Episode Transcript
0:00
Hi, good morning. You're listening to Breakfast Bites, and I'm Felicia King,
0:03
and I have a special guest, Kyle Wentworth of the Wentworth Group with us today.
0:08
And we're going to talk about, as you guys know, Kyle's a CTO,
0:12
and he's also super long-term experienced in the practical application of the
0:19
balance between business needs and IT security needs.
0:23
So we encountered a very interesting article and then we're having a pretty
0:28
interesting conversation about it.
0:30
And it was about 8,000 plus domains of trusted brands that got hijacked for
0:37
a massive spam operation. And I will post this URL to the article on Hacker News for the listeners.
0:47
But the article was not terribly clear, and it didn't really get to the nugget
0:54
of exactly what was a practical risk mitigation approach.
0:59
So I thought we'd talk about that. So welcome, Kyle. Good morning, Felicia. Yeah.
1:04
So let's talk a little bit, maybe like frame this operation of the domain hijack
1:10
for the listeners, and then we can just kind of step through it and see where it went wrong,
1:16
which then leads to concepts of how you might prevent those issues.
1:22
So do you want to start us off? So this whole
1:26
issue has to deal with domain names that were essentially released from ownership
1:33
and subdomains belonging to legitimate companies that have well-known names, ACLU, eBay.
1:44
Marvel, McAfee, Symantec, MSN.
1:50
There were many of these domain names that were listed in here that were names
1:55
that you would have never suspected would have ever been subjugated to this kind of an attack.
2:02
And essentially hackers
2:06
came in and compromised these historically
2:10
legitimate domains and used them for broadcasting
2:14
a massive spam attack on
2:18
just the entire world. So reputational
2:22
damage and then security damage, and
2:26
all because, I mean, there
2:30
there are many reasons, but the root thing that would have actually prevented
2:34
it is if they would have listened to your advice, which has been... Yeah, yeah. If
2:43
you purchase a domain name, you never let it go. It's yours permanently and forever.
2:48
And for business organizations listening to the podcast,
2:54
the concept of have you ever had an alias?
2:58
You could ask this on a lot of security documents that you have
3:04
to fill out for a passport or for whatever.
3:08
Have you ever had an alias? Well, you can't ever get rid of that alias in the IT world.
3:13
You can just stop paying for it and it goes away, but domain names need
3:19
to be maintained and owned. If you decide that that's going to be a domain name that you purchase and
3:25
you're going to broadcast with that, you have to take ownership of that for
3:30
its lifetime or this kind of an event can occur.
3:33
Somebody can maliciously use your brand historically for their own purposes in the future.
3:43
So that would have definitely prevented it.
3:47
So now let's break it down to the next step, saying that in the case that this
3:52
article covered, a brand had not renewed the domain because they had basically
3:58
purchased a domain for a specific marketing campaign.
4:01
And the domain was purchased in 2001, and it was released at some point in time.
4:11
And then it was purchased by malicious actors in 2022.
4:17
Now, normally, a good cleaning and scrubbing of DNS records would also have mitigated this risk.
4:29
And so one of the things that you said earlier, Kyle, was you're talking about,
4:34
you know, these are things you wouldn't expect to happen with really large organizations. I completely agree.
4:41
And it's not just on the level of, gee, they should have just continued to purchase
4:47
or renew the ownership of their domains, which really for a large organization
4:53
is an extremely nominal expense. But the second level is I would expect them to have a solid inventory of their
5:02
DNS records and to evaluate those DNS records on a periodic basis, at least.
5:12
And we look at
5:15
the business process that's involved in that,
5:18
and yes, we learn a lot of things because of ramifications of not doing something.
5:25
As we increase our operational maturity in business, it's the mistakes we made
5:32
that we learned from that we don't want to make in the future. However,
5:37
This kind of mistake, I mean, it's 30 or 40 years old.
5:43
This is a kind of mistake 40 years ago we made. You don't make that today.
5:52
This is proper business process in DNS management, and it should be a standard
5:58
practice inside of any network administrator's list of tasks that they perform.
6:05
This is DNS 101. If you're going to get rid of something, you have to get rid of all of something.
6:13
Otherwise, the legacy of that can be utilized against you in the future.
6:18
I mean, even just yesterday, I was working on a project where
6:23
The fact that I had to go in and look at some DNS records for a client caused
6:28
me to review our manually maintained inventory, right?
6:34
I always look in terms of total quality management and look at it and say,
6:38
what is our manually, you know, human maintained inventory of what should be there?
6:45
And then what's our digital inventory? And in the manual, human inventory,
6:50
we track things such as who made the request for that DNS record?
6:54
What business initiative was that DNS record associated with?
6:59
Who created it? Was it originated from a ticket, a project?
7:05
Is there an expected duration of time at which that's no longer valid?
7:11
Solid. You know, all of those things are tracked, and
7:15
certainly if something is associated with a marketing
7:18
tool, and let's say that marketing tool is
7:21
no longer used by the organization, well, gee,
7:24
those DNS records shouldn't exist anymore. But yeah, I think all of this goes
7:29
back to those human processes that need to be there, and there are some tools,
7:37
some digital tools that really large organizations can use to assist in this matter.
