Cyber Crime Junkies

How to Save Yourself. Ransomware, Back ups and more.

April 19, 2024 Cyber Crime Junkies-David Mauro Season 4 Episode 51
How to Save Yourself. Ransomware, Back ups and more.
Cyber Crime Junkies
More Info
Cyber Crime Junkies
How to Save Yourself. Ransomware, Back ups and more.
Apr 19, 2024 Season 4 Episode 51
Cyber Crime Junkies-David Mauro

NEW! Text Us Direct Here!

Great discussion with Gabe Gambill. VP with Quorum.

Topics discussed: 

  • best ways to limit cyber attack liability, brand protection with identification authentication, 
  • how to limit liability from cyber attacks, 
  • newest findings on ransomware cyber crime gangs, 
  • undercover findings on ransomware cyber crime gangs, 
  • pitfalls of data back ups, 
  • how to reduce risk of failed data back ups,
  •  importance of cyber leadership for brands, 
  • and true stories of horrific failed attempts following big disasters.

Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

We're thrilled to introduce Season 5 Cyber Flash Points to show what latest tech news means to online safety with short stories helping spread security awareness and the importance of online privacy protection.

"Cyber Flash Points" – your go-to source for practical and concise summaries.

So, tune in and welcome to "Cyber Flash Points”

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
πŸ”— Website: https://cybercrimejunkies.com
πŸ“± X/Twitter: https://x.com/CybercrimeJunky
πŸ“Έ Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
πŸŽ™οΈ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
πŸŽ™οΈ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
πŸŽ™οΈ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: πŸ’¬ Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

Show Notes Transcript

NEW! Text Us Direct Here!

Great discussion with Gabe Gambill. VP with Quorum.

Topics discussed: 

  • best ways to limit cyber attack liability, brand protection with identification authentication, 
  • how to limit liability from cyber attacks, 
  • newest findings on ransomware cyber crime gangs, 
  • undercover findings on ransomware cyber crime gangs, 
  • pitfalls of data back ups, 
  • how to reduce risk of failed data back ups,
  •  importance of cyber leadership for brands, 
  • and true stories of horrific failed attempts following big disasters.

Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

We're thrilled to introduce Season 5 Cyber Flash Points to show what latest tech news means to online safety with short stories helping spread security awareness and the importance of online privacy protection.

"Cyber Flash Points" – your go-to source for practical and concise summaries.

So, tune in and welcome to "Cyber Flash Points”

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
πŸ”— Website: https://cybercrimejunkies.com
πŸ“± X/Twitter: https://x.com/CybercrimeJunky
πŸ“Έ Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
πŸŽ™οΈ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
πŸŽ™οΈ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
πŸŽ™οΈ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: πŸ’¬ Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

Find much more at CyberCrimeJunkies.com

Saving Yourself When Back Ups Fail 

Topics: saving yourself when back ups fail , pitfalls of data back ups, pitfalls of data back ups, how to reduce risk of failed data back ups, importance of cyber leadership for brands, importance of data back up and restoration, importance of data back up, stories of when data back ups fail, horror stories of when data back ups fail, what to do when data back ups fail, how to avoid risk when data back ups fail, lessons learned data back ups from hurricanes, data back up risks natural disasters, 

Gabe Gambill, VP OF PRODUCT AND TECHNICAL OPERATIONS with Quorum joins us.

[00:00:00] Come join us as we dive deeper behind the scenes of security and cybercrime today, interviewing top leaders from around the world and sharing true cybercrime stories to raise awareness. 

So please help us keep this going by subscribing for free to our YouTube channel and downloading our episodes. on Apple or Spotify podcasts, so we can continue to bring you more of what matters. This is Cyber Crime Junkies, and now the show.

 Joined in the studio today is the Mark Mosher. Our regular counterpart who is always positive and always assistive. Mark, how are you? I'm wonderful, David.

This is going to be a great episode. I'm [00:01:00] excited about Thanksgiving and the holidays, but I'm really excited about today's episode. David, who do we have in the studio with us today? Yeah, so we're, we're excited. We're, we're having Gabe Gimbel. We did a webinar shortly. What was it, Gabe? A few, few weeks back, right?

Yeah. A few weeks back. Yeah. Yeah. And it was about the, the impact and the differences in the MGM and the Caesars breach. Gabe is a, one of the senior leaders at Quorum. He's vice president of, , products and technical operations. He's responsible for, and correct me if I'm wrong, Gabe, but like the product direction and roadmap as well as, Quorum's cloud.

And technical infrastructure, right? And you've been... That's it. Yep, you've been instrumental in, expanding Quorum's work throughout the UK, Europe, and then beyond. So... That is also correct, yep. Pretty good stuff. So, tell us, tell us a little bit about yourself. Kind of, like, what, what got you to get [00:02:00] into technology and cyber security in general?

Like what, like... Sure. Some people have some, some kind of interesting... Segways into the field. Yeah, I went to school for chemical engineering. So totally different field. I found that, yeah, when you graduate from chemical engineering, most chemical engineers go work in, some kind of manufacturing facility or plant of some sort managing things like a water system or whatever, where you do the same tests 50 years and then you retire.

