Speaker 0 | 00:07.139
All right. Well, welcome to another Dissecting Popular IT Nerds, where we’re allowed to geek out with our fellow nerds. Today, I’m proud to introduce Josh Smallman, who’s a cybersecurity ninja. So, Josh, welcome to the show. And please tell us which dojo we want to look out for if we want to get our own cybersecurity black belt.
Speaker 1 | 00:30.392
So first of all, I want to say thanks for having me on the podcast, Mike. Once again, my name is Joshua Smallman, or people usually just call me Josh. The dojo, just to answer your question, that dojo is located all the way in Trinidad, because that’s where I’m from. I’m located in Trinidad, that’s in the Caribbean, beautiful Caribbean islands. So anytime you’re ready to come over to the dojo, you could probably spend some vacation time as well.
Speaker 0 | 00:57.640
All right. I’m working on getting my passport, so hopefully I’ll be able to be there very soon.
Speaker 1 | 01:03.202
Looking forward to it.
Speaker 0 | 01:06.543
All right. So he wanted to talk to us today about the evolution of cyber. So let’s start there.
Speaker 1 | 01:14.487
Yeah, sure. So I’ve been working in the IT industry for about 15 plus years. So I worked in various… positions, environments. I’ve worked for ISPs, government agencies, academic environments, you know, you name it. For the past three years or so, I’ve been mostly focused on the cybersecurity side of things, right? So, you know, what kind of prompted me to consider cybersecurity is just basically if wherever you look now, it seems like somebody’s under cyber attack, right? there’s some cyber breach, some, you know, something happened in the cyber arena, you know, so just given the rise, the exponential increase in the amount of cyber events, you know, it really started having me thinking about the current cybersecurity and kind of honing in into that specific niche.
Speaker 0 | 02:14.088
Okay, so as you started to hone in, where did you start? How did you start on that?
Speaker 1 | 02:22.828
path of cyber security uh yeah good question so uh i actually kind of did it in the job that i previously held right so i was actually a network specialist uh for a government agency in my country in trinidad uh we were particularly uh in charge of the education sector right so i worked at the ministry of education and um at that time in trinidad in particular or the general Caribbean, I should say, cybersecurity wasn’t really a big thing, you know, and, you know, we kind of just put the two together, like once you’re in charge of the network, automatically, you deal with security in some level, right? So being in charge of the network there, you know, I started to kind of gravitate more to the cybersecurity side of things like, so initially, back then, I dealt with our firewalls and stuff like that, vulnerability scanners and stuff like that. And that’s where I kind of got my first induction, I would say. So it was really a full fled cybersecurity role, but it kind of meshed with what I was currently doing at the time.
Speaker 0 | 03:36.476
Yeah. And cybersecurity was not what it is today back then. Because you’re right. networking is the fundamental of cybersecurity. Because if you’re not connected, if you’ve got an air-gapped computer and it’s not connected to anything, that one’s fairly secure. Not always, but it’s more secure than the networked ones. And so we started off with a lot of things back then, but really it was like the antivirus, it was the firewalls, and then it was still um, best practices like making sure not to change or not to, I mean, to change default passwords and default users. Although that’s something that we still are trying to get people to do today is to change those default usernames and passwords. Um, you know, one of the, the first attacks that comes to mind from the, uh, two thousands was the, the code red worm. Do you remember that one?
Speaker 1 | 04:43.486
Yeah. Yeah, I remember the Code Red worm as well as the Morris worm. That kind of comes to mind for me as well, you know, because that was in the days of AppNet, you know. And, you know, that was like back in 1988, I believe. And so that actually happened by accident, you know, because this guy, he was a graduate student at Cornell University. Robert Morris, hence the name Morris Worm, right? And he was actually doing a project to test the size of the then internet, ARPnet, right? And so happened, it kind of backfired, right? It turned to a worm and it created a denial of service attack. And it affected 60,000 machines, right? So now it sounds pretty minuscule. Because we have millions of computers. But back then, that was a pretty big deal. Because in the days of the opnet, we didn’t have a full-fledged internet system like we have now. It was basically just used for research purposes and stuff like that. And also what was notable about that specific cyber event is that it was the first felony conviction in the US. Under the 1986 Computer Fraud and Abuse Act. So I think that’s… Kind of what, you know, highlighted that cybersecurity is a crime. You know, you could be charged for being a cyber perpetrator or a hacker.
