features, lots of challenges for an admin like me to integrate those security features into the deployment. In the beginning, we weren't fully into automated enrollment yet, so it was: get a Mac, get the endpoints on it, get the user set up and then mail it out to them. We didn't have to image, but we had to do a lot of setup. Then gradually, as things were starting to come around, and when we got enrolled into Apple Business Manager and we became an Apple DEP customer, we were able to then automate enrollment, which was really just an eye-opener - functionally and security-wise - for our C-level folks at our company.

What about that was the eye-opener?

The fact that we could do direct shipping from vendor to employee, and then have them just enroll. Then, all the security endpoints come down - zero imaging and zero-touch. That was huge.

Why is security important in this process, and why is it important to your job as a sysadmin?

It's important for us because we have auditors that come in to audit our systems. They find that we have to have a certain security stack in place.
So those requirements are handed over to our security teams, and they have to work with me closely in order to get those security features in place, which is the primary reason why we have an MDM - to be able to enroll, but also to provide all those things and to provide all the security features to ensure that they’re locked down and safe.

So if you work closely with the security team, what is that relationship like in terms of staying on top of threats? Are they doing research and then handing down policies?

We started out doing our own homegrown policies to try to match the Windows world a little bit, to get everybody familiar. We're just now going to be updating that to basically go off the CIS benchmark. I've now been handed that whole guide. So now we’re picking through that one by one to firm up our security and our policy, and then once that policy is set in place, it's my job to make sure that every box is checked off on my side and enforced, and that we can prove that.

What do you see as the future of security?

Related to macOS, there are lots of changes. A lot of the security features that we use on the macOS side at our company have come because we already have a relationship with that security vendor on the Windows side. But we're learning that macOS is not the same as Windows; it's a completely different OS. So some of the conversations I am now having with the security folks are about maybe changing over to some of these newer products that are on the market that are now agentless and also serverless. They actually have a product out there that is agentless and serverless that we could be using that would greatly improve our performance on macOS. It seems like security is ever-evolving, right? I mean, the old days of binary agents, I think that's going to start going away in favor of more MDM- and script-based solutions, even on the Windows side.
/episode/index/show/securityfirst/id/15707030
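The guest's last point, that once the benchmark policy is set it is the admin's job to enforce every item and prove it, is what Mac admins usually script as MDM extension attributes. The block below is an added example of that shape, not code from the guest or from any MDM vendor: each check parses the text a macOS command prints and reports compliant or not. The command output is passed in as a parameter so the parsing logic runs (and can be tested) on any platform; the page quotes no CIS item numbers, so the checks are named by the setting they verify, and the sample output is constructed.

```python
"""Compliance checks of the kind a Mac admin scripts as MDM extension
attributes to prove benchmark items are enforced (added example; not
the guest's or any MDM vendor's code).  Each check parses the text a
macOS command prints; the text is passed in as a parameter so the parsing
logic runs, and can be tested, on any platform.  The page does not quote
CIS item numbers, so the checks are named by what they verify."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Check:
    name: str
    command: list[str]                 # what would be run on the Mac
    compliant: Callable[[str], bool]   # True when the output shows the setting enforced


def sip_enabled(out: str) -> bool:
    # `csrutil status` prints "System Integrity Protection status: enabled."
    m = re.search(r"System Integrity Protection status:\s*(\w+)", out)
    return bool(m) and m.group(1).lower() == "enabled"


def filevault_on(out: str) -> bool:
    # `fdesetup status` prints "FileVault is On." or "FileVault is Off."
    return re.search(r"^FileVault is On\.", out, re.MULTILINE) is not None


def firewall_on(out: str) -> bool:
    # `socketfilterfw --getglobalstate` prints e.g. "Firewall is enabled. (State = 1)"
    m = re.search(r"\(State = (\d)\)", out)
    return bool(m) and m.group(1) != "0"


def gatekeeper_on(out: str) -> bool:
    # `spctl --status` prints "assessments enabled" or "assessments disabled"
    return "assessments enabled" in out


CHECKS = [
    Check("System Integrity Protection", ["csrutil", "status"], sip_enabled),
    Check("FileVault", ["fdesetup", "status"], filevault_on),
    Check("Application Firewall",
          ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
          firewall_on),
    Check("Gatekeeper", ["spctl", "--status"], gatekeeper_on),
]


def evaluate(outputs: dict[str, str]) -> dict[str, bool]:
    """Map each check name to True/False given the raw output of its command.
    Missing or unparseable output is reported as non-compliant, never as a pass."""
    return {c.name: c.compliant(outputs.get(c.name, "")) for c in CHECKS}


def run_live() -> dict[str, bool]:
    """Run the real commands (macOS only) and evaluate them."""
    outputs: dict[str, str] = {}
    for c in CHECKS:
        try:
            r = subprocess.run(c.command, capture_output=True, text=True, timeout=10)
            outputs[c.name] = r.stdout + r.stderr
        except (OSError, subprocess.TimeoutExpired):
            outputs[c.name] = ""
    return evaluate(outputs)


# Constructed sample output, as a partly hardened Mac would print it.
SAMPLE = {
    "System Integrity Protection": "System Integrity Protection status: enabled.\n",
    "FileVault": "FileVault is Off.\n",
    "Application Firewall": "Firewall is enabled. (State = 1)\n",
    "Gatekeeper": "assessments enabled\n",
}

if __name__ == "__main__":
    for name, ok in evaluate(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The design point is that an unreadable or missing result counts as a failure rather than a pass; an extension attribute that silently reports "compliant" when a command errors out is exactly the kind of gap an auditor will find.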
The importance of a backup with Roger Heindl
08/10/2020
The importance of a backup with Roger Heindl
Host: Jeremy Cherny interviews Roger Heindl, Owner of Tech Lab, Inc.

“We're an IT support company. We provide home and business support for companies in Southeast Wisconsin. I've been working in IT for almost 20 years. We have four tech people that also work with me at Tech Lab, and I've been interested in computers probably since I was a teenager. Our first computer was actually an Amiga, which we later upgraded to a Mac. And then I ended up buying a PC to go to college. So I've been interested in tech for a very long time.”

Why is security important to you?

There are a lot of companies and even home users that are getting scareware and ransomware, and that really costs people a lot of money. The hacker is just trying to get money out of the person, or if it's real ransomware that actually locks down important data, say healthcare or a law firm, it can prevent people from doing the work that they need. It creates a lot of anxiety among customers, so for me it's really about helping people navigate through the world of tech and keeping them safe.

How do you stay on top of the latest security threats?

I follow a bunch of tech news sites and also encourage my staff to follow them as well, because those are good sources of information on what's currently happening. We also attend DEF CON in Las Vegas every year. DEF CON is an annual security conference that tech people, government officials and, potentially, hackers all attend to increase their security awareness. I believe a lot of that is happening online this year, with all their training and presentations.

How do you address security awareness training for your team?

Security awareness training is something that we've been pushing more and more over the past couple of years. A big one that we do is help people learn about social engineering, because there are so many phone scams. We also do online training and classes through our partner organizations to provide our customers with the ability to do things on their own time. As a team, we also meet and do a weekly review of everything that's going on, where we also sneak in a lot of talk about the latest security issues that come up with different customers. We really make it a point to stay on top of it as best we can.

What are the most important things people can do to protect their data online?

For us, the number one thing is to be aware of what you're clicking on. We work with a lot of people that work in stressful environments, so they click without fully reading or understanding what they're clicking on, and that is the number one way we find people getting in trouble. When someone clicks on something, it often spirals them into a stream of very bad things.

Where do you think the future of information security is headed?

We've been starting to see third-party reviews of trusted authorities. You can't just go out and pick the first tech solution provider that comes up because, for all you know, it could be a scam from India. So it's becoming more important to show value to customers that you have other people reviewing.
/episode/index/show/securityfirst/id/15503807
Staying mindful with Sandra Estok
07/27/2020
Staying mindful with Sandra Estok
Host: Jeremy Cherny interviews Sandra Estok, Founder and CEO of Way2Protect

“I'm an expert in the fields of cybersecurity, IT, and data privacy. Through my stories, experience and expertise, I help people feel empowered in navigating the cyberworld. I help people find ways to protect what matters against hackers, scammers and cyber monsters, even if people feel they are too busy or do not understand the why, what or how of technology.”

How do you stay on top of the latest security threats?

Every day something else pops. It's either a vulnerability or a new way for us to be hacked or to be breached. And so how I stay on top is I read a lot. I research a lot. I could read all the news, and I can read everything that's going on, but I'm always trying to find a way to take what's going on and make it a message that is different, and have it shifted in a way that gets through to my audience. And that's what I focus on the most: how to take what's happening in the world and articulate that in a way that is more simple, so people can understand it.

How do you handle awareness training for people about what the current security threats are, and about the specific security threats that might impact them?

Let's take an example with phishing, which is very common. We all need email, and so it's an area where we're exposed, whether you're in security, just a regular business, or a mom or dad, or kids; everyone gets emails that are trying to either impersonate, steal or do something. So one way that I teach phishing prevention is when we change our mindset to cybersecurity. The first thing that I teach is just brief, just stop. Knowing that you have control over your cyber life, knowing that you can decide whether to click or not, is so powerful. And when we start seeing it that way, we start changing. So now we are not so unconscious as to just click or browse and get malware on our computers because we're not even realizing that we're clicking on a malicious link.

What are the most important things that people can do to protect their online information?

I have three steps. The first is mindfulness. What I mean by that is when you get an email, when you get a phone call, just briefly pause. And once you do that, make whatever decision or go in whatever direction you want to go. I think number two is taking care of the basics. And by that I mean we have a lot of different tools, devices, technology, and if we don't take care of the basics of updating and keep doing the housekeeping of things, it's gonna break. It's like if you never clean your carpet, your house. My third recommendation is that I'm a believer in intentions, decorations and keeping a positive attitude in life. I'm super grateful for everything that has happened to me. So what I do is I use a password manager. I have one long phrase as my password. And that phrase has meaning to me, because every time I type that phrase, I'm reminding myself of something that I want to achieve or something nice that's in my day. So it makes me happy, and at the same time it's a very long phrase that protects my passwords.

What's your favorite tech gadget?

I will say wearables. I love to see my data and what it is. My new gadget is about wellness. It's a ring that measures how I sleep, and I love it because it changed the way I do things every day. It helps me to keep myself on track. A lot of people are paranoid about having health data, but this is locked down enough where it's safe and I can have data that helps me.
/episode/index/show/securityfirst/id/15344699
Getting educated with Pat Riley
07/13/2020
Getting educated with Pat Riley
Host: Jeremy Cherny interviews Pat Riley, President and CEO of New Horizons of Wisconsin

“We've grown to be Wisconsin's largest provider of technology training and skill improvement. We work with clients on everything from end-user training in Microsoft Word all the way to cloud computing and cybersecurity, IoT, blockchain and AI, and everything in between. We also work with people who are looking to convert their career paths and want to get into computer learning.”

Have you seen an increase in people wanting a career shift with everything that COVID has brought?

There are two things that I think are really driving that. The first is our ability to bring live instruction into people's homes; everything we do is live. We deliver our training either in person, which we're doing very little of these days, or through what we call Online Live. This way people can interact via video; they can raise their hand, ask questions and get face-to-face interaction with an instructor. It's an incredible experience and a huge differentiator for us. The second part is just the growth of technology. The two hottest areas to be in right now are healthcare and technology. So we've got the ability to deliver into people's homes a live experience, and we've got the growth of the industry as well.

Why and how is security important for your business?

We have a lot of people come to our facilities to take certification exams. Those are very important and can be worth $20,000 in compensation based on a person's level within certain companies. In addition to that, these certifications are generally very difficult, so we have to have certain things in place to make sure no one is cheating or anything along those lines. We also have a lot of data on our students and the companies that we work with, so security is extremely important there as well. We work with a hybrid cloud solution to ensure that everything anyone shares with us is and stays secure.

How do you address security awareness training for your team?

I think the biggest thing is the relationships that we have with the vendors that are delivering the actual component of security, so we have relationships with everybody. We're a Microsoft Gold partner, VMware partner, Cisco partner, Google, AWS, Red Hat partner; the list goes on and on. So we're actually getting information first-hand directly from these companies and, a lot of the time, have access to information even before products are on the marketplace. The second part is that we are very aware of the marketplace itself, specifically what's important to particular customers. We are really client-centered and offer our clients what will best fit their needs.

Since you're seeing these things ahead of time, is there anything you can tell us about the future of information security?

I think one of the trends we're seeing is a movement of cybersecurity from being a hardware solution to being a software solution. A lot of companies are moving away from cybersecurity as a hardware solution to making it into a software solution. The other thing that we're seeing a lot of is the creation of incident response teams. Cybersecurity touches every part of the business, so these teams are made up of all kinds of people, lawyers, communications departments, and they're building these teams to be ready in case there's an incident.

What's your favorite tech movie or show?

I just got done watching Altered Carbon on Netflix. I was bored at the time and didn't have a show I was watching, so I thought, why not. It's very Blade Runner-ish. It's about a dystopian future where you can live forever by having your life force be on this little disc, and when your body runs out they can pull out the disc and upload it to what they call a sleeve, which is just a human body. It's a pretty interesting show: people living forever and accumulating a lot of wealth, and there's a murder that the main character has to solve. Once I started watching I got hooked, and I thought it was really good.
/episode/index/show/securityfirst/id/15193214
Protection at the pump with Chris King
06/29/2020
Protection at the pump with Chris King
Host: Jeremy Cherny interviews Chris King, Network Analyst for a large petrochemicals corporation

“I provide second-level network support for a large company in the petroleum world. What that entails, for our retail locations around the country, is that I can do anything from placing communications orders to writing and verifying firewall rules for new technologies that we have rolling out at the site, to tracing network traffic. We support about 6,400 locations, so we have a standard template that goes out for our retail locations, and which template gets applied is solely based on what type of technology exists at the site.”

Why is security important to you?

The industry that I work in is all about protecting customer data. You want to make sure that when your customers go out to a site and swipe their card, they have comfort and the peace of mind to know that, out of all the threats that are out there, we're staying vigilant and their customer data is not going to be stolen and used by someone else. On top of that there are legal ramifications. The government has established payment card industry standards, which require us to go through and vet our networks on a quarterly basis and have an independent auditor come review those findings to make sure that we don't have any material breaches in our network security.

How do you stay on top of the latest security threats?

So obviously the government requires us to do our scans quarterly, but we do ours monthly, just to make sure that everything is the way that it should be. Also, there's nothing quite like physical security. If you walk up to a pump and you see that there is some security tape that has been breached, or you see something that says “void” or “alert”, absolutely do not use that pump. Technology is sophisticated these days. We used to have skimmers on top of where you swipe your card; now they put devices inside with Bluetooth transmitters. So they may be sitting in the parking lot, watching your card data come into whatever capture tool they're using in real time and capturing your PIN.

What are the most important things people can do to protect their data online?

First, random passwords for every account. It's a pain, but it's the biggest way that you can protect your information. Secondly, use a VPN when you're out in public. Essentially what you're doing is encrypting your data before it gets to the internet, and individuals can't sit in between and see what it is that you're sending back and forth. The last thing that doesn't get talked about enough is just having awareness. There are tons of attacks like phishing and fake websites, and just having the awareness to know about those is super beneficial.

Tell us about a time where you've gotten attacked.

Oh, absolutely. My fiancée recently had somebody trying to commit identity theft; they were logging into her websites and trying to figure out her passwords. The good thing is that she had me on her side. I took one of her emails where the IP address of the attacker was logged and used a couple of tools to find the location of the attacker. From there I was able to get property records, names of the occupants, social media accounts, emails, phone numbers and even voting records. From there I let them know that I was going to alert the authorities and that they should stop what they were doing.

What's your favorite tech movie?

That's a hard question; there are so many great ones out there and they all rank really high for me. I'm actually going to change it a little bit and say a series: Black Mirror on Netflix. That series is absolutely amazing. It takes the idea of how technology influences everyday life. It gives a Twilight Zone kind of twist and shows how everything can go ridiculously wrong just from relying on technology.
/episode/index/show/securityfirst/id/15009167
Security in investing with Sean Tepper
06/15/2020
Security in investing with Sean Tepper
Host: Jeremy Cherny interviews Sean Tepper, Founder and CEO of TYKR

“I've been in the software engineering space for about 15 years. I started a business in 2006 where I was focused on building custom software and websites for small and mid-sized businesses. Then in 2010 I went through a merger and kind of branched away and started doing more contracting with bigger businesses. In the meantime, I've been involved in the tech investing space, doing some angel investing and then doing a lot of investing within the public sector, which really leads to TYKR. TYKR is a tool that really helps investors find stocks and make a lot of money in the stock market.”

Why is security important to you?

From a cybersecurity standpoint, when building custom software, it can be overlooked, especially in the beginning. If you get into the build of the software and don't have your foundation built around security, you can run into a lot of rework. And of course, if you don't build it correctly, you can run into a lot of nightmares, like clients calling you at late hours of the night telling you that their site is down. So really, you need to make sure that when you're building something custom, you have a strong cybersecurity foundation. There's also the world of investing, where cybersecurity is such a hot topic, with cybersecurity businesses being excellent investments that aren't going to go away anytime soon.

How do you stay on top of the latest security threats?

Since investing is really my career right now, I pay attention to the hot businesses in the cybersecurity space. After I figure out if they're a wise investment or a poor investment, I get to take a deep dive into what the business is all about. So I really learn about the newest trends through looking at a business's products and services. If these businesses are releasing new products and features that they are doing well with, then that's an indicator to me that that's where the trend is going.

What are some ways you address security awareness for the users of TYKR?

With TYKR, fortunately, it's software where we don't collect any sensitive information. We mostly just collect first and last name and then email, which is generally pretty public information. We do keep everything in a highly secure database. There's a firewall that blocks people from getting in, and you have to have two-factor authentication, even if you're an admin like me. I have built software where you're dealing with highly secure information like social security numbers, and that's when you get into data encryption. If we have something that uses credit card information, we also use tokenization. So let's say you have a 16-digit credit card number; we then transform that into a token, and then that token changes every month. It's a cool process, but it's really hard to do.

What do you see as the future of information security and how it might apply to you?

Yeah, here's a different answer for you: estate closures. I've been the executor for several people, and it's one of those things where it's really hard to close an estate when a family member passes, because you have to look up everything: passwords for this site and that site, bank information. It's a huge process, like six to nine months, to collect everything. I think there's going to be a solution out there where somebody engineers software where it's an estate, everything in a centralized location, one password to get to it. You've got a will connected to it with designees that log in once and they can help close the bank accounts and shut down any subscription services. Today it is a very cumbersome, laboring process. So I see cybersecurity that is highly secure but also highly efficient for the end user to work with.

What's your favorite tech movie?

Inception. It wasn't really cyber, but they want to enter the dreams of somebody who has a really big business and then change the trajectory of the business. On the surface it sounds boring, like business, but it's all about the process and the challenges of entering into somebody's dream, with tech.
/episode/index/show/securityfirst/id/14803547
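The tokenization the guest describes, a 16-digit card number replaced by a token that is later re-issued, is simple to show in miniature. The block below is an added example, not TYKR's code: an in-memory token vault that validates the card number, hands the application a random token with only the last four digits preserved, and re-issues every token on rotation. A production vault would be a separate, access-controlled service with encrypted storage; the card numbers used here are constructed test values.

```python
"""Minimal credit-card tokenization vault (added example; not TYKR's code).
The application stores only the token; the vault keeps the token -> PAN
mapping.  Tokens are random rather than derived from the card number, so a
leaked token reveals nothing on its own, and rotate() re-issues every token,
which is the periodic token change the guest describes.  The vault is an
in-memory dict here (a real one is a separate, access-controlled service)
and the card numbers used below are constructed test values."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they reach the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """The only form of the number the application may display."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def _new_token(self, pan: str, taken: dict[str, str]) -> str:
        # Last four digits are kept so receipts still work; the rest is random.
        while True:
            tok = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if tok not in taken:
                return tok

    def tokenize(self, raw: str) -> str:
        pan = re.sub(r"[\s-]", "", raw)
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan in self._token_by_pan:          # same card, same token within a period
            return self._token_by_pan[pan]
        tok = self._new_token(pan, self._pan_by_token)
        self._pan_by_token[tok] = pan
        self._token_by_pan[pan] = tok
        return tok

    def detokenize(self, token: str) -> str:
        """Only the payment path, never the web tier, should be allowed to call this."""
        return self._pan_by_token[token]

    def rotate(self) -> dict[str, str]:
        """Re-issue every token; returns old -> new so stored references can be updated."""
        new_pan_by_token: dict[str, str] = {}
        new_token_by_pan: dict[str, str] = {}
        mapping: dict[str, str] = {}
        for old, pan in self._pan_by_token.items():
            new = self._new_token(pan, new_pan_by_token)
            mapping[old] = new
            new_pan_by_token[new] = pan
            new_token_by_pan[pan] = new
        self._pan_by_token, self._token_by_pan = new_pan_by_token, new_token_by_pan
        return mapping


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111 1111 1111 1111")   # constructed test number
    print("stored by app:", t, "| shown to user:", mask(vault.detokenize(t)))
    print("after rotation:", vault.rotate()[t])
```

The point of keeping tokens random rather than hashed is that a hash of a 16-digit number is trivially brute-forced once the scheme is known; the security of the scheme rests entirely on who can reach `detokenize`.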
Make a good password with Duane Maas
06/01/2020
Make a good password with Duane Maas
Host: Jeremy Cherny interviews Duane Maas, President of MC Services

“I started doing computer consulting in '96, so I ended up doing a lot of stuff with the internet because nobody knew how to do it: learning DNS and all the networking stuff. We do a lot of Apple and a lot of Windows, especially moving into networking environments. We've also done some app development, as that's exploded with iOS and Android. But really, the Mac is becoming a more accepted device for a large company, so we work a lot on integrating Macs into corporate networks. At MC Services we range from one- to two-person companies to $12 billion private companies where we do all their Mac and Windows support. In the course of that we've worked a lot with security.”

Why is security important, and when did you get really interested in it?

I think I wrote the first eCommerce site in Wisconsin back in 1997. The first Christmas for this company, they got 10 orders a day. The next year they got about 100 orders a day and my code couldn't handle it. As the internet sprang up, learning about SSL and TLS became more important because it became a lot easier to steal from people. It's amazing to me now how people are “fat, dumb and happy” out on the internet. The important thing is to have different levels of security for different reasons. There are always different levels. It's kind of like buying insurance: how much insurance do you buy on a car?

How do you stay on top of the latest security threats?

You have to have trusted experts to talk to. There's a Mac Admins Slack channel that I probably look at every day. The other thing is Twitter. I look at people talking about threats and stuff like that. The big discussion going on now is about the vulnerabilities of Zoom. It isn't something that my wife or kids would care about, but if you're using it for corporate stuff, then you need to know about it.

How do you address security awareness training for your end users and the different stakeholders that you work with?

It seems like the biggest thing right now is corporate email phishing. It's combined with what they call spear phishing. For example, they see that you and I talked and have had communication, so they could send you an email with my name on it and you'd be apt to click it. We're doing a little webinar on what you should be aware of and how to check the email sender by rolling your mouse over it and seeing if it is what you think it is. People have been pretty open to these webinars. The other thing is just to discuss with the corporate team their strategy for blocking emails. We also do penetration tests on our clients' networks where we act as the hacker and see where their vulnerabilities are.

What are the most important things that people can do to protect their online information?

I think the biggest thing is to use a password generator. Another thing I do is tell people to take two random, common words and put a character and number in between them; it makes for a very secure password. But there are plenty of online generators or places to check the strength of your passwords. When you get into something that's further up, I think of two-factor authentication, where you enter your password and then it texts you a code to put in.

What do you see as the future of information security?

Unfortunately, I think it'll get worse as far as the attacks. One of the other things I think about is cyber currency. It's the only place where people can transfer money without being tracked. Also, with faster computers the old types of encryption become less effective. So it's definitely scary. Once you get something blocked, they just come around the other way.
/episode/index/show/securityfirst/id/14503805
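The "roll your mouse over the sender" check the guest teaches in his webinars is the same comparison a mail filter can make automatically. The block below is an added example, not MC Services' tooling: given a message's From and Reply-To headers and an address book of people the recipient actually corresponds with, it flags the spear-phishing pattern described above, a familiar display name attached to an address that contact has never used, and the related trick of a Reply-To that sends answers somewhere other than the apparent sender. The address book and the sample messages are constructed.

```python
"""The "hover over the sender" check done in code (added example; not MC
Services' tool).  Given a message's From and Reply-To headers and an address
book of people the recipient actually corresponds with, it flags the spear-
phishing pattern the guest describes: a familiar display name attached to an
address that contact has never used.  The address book and messages below
are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: lower-cased display name -> addresses seen before.
KNOWN = {
    "duane maas": {"duane@mcservices.example"},
    "jeremy cherny": {"jeremy@tobinsolutions.example"},
}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str, reply_to: str = "", known=KNOWN) -> str:
    """Return 'known', 'new-contact' or 'suspicious' for one message's headers."""
    name, addr = parseaddr(from_header)
    name, addr = " ".join(name.split()).lower(), addr.strip().lower()
    if "@" not in addr:
        return "suspicious"                      # empty or malformed address
    if name in known:                            # familiar name: address must match
        return "known" if addr in known[name] else "suspicious"
    if any(addr in addrs for addrs in known.values()):
        return "known"                           # known address under a new display name
    _, reply_addr = parseaddr(reply_to)
    if reply_addr and _domain(reply_addr) != _domain(addr):
        return "suspicious"                      # replies would go somewhere else
    return "new-contact"


def scan_message(raw: str) -> str:
    msg = message_from_string(raw)
    return classify_sender(msg.get("From", ""), msg.get("Reply-To", ""))


# Constructed messages (headers only; bodies are irrelevant to this check).
SAMPLES = {
    "legit": "From: Duane Maas <duane@mcservices.example>\nSubject: hi\n\n",
    "borrowed_name": "From: Duane Maas <dmaas.mcservices@mail.example>\nSubject: invoice\n\n",
    "reply_to_swap": "From: Accounts <ap@vendor.example>\nReply-To: ap@vendor-example.co\nSubject: wire\n\n",
    "new": "From: Pat Example <pat@somewhere.example>\nSubject: hello\n\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14} {scan_message(raw)}")
```

This only inspects what the sender chose to put in the headers; it says nothing about whether the sending server was authorized, which is what SPF, DKIM and DMARC results add on top.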
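For the password advice above, two random common words with a character and a number between them, the block below is an added example, not MC Services' generator: it implements that pattern with a cryptographic random source, implements a plain multi-word passphrase next to it, and works out the search space of each shape for a given word-list size, so the reader can see how word-list size and word count translate into guessing work. The word list is a constructed stand-in; a real generator draws from a list of thousands of words.

```python
"""Generator for the two-words-with-a-symbol-and-digit pattern the guest
recommends, alongside a plain multi-word passphrase, with the search-space
arithmetic for each so the reader can see how word-list size and word count
change the number of guesses an attacker needs (added example; not MC
Services' generator).  The word list here is a constructed stand-in; a real
generator draws from a list of thousands of words."""
import math
import re
import secrets

# Constructed stand-in; real generators use lists such as the 7,776-word Diceware list.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "gravel", "harbor",
         "iris", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pebble"]
SYMBOLS = "!@#$%^&*-_=+?"


def two_word_password(words=WORDS) -> str:
    """Two random words with a random symbol and digit between them."""
    w1, w2 = secrets.choice(words), secrets.choice(words)
    return f"{w1}{secrets.choice(SYMBOLS)}{secrets.randbelow(10)}{w2}"


def looks_like_two_word(pw: str) -> bool:
    """True if pw has the word-symbol-digit-word shape produced above."""
    return re.fullmatch(r"[a-z]+[!@#$%^&*\-_=+?][0-9][a-z]+", pw) is not None


def passphrase(n_words: int, words=WORDS, sep: str = "-") -> str:
    """n_words random words joined by sep (the usual Diceware-style phrase)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words: int, wordlist_size: int,
                 n_symbols: int = 0, n_digits: int = 0) -> float:
    """log2 of the number of equally likely outputs, i.e. bits of guessing work
    against an attacker who knows the scheme and the word list."""
    space = wordlist_size ** n_words * max(n_symbols, 1) * max(n_digits, 1)
    return math.log2(space)


def compare(wordlist_size: int = 7776) -> dict[str, float]:
    """Entropy of each shape for a given word-list size."""
    return {
        "two words + symbol + digit": entropy_bits(2, wordlist_size, len(SYMBOLS), 10),
        "four-word passphrase": entropy_bits(4, wordlist_size),
        "six-word passphrase": entropy_bits(6, wordlist_size),
    }


if __name__ == "__main__":
    print(two_word_password(), "|", passphrase(4))
    for shape, bits in compare().items():
        print(f"{bits:5.1f} bits  {shape}")
```

The arithmetic assumes the words are chosen uniformly at random from the list, which is why the code uses `secrets` rather than the user's own favourite words; words a person picks by hand are not uniform and the entropy figure no longer applies.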
Small business security with Joe Skotarzak
05/18/2020
Small business security with Joe Skotarzak
Host: Jeremy Cherny interviews Joe Skotarzak, General Manager at MotherG-Wisconsin

“At MotherG, we're focused on being a managed service provider. We really strive to help small businesses manage their technology. Security is a big part of that, so it's certainly a focus area for us.”

Why is security important?

As we're out there working with small businesses, every small business is dependent on some level of technology. For some of them it's a tool that's foundational to what they do and how they compete and how they deliver. The downside is these cybersecurity threats. They can upset and turn the whole thing over. It's important because it potentially could bring a business down. It's foundational to make sure that it's a part of every relationship and of managing every client and their network.

How do you stay on top of the latest security threats?

It's a multi-faceted approach to things. We do a lot of reading and talking. We've got partners who are specialists in this, both from the manufacturer perspective and from the delivery perspective. It's a big part of all of our jobs, and it's always growing in importance. It's a lot of reading, listening to podcasts, listening to experts. It's a lot of talking to manufacturers and staying abreast of what they're doing.

How do you address security awareness training for your end users and the different stakeholders that you work with?

Again, it's a multi-layered approach. We use a lot of tools; KnowBe4 is a good one, it's a service that really helps. They do spoof attacks to allow the business owner to have a really good, clear understanding of how susceptible they are. We look at tools and resources and try to make those a part of our culture. People need to know what the rules are to keep things safe. We also make sure that our clients know that we're their partner in this. We try to have interaction and really learn what our clients need and want.

What are the most important things that people can do to protect their online information?

The number one thing is to have an awareness and a little bit of paranoia that someone could be after you. We say that a healthy skepticism goes a long way. If something doesn't look and feel right, maybe just take a breath before you do something. There are a lot of phishing campaigns out there, and we've seen an increase in them with COVID. Two-factor authentication is another big thing, just in terms of keeping your information safe. A lot of that stuff gets exposed, unfortunately.

What do you see as the future of information security?

We see it as really an arms race between good guys and bad guys. We also see that cybersecurity is going to be a growing business. With small businesses leveraging more and more, there are going to be more attacks as well. The days are gone when all you needed was antivirus software.
/episode/index/show/securityfirst/id/14439314
The trade-off for security with Eric Clark
05/04/2020
The trade-off for security with Eric Clark
Host: Jeremy Cherny interviews Eric Clark, Client Success Associate at SWICKtech

“Client Success Associate is something I'm not entirely sure what the title entails. But I will say that our clients' success is one of our core values and something we put first, ahead of most things. Working at SWICKtech is like working with the smartest kids in class: a lot of very smart, talented, engineering-minded folks that know way more than me about the technicality of what it is we do for our clients. However, it's my job to be that middleman and speak English to our clients rather than the tech jargon.”

Why is security important?

“It's one of the most important things we can help clients protect, in addition to their data. Cyber criminals that have success in cyber attacks have been well funded, and they invest that money back into creating businesses overseas that attack our businesses here. Unfortunately, there's not much we can do about it legally, because they're not in our country.”

How do you stay on top of the latest security threats?

“It's in our DNA. It's our duty to our clients. We've been a Gartner client for some time, so we look at who the leaders are in various spaces and what they're doing to stay on top of trends. We're doing a lot of things on the cutting edge as well.”

What do you do around educating users about security and security awareness?

“Quite a bit; it's a big focus for us. We start with some baseline things like a dark web scan. Then we work with the company and mimic what an attack could look like. A phishing attack is a good example. And no one is in trouble if they click on this attack, but we use that data to say, ‘Hey, this is what's happening at your company.’”

What are the most important things that people can do to protect their online information?

“There's definitely a layered approach. But the one thing that we believe is the lowest-hanging fruit that has the biggest impact is multi-factor authentication. If a hacker tries to log into your account, you're going to get a prompt on your phone. We recommend that you put that on your Facebook, LinkedIn, banking accounts, just to add another layer of security.”

Do you run into people being resistant to that?

“Yeah, there's a convenience trade for security. You can do it with some things that can run in the background that can take some of that egregiousness out of the picture for you. We try to make it as frictionless as possible. And if you want to talk about inconvenience, let's talk about paying $50,000 for six bitcoins and losing all your data, right? That's a bigger inconvenience, so I think the trade-off is clear.”
/episode/index/show/securityfirst/id/14274899
Using your auto-attendant for security with Jesse Gnas
04/07/2020
Using your auto-attendant for security with Jesse Gnas
Host: Jeremy Cherny interviews Jesse Gnas, owner of ACS

“We are basically a business that sells cloud-based solutions for voice and data. And we are a full-service, single point of contact for all your needs. So that includes the project management through the entire process. So when our clients order new services from us, whether it be a cloud-based phone solution or data, we manage that purchase from start to finish.”

Why is security important?

“The reason we incorporate those is because they are a very essential lifeline for our businesses to maintain their business model. And in the event there are any security issues, we want to make sure, while we partner with Tobin Solutions, that we exhaust all those possibilities that could occur, because they'd otherwise be compromising the business model.”

What are you seeing from your side of things in the world of data comm and telecommunications, and the demands on you and what people have been requesting right now?

“The businesses that we currently work with, we've set them up already in an environment where they're able to take their desk phone home and use their internet at home as a remote teleworker.”

How do you stay on top of all these different security threats that are out there?

“We really encourage having an Auto Attendant, and I know most businesses love to answer the phone live; they like to take that call and differentiate themselves. However, a simple Auto Attendant would say, ‘Thank you for calling Tobin Solutions. If you'd like to speak to someone live, please press one.’ That eliminates 100% of the robocalls, because robocalls can't press one. So it really increases the productivity of the receptionist, and many receptionists that I see are “

How do you educate your customers on security around telecom, telecommunications and phone systems?

“We do risk management in our own conversations. Is there any value to having this business turned over to you, or an assessment? Because if someone's in denial that they've never had a problem, we try to encourage everyone, to educate our customers, that if you have not had a virus or any kind of attack on your business, it's only a matter of time before you will.”
/episode/index/show/securityfirst/id/13892738
Security importance when working from home with Dave Steffen
04/07/2020
Security importance when working from home with Dave Steffen
Host: Jeremy Cherny interviews Dave Steffen, a business coach with Action Coach. “And for those of you that don't know what business coaching is, it's really just my job to help business owners grow and succeed and thrive in their business and do the things that are going to help them be the best business owner they can be. So that means helping them strategize on actions to take and making sure they take those actions, talk about things that they can look out for from a marketing standpoint, a sales standpoint and an operation standpoint. So whatever the business is looking to do, my job is to really help them move through that process with as much philosophy as possible.”

Why is security important? “So there are a couple of things that come to mind for me. When somebody asks me about security relative to my business, the thing that I have to be very conscientious of is I receive a lot of confidential information, intellectual property, information from my clients. So safekeeping their information is obviously of significant importance to me.”

How do you communicate that to your clients? “The first thing that I do is, when we sit down and we talk about bringing on a client, I explain how I will keep their information confidential.”

Anything that you want to say about today's world, with COVID-19 and people working from home? “The number one thing that I am communicating to the business owners that I've chatted with, including my clients, is: seek help. There are a number of resources available out there for you to use and find to help you work through this. This is not something you have to try to do on your own. You're certainly not alone in this environment.”

What are some things you did in your prior role in IT around protecting people's data? “You know, for example, you could put your accounting system on your network. But if you don't have any kind of security measure put in place, everybody, every employee that has asked for access to that network could access anything at all. So that includes all of your financials, your general ledger. And then it also includes not just accessing and viewing, but the ability to modify and change and/or delete.”

Any favorite war stories? “Yeah, there's obviously a number of times, but probably the one that I had the most fun with was working with a business, and we were actually doing a proposal. And we had a contract and outline of a project that we were going to do for them. And I was talking with the president at the time; he kind of sidetracked the whole security piece of it and said, Well, this is really unnecessary in my world today. He was in what I would call a state of denial, and really not sure that that was important. So I looked at him and I said, Sir, give me five minutes, and if I'll go to any workstation in your office and log in and get access to your general ledger, will you sign the deal? He looked at me and he said, Go for it. Within five minutes, I had access to their general ledger. So I walked back in and said, Yep, I got your general ledger. And I said, Sir, you've got a lot of cash. You could do this project, you know. Right. He was a little dumbfounded. And he said, okay, clearly I've got a problem.”

What about a favorite Cybertek movie? “Hackers with Angelina Jolie.”
/episode/index/show/securityfirst/id/13886753