, That did not really you kind of get it. You can't make me eat food and you can't let go of my money. How does that feel to be in Department of, operations? Did you start out as augh technical assistant or are you definitely going to go through more of those PR flight type jobs and actually releasing your mission and depth data to other Yeah, I was a got credit for pretty much the whole process.

field where we managed them from, you know, [00:03:00] Keyboard to router. So everything within their bank was under our purview and, you know, doing disaster recovery planning, BCP planning we set up a, although I wasn't part of the team, we set up a MSSP, so we had a security services for all of these banks monitoring everything going in and out, that really kind of built that platform.

Yeah, so you've worked in our field where you're actually. Both kind of an MSP where you're doing the day to day operations, developing cloud offerings, helping support clients, with compliance and stuff. And then also the MSSP, where it's all of the security operations, pen testing, offense, defense, all of that stuff.

Right. And then from there, kind of took a left turn and hopped onto the quorum bandwagon and started, Managing, you know, the team there and just kind of grew within the company and now I do all these other crazy stuff. Very cool. So tell us a little bit about Quorum. , [00:04:00] yeah, in my experience and yeah, I just wanted to preface it like in our experience, there's, there's a couple different flavors of it.

There's like three different levels. It seems like there's cloud components, stuff like that. But what's, what's the mission of Quorum? What is it that it does for organizations? When we started out, it actually started as a policy engine used for military applications. So if a naval vessel was, say, hit by a torpedo, you could transfer function to another part of the ship to keep things running.

So that is how the policy engine and the original brain of Quorum kind of came into, into being. When we took it to the commercial side we tried to find our way on how best to leverage that engine to work with things. And what we found is, is in the backup and recovery field. That seemed to be the way forward.

And so we took that and we built on that, that mentality of making recovery easy, coming from an MSP and doing disaster recovery planning for customers. You know, I [00:05:00] remember the days where you had those big binders, right? Yeah. And it's a lot of work, all the steps you had to go through. Yep. And you know, one thing changes and the binder's no good.

So we had to think of a way to make it as easy as possible. And when we originally came to market, we focused on kind of the small to medium business. Right? We were working for people to make it so that the one IT guy could go on vacation and they could still recover from a disaster. That was kind of our mentality when we went to market.

Just kind of along for the ride. That's still needed today. I mean, we still see that today. Absolutely. Absolutely. That's our bread and butter, right? But as we, as we did that, we really got into a, an idea of, okay, so we can make it really easy. Yeah. But now, because we came from that military background and everything we did was really focused on, you know, When we started, it was all backup.

Everybody focused on backup. Now we really focus on recovery. And so we [00:06:00] started that way and that's kind of our DNA is secure, easy recovery. And so everything we did was kind of You know, like the term immutability is now the buzzword, but we've had that for a decade. That's just the way our product was built.

And so we, you know, we grew from that. So we grew from a secure, easy way to recover in the, in the, in the event of a disaster. And our initial products were appliance based. So you put it in your environment, you protected your stuff, you could replicate to another appliance, and you could do recovery. Well, then the logical jump from there was to build a cloud.

So we made it so you could replicate from an appliance to the cloud, or you could back up directly to the cloud. And then the, you know, next evolution was cloud to cloud, right? So if you had a cloud service, like... Azure or if you were doing Office 365 or Google Office Salesforce, you know, those kind of things being able to back up and recover that kind of data as well.

So those were [00:07:00] our, you know, 3 big leaps that we've gone over time to build our product so that would work in this environment. That's great. That's, that's excellent. And are you guys primarily in the U. S. primarily U. S. based? Yeah, so we are definitely U. S. based. But we have a presence in the U. K., like you said, all over the Middle East, Africa, and Asia.

Oh, really? So we're, yeah, it's weird. In Africa, the appliance model is really appealing, right? Everybody is very siloed there. A lot of buildings have their own power, their own thing. So everything is very... Much appliance driven there. And, you know, Middle East and in Asia, it's much more, much more flexible, but that's just kind of how we grew.

So we're really all over the world for that. We have actually one of our initial partners from the very, very early days, actually in Australia. And they sought us out saying, Hey, we need this solution. And so they've been a partner with us for the [00:08:00] better part of a decade. So that's very cool. So, when you were, when you were younger, what, like, was there something that transitioned you?

I know you got into it and you were working in the MSP, but is there something like lately? You've been really focused on. Cyber security. And is it, is it just because of the glaring need for more people to jump in? Right? Like, you know, like people with your skill set, right? Like, like, there's such a, you know, we hear about the, the, the skills gap or the job gap.

And while clearly there's a lot of open jobs that we don't have people to place, there's also issues in how they're even trying to hire for those jobs, in my opinion. Oh, sure. They keep advertising for entry level job after you've managed a sock for three years. It's like, it's not, it's not an entry level.

We're talking entry level right out of college, like, or right out of trade school, right out of the getting certs, or you have a home lab. And, you know, [00:09:00] like you know, there, and there's so many excellent, excellent. People in security that didn't do the traditional four year route like it's, it's, it's almost not depending on which element of which position, which niche within security, a lot of times you don't need that anymore.

So it's a really fascinating field to all of us, but what, what drove you into it? Yeah, so several things drove me into it really coming from that MSP environment and that banking environment and seeing things firsthand on how fast a vulnerability can be exploited and knowing that all the security you put in place, I mean, everything you can do and, you know, as webinar, MGM is a good example of this.

All the security you can do eventually something will break. You'll still get taken down by an 18 year old, basically, right? And so an 18 and then get online and get his his cyber crime [00:10:00] buddies to to, to launch their ransomware. Exactly. And so you have to have that. Okay, so when it goes bad, it's not if it will go bad, it's when it goes bad, what do you do?

