Episode Transcript
0:00
Good morning. You're listening to Breakfast Bites, and I am here today with
0:04
Crystal Redman, who is the operations director from Redman Farms.
0:10
She's a rather inquisitive sort of person and came up with a number of technology-related
0:17
questions that she thought would be helpful to a variety of business leaders.
0:24
And since Crystal's in charge of the technology leadership as the technical
0:32
point of contact sort of person for the Redman Farms,
0:36
she came up with these lovely questions and sent them to me.
0:40
And I'm like, wow, those are really good ones for the show.
0:43
So do you have a question that you want to discuss with me today,
0:49
Crystal, and get to the bottom of some answers?
0:51
Oh, so many, Felicia. Okay, so
0:55
many. Okay, so randomly, just so everybody knows, like, I'm not, like, you have not
1:01
told me what the question is, so this is going to be totally off the cuff. Let's
1:05
go. That's how our relationship has been so far. My, one of my biggest burning
1:11
questions is understanding network
1:14
segmentation. I kind of
1:18
get it. I understand why different, there's different Wi-Fi networks for our business,
1:22
all that good stuff, but I need to know more. Like, how does it improve security?
1:28
Are there some common mistakes that people make when they're implementing this? What does the
1:35
typical person need to know? That's really, it's an excellent question.
1:40
And the reason I think it's such an excellent question is because network layer
1:44
security is the foundation.
1:47
It's absolutely the foundation. It's like when you're doing a house,
1:50
you have to have a lovely hole.
1:53
The hole has to be compacted and you have to have a lovely concrete foundation in there.
1:59
And it has to be all level and square and everything.
2:03
And if that isn't right, then everything else doesn't work quite right.
2:08
So the network is what everything else runs on.
2:11
You need that network to be correct. And network segmentation,
2:15
specifically micro segmentation, is actually better.
2:19
There's a wide variety of ways to do it. And I like to focus on things that
2:26
are the lowest total cost of ownership in terms of methodologies and things
2:30
that are the most sustainable.
2:33
So that means that that level of security or that type or that approach can
2:39
be attainable for even a very, very, very small organization of,
2:45
let's say, a business broker who works out of their house, a single individual.
2:51
So that means we can bring enterprise-grade security-level approaches to even a one-person office.
2:57
And that kind of approach is very important because a lot of the other network
3:02
segmentation approaches are economically infeasible at that scale.
3:09
Okay, so the way to think about segmentation is you are going to treat and classify
3:16
your jewelry box different than your underwear drawer,
3:23
different than your bookshelf, different than your refrigerator.
3:28
These are all different types of assets that you're storing in these different places.
3:34
And so you need to treat them differently. I mean, nothing's going to end well
3:38
if you take your underwear and your jewelry and your books and your food and
3:43
you stick them all together. These are just, right? I mean, these are different things that have different needs.
3:49
You know, the books need to be on the bookshelf with their other books and they
3:54
can't be having milk next to it, getting it all wet.
3:58
Same with your underwear, you know? And jewelry, we typically want that to be
4:03
a little more protected. And so the idea of micro-segmentation at its core is a concept that says we're
4:14
going to understand the assets, and then we're going to enable the assets to do what the assets need to do.
4:21
Like a TV on a guest network, for example, needs to be treated differently than
4:27
a corporate laptop. But that's different than a printer.
4:31
And that's different from a switch.
4:34
These different things have different requirements.
4:37
And so if you create a security zone profile sort of concept around these and you segment them,
4:45
it becomes very easy to create a security profile for the segment that the printers are on.
4:52
You can say, well, my rule is I'm only going to put printers Now I can create
4:58
a security zone profile that protects those printers from being tampered with or hacked externally,
5:08
but also helps those printers avoid data leakage.
5:13
Like a printer, for example, could have, let's say it got a piece of malware
5:17
on it, which is totally possible. That can happen. Right.
5:21
But then everybody that's printing, every one of their print jobs might get
5:25
leaked to some unauthorized parties, and that's highly undesirable.
5:31
And so as a result of trying to avoid a situation like that,
5:36
you need to restrict what the printers can communicate with and thus restrict
5:43
what they can send data to.
5:46
And now some devices like a TV, that's what you would call an IoT device.
5:52
The IoT devices, you try your best to create a profile of what they can communicate with.
