32. From Getting Shot at in Iraq & Afghanistan to 1.5 Million in Ransomware

Dissecting Popular IT Nerds
Joshua Stroud

Experienced Manager with a demonstrated history of working in the utilities industry. Skilled in Enterprise Risk Management, Market Risk, Electricity and REC Markets across the US, Financial Risk, and Advanced Analytics including statistical modeling and machine learning.

Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.

Episode Show Notes

Joshua Stroud and Phil Howard discuss the journey from 1 tour in Iraq to 1 tour in Afghanistan and getting shot at, to helpdesk technician, to consultant, and to IT leadership.

Is your business one that will have to close down in 6 months if you experience a ransomware attack? … The majority end up having to close up shop.

  • The biggest learning and key skill to learn as a Systems Admin
  • Getting shot at in Iraq and Afghanistan
  • Floating Bridges
  • Human Hacking
  • The helpdesk for the dark web

Transcript

Speaker 0 | 00:09.626

Welcome everyone back to Telecom Radio 1. We’re continuing our series, Dissecting Popular IT Nerds. Today we have Joshua Stroud on the call from, he’s IT manager at Kelly Road Builders. So Joshua, welcome to the show, man. Thanks for being on.

Speaker 1 | 00:25.397

Thanks for having me.

Speaker 0 | 00:26.678

Yeah, man, you’ve got a really good… uh, IT history and, uh, interesting how you got into it as well. I mean, I know you did some time, you did some time in Iraq and Afghanistan, so I don’t know where you want to start off, man, but maybe just give us a little background story on, on a, how you got into it to begin with. Maybe what was your, what was your first computer? That’s always a fun one too. Sure.

Speaker 1 | 00:49.677

Sure. So coming up, I, uh, sporadically, um, very sporadically dealt with computers. With that being said, I grew up in the country, so it wasn’t like I had access to someone, you know, in the same era.

Speaker 0 | 01:10.289

I’m in the country right now, man. I grew up in the country, too. I’m still in the country. I had to pick some ticks off my kids, let’s see, this week. But at least we had an Apple II. We had an Apple IIc with some flop, you know. Single floppy drive, that was our first computer, but keep going, man.

Speaker 1 | 01:31.629

Oh, yeah, definitely, though I would think, with the, with computers, you know, here and there. But I initially started out going to UAB under the electrical and computer engineering program. That particular program really put more focus on the electrical engineering side versus the computer engineering side. So my initial focus was actually engineering.

Speaker 0 | 02:00.441

And that’s University of Alabama, right? For anyone out there listening.

Speaker 1 | 02:04.942

Yes, University of Alabama at Birmingham, yeah.

Speaker 0 | 02:07.523

Awesome. All right, so electrical engineering, very exciting for some people. Some people would say not too exciting, but you kind of went down a different pathway.

Speaker 1 | 02:19.366

Definitely, definitely. So beginning in the UAB, I actually joined the OAS. Alabama Army National Guard. They actually paid for school. What I didn’t expect was to not be able to finish school, having to go overseas.

Speaker 0 | 02:39.995

How long were you overseas?

Speaker 1 | 02:43.617

The first time, so I left Iraq in January, or December, rather, of 2009, and I returned in February of…

Speaker 0 | 02:55.104

thousand a living. So just out of curiosity, man, uh, how was that? Well, first of all, I have a lot of friends, I do a lot of jiu-jitsu, I have a lot of friends that, that, uh, served, a lot of friends that were overseas. Some like to talk about, some don’t. I mean, it’s completely up to you, man. I’m just curious, man. If you want to talk about it, great. If not, no big deal. Um,

Speaker 1 | 03:14.069

We can move on, but I wanted to ask you what it’s like over there, if you’re all right with that. Oh, sure. So it is definitely a, um, a different world than what I would used to here. With that being said, there’s a lot that we take for granted. It is a third world country, so the resources that are available to us aren’t really available to them. Just as an example, clean water. It’s a guarantee that they’re going to have clean running water. Electricity. Having a comfortable home to go to. There’s not really a middle class over there. You either have a lot of money or you don’t. There’s not a lot of in-between, you know. You either live in a palace or you live in a any other thought out, you know.

Speaker 0 | 04:07.140

What about conflict? You see, I mean, did you see a lot of conflict or?

Speaker 1 | 04:11.261

Yeah, I was, uh, I was in transportation. So I stayed on convoys a lot. So there was a, definitely a lot of different things that happened outside. And this is combat related and non-combat related. One of my favorite memories, actually, is in Iraq, they had what they call a floating bridge. And essentially, the bridge kind of sits on top of the, as you read, it actually dips below the water. So, um, until you get across it, you don’t even see the bridge, you know, you’re on it. So, uh, the running joke was, uh, once you get on the bridge, do not turn the steering wheel or otherwise you may, you know. You end up with the river. So it was very, very exhilarating. Glad I made it through that. But, yeah, they had a lot of neat little sports and whatnot. Another interesting thing about their environment, their culture, they don’t really have power lines. So there’s no height limit when it comes to, you know, loads. There would be some unbelievable cargo that’s being carried by, you know, just whatever. I’ve seen a…

Speaker 0 | 05:40.905

I see what you’re saying. In other words, maxing out. There’s no weigh stations.

Speaker 1 | 05:44.367

Oh, yeah. Oh, yeah. Well, weigh stations and then the height, the total height period.