And that kind of became the calling card for me going through my career is always taking that look of, okay, this is going to break. And that goes more, you know, than just cyber security. In everything I do, I look at when this breaks, what do I do? Right? People put in processes that are people driven. Okay, that's going to break because it's people driven.

You know, those, that mentality exudes through everything you end up doing. And so putting that together became an important facet of how I did this. I got a story for you. So we had a customer. And this was maybe two years ago. We have a customer, and we go through the training, we set them up, and we do all of the security things you can think about, right?

We have multi factor authentication, we have a zero trust environment. We [00:11:00] don't want to use single sign on, because that's going to be how they're going to get to us, right? We do none of that. But a customer said, I need to make it easy for me, so I'm going to use my admin password to be the quorum password.

Oh, there you go. Okay. What a horrid decision. So that's something Mosher would do. I thought it was best practice to use the same password for everything, right? Yeah, no, no. The same password for everything, just don't change it. Yeah, it's easy to remember that way. So, so he did they got in his environment, and they logged into the OnCue and deleted all his backups.

Oh, you're kidding. Well, because that was an account takeover then. They were him. Totally. Right? They were him. Yeah. Yeah. Totally. And that's one of the, there's so many recurring themes we've had about what, Mark, we're at like 130 interviews of people, right? In addition to the crime, the true crime true [00:12:00] cyber crime like research that we've done.

So we've got other episodes on that, but the interviews that we find. It is shocking how some of the largest breaches, or some of the most devastating ones, were fundamentals. It was just pure, basic, knucklehead actions that caused it, right? Like, like, don't reuse your passwords. Like, back up your data, like, you know, update and patch in time, right?

You know, I wanted to get your, that's a good story, and I also want to hear, because you guys were involved, you have a fascinating story about one of the major tragedies that happened years back with Katrina. I want to, I want to get to that in just a second. But, I want to, I want to ask you about this.

To me, there's got to be a better way and maybe there is and I just haven't seen it in the cyber security because I'm not involved in like the high tech service delivery [00:13:00] aspect of cyber security. The, like when manufacturers post vulnerabilities and patches, right? It'd be great if they could do it in a way so the good guys could see it.

But not the bad guys. Like, there's no way for them to actually do that. Right? Like, when, when I see this, I'm, I'm, I'm, I was like, hey, we have a vulnerability. Here's the update in the patch. And the good guys are struggling to get that patched. In a week through 30 days, sometimes it's not immediate, right?

And, and obviously a best practice is as soon as there's an open vulnerability, clearly patch it right away. But when you do that in an enterprise environment or even SMB environment, sometimes you break things. And so there's a reason why they, they wait. They're testing, they're rolling things out. They might have an initiative.

There's a whole bunch of socially acceptable excuses why they don't do it immediately. But, you've let [00:14:00] the threat actors... Know that that vulnerability exists, they can run scans and find out who's got that system in place, and then they can, they can target it. I mean, isn't that kind of like open season?

Yeah, it's, it's a, it's a horrible scenario, and it really comes down to, and this is, Obviously, my personal experience, what I see is most of the delays and getting something patched are driven by like one of three factors, right? They're either, they have a piece of software that is not updated, is not managed well, was in house built or something, where they know that if they patch, they're going to break something.

Okay, so it's, it's, it's their own, yeah, exactly. It's their own coded. It's their own poison pill scenario, right? Yeah, they build their own, they'll have something like that. Yeah. They build their own inventory management system or something. Exactly. Or they've de structured their IT environment in such a rigid [00:15:00] way.

That they have to go through a QA process and a qualitative assurance nightmare of change controls or whatever to get it done. And it's never going to happen. It's like an administrative issue, right? It's their own internal process. Right. Yeah. So, you know, they've pulled their own trigger. And then the third is, is the worst.

They just don't know. Oh, they don't even know that the patch is available. They don't know every piece of software that's out there. They don't know what Robin Accounting put on his machine or, you know, what, or it's departmentally true. How does IT not know? How does IT and your own security team not know that, right?

It's connected to the internet. It's their responsibility. You gotta think of bigger, think of a university. Because that's what people think, right? People, I mean, but think about it. That's what... That's one of the main challenges, right, is knowing everything that's being used, that you're [00:16:00] responsible for supporting or...

Securing, right? Right, but if you think of something like a university, a different IT department for every college, for every major, for every whatever, they create a nightmare of who's in charge of the All these collaborative tools they're using, they're plugging things in, they're throwing things on the network, BYOD, all this stuff.

It's a nightmare. It's horrible. When I was working at the MSP, we had a real estate office, and it was a national real estate firm that allowed any realtor to bring in their laptop and plug it in. And so they would take down the network on a regular basis because, you know, some 90 year old realtor got in and was on their AOL account or whatever, because it's that, you know.

Now, now, now, the data actually shows, we were just doing a security awareness training, so we did a bunch of research for a, for a educational organization yesterday. And the data actually supports, right Mark, which generation? It's actually more prone [00:17:00] to, to negligence and clicking on phishing emails.

It's actually digital natives. So digital, the phrase digital natives encompasses 35 and below, right? So whether it's Gen Z, part of the millennials and maybe Gen Alpha or whatever, but it's something about. They, they're, they're so used to it that they just trust too much. Absolutely. And, and, and I think the older generations are, are kind of, they've been yelled at by Gen X for so long, like for so long Yeah.