Speaker 2 | 06:20.863
Hey guys, this is Phil Howard, founder of Dissecting Popular IT Nerds. I just want to take a few minutes to address something. It has become fairly apparent, I’m sure all of you will agree, over the years, that slow vendor response, vendor response times, vendors in general. The average is mediocre. Support is mediocre. Mediocrity is the name of the game. Not only is this a risk to your network security, because I’ve seen vendors on numerous occasions share sensitive information, but there’s also a direct correlation to your budget and your company’s bottom line. Not to mention the sales reps that are trying to sell you and your CEO and your CFO on a daily basis. That’s the problem. That causes a whole nother realm of problems that we don’t have time to address. Our back office program at Dissecting Popular IT Nerds, we’ve put together specifically for IT leadership, and it’s on a mission to eliminate this mediocrity. And the best part is that we’re doing this in a way that will not cost your IT department a dime. So if you’d like us to help you out, get better pricing, better support. and jump on pressing issues in minutes, not days, then contact us now so we can get on a call with you and conduct a value discovery session where we find out what you have, why you have it, and where you want to go and how we can improve your life, your IT department, and your company’s bottom line. What you’re going to end up with is number one, just faster support from partners who care about your organization’s uptime and bottom line. And because you’re going to be able to access our 1.2 billion in combined buying power, you’ll be able to benefit significantly from historical data. And on top of that, you’ll also benefit from the skills of hundreds of on-demand experts that we have working behind the scenes that are all attached to our back office support program. So if you’d like, again, none of this is ever going to cost you a dime. At the very least, it’s going to open your eyes to what’s possible. Let our back office team provide you the high-touch solutions and support that your IT team deserves so that you can stop calling 1-800-GOLD-POUND-STAND for support. Now, if you’re wondering, what does this apply to? This applies to your ISPs, your telecom providers, all your application providers, whether you’re a Microsoft shop or a Google shop, what you might be paying for AWS, even Azure, co-location space. any of those vendors that you’re paying a monthly bill to, we can help you with.
Speaker 1 | 09:04.089
Hey, it’s Greg, the Frenchman secretly managing the podcast behind the curtain. To request your one-on-one call, contact us at internet at popularit.net.
Speaker 0 | 09:13.454
And remember,
Speaker 1 | 09:14.255
it will never cost you a dime.
Speaker 0 | 09:16.756
Back in 86, man, 60,000 computers, that was probably what, 90%? Or, you know, a very high percentage of the total amount of machines on the network. at that time. What are some of the other early examples of the cyber attacks and and that evolution that we started to see? What are some of the other ones that you can think of?
Speaker 1 | 09:42.576
Right. So we had quite a few on the way. Another one that kind of stands out for me, right, is the I love you virus. Right. So, yeah, the love bug. Right. So that happened somewhere around 2000, I believe. Right. And this one was spread actually through email. Right. And it was it originated somewhere in the Philippines. I believe it was two Filipino brothers, you know. Right. And how it worked, actually, it was kind of a bit of social engineering. I mean, it wasn’t called social engineering back then, right? But it started with the subject saying, I love you, right? So, and it had an attachment with the I love you letter, right? So, I mean, it’s obvious, you know, back then, everyone’s still new to the whole internet. Who doesn’t want to email saying with the subject, I love you, right? So, you know. Long story short, it was really a visual basic script that was basically hidden as this text file. And once it downloaded, it rapidly infected millions of computers because it propagated itself once you download the script. It would self-propagate and automatically email other people on your contacts list and stuff like that. You know, that was really a big another milestone, I would say, you know, in highlighting cybersecurity, cyber threats, I should say, you know, on the whole. And, you know, just to give a bit of context, you know, like I was looking at some statistics, you know, and now as it currently stands, it’s estimated that in 2023 last year, right, we spent like 11.5 trillion US dollars. on cybersecurity, you know, that’s how much cybercrime costs, right? So coming from the early days, you know, of just, you know, people kind of sort of playing with programs or malicious programs in their dorm rooms or in their basements, you know, cybercrime on the whole has increased dramatically, you know, throughout the years.