Speaker 0 | 05:50.351

Yeah, yeah. I got you. Oh, yeah.

Speaker 1 | 05:54.734

I’ve seen a cargo bus with two of the metal content containers on top of it, and it had two cars on top of the connect fingers. All this, how they got it up there, I have no idea. Uh, it’s, it feels like that, that you would never see, um, you know, here in the US. Nice, man. But yeah, even with, with all of that being said, um, the only IT exposure I had overseas was dealing with our, uh, communication system. Uh, yeah, we use long range radio systems. Um, I was, uh, in charge while we were out, outside the wire, you know, by outside the wire I just mean not on base, we’re running missions. Yep. Uh, while we’re outside the wire, I was in charge of, um, making sure our radios were, uh, stayed in working condition, uh, maintaining our comp six and, uh, all that good stuff though. Um, well yeah, in Iraq and Afghanistan, the difference is, I’m not going to say like night and day, but they are vastly different. Iraq is more spread out, more flat. You have your desert areas, but you also have your areas of lush vegetation, surprisingly. But still, it was really flat for the most part. Of course, if you get to the northern part of Iraq, around Madul, it’s a little more hilly. Versus Afghanistan, even our bases, everything was a lot more compact. Everything was closer together. I ran more missions in Afghanistan, but they were shorter missions. In Afghanistan, I actually did more convoy security than actually running the convoys themselves. But it was very mountainous. I was a little more comfortable. And it was significantly colder in Afghanistan.

Speaker 0 | 08:00.942

Let me ask you this. Have you been shot at?

Speaker 1 | 08:06.066

Definitely. That kind of comes with the territory. Anybody that’s been outside the wire over there, that’s not something you can avoid, to be honest with you.

Speaker 0 | 08:18.734

What was that like the first time you had gunfire coming at you?

Speaker 1 | 08:24.738

Yeah. Definitely, definitely. And that was in Iraq. And you would, you know, gunfire, you know, it kind of became, we kind of got desensitized to it, I guess you could say. You know, kind of just part of the deal, part of the day. Yeah, gotcha. Yeah, definitely. And again, I spent 13 months in Iraq. I live in Wisconsin, Afghanistan, and definitely an experience that I’ll, you know, be able to kind of reflect on here and there throughout the rest of my life.

Speaker 0 | 09:04.727

I’m sure, man. I’m sure.

Speaker 1 | 09:07.408

With that being said, I don’t have any desire to go back.

Speaker 0 | 09:11.929

I gotcha. I gotcha. So, so thanks, man. Thanks for sharing that. I appreciate it. So, hey, so moving on to IT stuff, though, you come back, you get into IT. Um, and I, you know, I don’t know where we want to go from here. What was kind of like the biggest, uh, what was kind of like the main thing that got you to where you’re at right now? What was kind of like the biggest stepping stone?

Speaker 1 | 09:38.150

Biggest stepping stone. I’m sorry. I said that one more time.

Speaker 0 | 09:42.273

What was the biggest stepping stone?

Speaker 1 | 09:45.115

Um, the biggest stepping stone was, um, coming off the help desk. Um, what I found initially is that a lot of professionals that go in through the health care crowd kind of sit there, I guess, because there is a comfort level associated with it. You’re sitting behind a phone the whole time, you know, so there’s not really a face-to-face interaction. Yep. But it came to a point where I just desired to, you know, be more involved. I wanted to expand my knowledge base when it comes to IT. I wanted to get a better understanding of systems, how systems are being used, you know, with businesses across the board, uh, not just when something isn’t working, you know. So, um, in addition to maintaining and improving and building on my reactive knowledge, I also wanted to start to build on my proactive knowledge. Yeah. So, you know, I took a leap and that kind of landed me in my role where I, uh, worked up in a hunt still, it was, uh, well, no, defense contracting jobs, and that’s really where I, um, kind of started expanding beyond, um, the help desk. Um, I got exposure to managing, uh, fiscal work systems, for example, um, managing, uh, certificates. Uh, these were specifically DoD certificates, but tickets nonetheless. It gave me a big plan of, uh, of the importance and the use of certificates in internet. So from there, I worked with a non-profit where I was the desktop support person. It was only myself and the system administrator there, so we more or less handled everything. That’s when I got exposure to physically running cable, terminating those Ethernet ends, getting exposure to the physical side, you know, hands-on. We built a few servers. First time getting into a split, configuring a split.

Speaker 0 | 12:09.749

So what do you think, I mean, what’s the big difference between that and just, you know, a help desk technician? I mean, what’s the big difference there? Is it dealing with end users? Is it more of an expansive knowledge of, you know, I don’t know, database admin or servers or actual physical hands-on, you know, what’s the, what was the big leap?

Speaker 1 | 12:30.439

Yeah. The big leap was going from sitting on a phone to hands-on. That was the biggest difference. Yeah.

Speaker 0 | 12:40.508

So then we, we fast forward, you know, so now you’re an IT manager and I, I know we’ve got a good ransomware story to talk about too, which is really cool, but you know, what do you think the key difference is between help desk? Do you think you got more experience dealing with end users from the system admin side? And then it was just a matter of expanding your actual physical experience or experience with IT knowledge in general, or do you think you got more end user experience when you moved up?