On that. Would you please not do that? That that maybe they're, they're, they're getting my, they're, they're number two. You're absolutely right. Right behind it, you know? Yep. But this is, but this is dating me. This is, you know. 15 years ago when this was happening. Yeah, we're all, yeah. No, that's so interesting though, what, man.

Holy cow. You know, but that was their policy. They wanted to make it easy for the realer, but they would take down their networks on a regular basis. Oh yeah. And, you know, we would [00:18:00] go through the fire drill of trying to get them out of it. That kind of mentality, it permeates a company. What's an organization to do as it starts to grow, right?

We have a lot of listeners that are SMBs that are growing or they're in leadership and growing organizations and. You know, they, they want to balance between allowing flexibility and BYOD, letting people have collaborative tools, trying things out because there's so much, especially since last fall, since Jenner of AI shot out of the gate on the, you know, among commonplace, a lot of things that, a lot of things that everybody's saying is AI has been around for a while, like it's not really that shocking, but the, but the commoditization of it and the popularization of it.

What is how do they balance that with having some level of control over testing before we connect things to our network? Without coming into, like you said, [00:19:00] some massive... Admin, you know, people blocking logjam where you can't get anything done. Well, there's definitely softwares out there that are, that are better equipped to, to help with that nowadays.

There are things out there that are looking on the network saying, hey, this is weird activity, right? It's looking for what is happening on the network, not... You know, not like the old antivirus looked at signatures in the files or signatures. Oh, yeah. Yeah. Well, I mean there's computers acting Oh, yeah. No, there's there's managed sim tools.

There's mdr platforms all of those. Yeah all that Okay, so that's from the security stand but I was almost thinking from the organizational piece. We'll see. This is the hardest part So, I've always watched this happen in an IT, the IT is viewed as a necessity in a company, right? You need to have your computers in order to do your job, but it is a cost center, and every company wants to manage that cost, and so they [00:20:00] do that risk assessment, and if you have the wrong people in leadership that don't view it as important as the IT guy, that's where it breaks down.

That's how the Katrina thing broke down. We want to jump back into that story. Let's segue to that. So most most everybody knows about the tragedy. Most of us either were impacted or involved or had have had friends or colleagues involved in the catastrophe from the Katrina. Event that was about, what are we, five years ago or so?

No, eight, even longer. Yeah, it was even longer, wasn't it? Oh yeah, that's right, George Bush was president then. Yeah, so we are back. Wow, man, time flies. That was like five years ago. I'm like, well, what was I thinking? Yeah, it was a while back. Okay, so, okay, this is 2023, forgot. Okay, so tell us about how 2021.

The challenge of data and backup played a role in [00:21:00] making that catastrophe even worse. So, as, as we were just talking, the management wanted to control costs, they switched from their classic backup systems, whatever they had locally, to a cloud based backup. And they thought, oh, we've saved so much money, everything's great.

The problem that happened with Katrina is it was an extended amount of downtime, right? The, the servers that were there were destroyed. They had to rely on their backups, which they thought, oh, they're all in the cloud. The problem is they only had 30 days of retention in the cloud and Katrina lasted much longer than 30 days.

So all of the data in the cloud expired. But when they went to recover, they had nothing. So walk us through, so walk us through a third grade level of what you're talking about. So, the massive storm comes in. The storm comes in, wipes out the data center. Because of the, because of the, [00:22:00] the level, right?

The, the water table level, the dams, the, like, all of that. We all saw that, it was, it was horrible. Right. The data center that housed the data. All of the mortgage, all of the housing, everyone that bought a house, owned a house, that data system was in those data centers, and it was destroyed. And those data centers were destroyed by the flood, by the...

Completely. Later. Okay, so all of the... Actually, I think they were destroyed by the initial hurricane impact, to be honest. Like, if I remember right, they weren't in... The upstate data center, they were right there and they were destroyed. Oh. And so the people managing the systems, um, never reached out to the cloud providers to say, Hey, hold the data, and it expired off.

So when they went to recover, they had nothing. Oh, now the problem that this created far beyond that of the data itself. is that nobody in, in [00:23:00] New Orleans could buy a house or sell a house. If you were arrested and wanted to post bail, you couldn't do it. sO lawsuits were being filed. You know, every, everybody's trying to go, Hey, I need to file insurance.

You can't file insurance because I can't prove you own the home. Ah, man. The, the ripple effect of this was immense. So what they had to do is one of the IT guys, and I can't remember the names, it's been a little while had a tape from before they replicated to the cloud and they moved and they recovered that data.

The problem was that tape was nine years out of date. They had to hire an army full of college students to come in and manually re enter all of the data for every housing transaction over the last nine years. Get out of here. Horrible scenario. [00:24:00] Well, first of all, you're talking about tapes. Which is a scary thing, one of them right here.

Backups, and they've still got tapes. And I'm like, yeah, let me, let me. I was watching a show on my VCR last night, so hang on. Like, that's the time frame that this was. That's the time frame, right. Wow. Oh man, that's horrible. So what happened ultimately? Like walk us through. Okay. So what happened is they manually re enter all the data.

There were multiple lawsuits, right? Anyone that was arrested wanted to file insurance. Lawsuits were going crazy. It cost the city something along the lines of almost a billion dollars in stuff to get out of this mess. aNd what they did horribly is, you know, in that kind of scenario, you just cost us a billion dollars.