7:43
But I still think there is no substitute whatsoever for tracking the business
7:48
side of who requested the DNS record, what business process
7:53
is it associated with, was it part of, like, a temporary campaign.
7:58
Is it marketing related? You know, in many cases, this is, you know, 101 of resource ownership tracking,
8:04
like who is the resource owner for this? Because if it was part of a marketing campaign, which is what almost all of
8:12
these particular issues associated
8:15
with this particular article we're talking about, those were all
8:19
domains that were registered as part of a marketing effort.
8:24
Right. So I see this. I can't even count the number of times this year, 2024,
8:32
that this has happened already, where I get a telephone call from a client or
8:38
from a colleague that is working on a project.
8:42
And the marketing department, they'll call me up and they say,
8:46
hey, well, I registered this domain name with GoDaddy, or I registered
8:51
this domain name with whomever.
8:54
Who gave you permission to register this domain name? Are you the IT person?
8:58
Right. Well, no, I'm going to do this marketing campaign and I bought this domain.
9:04
Well, let's have a discussion about that for a second.
9:07
First off, the domain name that you purchased isn't the domain name for your business.
9:13
So it's not like you bought a subdomain for your business. WentworthConsultingGroup.com is our domain name.
9:21
If I'm going to do a marketing campaign on security, I might buy a domain name
9:28
for security.WentworthConsultingGroup.com.
9:32
But I own WentworthConsultingGroup.com. So if we're buying a domain name,
9:40
who has the authority to buy domain names in your organization?
9:45
It sure as heck isn't your marketing person. They should not have that authority.
9:50
They should be told they don't have that authority.
9:53
They can have all of the desires to have XYZ as a domain name for their marketing campaign,
10:00
but it's the responsibility of the technology management department to purchase
10:06
and maintain and document and apply domain related information to that campaign.
10:15
It requires people who are educated in this process to do this.
10:19
So we're in the process right now of trying to unearth this mess that a client
10:26
created because they purchased a domain name and lost authentication to that domain information.
10:34
And there's no email associated with it that's associated with the business.
10:39
And the employee that did the purchasing no longer works for the company.
10:43
So, getting access to that resource that was used in these campaigns is like pulling teeth.
10:52
You know exactly what that's like. You have to have managed processes when you're
10:58
dealing with the naming structure for your company.
11:01
You wouldn't just from a business perspective,
11:05
you wouldn't just allow any Joe Snuffy inside of your company or outside of
11:10
your company for that means to go down to the county seat and register or to
11:15
your state or to the IRS and register new business entities inside of or
11:22
as a sub entity of your company.
11:24
You can't do that from an Internet perspective either. So you have to manage
11:29
this structure with integrity and people who are intellectually responsible
11:35
and educated for maintaining domain infrastructures have to do that.
11:40
They have to be under control. Totally agree. And I think this even goes beyond the security aspect.
11:47
It's also just a cost aspect. I've done so many projects where I've had to unwind
11:53
that mess that was the result of any Joe Snuffy with a credit card being allowed to purchase things.
12:00
And frankly, the owners of the business are oftentimes equally as culpable.
12:06
You know, so it's not just the marketing department doing it,
12:11
but it takes so much time to unwind that.
12:15
And then when there is an issue, I remember so vividly, so many times we've
12:22
had a ticket or a request from a client that's like, oh, I've got this problem
12:26
and I'm trying to solve this problem. And I'll look at it and go like, well, where's the login ID for the DNS?
12:33
In fact, for that matter, where even is your DNS hosted?
12:37
And then you get to a point where, gee, well, the DNS hosting that you have
12:42
doesn't actually support the record types that are
12:46
required, or the publishing time on it is so bad that you can't actually get
12:53
any sort of DNS record changes published to the world in a timely fashion to resolve the issue.
12:59
And in the case where you're like, okay, well, if we just had access to the
13:04
domain information, then we could move the DNS hosting.
13:09
Well, you can't because there's no darned inventory.
13:14
There's no standards for it. So the things that people in business decision-making
13:21
spaces think, they're like, oh, well, I'm going to buy from GoDaddy or I'm going
13:26
to buy from here because it's cheap. It's not cheap. Buying from those spaces
13:32
is some of the most horrifically
13:36
expensive choices that you can make, because not
13:39
only is unwinding it extremely labor
13:43
intensive, but when those resources are used, they just are so deficient from
14:00
I mean, so many times outages are occurring because either you can't get to
14:06
the domain hosting information, you can't get to the DNS hosting information
14:09
or the DNS hosting that exists, it doesn't publish records in a timely fashion. We use this example frequently. Yeah.
14:18
You don't purchase your domain structures from just any company that
14:23
comes up with a better price. No differently than you don't hire three or four or five CPA firms to handle your taxes.
14:32
And it sounds, well, it's just a domain name. I just bought a domain name.