6:00
But some devices are just really poorly engineered.
6:04
And most TVs, I would say, are the antithesis of anything that's able to be secured.
6:11
But one of the ways that you keep corporate devices from getting ransomware
6:18
is to restrict what they can communicate with.
6:21
Well, if I had to go to the level of effort of mixing TVs and printers and switch
6:32
interfaces and telephones and surveillance cameras,
6:37
you know, and company computers, right? Corporate laptops.
6:41
Oh, and guest devices. If I had to do that all on the same subnet,
6:45
do you think I could protect anything?
6:48
Probably not. Right. It becomes very difficult if it's basically practically impossible.
6:54
It's impossible to do it at an economically viable level because you can't actually
7:02
know what traffic is occurring and what IP address at what time.
7:10
So there you go. I mean, most of IT, or I should say IT security,
7:13
is this balance between trying to protect assets, but still facilitating the
7:19
functionality that someone legitimately is authorized to do.
7:24
Notice I didn't say need, right, because it's not up for employees of an organization
7:28
to discern what they need. It's up for the security management team to listen to them and say,
7:37
okay, I understand you want to do that. Now, what does company policy say about that?
7:42
And then let's see if maybe there's a company policy change that needs to happen.
7:47
I mean, a big example of that would have been when ChatGPT came out.
7:50
I think a lot of organizations failed to appropriately have an AI usage policy
7:58
before they allowed AI to be accessed in that way in their organization.
8:04
And really, they just introduced a whole lot of risk to the organization.
8:07
And network segmentation would have been a very easy way to turn that off if
8:13
it was allowed to be turned off. But unfortunately, most organizations don't function that way.
8:19
And without a governance system like a policy and without leadership who are
8:25
thinking first about risk management,
8:29
then those things tend to go nowhere. So what do you think about that?
8:34
As an answer. Does that help you understand these?
8:37
Absolutely. I'm really glad you said AI because that reminded me of another
8:43
question I have for you. Okay, go for it.
8:48
How do you see AI being used by cyber criminals in the future? Are there
8:56
new security threats on the horizon that we should be aware of that are coming. How serious is this?
9:02
I think it's wickedly serious. And I mean, I've actually already seen quite a lot of it's come out.
9:10
So one of the things that's super duper cool is we have a system called the
9:16
Breach Prevention Portal System.
9:18
And it's effectively a large scale on demand training platform,
9:24
training and assessment platform for individuals.
9:28
We can deploy it for residential home users and one-user businesses to large
9:34
businesses. It really doesn't matter. It's really cool because we can just provide it to everybody.
9:39
One of the things that comes out of that sort of interaction is that becomes
9:44
a way to provide the answers to those very questions
9:49
to the staff at an organization across the board and to enable personnel managers
9:58
to know that the staff have taken that class or those courses,
10:04
maybe it's a couple courses, and there's always an assessment at the end of it.
10:08
And how did they do on the assessment? Did they complete the assessment?
10:12
So I've already seen where the criminals are using the AI.
10:18
And I have to mention something else that I think is quite relevant here,
10:23
is that we don't, on our company website,
10:27
we don't list the employees of the company with their photos and their names
10:34
and their fun proclivities or whatever.
10:38
And I have seen organizations do this and it's typically when those organizations
10:43
are driven by marketing people instead of operational security people.
10:48
That type of information is absolutely harvested by the criminals.
10:51
So criminals will also buy all kinds of people finder lists.
10:57
So using something like a service like Abine's Delete Me can be exceptionally
11:02
useful to an individual to help reduce the number of lists that they're on.
11:08
That service is very economical. And again, that's Abine Delete Me.
11:11
I really enjoy that service. I think they do a good job at that company.
11:15
And the criminals are collating all this data using AI.
11:20
They're also drafting messages now that are less prone to have spelling and
11:26
grammar mistakes because now they're not having to do it.
11:29
They're using AI for that. They're utilizing AI to do deepfakes.
11:35
And that's the one that is really the giant meat and potatoes,
11:40
is the biggest bang for their investment
11:45
is when they're using AI tools to perpetrate deepfakes on people.
11:52
Because let's imagine that an organization didn't have their protocols together.
11:57
And if the person who or multiple people potentially who could be authorized
12:03
to do like a large wire transfer.