Speaker 0 | 11:56.748
Oh, yeah. I remember that in the organization I worked for got hit by one of those email viruses. I don’t think it was the I love you, but it did that almost that exact same thing where one person opened it up, opened up the attachment. It then got into their mailbox, got all of their contacts, emailed itself out to everybody else. And it just propagated across every one of our systems. So luckily for us, this happened on a Saturday morning. So unluckily for me, it was, we had a multi-site. set up and i was running from one city to another and running the antivirus cleaning it off of the machine and you know that was back in the day when antivirus you could trust the antivirus to clean it off of the machine and think that it would be safe that you could continue to use that machine that’s no longer the case at least i don’t trust any machine that shows up having something like that anymore yeah exactly yeah and so You know, we started to transition to some more sophisticated kinds of threats and more sophisticated means of trying to detect these. Because those initial ones that you were talking about are the worms that are self-propagating. And just as soon as one machine’s infected, it looks for or finds other machines with the same kind of vulnerability and then goes after that. And then there’s the social engineering one of the email virus, which the business email compromise seems to be. It’s still one of the largest moneymakers out there for the nefarious side of this, you know, the black hats. But in the mid 2000s, 2010s, we had some more sophisticated things and we started to have things like snort. And. and intrusion detection systems. So tell me a little more about that time in your experience.
Speaker 1 | 14:07.802
Yes. So as you said, you know, the early security technologies we would have used back in the day, right, was antivirus programs, right? This was a must on any computer. And it was sort of a marketing campaign. a lot of vendors used us as well right you know when they went this when they were selling a computer they would be like you know oh this has up-to-date antivirus included free right so you know it was for the first 90 days yeah right so it was like a big marketing campaign as well you know but uh antivirus software was definitely like um one of the first early security technologies. And the thing about them, they have also evolved over the years as we probably talk about here shortly, right? But the very first iterations of antivirus software, they basically use signature-based detection, right? So they would have a signature in their database of all the available antiviruses at the time. So once it detected that virus, once it matched against that database, it would automatically block that virus, quarantine it, et cetera, right? So it was primarily signature-based. Throughout the years, you know, this has evolved. Another major thing that we used back in the day for security was firewalls, right? So everyone, you know, most corporate organizations and even the residential to some extent, they had some sort of firewall device on their network. And again, the first… iteration of those firewalls was stateless, right? Basically, it just forwarded based on an IP address and a port number, you know? So these things have also evolved to keep up with the evolution of the cyber attacks and the cyber technology that we currently have. So towards the mid-2000s, earlier, they were more domestic, more residential. kind of attacks. They were more, you know, kind of quote unquote for fun. You know, it wasn’t really anyone was taking this serious, just trying to test the limits of what computers and what the internet could do, right? But in the mid 2000s, the strategies kind of changed up or evolved a bit, right? So then we had like major incidences where companies like MySpace in 2013, 2013, MySpace was hacked, right? And they compromised, I think it was something like 300 and something million user accounts, right? They were leaked on the dark web. And I think they were asking some ridiculously low price of a couple bitcoins, which was like a couple thousand dollars. You could buy, you know, this database, this large database of leaked usernames, passwords, credentials from MySpace of 360 million user accounts, right? So… We start to see a sort of uptick now, and where instead of just being fun, instead of just testing the boundaries of computers and what they could do on the internet, we see where people are actually making money off of cyber attacks, right? Of cyber crimes, right? MySpace, another big one was Yahoo, which I’m sure you’re probably familiar with in 2014. You know, they had a massive data breach as well, too. And I think it was a cop. like 3 billion yahoo user accounts were hacked right again these things were most likely uh put up for sale on the dark web you know and uh there was a bunch of legal uh repercussions there as well too so definitely from just the homegrown viruses we were seeing much more sophisticated you know type of attacks happening in the mid 2000s and primarily geared for more um profit making, you know, not just for fun, but to actually make a profit and to target like these large corporations.
Speaker 0 | 18:18.509
Right. And, you know, you actually, now I’m wanting to Google real quick to see when the dark web started up. And, but that, that brings up a whole nother aspect of everything because we started leveraging encryption for more and more things. Not only are we using firewalls and a majority of us have. private network so we’re we’re using the um now i’m trying to think of the the t1s and and uh i’m trying to think of what the designation was before mpls yeah so we started using a little more of the encryption vpns were becoming more more prevalent and and actually microsoft started putting the firewalls on the machines before or in the software um versus us having to to get at Symantec or McAfee and their attempts at firewalls for our application firewalls.