I want to know who to point the finger at. So they looked at the IT guy. Like one individual [00:25:00] who was employed by them, or was it a firm? It was a, it was the individual, individual employed by them. Oh. This was a city employee, and they went after her. You've got to be kidding me. They went after her.

Luckily, she had all of her emails. Going back, stating, this is a bad plan, here's why it won't work, right, she had covered herself to say, hold on, you're not listening to me. 30 days of retention is not enough. Oh, this is great, well, she did the right thing, at least she did absolutely the right thing. She still got, she still got laid off, but there was obviously settlements and stuff that came from that.

Yeah. And she, I'm sure, landed on her feet, but. That mentality had to purview and it was a scenario of, you know, the, the management layer made a call to save money without regard to the impact if it goes wrong, right? And that's, [00:26:00] you know, what we were talking about earlier that happens in security that happens in password management.

That happens in everything where someone says, I'll take on that risk that happens with the the would you call it the under 35? digital natives that say You know, it won't happen to me, right? That mentality is what's killing all of this stuff Yeah well and it it gets to a bigger picture right and that is The role of the CISO or even if an organization isn't large enough to have their own CISO, right?

But whoever is in charge You Even at the SMB level of securing an organization, if you're just in charge of I. T. and there's nobody else, then you're also in charge of security, right? That's right. That's the way business owners will look, because when a data breach happens, you're the I. T. guy, and they're pointing a finger right at you.

I think it's so important. And, and there's a whole, there's issues with the way vendors sell security, that's a whole other rabbit hole to go down. [00:27:00] We address that pretty often. Because we want to make sure we're doing it right. But the role of that IT person, or CISO, or whatever the, the scenario is for the client, they have to make sure that they have...

a paper trail because this happened like it is a wise move to engage with different vendors, different offerings, and to make a recommendation that's backed up, right? Like, yes, look, I've spoken to clients that have used this platform. This will give us 24 seven eyes on glass. They have their own sock.

Like I recommend that we have this. I am one person and I don't work 24 seven. And I take vacations, et cetera. Like, we have all these other initiatives we're doing. I need to be more strategic. I can't be sitting there 24 7 eyes and glasses. I can't hire a kid to do that. Right? We need a platform. We need actually [00:28:00] trained you know, advanced threat hunters, all of that.

Making those. Making those recommendations, and even if you get shot down, at least you have that in there, because we've seen it, Mark, right, where post breach, post boom, and they, they didn't have enough, or they didn't have cybersecurity insurance, or the security insurance company declines coverage, right, and then we get brought in, and we're walking them through this, and they're pointing fingers right at the IT person, and the IT guy is able to say, oh, here's my recommendation last year, The year before I said we needed 24 7 eyes on glass.

These guys were in for a while. We could have detected it immediately. We could have stopped it. We could have leveraged our EDR platform, whatever the scenario is, right? Given the type of attack. But I think that's so important. And part of it is also making that internal business case. Right? I mean, you get involved.

And no IT guy is trained in that. [00:29:00] I mean, have you ever seen an IT guy that's trained to make that business case? No. And if anything, the, the personality type doesn't lead, doesn't tend to be also strong in that field. Right? Like the personality type is not the type that, is an excellent conveyor of messaging and business impact and understands, like, the Harvard, there's, you know, there's a Harvard course on how to make an internal business case.

That's our most, CISOs and most IT guys haven't really even taken that course. They don't know, like, you've got to evaluate this. There's, like, whole steps that you need to take to convince. A board or ACEO and ACFO that yes, it's going to cost money. Yeah. But the ROI is actually positive. Right? Right.

'cause of the stats and the predictor. If data is a predictor, if past data is a predictor of future behavior, of future incidents. We will get breached, but there's a difference between a breach that is an inconvenience [00:30:00] and a short sum of money and a breach that gets you in the news. Right. Right? I mean, we have ROI calculators.

Yeah. Like everybody else does. Yeah. And I've gone into companies and I've shown them and I said, look, based on your revenue stream, your number of sales reps, your cost of downtime, right, you walk them through all the steps and you show them, this is what your, your ROI looks like. Like, it's, it's a no brainer.

You're going to lose, you know, whatever it is, 7 million. over your outage. The answer inevitably, I always get back, is no, it won't be that way. It won't be that way. Always. You're like, you're just trying to spread fear, uncertainty, and doubt. And we're like, now we're like, and this is, we kind of explain this to people and, and we, we talk about this on the show, is we're not spreading fear, uncertainty, and doubt.

We're not trying to. We're, yeah, it's, it exists. It's there. We're telling the story. We're socializing it. [00:31:00] So that the technical fears can be understood. Because once we understand it in a business impact. Like, I don't understand what cybersecurity, I don't know why we need this acronym, that acronym tool. I don't understand it.

I think some of it's pokey, right? I don't, I don't get it. I want to go build widgets. I wanna go, I don't wanna be Big Brother. Right? Yeah, exactly. Any of that. And, and, and the right, and the problem is, is that Will torpedo Yeah. All those efforts and, and here's a example. Look at a small company. It'll destroy it.

Yeah. Let's look at a small company that has an IT team of. Less than three people, maybe less than five people. Oh, yeah, that's pretty normal. In order to make that business case. They would actually have to have the information on what the finances are of the company, but they don't have that. Most of those five team, five, five man teams, they're not going to be led into what the finances are of the company.