Speaker 1 | 13:12.264

I feel like I got more end user experience on the help desk side, to be honest. And it’s really more from a soft skills standpoint, learning how to, you know, how to talk with it, how to, you know, deescalate situations and that type of stuff.

Speaker 0 | 13:32.577

So I think that’s a key, I think it’s a key point though. So for like anyone, like any system admin guys out there listening or anyone that wants to, I don’t know, eventually move into, to, you know, CIO, CTO role or IT director role, really, you’re getting your most important skill or one of the most important skills, which is talking with people and how to deal with people right at the beginning. So if you can be successful with end users from a systems admin standpoint, then it’s just a matter of time. If you can’t be successful with end users at the very beginning, then you might as well just kiss goodbye.

Speaker 1 | 14:07.298

Definitely. And as you know, over the last five, 10 years, the role of the IT in general is steadily changing. We’re starting to come to the forefront of the business. IT is the backbone of most businesses anyway.

Speaker 0 | 14:27.624

Yeah, and IT cost center versus IT as a revenue generator. Like back in the day, I think people are still stuck in the IT as a cost center. How much money are we spending on IT versus how much money is IT making us?

Speaker 1 | 14:42.028

Correct. Yeah, 100% agreed. And so it is highly essential, as I talk to some of my colleagues and my peers, they’re more or less leaning towards, when it comes to hiring a new person, they’d rather have someone with the necessary soft skills, and they’re willing to teach those hard skills rather than having someone with all the technical know-how, but, you know, they can’t, they don’t know how to talk to customers, because at the end of the day, those hard skills can be taught, but people skills, those are a lot harder to teach, takes a little longer to teach, and you could end up, you know, shooting yourself in the foot, for lack of a better phrase, by hiring someone that doesn’t know how to talk to people, as you could end up losing clients. Yeah. You know, so soft skills are very important. And being able to develop and fine-tune those soft skills on the help desk has definitely helped me get to where I am today. And I was able to develop and fine-tune my hard skills along the way.

Speaker 0 | 15:56.895

For example, ransomware attack. Tell me about it.

Speaker 1 | 16:04.194

Yeah, so ransomware. I’m sure everyone is aware of what ransomware is. Yeah,

Speaker 0 | 16:11.916

we haven’t covered it on the show yet. I don’t think I’ve covered a big ransomware story yet on the show yet, but yours is pretty impressive.

Speaker 1 | 16:20.078

Definitely. So ransomware is a really nasty form of malware. And just FYI, ransomware is actually a $2 billion industry. Or someone that wants to put some ransomware out there, and they actually have a ransomware help desk you can call. You don’t even have to know how to create the ransomware. You can call this ransomware help desk on the dark net and actually have them create you a package, give you an instruction on how to deploy it, and there you go. Boom. That’s the first. Yeah, I’m a hacker now. Do you know any numbers?

Speaker 0 | 16:58.312

What are these numbers that we can call? Can I? Not that we want to advertise these numbers, but you know, it might be fun to just throw them on an automatic dialer or something just

Speaker 1 | 17:10.618

Exactly. But yeah, ransomware is a very, it’s a very lucrative industry, you know, but it’s very nasty and it can do major damage for business.

Speaker 0 | 17:22.844

So what, what’s the story? What happened?

Speaker 1 | 17:25.945

So, two different stories. I’ll give you the first one first. So the first story, this healthcare company, they have about 10 to 20 offices. They had a ransomware attack. Over 1,200 PCs were encrypted. So they were down. They decided to go ahead and pay the ransom. I can’t remember the exact dollar amount for this particular instance. But they paid the ransom, the decryption key was sent, and it took about a week and a half to get all of those PCs decrypted. So they were good to go up and running. So there was about a week and a half of downtime, loss of revenue, but it’s better than the next story. So next story, this is actually a technology company. They got a ransomware attack. It took down all of their servers, and it also encrypted their backup. So we had to essentially start over from scratch. All right, so the initial, you know, the initial…

Speaker 0 | 18:45.023

Now,

Speaker 1 | 18:45.163

did you come in,

Speaker 0 | 18:46.883

were you already in, like, existence here, or, like, what happened? Like, so if you encrypted the backups, how did that happen? How was there no, you know, like bare metal backup, or how is there no backup that wasn’t encrypted? That like

Speaker 1 | 19:01.490

I see. Yeah, this was a design flaw or an infrastructure flaw on their end. The way they had their network set up, they more or less, you know, left themselves open to it. So once something was able to get into the network, it was able to take them down completely.

Speaker 0 | 19:23.806

Now, did you come in after the fact? So where do you come into play here?

Speaker 1 | 19:28.249

Yes, I came in after the fact. In this particular case, I came in as a consultant. Okay. Yeah, I had no dealings with this particular client prior to this incident.

Speaker 0 | 19:40.197

Okay. Go on.

Speaker 1 | 19:43.219

All right. So the first thing we did, we got two options. We can either go ahead and start from scratch, or you can pay the ransom. I sold the rent. Yeah. The ransom started out at around $500,000, somewhere up in there.

Speaker 0 | 20:01.970

And they were like, we’re going to pay $500,000. Yeah, sure, we’ll pay $500,000.

Speaker 1 | 20:05.511

That’s a good time. Well, at first, but they weren’t intense about it. So after about the third day, they were like, okay, we’ll pay the ransom. Well, they go and pay the $500,000, and the hacker was like, no, we doubled the price. You know, you waited three days. So they were like, okay, so a million dollars? Really? We’re going to have to pay a million dollars? At this time, they’re down for a week.