Speaker 1 | 19:19.812
Yes. So as you said, you know, everyone was trying to do their part in terms of seeing how best they could harden their defenses, right? So whether it was at the operating system level via patches or built-in antivirus and stuff like that, also transcending just operating systems. But over to the hardware level where we had better firewalls, we had stateful firewalls that could actually look for patterns in the way the traffic. came across if it looked like suspicious, right? So it was, it went from just packet switching in a sense, right, to now, we’re actually concerned of how the behavior of this traffic looks, right? So the technology definitely started to evolve, as you rightly said, we had people more conscientious about using VPNs, especially if they’re using public Wi Fi, and stuff like that. So yeah, I think you know definitely in the 2000s and especially like from 2010 right the present date right there was another surge in in cyber crime and with a little twist as well right as you probably remember the solar winds uh incident that happened uh somewhere around that period the the the date eludes me right now right yeah but i went to us like 2020 i believe yeah Yeah, so like SolarWinds, and we saw a lot of APTs, right? So advanced persistent threats, right? That’s where they kind of get, instead of just infecting your system with a virus, right? Hackers got pretty clever, and they would actually gain a foothold into your network and just stay there for an indefinite period of time until you would probably find them. Or they would… harvest enough data than to ask for ransomware, right? So, you know, we start to see definitely a more sophisticated trend in terms of, you know, hackers and these black hats, in terms of how they would attack systems and how they would gain access and what they will do with the data, especially. SolarWinds being one, StutNex being another one. If you’re familiar with StutNex, that happened. 2010 right and this specifically uh focused on scatter systems you know and they basically hacked i believe it was somewhere in russia if i’m not mistaken one of the uh it was a range iran sorry yeah somewhere there and um you know where they hacked one of their their plants right and basically crippled all their computer resources So they couldn’t harvest and stuff like that, this nuclear technology. So throughout the mid-2000s to present it, there’s definitely been a steady evolution of more advanced persistent threats and a lot of runs somewhere, I would say. That seems to be the hot buzz with now especially, but it started happening even back then.
Speaker 0 | 22:40.790
Right. Yeah, I remember that. you know the first times that i heard about um ransomware it was more of that denial of service but it and and actually i want to say that it was focused more towards your your area of the world or where you came from because there were the caribbean gambling sites that were outside of u.s jurisdiction but servicing many um many of the gambling persuasion in the u.s and if i could lock down the gambling site for a few hours at the right time, it became worth millions. And I’m only asking for hundreds of thousands in ransom. It wasn’t quite the ransomware where they were encrypting things like they are today, but it was just doing a denial of service and keeping you from earning money. So I’d threaten you saying, hey, if you don’t pay my ransom, I’m going to take you offline. And so we started with some of those. And Stuxnet was an example of a different type, too, because Stuxnet, not only was it, you know, attack on the SCADA system, but it’s one of the first well-known state-sponsored attacks. So now we’re talking governments attacking other governments and or entities to accomplish their goal. versus just somebody trying to make a buck by getting you to buy, you know, there’s all of the spam stuff and or, you know, the ransom. attacks that I was just talking about where they were going to do the denial of service against your website or your business and keep you from making money to the ransomware that we see today where they’re now encrypting. They find a way in and then they stay inside as that APT that you were talking about, that advanced persistent threat, wait until they can get a hold of things. evolving and learning. They wait until they can get a hold of all of your backups and destroy your backups. And then they encrypt your system so that you can’t just go to your backups and say, yeah, you know what? I’m not paying. I’ll just restore everything to back before you showed up. And even then, how do we know that we’ve gone back far enough in time?
Speaker 1 | 25:13.096
Yeah.
Speaker 0 | 25:13.616
Because they’ve been hiding in the network for a while. And that’s like what SolarWinds, the SolarWinds attack did. They had compromised the supply chain for SolarWinds six months before they attacked anyone. They were just letting their attack proliferate amongst multiple entities. So, yeah, it’s amazing how much it’s changed.
Speaker 1 | 25:44.326
Yeah, definitely. The landscape is always evolving. As you said, from the 2010s to now, it’s a lot more state-sponsored and politically aligned. We’ve seen a rise in that type of cybercrime. And it’s definitely a good business model for the bad actors, right? Like you rightfully said, with ransomware, where you pay… Just join a random number here, $10,000, and we’d give you back your data as opposed to you losing $10,000 every hour your system is out of commission. So definitely the bad actors, they have become much more intelligent in their demands and their whole business model of what they’re doing with our data once they have it.
Speaker 0 | 26:39.967
Yeah, but on the opposite side of the coin. I’ve been amazed at how much the cybersecurity and the white hat or the blue team, because there’s lots of red and blue teams now, seems to be better than the white and black hat. Things that have been developed, things like the MITRE ATT&CK framework, where they’ve taken and listed out every attack that’s happened so far that they know of. And they’ve categorized them into very specific types of attacks, like the difference between a worm and a virus and a ransomware. And, you know, it’s just amazing to me all of the different ways that you can do this. You could become a DFIR, you know, the digital forensics and incident response, or you can be somebody that’s doing the threat hunting. Or you can be somebody that’s trying to, you know, the XDR, the sassy. There are so many different aspects to cybersecurity today that it’s just overwhelming. No one person can know it anymore.