14:38
Well, I just hired this tax guy to make modifications to my books.
14:45
I mean, I've got a tax guy over here who normally does my books,
14:49
but this guy over here just came in and just modified my books just for me because I just had a question.
14:54
Well, first off, that other CPA is responsible more than likely.
15:01
That other CPA has reasons that they do things the way that they do.
15:05
And it all comes down to this cost structure.
15:09
Just because I can do it today doesn't mean it's going to be beneficial tomorrow.
15:15
And the money I spend today needs to be in line with the money I spent yesterday
15:20
in order to make sure that my processes don't continue to cost me more money
15:26
in the future, spending good money after bad.
15:29
And more than likely, that good money is astronomically more expensive than
15:34
if you'd have just had your IT department handle the right task.
15:38
IT stuff should be handled by IT people. So
15:42
one of the things that you very frequently say
15:45
that is just a reinforcing
15:48
point to what you just articulated is that there can
15:50
only be one brain surgeon. And I just, like,
15:54
to me that is like a theme song I live by:
15:56
there can only be one brain surgeon. Somebody has to establish policies, processes,
16:03
protocols, and then once that's in place, the rest of the organization needs to
16:09
support that. And the leadership of the organization needs to enforce adherence to the policies.
16:16
Nothing but chaos, turmoil,
16:21
high levels of expense, and frankly, a lot of toxicity inside of organizations
16:27
come from a lack of policies, protocols,
16:33
processes that are also enforced by the leadership.
16:37
We talk about operational maturity all the time.
16:40
And this is just one of the aspects of operational maturity.
16:45
You have to establish and add to this the Mike Michalowicz book, The Pumpkin Plan.
16:55
You have to establish whose pumpkin you're issuing to which person.
17:01
And they have to understand what pumpkin they're responsible for growing in the business.
17:08
If you're a marketing person, you grow marketing pumpkins. That's it.
17:12
That's your biggest pumpkin. You do marketing.
17:16
But as soon as it crosses the line out of application choice for CRM,
17:23
application choice for ERP, application choice for DNS management,
17:30
that's not your pumpkin. And you have to go to the person who's responsible for managing that pumpkin. Extremely important.
17:38
I think another way to think about that is that the business wants to be supportable.
17:44
In order for them to be supportable and receive support,
17:48
they have to be in alignment with standards, which means that IT does need to
17:57
set the standards, but then the business needs to adhere to the standards.
18:01
Otherwise, they shouldn't have an expectation that they're going to receive
18:05
support. And adherence from an executive perspective means dissemination of
18:11
adherence to the people in your organization.
18:15
It can't just be something that the owner says, okay, we'll take care of that.
18:18
That you, as an owner of an
18:21
organization, you have to disseminate how the
18:24
organization is going to run to the people within your organization. And
18:28
when it comes to things like technology management, DNS control, as we're talking
18:33
about here, the dissemination of who handles what tasks in the business is very
18:39
important, so that the rest of the staff can understand, when I have this need, this is where I go.
18:45
And that's right what you're saying. Uh-huh. Right.
18:50
So I want to pivot to a little bit more on the technical side of this now,
18:56
going back to the Hacker News article, because I think that the Hacker News
19:02
article was really not terribly clear about some of those aspects.
19:07
And I think we've certainly addressed the two core things that people could
19:12
do to prevent this issue from happening to them.
19:15
You know, key number one is if you buy a domain and you use it for some sort
19:22
of a business purpose, like a marketing campaign, even on a short-term basis,
19:26
that's it. You own that sucker forever. That's rule number one. Rule number two
19:31
would be you need to have business processes where you are handling your DNS
19:38
record management review and quality control with a completeness of level of operational maturity.
19:49
And that includes procurement side, inventory side, standards,
19:53
and the whole nine yards. This cannot be done on sort of a flim-flam basis.
20:00
It needs to be extremely rigorously structured.
20:04
And I would also like to inject that it's really the quality control of these
20:09
things I have personally experienced is above the skill set of someone that's
20:17
like a PC technician or your standard IT manager.
20:21
They just don't have that kind of background in that.
20:24
This is more like it's okay for them to follow a standard if the standard was
20:29
developed by somebody like a CISO or a CTO.
20:32
But I have yet to just see most...
20:37
operational IT that's not in, like, an executive capacity come up with these standards
20:43
whole cloth on their own. I just don't see that. I mean, what's your experience?
20:46
And I completely agree.
20:49
In addition, one of the things that we see frequently is an organization will
20:56
hire a web development company to come in and build their website.
21:00
And by your expression, you know where I'm going with this. Your web development
21:04
company builds websites. They don't manage the keys to your kingdom.
21:08
Your DNS information, your domain information are essentially the keys to your business.
21:15
I've watched web development companies. You didn't pay a bill.
21:19
You didn't want to use their service anymore. They got all high on the collar and turned off your website and you lost
21:29
access to your domain and your email stopped flowing.
21:32
And you ended up with all this big struggle as a business owner because you
21:38
gave the keys to your kingdom to somebody who wasn't responsible for managing
21:42
it, who shouldn't have been responsible for managing it.