Speaker 0 | 20:31.898

Yeah, that’s crazy. A week.

Speaker 1 | 20:33.278

As far as revenue, they’re losing anywhere from $150,000 to $200,000 a day at this point. So they’re down for a week. All right, so at this point, they decide, okay, after another three to four days, okay, we’re going to just pay the million so we can get back up. All right, so they contact the hacker, and the hacker has raised the price again. At this point, okay, we’re losing money. We cannot afford at this point to pay over a million dollars to decrypt it. And, you know, we still be down for another week. So at this point, um, they’re scratching the data. So I actually, uh, sat down with them and we, um, built a brand new network infrastructure for them from the ground up, and, uh, you know, I basically, along the way, you know, I was able to, um, you know, use it for educational purposes as well. That was an expensive lesson to learn, but, you know

Speaker 0 | 21:30.358

Was the data just like, hey, forget it. We’re just going to start building from scratch. Like, was the data just gone and that’s it? Goodbye?

Speaker 1 | 21:37.001

Exactly. Yes. Okay.

Speaker 0 | 21:38.562

So all the customer database information and stuff like that, just poof. Goodbye.

Speaker 1 | 21:43.785

It was gone. It was gone.

Speaker 0 | 21:44.906

We’ll just start talking with people and rebuilding it and have some data entry people.

Speaker 1 | 21:51.169

Yep. Okay.

Speaker 0 | 21:53.230

Wow.

Speaker 1 | 21:53.491

That’s exactly it. And with that being said, that’s… probably the worst case scenario of ransomware. It takes everything down, all your data, and you have to start over from scratch. That is the worst case scenario for ransomware.

Speaker 0 | 22:12.899

That’s a sad story, but crazy. So there it is. That was just a complete disaster. There was no paying. The fact that people pay a million dollars for ransomware is a real thing. It happens.

Speaker 1 | 22:25.744

It does.

Speaker 0 | 22:27.505

Like regularly. Um, I kind of like your, so, you know, just for everyone else out there listening, uh, any, any best practices or, or, or tips here, uh, just in general, um, you know, just kind of as like a, like a final message or anything like that out there that you’re saying, like you have any, uh, any best practices or anything that you want to share with anyone listening?

Speaker 1 | 22:50.243

Um, sure, sure. Um, when it comes to, uh, security, you know, uh, user education. I can’t stress that enough. There are a lot of tools and mechanisms that we as IT professionals have in place that we can stop, you know, a lot of the nasty stuff, man-in-the-middle attacks, that type of stuff. But social engineering, a.k.a. human hacking, definitely needs some help here. So it is vital that we educate our end users on different things to look out for, how to protect themselves and protect the company.

Speaker 0 | 23:27.378

What do you think is the best way to do that? Other than, you know, software and like, you know, stuff that sits within like an email inbox and shows you like, this is a potential threat. This is coming from a weird DNS or this is coming, you know what I mean? Other than that stuff, just like, what’s the best way in your opinion to communicate the message?

Speaker 1 | 23:45.185

So what I like.

Speaker 0 | 23:46.145

Or to get people to care. How about just to get people to care? Because I mean, I would say like, you know, a lot of employees might just not, might just not care. Hey, it’s the company, you know? I mean, a lot of people just have bad attitudes when it comes to stuff like that and might just be careless and not care enough.

Speaker 1 | 24:00.428

Well, and I feel like if you get the right people to start caring, in my case, the owners of the company, I feel like it’ll kind of slow down from there. You know, when I share stories like the ransomware attacks, those type things, and this is a small business. Another fun fact, for small businesses rather. If they get a ransomware attack or a malware attack that has them down for any extended period of time, they generally have to close within six months. That’s how bad stuff can get, especially for small businesses. That’s a good. So when you have about, when you, um, you know, fresh user education, I’ll send out a fun fact little newsletter, you know, every week, you know, just putting out some fun facts of different, you know, in regards to IT security. Yeah, yeah. I randomly have a, um, running an email security test. And basically what it is, I’ll send out an illegitimate email and I can get a report on who clicked on it. They don’t know it’s illegitimate, you know, but I’ll get a report on who clicked on it.

Speaker 0 | 25:15.402

What’s your percent? What’s your highest win rate? What’s your highest percentage of click rate? I’m just curious. Is it over 10%? Is it over 10% of the people that click on it? Oh,

Speaker 1 | 25:26.428

yeah. It was. It was, brother. Yeah, it was, but at this point, it’s definitely gotten to the point where if they see anything that’s questionable, they come to me about it first and foremost, and that’s what I want, you know. Insider attacks are by far the leading cause of malware attacks, and most of the time, they’re inadvertent.

Speaker 0 | 25:48.013

So the best way to prevent attacks and phishing attacks is to be better than the majority of the people that are trying to phish your company anyways, or at least, you know, really get your people completely paranoid about everything.

Speaker 1 | 26:03.625

Yeah. Yeah. The more paranoid they are, the safer you are.

Speaker 0 | 26:07.008

Spread paranoia, I guess is the message. That’s awesome. So, hey, really appreciate you taking some time to be on the show today. Been a lot of fun talking with you. Any of the final messages, man, anything else you got to share?