[00:32:00] That's, that's on the business side. You just manage the computers. We'll take care of that. So how are they going to make an ROI? They have no way, right? No way. It's almost like they need a partner. Yeah. Well, when they're, I think they need to look at their vendors, not as just a vendor, right? Like, if you look at Chris Roberts always talks about this and it's the, if you look at a vendor as a strategic partner to help you make your business case, we need this service.

Because here's our internal model, whatever it is, big, small, whatever, right? Whatever layers of security you've got or you don't have. Here's our existing model. We need this additional layer in this model. Here's the likelihood of a breach. Here's the cost of our people, right? We could find out even from Glassdoor, roughly.

You could find out online through Robert Half. Like there's, oh, there's, there's data [00:33:00] points out there that you can get rough estimates. And if those are the salaries, you can estimate the overall burn rate of those employees if they are down for five, six days. Right? Because we're not going to pay the ransom.

We're not going to do that. We're going to be down until we recover, right? Then what is the cost? And so, how much is this each year? What's the likelihood of it even happening? And I always... If you have insurance, what's your premium going to go up? No, you're not even going to have it. Well, first of all...

Yeah, you won't, yeah. After you've got a claim, you're not getting it. You're barely getting insurance again. It's not, not in any cost effective way. Right. It's, it's, it's it's, it's, ransomware has done one positive thing. It's such a complicated chess game, all of this. Well, ransomware has done one positive thing, that it's made businesses actually look at IT as, hey, we, we need you.[00:34:00] 

Yeah. We need you to make sure this doesn't happen to us, because I'm afraid of this. I'm not afraid of a hacker. They don't exist. I'm not afraid of a disaster because those always happen somewhere else, right? I'm afraid of ransomware because I've seen it happen. It's exactly it took down MGM. It took down Caesars everybody on Business owner.

Oh, yeah any business owner any leader in any educational government entity always belongs to associations It's how they network. It's how they built their brand and They've all heard those stories They've all heard that school district was down for a while. They declared a state of emergency in that local town.

Like there's three state of emergencies going on right now, as this podcast is being recorded, in various small towns across the U. S. It's, it's, it's just because of ransomware attacks. And it's so crazy. And then because of that, they can actually start to gather up an ROI. I mean, [00:35:00] obviously it's not like a ROI in terms of investment.

If you, you know, like if you're, if you're offering to build a mobile app, let's say for an organization, you invest this amount, you can capture new revenue this way. Okay, that's great. Right. And it's very powerful. But in here, it's you are at X risk, right? And how do we quantify that? And I think that's a really interesting discussion.

Because in every field, in every sport, right, like last night's game, right, Kansas City against the Eagles, like they were able to quantify it after a specific time, X amount of points, they declared a winner. It's true, had they played longer, the game could have turned around, or it could have even gotten worse, right, like there's so many different ways, but we've all agreed at the rules in the beginning at X amount of time.

Whatever the score is, we declare the winner and in cyber security, [00:36:00] a lot of IT leaders and CISOs are like low, medium, high in terms of risk, right? So we can't, like, everything else is measured. How do we measure cyber security? Because we need to do that for business owners or decision makers, because that's the language that they speak.

Yeah, and the only thing you can do is measure downtime. I mean, that's really and the fallout, right? You have to measure the fallout. So there's actually studies that have been done and it's one of the things I use that say, hey, you had an outage for this much time that causes on average, you know, across your industry, this many customers to leave you.

Right? So you have to look at that number. You have to look at the cyber security insurance. You have to look at the cost of actually not being able to make sales. Oh yeah, I think, well, that's, that's the key. I think there's even [00:37:00] more metrics than just downtime, too, that could be added in. I just don't know that, that somebody's selling a calculator or a model that captures it all, but think about it.

Like the long term loss of being, like, let's say post breach that gets you in the news. Guess what? It becomes, there's tons of data out there. It becomes harder to hire good talent. What does that cost you? Your SEO is harmed. Like when people Google you. It looks bad. How long, how do you quantify that, right?

In terms of new sales. If your product or your offering has, is, is something that the competitive market can switch very quickly. For example, I may really trust my doctor. If they're involved, if the hospital organization that he works for is involved in data breach, may not switch doctors. Some people will, but some people may not.

Because of the region, let's say [00:38:00] they live rural, like that's the only freaking place I can go. I'm still gotta go there, right? But how about lawyers? There's a million of them. Literally, there's more than a million. Like, you can get a new one. I don't care how great your law school was, how great you were in trial, et cetera.

You can go hire another one immediately. Because, and when, when an attorney loses their data breach, that's a huge, like when they lose their confidential information, everything you tell them is supposed to be sacred, right? Within the attorney client privilege. But it's all supposed to be sacred. If that got publicized, we'd be, as so many people would be searching for another lawyer and there's other industries like that, like auto parts makers or manufacturers, you know, a, a, a, you know, if they're a sub of, of a larger group, right?

Let's say it's Toyota or even not even that big, but they're, they're, they're a sub of a, [00:39:00] of, of a larger group in the, in the chain of custody in the supply chain. Okay. then they're going to just find another one of your other competitors to go with. They can't risk it themselves. So there's so many elements that could be captured in that.

Yeah. And it's, it's a moving target for your industry, right? Your industry is going to dictate that. Sometimes you're kind of locked in, sometimes you're not. But one of the things that, that, like, I live on the other side of the fence from you guys. You guys spend a lot of your time trying to mitigate the disaster.