21:45
As a business owner, you own your domain.
21:48
If you have a contract with an external service provider like Quality Plus
21:53
Consulting to manage your DNS, that's perfect.
21:57
But because they're qualified to do the job, they should be the company responsible
22:03
for doing the management of your DNS external to your organization. But you own the DNS.
22:11
The domain name should belong to the entity, not to any other external service
22:18
provider who is managing that entity.
22:21
But if you do choose an external service provider, they need to be held accountable
22:25
for managing your domain name for you.
22:29
You've touched on so many incredibly important points here. So I continue to
22:33
encounter situations where somebody, say,
22:37
has an agreement with a web dev company, and then the web dev company will literally
22:41
go and as part of some sort of
22:44
a marketing effort, or they'll do a domain transfer, something like that.
22:49
They'll register that domain to the ownership of the marketing company.
22:54
I'm not talking about just the admin contact or the technical contact.
22:58
No, no, no, no. They list themselves as the owner. As the owner.
23:02
And I have caught these people doing that so many times, and I have called them out on it.
23:10
And the clients, if they would simply use a procurement process where they enable
23:19
themselves to be making informed decisions by engaging their CTO or engaging their CISO,
23:27
so rather than just strictly going to the web people,
23:32
all of these issues could have been avoided.
23:35
Just in the last six months, I have been engaged with a web dev company on behalf of a client.
23:43
And I think overall, the web dev company does a good job, but there are clearly
23:49
aspects that it's not their wheelhouse, that they just are not the experts on.
23:56
And so by the client having me involved, I've been able to put terms and conditions
24:02
and language in the statement of work agreements with the web dev company and
24:10
the client that represents the client's best interests.
24:14
Now, had the client not gotten me involved on that, they wouldn't be having
24:18
that as a benefit. There's so much more to DNS and the domain infrastructure
24:24
of an organization than the website.
24:29
Yes. Yes. That web hosting company doesn't handle your email.
24:32
Most commonly doesn't handle your email. They don't handle external service
24:39
providers where you have APIs connected to an external location to access or
24:46
to transmit data back and forth. They don't handle access to SQL servers or database access. There's so much.
24:56
They don't handle remote support or remote access into your network.
24:59
They handle the website. So you really need to make sure that as a business owner, you need to make sure
25:05
that your technology department is responsible for managing the DNS records in
25:11
your organization, not some other external company.
25:14
I've personally seen so many clients who have had major outages just because
25:20
they inappropriately gave access to some either external marketing firm or some
25:27
external web development firm to some records.
25:32
I had an example where a client reached out and said, oh, do you have the login
25:39
credentials to our LinkedIn company page?
25:41
Because we want to give those login credentials to the external marketing company.
25:46
Okay. Well, my head about detached from my shoulders. Okay. Because I'm like,
25:51
first of all, well, it doesn't work that way.
25:55
Well, it can if you really want to give away the keys to your LinkedIn accounts.
26:02
Well, I mean, that is just so wrong in terms of the way to handle that.
26:06
I mean, like, first off, if there's a marketing company that literally is saying,
26:11
give us the credentials, oh, please just stop right there.
26:15
Stop using the marketing company. Just do not hire those people because their
26:19
instincts on things are so apocalyptically bad.
26:24
You know, a more appropriate request would be something like,
26:28
you know, hey, can you grant us not like company admin,
26:33
but like a publisher poster access to your company LinkedIn page.
26:40
And then this is the email address of our person at our company,
26:44
at the marketing company, who's going to do that for you.
26:46
And we don't need to have admin, just give us the ability to create posts.
26:50
I think they call that the creator role or something like that.
26:53
But the bottom line is that that's a marketing company that actually respects security.
26:59
And I was just in an email debate yesterday with another web dev company who
27:04
was literally not even understanding the hosting technology at WP Engine.
27:12
And they kept bringing up this commentary about how, well, we need to transfer
27:18
admin. And it's like, I already have admin.
27:20
The company already has admin. Because when QPC set up the WP Engine account
27:25
for the client, we did it where it was owned by the client. QPC doesn't own it.
27:32
The company owns it. The web dev company doesn't own it. So there's really nothing
27:37
to transfer from an admin perspective. And they demonstrated through this email chain that they didn't even understand
27:47
what their preferred website hosting company is even capable of.
27:56
And some of the things that they were commenting about were, like,
28:00
stuff that they should have handled as part of a migration project.
28:04
They're like, oh, well, the, you know, the old stuff that's no longer needed
28:09
in the account, it hasn't been removed yet.
28:11
Okay. Well, whose responsibility was it to do that? It's not mine.
28:15
I'm not the web dev who was engaged to do that migration project.
28:19
So there's so many struggles,
28:23
I think, that a business has in the instance that they don't have their CTO
28:30
or their CISO involved in these sorts of vendor management engagements or vendor
28:38
relationship engagement. You bring it up so many times.
28:43
You're talking about how the technology is so nuanced and complex that the business
28:54
owner really can't all by themselves represent their interests.