Speaker 1 | 26:25.222

The number one rule for security. Make sure you have good, secure backup. Yeah. I don’t think it gets any simpler than that.

Speaker 0 | 26:38.622

A backup that’s not a backup is not a backup,

Speaker 1 | 26:41.024

if that makes sense. Exactly. Make sure you have good backup.

Speaker 0 | 26:46.466

All right. Joshua, man, hey, thanks for being on the show.

Speaker 1 | 26:50.028

I appreciate the time, sir. Thank you.

32. From Getting Shot at in Iraq & Afghanistan to 1.5 Million in Ransomware

Speaker 0 | 00:09.626

Welcome everyone back to Telecom Radio 1. We’re continuing our series, Dissecting Popular IT Nerds. Today we have Joshua Stroud on the call from, he’s IT manager at Kelly Road Builders. So Joshua, welcome to the show, man. Thanks for being on.

Speaker 1 | 00:25.397

Thanks for having me.

Speaker 0 | 00:26.678

Yeah, man, you’ve got a really good… uh, it history and, uh, interesting how you got into it as well. I mean, I know you did some time, you did some time in Iraq and Afghanistan, so I don’t know where you want to start off, man, but maybe just give us a little background story on, on a, how you got into it to begin with. Maybe what was your, what was your first computer? That’s always a fun one too. Sure.

Speaker 1 | 00:49.677

Sure. So coming up, I, uh, sporadically, um, very sporadically dealt with computers. With that being said, I grew up in the country, so it wasn’t like I had access to someone, you know, in the same era.

Speaker 0 | 01:10.289

I’m in the country right now, man. I grew up in the country, too. I’m still in the country. I had to pick some ticks off my kids, let’s see, this week. But at least we had an Apple II. We had an Apple IIc with some flop, you know. Single floppy drive that was our first computer, but but keep going man.

Speaker 1 | 01:31.629

Oh, yeah, definitely though I would think With the with computers, you know here and there But I initially started out going to UAB under the electrical and computer engineering program That particular program really put more focus on the electrical engineering side versus the computer engineering side So my initial focus was actually engineering.

Speaker 0 | 02:00.441

And that’s University of Alabama, right? For anyone out there listening.

Speaker 1 | 02:04.942

Yes, University of Alabama at Birmingham, yeah.

Speaker 0 | 02:07.523

Awesome. All right, so electrical engineering, very exciting for some people. Some people would say not too exciting, but you kind of went down a different pathway.

Speaker 1 | 02:19.366

Definitely, definitely. So beginning in the UAB, I actually joined the OAS. Alabama Army National Guard. They actually paid for school. What I didn’t expect was to not be able to finish school, having to go overseas.

Speaker 0 | 02:39.995

How long were you overseas?

Speaker 1 | 02:43.617

The first time, so I left Iraq in January, or December, rather, of 2009, and I returned in February of…

Speaker 0 | 02:55.104

thousand a living so just out of curiosity man uh how was that well first of all i have a lot of friends i do a lot of jiu-jitsu i have a lot of friends that that uh served a lot of friends that were overseas some like to talk about some don’t i mean it’s completely up to you man i’m just curious man if you want to talk about it great if not no big deal um

Speaker 1 | 03:14.069

we can move on but i wanted to ask you what it’s like over there if you’re all right with that oh sure so it is definitely a um a different world world than what I would used to here. With that being said, there’s a lot that we take for granted. It is a third world country, so the resources that are available to us aren’t really available to them. Just as an example, clean water. It’s a guarantee that they’re going to have clean running water. Electricity. Having a comfortable home to go to there’s not really a middle class over there you either Have a lot of money or you don’t there’s not a lot of in-between, you know You either live in a palace or you live in a any other thought out, you know

Speaker 0 | 04:07.140

What about conflict you see I mean, did you see a lot of conflict or?

Speaker 1 | 04:11.261

Yeah, I was uh, I was in transportation. So I stayed on convoys a lot. So there was a Definitely a lot of different things that happened outside. And this is combat related and non-combat related. One of my favorite memories, actually, is in Iraq, they had what they call a floating bridge. And essentially, the bridge kind of sits on top of the, as you read, it actually dips below the water. So, um, until you get across it, you don’t even see the breed, you know, you’re on it. So, uh, the running joke was, uh, once you get on the bridge, do not turn the steering wheel or otherwise you may, you know. You end up with the river. So it was very, very exhilarating. Glad I made it through that. But, yeah, they had a lot of neat little sports and whatnot. Another interesting thing about their environment, their culture, they don’t really have power lines. So there’s no height limit when it comes to, you know, loads. there would be some unbelievable cargo that’s being carried by, you know, just whatever. I’ve seen a…

Speaker 0 | 05:40.905

I see what you’re saying. In other words, maxing out. There’s no weigh stations.

Speaker 1 | 05:44.367

Oh, yeah. Oh, yeah. Well, weigh stations and then the height, the total height period.

Speaker 0 | 05:50.351

Yeah, yeah. I got you. Oh, yeah.