Speaker 1 | 27:58.521
Yeah, that’s true. It went from just being this kind of vague thing that you will normally mesh with. network and system administration to be in a full-blown career path and career paths, I should say, because as you rightly said, there’s a whole different subset of career paths that you could take under the umbrella of cybersecurity. And just want to kind of touch on something you mentioned there about frameworks, you know, and I think that as those, sorry, frameworks in general have become very much more important within the last, I would say, maybe five years, you know. So as we’ve seen this steady progression and the rise of cyber-related crime, you know, frameworks in general have been because before we were just kind of doing our own thing, right? We were doing antiviruses. We were doing firewall devices, intrusion protection devices and stuff like that. But then it’s had to evolve now. So… okay, what’s the best process or policy of doing this? What policies do we follow or procedures? Is there some sort of standardization, in other words, that we could best do this, right? And that’s where frameworks, as you said, came in. We had the MITRE framework, as well as we had frameworks put out by NIST, right? We had frameworks put out by ISO. we had a bunch of different frameworks come out we have uh ppcidss which deals with you know payment card industry you know how you how you how you uh you uh deal with customer uh credit card information and stuff like that. So those things were, aside from the tools, having these necessary frameworks in place was definitely a critical milestone in our defense system or mechanism against cyber attacks. We also have things like GDPR, how you handle data in the EU Union, right? So yeah, frameworks, a lot of the times in cybersecurity. we tend to focus on tools, right? Or we did so at one point in time, at least at the beginning. To some degree, we still do that, but frameworks are actually a very integral part of the whole process, making sure you align your system, your workplace, and the systems that you use with a framework that is appropriate.
Speaker 0 | 30:39.262
Yeah, for sure. I mean, some of the other people that I’ve talked to, on the show about this, we started talking about the policies. We weren’t using the term framework, but we’re definitely talking about the policies and the procedures and how it’s definitely evolved out of just IT’s realm because everybody that’s sitting at a computer needs to be able to recognize spam and recognize potential threats of that. attachment that they shouldn’t be clicking on um but also then like that nist framework are some of those that you were talking about i i was talking to another gentleman about the nist 800-171 um requirements if i’m if my company is a subcontractor to a company that deals with the government the united states government i have to as that subcontractor you I have to meet certain specific procedures and policies about password management, about validating the security, about control, who can access what. And there’s so much more today than just, hey, let’s run an antivirus and make sure that the computer’s clean. Or let’s look at our network traffic. Do we see any anomalous traffic? Not to mention, you know, SIEM tools, the security event incident management tools that are just, you know, giant log aggregators that then start looking through that, which brings up, you know, that next interesting point and this next evolution that’s going to change and rock our world as we are dealing with the artificial intelligence. artificial intelligence on both sides. We’re already trying to use it to look through those logs and find the anomalous events, but it’s guaranteed that the state-sponsored attacks and actually even the groups that are trying to just make a buck are starting to leverage that, trying to figure out how they can do more and better.
Speaker 1 | 33:02.278
Got any thoughts on that? Yeah, definitely. As you said, you know, AI seems to be the big buzzword right now, right? It’s something that everyone is talking about. And I think the introduction of chat GPT, you know, kind of introduced the masses to AI, you know, although it’s been around to some degree in the past, right? But I think chat GPT and some of these other programs kind of pivoted it to the masses, right? And, um… It has two sides to that coin, as you said. We have where it could be something great in terms of helping our defense systems. So in terms of pattern recognition and stuff like that, having AI would be great because they can read machine code and stuff like that greater than any human could ever do. It would be faster. Yeah. So. They definitely have the potential. Having AI definitely has the potential to reduce false positives and stuff like that, as well as just to speed up the overall incident response and recovery. AI could automate a lot of actions that would normally be done manually. We could have this done by AI now. It could also probably help in some extent to creating a phishing campaign, sorry, like phishing training could be used. create simulated events and stuff you know if we’re looking at our security awareness program which most companies are doing right now you know definitely using ai there could help improve that process on the other side of the coin you know ai now they could be it could be used in uh very nefarious ways right so like you know automated malware campaigns right cyber criminals could employ ai to do this you know so instead of you having to have a team of hackers or cyber criminals you know one person through the aid of ai could do something that 20 people would have normally have to do you know that could be done to one person and just having the right ai tools at their disposal right uh also uh something pretty interesting is a lot of deep fake videos i’m not sure if you saw you know a lot of these things circulating where they imitate like donald trump and other other politicians and you know and ai is getting so realistic you know you really have to look twice to see is this really this person saying this or is this ai generated video so beside actually creating and crafting the attacks we have ai in this other uh you know in this other kind of spin-off category where we have to look now if what we are seeing you know the data we are actually looking at is it real or is it something uh for developed by EA.