28:59
You know, they really need a relationship with a CTO or a CISO who can advise them effectively.
29:08
Otherwise, you know, the only decision making factor that they really have on
29:12
things is like, well, do I like this person?
29:14
And do I, you know, think I trust them?
29:17
And, you know, do I have a referral to them from one of my friends or something
29:22
like that? But they don't really have anything other than that to specify guardrails
29:27
on the terms and conditions of the relationship. Rewind to a previous podcast in UPC's Breakfast Bites list.
29:37
It is a common discussion, very, very common discussion.
29:43
Business owners think that they can wear all the hats and you just can't.
29:47
I mean, Felicia, you're a business owner. I'm a business owner.
29:52
We understand the fact that we have to surround ourselves with other people
29:56
to wear those hats. It goes back to Mike's book, The Pumpkin Plan. You can't wear
30:02
all the hats to manage your business, and you definitely shouldn't be wearing hats you're not technically trained for,
30:09
so you should be passing those hats off to trusted individuals to support your
30:13
business to do that. Right.
30:16
I don't think we've covered this newly registered domains thing quite yet well enough.
30:22
That's another big deal. It is.
30:27
It's a massive security problem. I mean, massive.
30:30
So let me tell you my perspective on it, and then I want to hear your perspective
30:33
on it. Well, let's define it first. Let's define it first. So newly registered domain names, you are,
30:41
let's just use the one in this example, you are msn.com.
30:46
And you go out and you register msn2.com.
30:51
Because you have another function in your business you want to do inside
30:57
of your company and you don't want it to go to your main domain name.
31:01
You want it to go to a different domain name. So newly registered domain names are domain names registered,
31:07
what is it, within the last 90 days? Last... what is the standard?
31:11
I think it's 90 days. Yeah. Yeah. So in the last 90 days and the struggle with
31:17
this is that most firewalls in the corporate space and web content filtering, even on endpoints.
31:25
Correct. Oh, and even on endpoints now. Right. With web content filtering
31:30
built into endpoint management software. Right.
31:34
Antivirus software, as we used to call it. But so those software packages are
31:39
now set to restrict newly registered domain names from just coming up on your browser.
31:46
So it'll block newly registered domain names from showing up.
31:49
And the reason is because scammers use new domain names frequently.
31:56
They'll change a specific letter and you'll think it's that domain name and
32:00
they just registered it within the last two weeks.
32:04
So solutions that security professionals put in and that software developers
32:09
put in for protecting your system are to prevent you from getting to newly registered domain names.
32:17
So there's the definition. Excellent definition. Excellent recap on that definition of it. Yeah.
32:23
So there's basically a ton of risk associated with newly registered domains.
32:30
And even just within the last week, I received a request for,
32:36
oh, well, we want to use these particular domains associated with marketing
32:42
efforts and we want them whitelisted. So I feel like a broken record.
32:48
I feel like the broken CISO record quite frequently when I'm saying,
32:52
okay, please do not ask me for whitelisting anything.
32:56
Creating exceptions is not legally defensible. Thank you.
33:00
And the core reason around creating exceptions, not being legally defensible,
33:07
is because as a company, you've paid for security protections.
33:13
You've paid for some level of technical controls, whether it be the endpoint
33:17
protection software and its web content filtering or web content filtering through the network layer.
33:25
Or both, right? You could even be paying for an additional layer,
33:30
because defense in depth is a fantastic concept.
33:32
You could also be paying for it through DNS filtering.
33:37
So all three of those layers, at a minimum, all three of those layers,
33:41
there's other ways to do it too. But those three layers offer the company the opportunity to not have bad mojo
33:52
delivered to their users. And so that aspect of blocking the bad mojo is oftentimes based upon dynamically
34:01
updated, curated, very professionally managed category lists.
34:09
And there's, I don't know, maybe 15 companies in the world that really do that professionally.
34:16
And that's all that they do. And they use a ton of AI to do it.
34:20
So it's generally not the IT department who is specifically managing that.
34:27
That's a subscription service. And so it becomes a professional security product that the company is paying for and subscribing to.
34:40
So it's no different than email security scanning, geolocation control, all of those solutions.
34:49
Right. There has to be somebody else who's maintaining this because there's
34:53
no way your IT department can maintain it.
34:56
So it becomes a technical control component of your security posture.
35:03
As such, when you fill out your cyber insurance application and your cyber insurance
35:09
application says, do you have these things in effect?
35:13
And you say, oh, yeah, we have web content filtering or, yeah, we have DNS filtering.
35:19
We have web content filtering at the endpoint layer and at the network layer, right?
35:23
So when you say to your insurance company that you have these technical controls in place,
35:30
you cannot be invalidating your cyber insurance policy by telling your IT to
35:41
create exceptions to that. To poke holes in it.
35:45
I mean, that's essentially what you're doing by creating exceptions.
35:49
Granted, you may have approved the exception, but essentially you poked holes in your solution.
35:54
Yeah, I have a wonderful example of this, completely real world example of this.