12:07
Well, what if they were not immune to getting deep faked and wire frauded?
12:15
Oh, this is where the problem comes in. Did you see the article about the guy
12:21
who was deep faked by like seven?
12:25
He had seven people at his company that were deep faked and he was on the receiving end of all this.
12:31
I think they had a conference call and he was the only, this was a video conference call.
12:37
And he was the only legit dude in that meeting. Did you see that article?
12:41
No, I did not. You'll have to send that to me. That sounds horrifying. I was scared.
12:47
I'm terrified now. It's pretty wild.
12:51
So imagine this dude. This guy was like the ACH wire transfer guy at a bank.
13:00
And he got deep faked in a conference call where there was like seven other
13:06
people in This was a video conference, right?
13:09
How long did he stay on this call?
13:14
I don't know. That information was not in the meeting.
13:19
But I think they got like $50 million.
13:23
Oh my gosh. Yeah, it was pretty crazy.
13:27
Anyway, so this is exactly what AI is doing.
13:31
So, right, if AI is that good now that it can do a video conference call deep
13:38
fake in order to get this guy to make it like a very large wire transfer,
13:44
this is exactly why people need, like, everybody needs this kind of training
13:50
that we have that's available.
13:53
I mean, it's really good training we have. And I've had nothing but very positive
13:59
commentary from people about like, yeah, you know, it's really cool. You got AI training now.
14:03
And, and that's really relevant. It's really practical and easy to understand.
14:07
It's like, yes, because it's a big deal. It's a big deal. So what do you think
14:11
about that as an answer to your question? Wonderful. Your answers are always wonderful. So we have AI helping cyber criminals just go wild.
14:23
You don't even need that much knowledge, it seems. You just have AI to help you out here.
14:28
I assume that means malware is probably evolving rapidly?
14:34
Right there, yes. I,
14:38
I think we adapt our strategy to counter, like,
14:41
these emerging risks. Well, that, yeah, again,
14:44
another fantastic question you have here. You know, I was thinking about your,
14:47
your malware point. It's become so super duper easy for bad actors to, there's
14:57
kind of like two things that they're doing, and I'm sure that I'm, I'm underselling
15:00
it, right? One thing that they're doing is like scenario planning.
15:03
Oh, if I ran my malware and I did this, what's the probability of penetration
15:09
into said company or theft of data or whatever, right?
15:15
So they're now able to do much more sophisticated scenario planning,
15:19
which helps them tune and refine their attack.
15:24
The second huge piece is they don't even have to be able to write code anymore.
15:29
I mean, I mean, this used to be where malware coders used to actually have to write code.
15:34
Now, granted, for probably at least five to six years, there have been ransomware
15:43
rootkit sort of things you could buy on the dark web.
15:47
So this is you got some malicious actors who are coding wizards and they're
15:54
out there and they're basically building like a ransomware kit.
15:57
And you could take a 10 year
16:00
old, and some people have done this, they'll take a 10 year old, put
16:03
them at a computer and say, okay, use this application
16:06
to go make some ransomware. And so here just a 10 year old with a computer and
16:12
this, like, ransomware wizard generator tool rootkit thing can go and generate
16:19
their own variant. And so this is a key piece here, is that
16:24
when there's, I believe there was like 100,000 new pieces of malware every hour around the world.
16:33
I mean, there's some sort of just completely outrageous statistics like that.
16:36
And so that's why signature-based
16:39
detection isn't that great anymore.
16:43
I'm not saying that people should stop using it. I'm saying that if they're
16:46
using a tool that is centric around that type of functionality,
16:51
it's going to be deficient in its capability set.
16:55
So what we use is we use something that's really a zero trust approach.
17:00
And that's where you really got to get to at the point with malware.
17:08
I could go back at least a decade, and
17:11
I can tell you that even a decade ago, if a,
17:14
if a computer got some malware on it,
17:17
it was done, absolutely done. I
17:21
mean, there was like no removing it. So the
17:24
whole thing when people buy, they pay the,
17:27
the ransomware guys and then they get their, you know, decryption keys, I mean,
17:33
I just want to laugh at that type of stuff from the perspective of saying that
17:37
if you think you're going to get data back that actually has integrity
17:42
that you can count on, I think that's a naive thing.