Speaker 0 | 36:07.847
Yeah, and it’s not something that we can just look at or watch with the human eye and pick up on or recognize. They’re getting so good at this. I’m trying to remember which government it was, but there was an example of a couple taking their daughter to the movies, and suddenly their daughter was put on the screen in the movie theater. And they used AI to advance her age and to show different threats that are happening because the parents were being very open and sharing in social media about the child and their lives. And they started showing all of these different things that are happening today and through the use of AI and the different things that could happen to their child because they’re… sharing all of this stuff through social media. And it was just one of those things of just trying to help make people aware of the amount of information that we’re sharing today, which deviates a little bit from our topic of the cybersecurity, but it’s a different level of security. It’s that personal security. It’s not even just attacking my wallet, it’s attacking my reputation. Or my mental health, because if you haven’t seen this or heard of what I’m talking about, you need to go look it up and find out. And I wish I had the name of it real quick to give to you. Our world has changed for sure. And then the use of AI. You know, I don’t think that chat GPT really brings home the difference or the threat that. that we’re going to see in cybersecurity because of this. But it does show how, like, for the longest time, the phishing attacks. I’ve always been watching for bad English or misspelled words or, you know, sayings out of the normal idiom. And taking that email and throwing it to chat GPT and saying, hey, make this sound. like, conversational English or American English and make sure that there’s no misspelling in it, ChatGPT is going to give them emails that are going to tell us, hey, your package is late or you need to open up this invoice because you’re overdue. And there’s not going to be those clues except for things like the email header or the email address. And we’re going to have to look at those details to be able to catch those.
Speaker 1 | 38:59.546
Yeah, you know, definitely cybersecurity awareness, you know, often overlooked, but definitely would play a major role in how we move forward, especially with AI in the mix. You know, cyber criminals are getting more and more smart and employing AI makes it that much more difficult to detect, you know, what is real from what is not real and what is nefarious, right? So, as you said, you know, haven’t been. more aware, you know? So I think, uh, each company you know any company or organization out there you know having a robust security awareness program and they’re they’re the key solutions from a lot of vendors out there right uh met and compliance and some of these other vendors offer turnkey solutions but definitely having uh from a business perspective or company’s perspective having some sort of professional security awareness program is no longer optional but it’s mandatory for any company and just on a personal note you know on a personal level you know we too should seek to better be able to be informed about these things as well and inform our families by extension right you know because a lot of us have kids other family members that may not necessarily know the harms and dangers of the cyber cyber world that we have out there nowadays so Definitely being better aware, you know, and having that knowledge in hand is adequately important as the various tools that we have discussed.
Speaker 2 | 40:40.011
At Dissecting Popular IT Nerds, we expect to win and we expect our IT directors to win. And one of those areas where we know that we can help you win is internet service providers. As an IT director tasked with managing internet connectivity, few vendor relationships can prove more painfully frustrating. than the one with your internet service provider. The array of challenges seems never ending from unreliable uptime and insufficient bandwidth to poor customer service and hidden fees. It’s like getting stuck in rush hour traffic. Dealing with ISPs can try once patients even on the best of days. So whether you are managing one location or a hundred locations, our back office support team and vendor partners are the best in the industry. And the best part about this is None of this will ever cost you a dime due to the partnership and the sponsors that we have behind the scenes of Dissecting Popular IT Nerds. Let us show you how we can manage away the mediocrity and hit it out of the park. We start by mapping all of the available fiber routes and we use our $1.2 billion in combined customer buying power in massive economy of scale to map all of your locations, to overcome construction fees, to use… industry historical data, to encourage providers to compete for the lowest possible pricing, to negotiate the lowest rates guaranteed, and to provide fast response times in hours, not days. And we leverage aggregators and wholesale relationship to ensure you get the best possible pricing available in the marketplace. And on top of all of this, you get proactive network monitoring and proactive alerts so that you’re not left calling 1-800-GO-POUND-SAN to enter in a ticket number and wonder, why is my internet connection down? In short… We are the partner that you have always wanted, who understands your needs, your frustrations, and knows what you need without you having to ask. So, we’re still human, but we are some of the best, and we aim to win. This all starts with a value discovery call where we find out what you have, why you have it, and what’s on your roadmap. All you need to do is email internet at popularit.net and say, I want help managing all of my internet garbage. Please make my life easier. and we’ll get right on it for you. Have a wonderful day.