35:59
And it's just, I mean, it's fantastic because it drives this point home very phenomenally.
36:04
So we had a client who engaged with a particular bank website on behalf of their
36:11
customers because they basically like, you know, they did accounting for them.
36:13
And it turns out that that bank website had
36:17
been compromised, and so
36:20
we ended up getting a support ticket that was
36:23
like, hey, we can't get to this bank website, you need
36:26
to allow us access to this bank website. So I
36:30
go and I look at it, and what is the categorization that's happening? Well, it
36:35
came up as compromised websites, which is the same sort of functionality that
36:40
is delivered through the automatic AI classification of newly registered websites.
36:47
So the way I handled that particular request is I referred the client back to
36:53
our written policy on how we handle websites that are getting blocked.
36:59
And then I called them and had a conversation with them.
37:03
And I basically said, look, if you really deeply need to get to that website,
37:09
I would really strongly encourage you to utilize a burner computer that is not
37:20
on your company internal network because that website is compromised.
37:28
It is not even remotely legally defensible for you to access that known compromised
37:34
website from an internal work computer that has access to other sensitive data.
37:43
And so I said, if you really want to fix the problem, call the bank and tell
37:49
them that you can't get to their website because it's compromised.
37:54
And so basically I
37:57
would not create an exception for that, you know, because it's bonkers, right?
38:03
It's bonkers. In the instances where people want us to create exceptions for
38:09
newly registered websites, again I refer them back to our written policy on it, and I'm saying to them,
38:17
We cannot in good conscience do this because, let's say, for example,
38:25
that newly registered website isn't fully and competently maintained.
38:31
Next thing you know, it's compromised, and now it's hosting malware.
38:36
And you've instructed us to create an exception.
38:40
Now, at the point in time that known malicious content is being hosted through
38:46
that, it's maybe not a newly registered website anymore,
38:50
but you've asked for your security solution to be blinded to that new categorization.
38:58
Well, you've just created a hole through your security and you will probably
39:04
get compromised adversely because of that, right?
39:06
So I think this goes back to the point of marketing needs to be working with
39:13
the CTO or the CISO or both.
39:18
Because if marketing doesn't have respect for the people in those positions,
39:24
then the productive business collaboration can't happen.
39:28
It would be awesome to be able to have that relationship with the marketing
39:34
people where they would meet with the CTO or the CISO quarterly and say,
39:41
hey, we're thinking about these business initiatives.
39:44
Is there anything that we should be doing proactively, effectively,
39:46
you know, et cetera, et cetera. So what are your thoughts about those things?
39:49
And in that same discussion, it's not like this used to be this way.
39:59
So it didn't used to be a major issue or it didn't used to be really an issue
40:05
at all that you could create a new domain name today and have it effectively
40:10
work tomorrow for the entire world.
40:14
It's the security posture of the world that's changed, that's caused us to have
40:20
to take additional precautions in protecting clients' networks.
40:24
And it's these malicious
40:27
actors that are causing this
40:31
to happen. When somebody finds a new way to break into a house, lock
40:37
companies figure out new ways to create locks to prevent people from getting into
40:40
houses, and this is the situation in technology. So every time, and this is on a daily basis,
40:48
and the bad actors are increasing in numbers exponentially.
40:55
So the IT infrastructure is having to work overtime to stay on top of the problems.
41:03
The reason why we use all of these external resources and why companies have
41:07
to pay so much money for their solution stack,
41:10
specifically their security stack, is because you want to maintain your business
41:15
and you want to keep your business uptime as high as it possibly can be,
41:20
you don't want these bad actors from taking your networks down or causing stress in your business.
41:27
So we are having to add new solutions to this list.
41:32
Sometimes once every six months,
41:34
sometimes once a year, we have to add something new to the process.
41:38
We have to train somebody on how to do something new that they didn't have to do before.
41:43
And it's because we're trying to protect the network along the way.
41:48
So maintaining your security posture,
41:52
it's so important that you're using companies that are intrinsically connected to one,
42:01
the world's deliverance of problems and solutions to those problems,
42:08
and that they're constantly paying attention to how those problems can affect your network.
42:14
They're implementing great standards in security and doing better than best
42:20
business practice in how they protect your company's intellectual property.
42:27
It's extremely important that you're hiring and working with extremely competent
42:32
technology service providers, not just somebody that's putting together a solution stack because they
42:41
heard about a new service on the Internet. I guess that's the gist. To that point, I think you just touched on something
42:50
that's, I think, a bit of a hot button for me.
42:53
And even just earlier this morning, I got a query from another business owner
42:59
where they were asking for the answer to a particular question.
43:05
And I pointed them to the fact that I've written white papers about that particular thing.
43:11
And I've done a number of podcasts about
43:14
that particular topic and really gone into it
43:18
in very adequate depth through those resources to make it so that someone could
43:27
be making a contextually and requirements-based informed decision about the
43:36
direction that they want to take. And this person's response to me was like, this takes too much time.
43:44
And it does. Security is a nonstop 24-7.