17:45
And if you also think that you're going to get usable systems from paying that
17:50
ransomware, I think that's also a very naive approach.
17:54
Because even 10 years ago, there was really no viable method for correcting
18:00
a computer that had been something malicious happened to it,
18:06
other than you have to wipe the whole thing.
18:09
I even saw, oh my gosh, I can tell you it was the year 2004.
18:13
This was a super long time ago. It was 2004 when I saw partition persistent malware.
18:23
So if you took a computer and had this nasty thing on it, you rebuild the whole thing.
18:28
And well, shortly thereafter, it was getting something nasty, infecting it again.
18:35
What was the one thing that continued to need to be done there?
18:39
Well, it wasn't just format the hard drive. It was all the partitions had to go too.
18:45
So this is something that you have to realize.
18:48
And sometimes you have to question, hmm, has somebody contaminated the BIOS on the motherboard?
18:55
Has it infected a USB attached device like a keyboard or a mouse?
19:03
You know, some of these monitors now have like an integrated docking station
19:08
in them that has its own brain chip, effectively. It has its own motherboard, right?
19:12
So you're now in the world
19:17
where you have to assume that everything is a threat, and you have to use dynamic
19:22
live updating databases. So we're talking about zero trust. I have to protect my monitors now too.
19:30
Yes, yes you do.
19:33
I mean, you've always had to protect your monitors from nasty power surges,
19:39
but now monitors have firmware in them. Did you know that?
19:45
No, my mind is right now.
19:49
Okay, so I thought I would just plug it into the wall for a power strip,
19:54
and then you have that HDMI cable, you know, harmless.
19:58
We're good. I don't think about anything.
20:01
No, the HDMI cable is bidirectional in its communications capabilities.
20:08
And so the monitor has firmware, and something has to be able to update the firmware.
20:15
So there are various communication channels
20:20
whereby a computer could do a firmware update, legit or otherwise, to that monitor.
20:28
Actually, this is exactly why I have a very, very strong love for mature and
20:38
enforced procurement policies.
20:40
If you have a procurement policy that does not allow your team to go down to
20:47
random store and procure things like a USB charger, in fact,
20:53
well, I mean, shoot, you've seen these business,
20:55
you've seen these news videos you have to have.
20:59
I mean, I feel like they're like all over the place where is somebody saying,
21:03
you know, do not plug into your mobile phone, you know, a random power cord.
21:10
I didn't sleep for a week after I read the article about these USB phone chargers
21:16
and what's on that could potentially be on them and the threats they pose after.
21:21
Wow. My mom was pwned then.
21:24
Oh, yeah. Yeah, well, I mean, this is one of the reasons why we use wireless
21:28
phone chargers, because that's a surefire way to be successful with that.
21:35
Rather than telling somebody, hey, only use the phone charger that came with
21:39
your phone, I'm saying, hey, don't use the wired phone charger at all.
21:43
Use a wireless phone charger. And they're like, oh my gosh, I got to buy phones that are capable of that.
21:49
And I'm like, the quantity of phones nowadays that can't do that is getting
21:53
even smaller and smaller and smaller. So.
21:57
Bottom line, let's go back to zero trust.
22:01
Zero trust is effectively saying we have to assume that everything is malicious
22:06
until it's been inspected. And this isn't a matter of scanning. It's a matter of do I know you?
22:12
So there's a classification process. Let's say there's an unknown thing that's
22:16
unclassified and it is attempting to do something on a computer.
22:22
Well, the protection tools will grab that thing and they will upload it into
22:30
a virtual machine in the cloud.
22:33
They will execute that thing on the virtual machine in the cloud.
22:37
So this is a terminology we call detonating. You know, it's detonated in a virtual
22:42
machine in the cloud, and then we get to find out what happens.
22:47
Does it hack that virtual machine or not?
22:51
And so this is a way of doing behavior observation and outcome observation.
22:57
There are also those sorts of processes that
23:00
are going on all the time. Like, a great example is if you have
23:03
really good zero trust threat protection, then it's
23:07
going to look at it and say, oh, we have Microsoft
23:11
Word is invoking a
23:14
PowerShell instance. What do you think about
23:16
that, Crystal? Do you think that Word should invoke PowerShell? No,
23:21
why would it need to? That's exactly
23:24
right. So it smells like something malicious,
23:27
doesn't it? Okay. It's, so
23:31
zero trust is like, we're, we're gonna, do we trust Word? Yes, we've classified Microsoft
23:38
Word, but now we're still gonna watch it. If Microsoft Word is doing something
23:44
weird, then we have to think that Word, even though it's a legit tool,
23:51
maybe it has a malicious plugin embedded in it or something.