Speaker 1 | 05:54.734

I’ve seen a cargo bus with two of the metal content containers on top of it. and it had two cars on top of the connect fingers all this how they got it up there i have no idea uh it’s it feels like that that you would never see um you know here in the us nice man but yeah even with with all of that being said um the only i’d see exposure i had overseas was dealing with our uh communication system uh yeah we use long range radio systems um i was uh in charge while we were out outside the wire you know by outside the wire i just mean not on base we’re running missions yep uh while we’re outside the wire i was in charge of um making sure our radios were uh stayed in working condition uh maintaining our comp six and uh all that good stuff though um Well yeah, in Iraq and Afghanistan, the difference is, I’m not going to say like night and day, but they are vastly different. Iraq is more spread out, more flat. You have your desert areas, but you also have your areas of lush vegetation, surprisingly. But still, it was really flat for the most part. Of course, if you get to the northern part of Iraq, around Madul, It’s a little more hilly. Versus Afghanistan, even our bases, everything was a lot more compact. Everything was closer together. I ran more missions in Afghanistan, but they were shorter missions. In Afghanistan, I actually did more convoy security than actually running the convoys themselves. But it was very mountainous. I was a little more comfortable. And it was significantly colder in Afghanistan.

Speaker 0 | 08:00.942

Let me ask you this. Have you been shot at?

Speaker 1 | 08:06.066

Definitely. That kind of comes with the territory. Anybody that’s been outside the wire over there, that’s not something you can avoid, to be honest with you.

Speaker 0 | 08:18.734

What was that like the first time you had gunfire coming at you?

Speaker 1 | 08:24.738

Yeah. Definitely, definitely. And that was in Iraq. And you would, you know, gunfire, you know, it kind of became, we kind of got desensitized to it, I guess you could say. You know, kind of just part of the deal, part of the day. Yeah, gotcha. Yeah, definitely. And again, I spent 13 months in Iraq. I live in Wisconsin, Afghanistan, and definitely an experience that I’ll, you know, be able to kind of reflect on here and there throughout the rest of my life.

Speaker 0 | 09:04.727

I’m sure, man. I’m sure.

Speaker 1 | 09:07.408

With that being said, I don’t have any desire to go back.

Speaker 0 | 09:11.929

I gotcha. I gotcha. So, so thanks, man. Thanks for sharing that. I appreciate it. So, hey, so moving on to IT stuff, though, you come back, you get into IT. Um, and I, you know, I don’t know where we want to go from here. What was kind of like the biggest, uh, what was kind of like the main thing that got you to where you’re at right now? What was kind of like the biggest stepping stone?

Speaker 1 | 09:38.150

Biggest stepping stone. I’m sorry, say that one more time.

Speaker 0 | 09:42.273

What was the biggest stepping stone?

Speaker 1 | 09:45.115

Um, the biggest stepping stone was, um, coming off the help desk. Um, what I found initially is that a lot of professionals that go in through the health care crowd kind of sit there, I guess, because there is a comfort level associated with it. You’re sitting behind a phone the whole time, you know, so there’s not really a face-to-face interaction. Yep. But it came to a point where I just desired to, you know, be more involved. I wanted to expand my knowledge base when it comes to IT. I wanted to get a better understanding of systems, how systems are being used, you know, with businesses across the board, uh, not just when something isn’t working, you know. So, um, in addition to maintaining and improving and building on my reactive knowledge, I also wanted to start to build on my proactive knowledge. Yeah. So, you know, I took a leap, and that kind of landed me in my role where I, uh, worked up in a hunt still. It was, uh, well, no, defense contracting jobs, and that’s really where I, um, kind of started expanding beyond, um, the help desk. Um, I got exposure to managing, uh, fiscal work systems, for example, um, managing, uh, certificates. Uh, these were specifically DoD certificates, but tickets nonetheless. It gave me a big plan of, uh, of the importance and the use of certificates in internet. So from there, I worked with a non-profit where I was the desktop support person. It was only myself and the system administrator there, so we more or less handled everything. That’s when I got exposure to physically running cable, terminating those Ethernet ends, getting exposure to the physical side, you know, hands-on. We built a few servers. First time getting into a split, configuring a split.

Speaker 0 | 12:09.749

So what do you think, I mean, what’s the big difference between that and just, you know, a help desk technician? I mean, what’s the big difference there? Is it dealing with end users? Is it more of an expansive knowledge of, you know, I don’t know, database admin or servers or actual physical hands-on? You know, what’s the, what was the big leap?

Speaker 1 | 12:30.439

Yeah. The big leap was going from sitting on a phone to hands-on. That was the biggest difference. Yeah.

Speaker 0 | 12:40.508

So then we, we fast forward, you know, so now you’re an IT manager and I, I know we’ve got a good ransomware story to talk about too, which is really cool, but you know, What do you think the key difference is between help desk? Do you think you got more experience dealing with end users from the system admin side? And then it was just a matter of expanding your actual physical experience or experience with IT knowledge in general, or do you think you got more end user experience when you moved up?

Speaker 1 | 13:12.264

I feel like I got more end user experience on the help desk side, to be honest. And it’s really more from a soft skills standpoint, learning how to, you know, how to talk with it, how to, you know, deescalate situations and that type of stuff.

Speaker 0 | 13:32.577

So I think that’s a key, I think it’s a key point though. So for like anyone, like any system admin guys out there listening or anyone that wants to, I don’t know, eventually move into, to, you know, CIO, CTO role or IT director role, really, you’re getting your most important skill or one of the most important skills, which is talking with people and how to deal with people right at the beginning. So if you can be successful with end users from a systems admin standpoint, then it’s just a matter of time. If you can’t be successful with end users at the very beginning, then you might as well just kiss goodbye.