Speaker 0 | 43:00.221
Where do you go on a daily basis to learn more and to stay in tune with what’s going on today?
Speaker 1 | 43:09.445
Right, so I actually subscribe to a bunch of different podcasts and programs. A really nice one is Bleeping Computers. Okay, yeah. You’ve probably heard of them.
Speaker 0 | 43:23.171
Yeah,
Speaker 1 | 43:23.451
oh yeah. That’s pretty… Yeah, they’re pretty up to date with anything tech related, specifically also in cyber related incidents. So bleeping computers, it’s fairly easy and digestible to read. So even the common person who’s not necessarily involved in IT per se, but they could actually be able to digest that information and find it useful. So I subscribe to bleeping computers. Professionally, I follow a lot of people in the works in the space, cyberspace, TCM security, they have been a great resource to me actually. I’m currently doing some of my cyber security related courses with them. TCM security, they’re on YouTube as well, and they have a whole academy, you know, designated to cyber security certification, career paths and stuff like that. They’re great. And there’s a bunch of other platforms out there. You know, if you’re specifically into the whole cybersecurity side of things and you’re looking to practice and stuff like that, we have like Trihack Me and Hack the Box and some of these other platforms that are pretty useful as well.
Speaker 0 | 44:37.610
One of my favorite ones is SANS. S-A-N-S. Yeah.
Speaker 1 | 44:43.073
SANS is good as well.
Speaker 0 | 44:44.635
Yeah. Yeah, they’ve got lots of great information. And actually, you know, I was watching an event with them around the whole solar wind. And that’s when I really became aware of how much the cybersecurity arena had changed in the last five years. It’s just amazing to me. I’ve been paying attention to it my whole career because I found out who the freakers were and what the original hacks were and what the significance of the number 2600 is and the Captain Crunch whistle. Right. And so the true cyber nerds will know what I’m talking about on those ones. Josh, you got anything that you want to leave us with? today? Are there any last thoughts?
Speaker 1 | 45:38.700
Yeah, just kind of in closing, I would say, you know, just some things that, you know, people on the whole could do to strengthen their cybersecurity defenses, right? I would say for companies especially, right, do conduct a comprehensive risk assessment, right? So sometimes you may not necessarily have the in-house expertise to do that. That’s fine. You could contract that out. There are a lot of consultants and people in the cybersecurity space that offer that. But I really think that’s the first step you want to take to build and strengthen your cybersecurity defenses, because that shows you gaps that you may not be able to identify, right? Having a third party look at potential vulnerabilities and their impact would give you a better understanding of before you actually. implement a bunch of stuff because a lot of the times i would tend to see the reviews and maybe you could identify with this mike but uh everyone gets on the cyber security bandwagon and we go ahead and we procure all the latest technologies and stuff like that without really taking the time to do a comprehensive risk assessment right and i would liken it to you know taking vitamin supplements because you know at the point of time i was pretty big on that right you And I would, I would just go on Amazon, fill up my cart with a bunch of different vitamins and just take it. Right. And eventually I came across this pretty, you know, pretty knowledgeable physician. And he told me, you know, what you’re doing there, you’re basically one wasting money, right. And two wasting the vitamins, because a lot of those things would just come out your system. Right. It’s, you know, what he suggested was I do a blood test to let me know what I’m lacking in. And what. specific vitamins and minerals I’m deficient in. And then based on that, you know, I go ahead and purchase my vitamins. Anyways, you know, similar to cybersecurity, instead of going out there and just purchasing all the shiny gadgets, you know, first, I would think, you know, having a comprehensive risk assessment is definitely should be your first thing on the list. Secondly, I would say implement multi-layer defense systems, right? Mechanisms in place, right? So this would be basically tailored to your environment, you know, but the idea is to have multiple levels of security, right? So we want to have security at the network layer. This might be a firewall device. Now we have next generation firewalls that kind of do everything, you know, in terms of IDS, IPS and stuff like that. Also, you know, the network layer, the endpoint layer, the transmission layer, right? So definitely. You know, don’t think, you know, it’s just buy one product and that’s it, or do this one thing and you’re secure. You definitely want to have a defense in depth sort of a model, you know, so be secure at multiple layers. Third, I would say educate and train your employees. And I know we touched on this already, but definitely consider having a security and awareness plan in the organization. If not, if you don’t have it already. for stay up to date with patches and security updates, right? And I think this was even from the early days, this one was like a big thing, but it’s still relevant now. You know, make sure your systems are always up to date. Make sure it’s patch. Make sure you have all the latest security updates because, you know, every week or so, we find some new vulnerability in Windows or some of these operating systems, you know, and the only way we could really protect ourselves is if we patch it because… chances are Microsoft will release a patch once they find that particular vulnerability. And leveraging encryption, data protection measures, we already spoke about that. And I would say last but not least, just conduct regular security audits. This is an ongoing thing. The cybersecurity landscape is always changing, always evolving. Now is AI, now is machine learning. You know, tomorrow might be some shiny new thing, right? So definitely you want to conduct regular security audits in your organization, you know, just to make sure you are relevant in terms of what protection you currently have and what mechanisms you currently have.