I spend a lot of my time going, Okay, it's happened. Where do we do now? Yeah, we're mostly pre boom, and then we have some people on our organization that handle boom and post boom, but that's more the exception than the rule. We're mostly preventative, right? Right, and what you just said is a perfect thing.

Boom and post boom. So everyone [00:40:00] tries to put those two together and they are actually two distinct different things. Is your security team coming in going, how did this happen? And then post boom is, okay, how do I get back up? And if you don't have both of those pieces thought through. Yeah, you're in a you're in a world of hurt, you know world of hurt.

So in our post boom world where I spend most of my time, you know, we spend a lot of our time getting customers back up, recovering their servers, getting them rebooted, but a lot of times we have like we we hit ransomware, I don't know, on a weekly basis, maybe one of our customers will get ransomware at some level.

And, and we'll spend time going, okay, we're ready. We're ready to recover when you say go. But they'll spend three days figuring out that boom. Oh yeah. And so that three day outage, even though we can recover in minutes, that three day outage is a cost. And that's the, that's, goes onto your side to the pre boom, [00:41:00] like, they should have been ROIing and planning for that, because the boom has a cost in itself.

Absolutely. Think about the, think about the time. Time is money. Even if you don't, even if you're not like an attorney and you bill your hours. But time is money. And when there's boom, when a data breach occurs. There are so many meetings that internal resources from HR, from the executive suite, from other directors and different roles and people using platforms and users and end users, so many meetings.

Where we're evaluating what happened, how it happened, who did what, and then how do we fix this, the planning, so that, so that it doesn't happen again. And all of that, that can be quantified. Like, that's cost to the organization outside of we're building the brand. Right? Right. We invest in salespeople, ROI, if they're profitable, they will give us this.

[00:42:00] That's a, that's a very clear ROI. There's also an ROI. Right. Like when that happens, there's so many meetings involved that are not making you money. Right. They're not helping your operations that have to do that. It's so interesting. It's, it's, it's, and, and there's different types of, you know, I'm, I'm coming to the realization and I'm sure there's.

A lot more smarter people to me that have already written about this that I haven't read or Mark hasn't brought to my attention. Mark's my guy that like, on Saturday night he's like, Nick Alpha V is, is posting this on the dark web, like, when, when, when Black Hat, was it Black Hat? Yeah, Black Hat filed the SEC Oh yeah.

Yeah. After after the organization didn't pay the ransom, so they locked them down, extorted them. [00:43:00] They made the ransom demand. They didn't pay. Right. So they threatened to leak the data. Right. And that's like the, the triple ransom attack, right? Yeah. Yep. Right. And then this last week we saw. Or Alpha V, Black Cat, actually then filed their own SEC complaint that said they did not disclose the data breach within four days as required by the new SEC rule.

I'm like, what? That's just, that's next level. That is just, that is some mafia, like, thought process. That is brutal. You know? That is brutal. Like, but that's what they're doing, is, they're, I mean, that's just unbelievable. So think about it. If they're doing that. Think about a healthcare organization, you're going to file those HIPAA complaints.

They're going to contact the Health and Human Services. If it's a financial institution, right? They're going to contact auditors because they'll be able to find who your past auditors were. They'll have all your records. [00:44:00] They'll be able to see everything, right? And they will go and notify. And we have heard where they've reached out to actual customers in the past.

So that's why that's great. When everybody was kind of shocked about what Black Cat did to the SEC, I'm like, wasn't that shocked? We've seen organizations, there was one a, Mark, do you remember this? It was a healthcare organization, online platform, um, it wasn't Better Health, but it was something like that.

And, where they did the online therapy work, right? Online mental health. They got all those records and when they wouldn't pay, right, the, the ransom, they went and contacted the actual customers and tried to blackmail the actual patients and saying, if you don't pay me a thousand bucks individually. We're going to release all of your records and we'll post it, we'll throw it on social media.

The lawsuit filed after that, I mean, could you imagine? Think about that. [00:45:00] The fallout of that has got to be catastrophic. Yeah. Yeah. That's huge. It's unbelievable. So I'm, I'm getting to the point where... Oh, go ahead. Oh, I was going to say, these are big companies that you're talking about that have these...

These breaches that are, you know, broadly impactful. Yeah. But even the little companies that you don't think about, that don't make the news, that have these breaches. It takes these companies out. It, it really does. I mean, one statistic we've seen, yeah, one statistic we've seen is like close to 60 percent close within a year or six months.

I don't know if it's that, yeah, I don't know if it's that, like there's, there's some debate on that, but I think it's clearly a contributing factor, meaning since it's a small business, right? It could be on a shoestring budget and just teetering anyway, but that breach. Yeah, that breach is the final thing.

It's [00:46:00] like losing your biggest client, right? And those small companies are the ones that are least likely to invest in security. Absolutely. And those small companies make up 98 percent of who Americans work for. Most Americans don't actually work for big companies. Most people think, most people think they do, and most Americans work for small businesses.

Unbelievable, it's such a challenge. And, and I think that what we're going to see is, because there's so many breaches, so many different attacks, two things. Tell me what your thoughts are on this. One, there's a difference between a breach that gets you in the news, And a breach that is contained and restored from backup, etc.

Both struggle, but to me, I think there's a difference between those two. Like, and we, you and I discussed that, Gabe, in like the MGM and the Caesars at a macro level. But I think even with [00:47:00] small business, I think there's, and small organizations and school districts, there's some that are more minor than others.