43:49
It's actually more like a 47 if we could cram more hours in a day.
43:55
Security is an extremely detailed process, requires a lot of people in a single
44:01
organization to stay on top of the process.
44:04
And even all the external tools that
44:07
we use, the automated tools that we use, they're not
44:10
enough to eliminate the
44:14
necessity of human interaction with the
44:18
process. And I don't know that that's ever going to reach that level, probably
44:23
not for as long as we're alive, or probably the next three generations, you know.
44:29
It still is going to always be required. Somebody defines the requirements in a written format,
44:35
they evaluate solutions to be able to deliver an outcome against the set of requirements,
44:43
and then they actually have to do real testing.
44:47
Because the evaluation, the way I would look at it is kind of like a tabletop exercise.
44:52
Versus the real testing is, okay, now we get it and now we actually do like
44:57
a, you know, like a real BCDR sort of testing instance,
45:03
you know, you have your, your passive tabletop exercises, and then you have
45:07
your actual real, like incident response testing.
45:10
And I'm just using that as an example, because tabletop exercises can be used
45:14
for, you know, all kinds of things in decision making processes.
45:17
But anyways, my main point is, I just find it completely ridiculous that somebody's
45:24
response to a suite of free, this is the ridiculous part,
45:32
free resources are available to help you make
45:38
informed decisions, and you can't make enough time in your life to put yourself
45:45
in a position to be an informed decision maker.
45:49
Not everything in life is simply, oh, gee, I'm going to subscribe to this thing
45:56
for 150 bucks a month and it's going to solve my problems.
45:59
To me, that's the same sort of failed paradigm as I see a lot of businesses
46:04
doing where they're looking to hire IT, an external IT service provider,
46:09
and then they want to transfer all risk to that external IT service provider.
46:16
And then they want to abdicate all involvement in responsibility of delivering any of those outcomes.
46:25
When 90 to 95% of the problems in a business are people, policy, and process.
46:33
The IT department is technical controls and support and maintenance.
46:40
If you have a CTO or you have a CISO, yes, they can help you with policy,
46:46
but unless you've given them that authority over your organization,
46:50
it becomes an officer of the company that has to be the one who says,
46:57
I'm approving this policy, and we now as an organization will be held accountable to this policy.
47:04
I wonder, go ahead. Well, until that threshold is met, as far as I'm concerned,
47:10
the customer is not fulfilling their portion of the shared responsibility model.
47:15
I'm really wondering just how much more integrity there would be inside of businesses
47:23
today if they did put the CTO and the CISO in charge of business operation.
47:32
Oh, I mean, you just chalk that up as one of Kyle's genius statements of all
47:38
times, because I continue to have these thought processes over...
47:45
You know, wow, what would happen if the CTO became the COO?
47:51
Or if just there was a flip in order of precedence, order of responsibility, order of leadership.
48:02
Because the way that the world is running today, if that change doesn't happen,
48:07
if business executives, if CEOs don't realize that the top person in their organization
48:13
underneath of them needs to be the CTO,
48:16
and directly in line with that is the CISO, if they don't realize that here pretty quick,
48:24
these bad actors are going to consume these businesses and it's happening. It's happening.
48:32
We see it constantly in the news. This event right now is a great example of that.
48:39
What we only see in here are just the notices of what affiliated big brands
48:48
were associated with the event.
48:50
We don't really see the ramifications of those 8,000 plus domains.
48:56
And the ramifications are ransomware, stolen PII, remote access to machines,
49:07
invasive technology solutions being deployed.
49:11
And a lot of these things we won't see.
49:15
I mean, this article came out February 26th. We won't see the ramifications
49:19
of this potentially for six or 10 months because this is what the hacker does.
49:27
They come in, they sit, they monitor without anybody knowing.
49:31
And then 10 months later, they activate.
49:35
Right. After they've gathered all the information that they were looking to
49:39
gather on the machines that they've infected.
49:41
And if you don't have a CTO or a CISO in charge of your organization's deployment
49:48
of technology and solutions decisions related to technology.
49:53
You could be bothered by this and your IT department has no clue it's even happening.
50:00
So you touched on one aspect here that I think people oftentimes do think about,
50:06
although I think they don't put enough weight on the adverse impact of the financial
50:14
adverse impact of the factors you just articulated.
50:17
I think there's another crucial one that they also typically undervalue or underestimate,
50:24
which is the adverse financial impact,
50:30
which, of course, is now just affecting the whole profitability of the business.
50:34
And the whole question is, do you want to continue to stay in business?
50:37
Because if you continue to just light money on fire, then you're not being competitive
50:42
in the marketplace and just all kinds of problems come from that.
50:47
And so by not having the right people involved with strategy and those policy decisions,
50:54
it can lead to not just the adverse financial impact of what bad actors are
51:00
up to, but it's the decisions that everybody else in the IT realm is also making in the business.
51:08
So my example of that is, let's say you have a data center and you had 500 server
51:15
workloads in that data center, and you basically had three people,
51:20
one person per shift, who was maintaining that data center.