Speaker 0 | 50:20.168
Yeah, I think that those security audits that you’re talking about, that just brings you full circle back to that assessment. Because you got to know where you’re at and you have to get that honest evaluation of where am I today? How secure or how vulnerable am I today? And then you start working towards the level of security that you want. But you’ve got to constantly check that because a one-time… penetration test uh or once a year penetration test it really isn’t enough you’ve got to constantly be on guard for any of the new things that have been added um you talked about doing the updates the updates are more than just the os it’s you’ve got to be watching for the updates for every application that’s on your network every application even if it’s a one-off on one person’s computer because what happened with the um Oh, the password keeper, not password keeper, but the other one that everybody loved so much. And it was one developer’s laptop that got compromised. And once his was compromised, then they got a hold of the encryption keys and they were able to get much deeper into that. So it was just, you know, just a single machine, but the whole company at risk.
Speaker 1 | 51:48.124
Yeah, yeah, yeah. And, you know, last but not least, just to kind of say security, a lot of times people think it’s an IT thing or a security department thing. And that’s far from the truth, right? It’s a everyone thing, right? Everyone at the end of the day, we need to take, you know, some sort of measures in place for security, you know, to ensure that we are secure. You know, simple thing as you find a flash drive in the parking lot, maybe it’s not a good idea. to take it to work and plug it into your computer right and also a good idea to take it home and plug it into your to any computer any computer right so so definitely unless you get some prophylactics out there so that you protect the
Speaker 0 | 52:32.918
machine that you’re putting it into and and you know that it’s a potential threat because yeah yeah oh wow all right i found a 48 gig um usb yay
Speaker 1 | 52:46.212
Right. Yeah, so definitely it’s a personal thing, you know, each of us have our personal responsibility, you know, in terms of cybersecurity.
Speaker 0 | 52:56.878
And that’s definitely something that is not a one and done, just like those assessments and the audits. It’s a continuous thing. The education about the current threats and what’s happening, it’s actually one of the cheapest things and probably one of the best things. that any organization can do is to continue to teach their employees what the constant threats are, what the current threats are, what the past threats are, and try to help them be aware to watch out for those future threats.
Speaker 1 | 53:29.635
Yeah, so true.
Speaker 0 | 53:31.677
Well, Josh, it’s been a great conversation with you today. I truly appreciate your time. One more chance. Any last thoughts that you want to share with the audience and about being a cybersecurity ninja?
Speaker 1 | 53:47.502
I would say, you know, if you’re looking into cybersecurity, you know, I would say, you know, go full throttle, right? You know, don’t feel intimidated in any way. There’s a lot of things out there, a lot of resources out there, YouTube. is full of a lot of free resources, particularly if you’re looking to get into some of the cybersecurity spheres, you know, and get knowledge. I just shamelessly plug in my own channel here. You know, I have a YouTube channel. I have a YouTube channel, Joshua’s Tech Tips, you know, and there I discuss, you know, cybersecurity system administration, network administration, and a bunch of different things pertaining to tech, you know, so. By all means, feel free to check it out if you’re interested in any of those sorts of things.
Speaker 0 | 54:37.912
All right. You guys heard it. Joshua’s Tech Tips, correct? Yeah. Is your YouTube channel. All right. Well, let’s see if we can drive some traffic there.
Speaker 1 | 54:47.979
Yeah. Thank you, Mike, for having me. It’s been a pleasure speaking with you as well. And I did hope I added some value to the podcast.
Speaker 0 | 54:57.587
Sure you did. So as we come to a close on another Dissecting Popular IT Nerds, I want to invite all of our listeners to comment and rate the podcast on the iTunes store or wherever you’re grabbing your copy of the podcast from. Make sure to swing by Joshua’s YouTube channel. And we really appreciate the support of the program and the time you invested in nerding out with us geeks. So thank you, everyone. Peace.