And I also, I, I think that is something that most people don't think about. Like, oh, they were breached, but they all kind of assume a breach is a breach and they're all the same. I'm like, no, I don't think they are at all. Secondly, what do you think about this? That we're going to get to the point where there's either a grading system.

Or an informal system where people are going to judge their vendors, who they do business with, consumers who they buy from online, not whether they've been breached, but how they handle it. I think we'll get there. Yeah, I mean, most people, the Target breach was a phenomenal story back in the day, right?

And especially because it wasn't Target. They were doing a lot of the best practices. They had FireEye. They didn't necessarily have it configured right, but they had FireEye, like, they were doing themselves. [00:48:00] Good best practices. They got breached through their HVAC system. So what broke down there, it seems, are the processes for vendor evaluation.

Okay, that's fair. Very few people have stopped shopping at Target because of that, right? Like people still go there, right? Right. It might be a blip, a short term blip, but people still go there. But I think it's because Not necessarily that people understood that the breach wasn't that bad because it wasn't their fault.

It was the third party. It was their HVAC vendor. I think most people don't even know that. I, I, I think some brands are able to sustain You know, longer, but, but I mean, it's like anything else. Some brands are able to sustain bad PR better than other brands, right? I mean, there's, there's, there's been other controversies affecting target and, and their stock will dip.

It's either going to do, as you say, it's either going to do, as you say, we're, we're going to gravitate [00:49:00] towards the people that handle it well. oR it becomes one of the things that I typically see is. It's just noise. Wow. Pe the average person just sees it as white noise. Oh, there I am again. I'm, I I was breached again.

At Walmart or at Target, or at, you know, Yahoo. Yeah. I, whatever. Yeah. I get free credit monitoring. Again, like I think we all have three credit monitoring, like threefold or fourfold. Right. We all have like, and so they're like, I, I can't, there's so much information with that. I get it from my college that I went to.

Yeah. Right here, I'm holding up my, they just don't know how to adjust from my college. They can't pivot. Yeah, they can't pivot. Right. They just have to accept that's the way it is and that's a horrible thing. Yeah, you know, I mean I use those what is it secure 360 that kind of stuff? And so I'm always getting updates saying hey this you showed up here Okay, let's go change those passwords.

Let's lock that back down, right? But you know, that's gonna become a [00:50:00] full time job after a while Yeah, so one of the things what we tell people is always freeze your credit Right. It's so important. Always for, for you personally, not for a small business uh, a larger enterprise, but always freeze your credit always because you can look, you're not taking out loans every day anyway, and you can still use your credit cards and your FICO score can still improve, right?

It's just freezing it from allowing any new accounts to be opened in your name in an unauthorized manner. That's all it does. Right. And then you can literally with a button on your phone. Unfreeze your credit, get the store credit card you want to get, or the car you want to get, or whatever you're buying, and then freeze it back up.

And it just, it is such a smart move, and obviously monitor your credit, but a lot of that wouldn't matter if you just used different passwords on everything. Gets back to those fundamentals. Yeah, and I mean, when mine shows up in a breach, [00:51:00] like all my passwords are already pretty different but, you know, it's catching it and doing what to do with that information that there's no mass training out there for the average home person.

Hey, you know, your Instagram account has shown up on the dark web. You better go change your Instagram password because so many people don't care. They're like, what are they going to do with my Instagram? I'm like, would you like us to tell you? Like, yeah, I can tell you. Yeah. They can become you like they can become you.

They can, they can leverage something like that as a evidence of that is who you are with. With your credentials and leverage that into credential stuffing a whole bunch of different tactics. To, to, to take loans out for you, to buy things on your behalf that you're liable for that those products and [00:52:00] goods and services go to the threat actor.

There's so many different ways they could use that to establish other accounts and, and, and other forms of identity. So we've, we've seen quite, quite a bit. Gabe, this was an excellent conversation, man. Oh, happy to have it. Happy to have it. Absolutely excellent. And we will also have a link to the MGM Caesars discussion that we had.

We'll, we'll have that link in the show notes. That was a great discussion because those two breaches really show how in the short term, one of the people that follow the best practices and that fought the fight, they actually got really bad PR in the beginning. But, you know, the truth is, is that once you pay ransom, everybody on the dark web knows, and you are a prime target again.

So, you know, people on the dark web are like, when is Caesar's going to get hit next? Because they paid. [00:53:00] Right now, they didn't sustain the bad PR that they, that, that MGM did, but, but they did pay so un un unlike MGM who fought the good fight. So very interesting. Great, great conversation. Gabe follow we, we will have Gabe's link to his LinkedIn in the show notes and information on Quorum in the show notes.

Check them out. And sir, we will, this will not be the last time we talk. No, I hope so. I look forward to the next one. Oh, right. Excellent. Thank you, gentlemen. Have a great day. Have a great, thanks guys. Take care, everybody. See you guys.

Well, that wraps this up. Thanks for joining everybody. Hope you got value out of digging deeper behind the scenes of security and. cyber crime today. Please don't forget to help keep this going by subscribing free to our YouTube channel at Cybercrime Junkies podcast and download and enjoy all of our past episodes on Apple and Spotify [00:54:00] podcasts so we can continue to bring you more of what matters.

This is Cybercrime Junkies and we thank you for joining us.