Speaker 1 | 14:07.298

Definitely. And as you know, over the last five, 10 years, the role of the IT, in general, is steadily changing. We’re starting to come to the forefront of the business. IT is the backbone of most businesses anyway.

Speaker 0 | 14:27.624

Yeah, and IT cost center versus IT as a revenue generator. Like back in the day, I think people are still stuck in the IT as a cost center. How much money are we spending on IT versus how much money is IT making us?

Speaker 1 | 14:42.028

Correct. Yeah, 100% agreed. And so it is highly essential, as I talk to some of my colleagues and my peers, they’re more or less leaning towards, when it comes to hiring a new person, they’d rather have someone with the necessary soft skills, and they’re willing to teach those hard skills, rather than having someone with all the technical know-how, but, you know, they can’t, they don’t know how to talk to customers. Because at the end of the day, those hard skills can be taught, but people skills, those are a lot harder to teach, takes a little longer to teach, and you could end up, you know, shooting yourself in the foot, for lack of a better phrase, by hiring someone that doesn’t know how to talk to people, as you could end up losing clients. Yeah. You know, so soft skills are very important. And being able to develop and fine-tune those soft skills on the help desk has definitely helped me get to where I am today. And I was able to develop and fine-tune my hard skills along the way.

Speaker 0 | 15:56.895

For example, ransomware attack. Tell me about it.

Speaker 1 | 16:04.194

Yeah, so ransomware. I’m sure everyone is aware of what ransomware is. Yeah,

Speaker 0 | 16:11.916

we haven’t covered it on the show yet. I don’t think I’ve covered a big ransomware story yet on the show yet, but yours is pretty impressive.

Speaker 1 | 16:20.078

Definitely. So ransomware is a really nasty form of malware. And just FYI, ransomware is actually a $2 billion industry. or someone that wants to put some ransomware out there and they actually have a ransomware help desk you can call. You don’t even have to know how to create the ransomware. You can call this ransomware help desk on the dark net and actually have them create you a package, give you an instruction on how to deploy it, and there you go. Boom. That’s the first. Yeah, I’m a hacker now. Do you know any numbers?

Speaker 0 | 16:58.312

What are these numbers that we can call? Can I? Not that we want to advertise these numbers, but you know, it might be fun to just throw them on an automatic dialer or something just

Speaker 1 | 17:10.618

Exactly. But yeah, ransomware is a very, it’s a very lucrative industry, you know, but it’s very nasty and it can do major damage for business.

Speaker 0 | 17:22.844

So what, what’s the story? What happened?

Speaker 1 | 17:25.945

So, two different stories. I’ll give you the first one first. So the first story, this healthcare company, they have about 10 to 20 offices. They had a ransomware attack. Over 1,200 PCs were encrypted. So they were down. They decided to go ahead and pay the ransom. I can’t remember the exact dollar amount for this particular instance. But they paid the ransom, the decryption key was sent, and it took about a week and a half to get all of those PCs decrypted. So they were good to go, up and running. So there was about a week and a half of downtime, loss of revenue, but it’s better than the next story. So next story, this is actually a technology company. They got a ransomware attack. It took down all of their servers, and it also encrypted their backup. So we had to essentially start over from scratch. All right, so the initial, you know, the initial…

Speaker 0 | 18:45.023

Now,

Speaker 1 | 18:45.163

did you come in,

Speaker 0 | 18:46.883

were you already in, like, existence here, or, like, what happened? Like, so if you encrypted the backups, how did that happen? How was there no… you know, like bare metal backup or how is there no backup that wasn’t encrypted? That like

Speaker 1 | 19:01.490

I see. Yeah, this was a design flaw or an infrastructure flaw on their end. The way they had their network set up, they more or less, you know, left themselves open to it. So once something was able to get into the network, it was able to take them down completely.

Speaker 0 | 19:23.806

Now, did you come in after the fact? So where do you come into play here?

Speaker 1 | 19:28.249

Yes, I came in after the fact. In this particular case, I came in as a consultant. Okay. Yeah, I had no dealings with this particular client prior to this incident.

Speaker 0 | 19:40.197

Okay. Go on.

Speaker 1 | 19:43.219

All right. So the first thing we did, we got two options. We can either go ahead and start from scratch, or you can pay the ransom. I sold the rent. Yeah. The ransom started out at around $500,000, somewhere up in there.

Speaker 0 | 20:01.970

And they were like, we’re going to pay $500,000. Yeah, sure, we’ll pay $500,000.

Speaker 1 | 20:05.511

That’s a good time. Well, at first, but they weren’t intense about it. So after about the third day, they were like, okay, we’ll pay the ransom. Well, they go and pay the $500,000, and the hacker was like, no, we doubled the price. You know, you waited three days. So they were like, okay, so a million dollars? Really? We’re going to have to pay a million dollars? At this time, they’re down for a week.

Speaker 0 | 20:31.898

Yeah, that’s crazy. A week.