51:23
And you've already got the real estate, you've got that building,
51:27
you're already paying the property tax on that, and all of those things, right?
51:32
Those expenses don't really go away if you move those workloads to public cloud.
51:39
But what does happen if you move those workloads to public cloud is you're now
51:45
going to pay 5 to 7x the cost of that.
51:50
Furthermore, I'll add that the
51:52
people to maintain the public cloud hosted resources are more expensive.
51:58
And then you have a completely separate risk profile, which is much harder to
52:04
manage and much harder to visualize.
52:08
In the realm of now you've got 500 servers sitting in public cloud.
52:14
Then that's a lot harder to assess and also lock down from a network access perspective.
52:23
On the other hand, those 500 servers in your data center, oh,
52:28
that becomes easy to lock down.
52:30
That opens up, once again, back
52:33
to a previous podcast about the
52:37
lack of security inside of
52:40
cloud infrastructures versus on-premise infrastructures and just the passing
52:50
off that business executives think that they can do because now they've moved
52:55
to the cloud in relationship to security.
52:59
And another point in this, in this example of this article, VMware is one of
53:06
those companies who they specifically highlight where they had two hijacked subdomains found.
53:13
Cal.vmware.com and www.vmwcal.com.
53:18
So the domain takeover, the affected domain was cal.vmware.com,
53:23
and the takeover was the second one, www.vmwcal.com. And this was hijacked in July of last year.
53:32
As we look at this, VMware is a $61.5 billion company in 2024.
53:41
They probably have processes in place on how DNS is supposed to be managed in their business.
53:49
Something went awry in that process that caused this issue.
53:54
More than likely, they have looked at that and have adjusted.
53:59
They're probably not getting rid of old domains. And they're probably doing
54:05
better at how they manage the domains that they currently have.
54:09
So, as a small business owner, as a medium business owner, as a business owner
54:16
that's not doing a billion dollars in business, let alone $61 billion in business,
54:20
it's just as important for your organization to have people in place who can
54:28
manage this data properly. You can't just think that you're not going to be affected the smaller your business becomes.
54:36
And although we'll probably have another podcast on it in the future,
54:41
there are statistics today that are showing an extensive increase in the hacker
54:51
community targeting small business.
54:54
Because they're a soft target. Because they're now being seen as a soft target
54:59
and small business under 20 employees is 88% of the population.
55:06
Yep. So if 88% of the population,
55:11
I mean, it's the whole reason why Windows computers were attacked by hackers
55:15
more than Macs were back in the day, because 97% of the population used a Windows machine.
55:22
And so there were more potential opportunities for them to gain access.
55:27
And they're realizing that in the small business capacity today,
55:30
small businesses have a lot of value to give to the hacker community.
55:34
And in the mass numbers that they are as a collective,
55:40
they give more information and easier pathways of extraction than the detail
55:49
level of work that they have to do with larger companies like VMware.
55:53
And yet VMware was still penetrated.
55:55
I didn't do any research on what cal.vmware.com was for.
56:01
I hope it wasn't client access licenses. That would be crazy.
56:06
Yeah, that would be crazy. That would be pretty apocalyptic if a component of
56:14
the licensing structure, so we're now talking about the customer licensing infrastructure of VMware,
56:22
was actually the thing that was compromised. Right.
56:27
Well, I think we've covered this very well now.
56:30
And I really genuinely hope that people finally get it, that they need to have
56:38
a CTO or a CISO or both, you know, or both.
56:43
And they need to stop asking for whitelisting.
56:46
They need to stop thinking that they're saving themselves money by not proactively
56:54
engaging the correct IT resources,
56:57
that IT needs to be their business partner and not just simply tech support, not an afterthought.
57:06
It's not an expense in your business model. It is your business model.
57:11
You are a technology company. Regardless of whether you wanted to get into technology as a technology company
57:19
today or not, technology runs your business. You don't.
57:22
You facilitate technology in your business to conduct a business.
57:26
And the better you do that, the more efficient your business becomes.
57:30
And if you don't believe it, turn it off.
57:33
Technology runs your business. Therefore, technologists should run your business.
57:40
You always crack me up with that. If you don't believe it, turn it off. There you go.
57:46
You should see how well that works for you, right? Turn it off. Perspective.
57:53
Oh, thank you so much for your time. Thanks, Felicia. Another great,
57:57
highly educational, free resource for people.
58:01
I just, you know, we're just trying to move the needle on this because I think
58:04
we both are so unhappy by people that get really victimized by misinformation
58:11
or a lack of their own wrong.
58:16
You know, they've got like the wrong paradigm about how this stuff goes
58:19
down. You know, you can't just like delegate and abdicate.
58:23
There's no way to completely prevent it without unplugging the computer from the wall.
58:30
However, there are great ways to help protect your network and the integrity of your network.
58:36
You just have to listen to the right people to get it done.
58:40
All right. Thanks so much for your time. And hope everybody enjoyed it.
58:45
And we look forward to seeing comments. Go out to Podbean and put your comments.