23:54
This is no different than if you look at like a web browser,
23:56
take Edge as a web browser.
23:59
It can have a malicious browser plugin. And then that malicious browser plugin
24:03
can do nasty, naughty things.
24:07
So we got like about four minutes left.
24:10
So why don't you give me your next kind of small question if you have one? Small? I don't know.
24:19
Antivirus software. Now, I'm thinking back to the days when I first got a computer.
24:23
You know, you have that notency when you get pushed in and you're,
24:26
as far as everybody knew, everything was great. We're protected.
24:30
I guess, how has that changed since then? And how machine learning,
24:36
has that impacted AI machine learning, the effectiveness of this antivirus software? Is it effective?
24:43
Is it worth it? I don't know. Well, I don't even like to use the term antivirus anymore.
24:49
In fact, I pretty much stopped. As a modus operandi, I'm only utilizing the
24:55
terminology, you know, zero trust threat protection or, you know,
25:00
endpoint protection detection and response. And the reason is because
25:06
these things really cannot be unmonitored anymore.
25:09
So we do NOC, SOC and MDR, and without killing you with acronyms, it's just
25:16
basically security monitoring, security response, actively 24 hours a day. Now,
25:22
we only do that for the clients that subscribe to that service.
25:27
But that's like, you know, having a little monitor, a protection system,
25:34
like having your own cop that's running around with you all the time.
25:37
Like, you know, the cop's going to watch who's coming in on your zone and should
25:42
you get to go visit Crystal or not. And then how is somebody interacting with Crystal, right?
25:49
That's kind of like having your own personal cop. But we use a lot of machine
25:55
learning and AI for that to keep costs low.
25:59
And the system is really incredible.
26:02
And as a result of that, we have not had a single client get breached who was
26:09
under our full management. The only times we've actually experienced issues is when, you know,
26:16
other people are involved that don't have the same level of training or vigilance on this matter as we do.
26:23
But I don't really use the term antivirus anymore, just simply because antivirus
26:27
represents approximately maybe 10 to 15% of the kind of protection capabilities
26:34
that you need just for your individual computer,
26:37
right? That was my next question.
26:40
Is it enough for personal use? Do I need to supplement with other tools?
26:44
Something like I certainly do. Yes. And so we get to the question of, is this economically viable?
26:51
And I really feel like so many people just think about this wrong.
26:57
They think, oh, well, this is only just for my home use. And it's like,
27:01
yeah, but it's your bank account. You know, it's your identity. How many people do their tax return on their home computer?
27:10
I mean, how many people are interacting with their bank account and their bills
27:14
and their credit card and all of their personal photos and their personal files?
27:20
I mean, these are, you know, the family jewels.
27:23
I would think that they would be looking at this and going like,
27:27
well, I really need some enterprise grade protections here because that's how I think about it.
27:32
I'm like, how much time am I? Go ahead. As a normal everyday person,
27:37
I was guilty of this before. I had no idea that all these threats existed that I was completely naive to
27:47
just go on Amazon, buy a monitor, buy a USB charger.
27:51
Who cares where it came from? Not even looking at the seller.
27:53
Did they just open a shop? No idea. Just purchasing because, well, I have no idea the risks that are out there.
28:01
I don't know the big bad wolves out there. I do now.
28:04
I think a lot of people don't know or they don't care to know.
28:08
Yeah, brands definitely matter. I mean, I would only ever personally purchase
28:13
a SanDisk or a Western Digital. That's it. And there's reasons for that.
28:19
And the brand matters.
28:22
For me, the whole thing around that is that I think that their firmware process
28:26
is done really good and it makes those devices harder to hack. So that's cool.
28:31
Well, we're out of time. Thank you so much for joining me.
28:34
I hope that you will come back and ask me some more of these questions because
28:39
I think your questions are fantastic. Oh, absolutely. I promise I have a lot more for you. Okay. All right.
28:46
Talk to you next time. All right. Thank you. Bye.