Speaker 1 | 20:33.278

As far as revenue, they’re losing anywhere from $150,000 to $200,000 a day at this point. So they’re down for a week. All right, so at this point, they decide, okay, after another three to four days, okay, we’re going to just pay the million so we can get back up. All right, so they contact the hacker, and the hacker has raised the price again. At this point, okay, we’re losing money. We cannot afford at this point to pay over a million dollars to decrypt it. And, you know, we still be down for another week. So at this point, um, they’re scratching the data. So I actually, uh, sat down with them and we, um, built a brand new network infrastructure for them from the ground up. And, uh, you know, I basically, along the way, you know, I was able to, um, you know, use it for educational purposes as well. That was an expensive lesson to learn, but, you know.

Speaker 0 | 21:30.358

Was the data just like, hey, forget it. We’re just going to start building from scratch. Like, was the data just gone and that’s it? Goodbye?

Speaker 1 | 21:37.001

Exactly. Yes. Okay.

Speaker 0 | 21:38.562

So all the customer database information and stuff like that, just poof. Goodbye.

Speaker 1 | 21:43.785

It was gone. It was gone.

Speaker 0 | 21:44.906

We’ll just start talking with people and rebuilding it and have some data entry people.

Speaker 1 | 21:51.169

Yep. Okay.

Speaker 0 | 21:53.230

Wow.

Speaker 1 | 21:53.491

That’s exactly it. And with that being said, that’s probably the worst case scenario of ransomware. It takes everything down, all your data, and you have to start over from scratch. That is the worst case scenario for ransomware.

Speaker 0 | 22:12.899

That’s a sad story, but crazy. So there it is. That was just a complete disaster. There was no paying. The fact that people pay a million dollars for ransomware is a real thing. It happens.

Speaker 1 | 22:25.744

It does.

Speaker 0 | 22:27.505

Like regularly. Um, I kind of like your, so, you know, just for everyone else out there listening, uh, any, any best practices or, or, or tips here, uh, just in general, um, you know, just kind of as like a, like a final message or anything like that out there that you’re saying, like you have any, uh, any best practices or anything that you want to share with anyone listening?

Speaker 1 | 22:50.243

Um, sure, sure. Um, when it comes to, uh, security, you know, uh, user education. I can’t stress that enough. There are a lot of tools and mechanisms that we as IT professionals have in place that we can stop, you know, a lot of the nasty stuff, man-in-the-middle attacks, that type of stuff. But social engineering, a.k.a. human hacking, definitely needs some help here. So it is vital that we educate our end users on different things to look out for, how to protect themselves and protect the company.

Speaker 0 | 23:27.378

What do you think is the best way to do that? Other than, you know, software and like, you know, stuff that sits within like an email inbox and shows you like, this is a potential threat. This is coming from a weird DNS or this is coming, you know what I mean? Other than that stuff, just like, what’s the best way in your opinion to communicate the message?

Speaker 1 | 23:45.185

So what I like.

Speaker 0 | 23:46.145

Or to get people to care. How about just to get people to care? Because I mean, I would say like, you know, a lot of employees might just not, might just not care. Hey, it’s the company, you know? I mean, a lot of people just have bad attitudes when it comes to stuff like that and might just be careless and not care enough.

Speaker 1 | 24:00.428

Well, and I feel like if you get the right people to start caring, in my case, the owners of the company, I feel like it’ll kind of slow down from there. You know, when I share stories like the ransomware attacks, those type things, and this is a small business. Another fun fact, for small businesses rather: if they get a ransomware attack or a malware attack that has them down for any extended period of time, they generally have to close within six months. That’s how bad stuff can get, especially for small businesses. That’s a good. So when you have about, when you, um, you know, fresh user education, I’ll send out a fun fact little newsletter, you know, every week, you know, just putting out some fun facts of different, you know, in regards to IT security. Yeah, yeah. I randomly have a, um, running an email security test. And basically what it is, I’ll send out an illegitimate email and I can get a report on who clicked on it. They don’t know it’s illegitimate, you know, but I’ll get a report on who clicked on it.

Speaker 0 | 25:15.402

What’s your percent? What’s your highest win rate? What’s your highest percentage of click rate? I’m just curious. Is it over 10%? Is it over 10% of the people that click on it? Oh,

Speaker 1 | 25:26.428

yeah. It was. It was, brother. Yeah, it was, but at this point, it’s definitely gotten to the point where if they see anything that’s questionable, they come to me about it first and foremost, and that’s what I want, you know. Insider attacks are by far the leading cause of malware attacks, and most of the time, they’re inadvertent.

Speaker 0 | 25:48.013

So the best way to prevent attacks and phishing attacks is to be better than the majority of the people that are trying to phish your company anyways, or at least, you know, really get your people completely paranoid about everything.

Speaker 1 | 26:03.625

Yeah. Yeah. The more paranoid they are, the safer you are.

Speaker 0 | 26:07.008

Spread paranoia, I guess is the message. That’s awesome. So, hey, really appreciate you taking some time to be on the show today. Been a lot of fun talking with you. Any of the final messages, man, anything else you got to share?

Speaker 1 | 26:25.222

The number one rule for security. Make sure you have good, secure backup. Yeah. I don’t think it gets any simpler than that.

Speaker 0 | 26:38.622

A backup that’s not a backup is not a backup,

Speaker 1 | 26:41.024

if that makes sense. Exactly. Make sure you have good backup.

Speaker 0 | 26:46.466

All right. Joshua, man, hey, thanks for being on the show.

Speaker 1 | 26:50.028

I appreciate the time, sir. Thank you.


HOSTED BY PHIL HOWARD

Dissecting Popular IT Nerds Podcast
