Uncle Marv emphasizes the core principles of zero trust as essential strategies for safeguarding your business against cyber threats. Learn how to proactively protect your clients' networks and mitigate risks.
Listeners will be engaged by Marv's storytelling as he recounts a recent incident involving a $300,000 ransomware attack faced by a client due to poor security practices. He discusses how the lack of proper protections led to devastating consequences and stresses the significance of adopting a zero-trust framework.
Marv outlines three core principles: never trust, always verify; least privilege access; and assume a breach will happen.
He also shares insights from his own client interactions, illustrating the challenges of implementing these principles in real-world scenarios. Additionally, Marv provides updates on upcoming shows, including Black Friday and Cyber Monday previews, encouraging listeners to explore valuable tech products for the holiday season.
What is up MSP, Uncle Marv here with another episode of the IT Business Podcast. Yes, we are here the day before Thanksgiving, because like so many of you, I had to work. But I wanted to give you one last show before I headed out.
But I had a couple of thoughts, and I've tried to let you guys know that I'm going to do these little mini shows to get these thoughts out of my head so that they're not banging around up there. But I had an interesting situation with a call yesterday that focuses on zero trust. And I'll share that story, I'll also share a story about a customer issue that I had this morning.
And then I want to go into my Black Friday videos. I know that some of you don't watch on YouTube or the Facebook or anything like that. So I want to reference you to the holiday shows that I did, the Black Friday previews, as well as an upcoming show on Monday.
And then I want to give you some big news about the year-end holiday show. Thanksgiving is late this year. So that holiday show is going to come up much quicker than usual.
So I'll give you some information about that as well. I do want to say thank you to Super Ops. They are the presenting sponsor for these audio shows.
And along with our presenting sponsor, NetAlly and TruGrid and others, I want to thank you all for your support over the year. So this all started yesterday. I was actually pulling into a client that was having a network issue.
And as I pulled into the parking lot, I got a call from a consultant friend of mine. She has been a friend of mine, I think, going back to 1998 or 1999. She was one of the first consultants that I worked with and helped connect me to a lot of the law firms that I worked with.
And we still do some stuff together. And she called and her comment was, I have a story for you. And I said, well, let me get in and take care of this client and I'll call you right back.
So did that. And she basically proceeded to tell me that she had gotten off the phone earlier with one of her clients that she wasn't sure if they were complaining or bragging that they had just been a part of a $300,000 ransomware attack. Now, when I say that this is her client, she does software consulting.
So she would basically sell and help set up and provision and configure and train on legal software. She does not maintain the networks. That's usually left to somebody like me or some of our friends that we know.
And in this particular case, this is an external IT company that is not one of her usual friends. So it's not within our circle. This is a tech company that she works with because of the client, but she, I don't know if she doesn't like working with them or what.
But the short version of the story is the client had a cloud server that they basically did not want to upgrade an old version of one of their software packages. And instead of forcing the client to upgrade, the IT company said, oh, well, we'll just throw it in the cloud and we'll do it as a virtual server. You guys can do it, blah, blah, blah.
That was about as much as she understood, except for the fact that when the server first went into the cloud, they actually had it set up with security. They had only certain IP addresses that could connect to it. But of course, that got too cumbersome.
And the IT company did not want to deal with people asking for permissions to connect from here or whatever. Basically, they turned off all the protection. And to me, it sounds like they were running basically RDP naked where there was no protections, no multi-factor, just anybody could get to that server.
And of course, it got hacked and they got files encrypted. They got a ransom. Now, the $300,000, when I asked for clarification, she said, well, the ransom was probably around $100 to $120 or something like that.
The rest of it was mitigation. So all of the work that had to be done to restore and do all that stuff sounds like a weirdly high number, but that's why she didn't understand if this person was complaining or bragging. But it was funny because they had called her because the software package that she helped them with, something was not working.
And she said, well, I really can't help with that. She could take a look at it and do some stuff. But most of this falls on the onus of the IT company.
And shame on them. She didn't say that. I'm saying this.
Shame on them for leaving this customer that open and unprotected. Yes, it's a law firm and lawyers are tough to deal with. And when they say take it off, usually people take it off.
But we will follow up with that story more later because I'm hoping that she finds a way to get me in there or not. Although I did tell her that I probably don't want them if they don't want to spend the money to protect themselves. And that wouldn't be a client for me, but we'll see where it goes.
Now, that leads me into today's story where one of my clients, and this is a client that has AJ. And for those of you that know my juniors, this is Admin Junior. And yesterday, he ended up having to send me a request in ThreatLocker to install a driver.
They were installing one of the check machines. It was a Panini-style check deposit machine. That wasn't the actual brand.
It was another brand. But of course, AJ was like, I want this thing off. I got to be able to install drivers, blah, blah, blah.
And I said, no, that's not happening. So I ended up giving them the ThreatLocker permission and it actually came back with another request because of a DLL driver. So I ended up putting that station in learning mode for about an hour and they got their stuff installed.
Now, what I left out of this story is this is a Windows 7 machine. It is the only Windows 7 machine left in this network because they too have a legacy piece of software that only works on Windows 7. They weren't going to upgrade it because they only use this, I don't know, once or twice a year. But they wanted to put this check deposit machine on there as well and utilize that.
Well, lucky for me, the check deposit machine would not install and it literally had the checklist of requirements. And the very first thing on here is that this machine must be Windows 10 or higher. And then, of course, they had memory requirements and all this other stuff.
So it was failing the requirements. So today they moved around one of their machines that wasn't in use because of employees leaving, but they haven't replaced them. So they ended up moving a Windows 10 machine in there.
And, of course, when they went to go do the installation, it was a different version of the program because it was Windows 10 and they actually got the machine model wrong. So it was a much different version. Of course, the ThreatLocker notice came up and he, of course, screamed and he's like, I can't work like this.
Now, luckily, I was able to show him through ThreatLocker other things that were being blocked. And, you know, just in the last, I don't know, hour or so before he and I were talking, I went through the logs and I was pulling IP addresses that were getting blocked, that people were trying to either click something or whatever. And some of them were from Athens, Greece, Stockholm, Farina and Serena.
I don't even know what that is. Italy. And I was letting him know that, listen, we put this in place for a reason to block these kinds of threats.
Yes, it's inconvenient. Yes, it's frustrating just as much for me as it is for you. But I'm not turning off these protections because who knows what people are clicking and what bigger issues you would have for that.
So he finally started to understand that, but he just didn't. He's like, well, why do we have to block stuff? And so I had to go into this situation where I explained to him again, because I've done it multiple times, what zero trust means. And that's the situation that I, you know, explain to people.
It's like, look, we have to understand the core principles of zero trust. In this world where everything is internet connected, we never trust. We always verify.
So that's the first part of it. So we operate on the principle that no user or device should just be trusted by default. Anything coming into the network, we have to verify what it is.
We have to verify every single request, every piece of software that comes in, because we know how many links come in that look legit and aren't. And they're going to get past the firewall. They're going to get past the antivirus.
They're going to get past, you know, EDR, you know, and yes, people will say, well, EDR will catch it. Well, that catches it after the fact. I want it stopped before.
So that's one of the reasons that I put ThreatLocker in. You may disagree with me, and that's fine. Let me know why you do, and maybe we'll talk about that on another show.
But that's the concept that I brought to them. I said, we are going to, one, never trust, always verify. Number two, the concept of least privilege access seems to be an issue with this company.
So we all know that we, you know, should have users with the least role that they need. Nobody should be an administrator. And this company has a habit for many years of making local users administrators to get around whatever program issue they're having, whatever problem they're having.
Well, you know, if I can't work it as a user, I'll just make them an admin. So that was another way that I could put this in and lock down whether or not people can install stuff. So even as an administrator, they're going to get that ThreatLocker prompt that they can't install something.
I've also got other stuff in place where we now have a much more locked down Active Directory. And I had a program that would go out and scan once an hour to see if people were added to the administrators group and then get them removed. So that the only people that should be admins is, you know, the local admin tech that I did for AJ.
And then there's a TJ in that office as well. So they're set up as local admins in that group. Now their profiles themselves, their Active Directory accounts are not admins.
They're not domain administrators, which was, you know, something I did for a long time. I would just make a tech a domain admin. I don't do that anymore.
So I make them a local admin. I'll give them, you know, network operator rights. I'll give them account operator rights and do all of this stuff.
But that takes care of the fact that if they're going to try to, you know, elevate somebody to an administrator, ThreatLocker blocks that as well. And a good way to minimize, you know, potential attack surfaces. And then, of course, number three is we're always going to assume a breach.
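An added example (not a script from the episode or from Uncle Marv) of the hourly scan described above: PowerShell that compares the local Administrators group against an approved list, removes anything else, and logs every action. The domain name, the tech account names, and the log path are assumed placeholders; it assumes Windows 10 or later with the built-in LocalAccounts module and runs as a scheduled task with local admin rights.

```powershell
# Added example, not a script from the episode: enforce an allowlist for the local
# Administrators group and remove anything else, as the hourly scan described above.
# Assumptions: Windows 10+ with the built-in LocalAccounts module, run as a scheduled
# task under an account that is itself a local admin. Names below are placeholders.

$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (secured separately, e.g. LAPS)
    'CONTOSO\Domain Admins',             # assumed domain; keep so the domain can still manage the box
    'CONTOSO\aj-localadmin',             # hypothetical per-tech local admin accounts for AJ and TJ
    'CONTOSO\tj-localadmin'
)
$LogPath = 'C:\ProgramData\AdminGroupAudit\audit.log'   # hypothetical log location

function Get-UnapprovedAdmins {
    # Returns every current member of Administrators that is not on the allowlist.
    # Name comes back as COMPUTER\user for local principals and DOMAIN\user for domain ones.
    param([string[]]$Allow = $Approved)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allow -notcontains $_.Name }
}

function Write-AuditLine {
    param([string]$Message)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    "$(Get-Date -Format o) $env:COMPUTERNAME $Message" | Add-Content -Path $LogPath
}

$drift = @(Get-UnapprovedAdmins)
if ($drift.Count -eq 0) {
    Write-AuditLine 'OK: Administrators group matches allowlist'
}
foreach ($member in $drift) {
    # Log before removing so the audit trail shows who was added even if removal fails.
    Write-AuditLine "DRIFT: removing $($member.Name) ($($member.ObjectClass)) from Administrators"
    try {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name -ErrorAction Stop
    } catch {
        Write-AuditLine "ERROR: could not remove $($member.Name): $($_.Exception.Message)"
    }
}

# One-time registration as an hourly scheduled task (run once, elevated; path is assumed):
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\AdminGroupAudit\Check-LocalAdmins.ps1'
# $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
# Register-ScheduledTask -TaskName 'AdminGroupAudit' -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest
```

The DRIFT lines in the log are the detection signal worth forwarding to whatever monitoring you already run, since an unexpected admin being added is exactly the kind of event the assume-breach principle says to watch for.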
And I know that some of you out there don't like that word. You want to call it an incident. I don't care what you call it.
You know, it's basically an issue that we shouldn't have to deal with if we're protecting our networks properly. Now, that's not to say it'll never happen. There's always going to be an incident.
There's always going to be a breach that we're not prepared for. But we have to assume that that's going to happen. Things are moving too fast in this world.
And so the security measures that we put in place should be designed with the assumption that breaches can and will occur. And therefore, having, you know, these necessary, robust monitoring and response capabilities is something that we're going to do. So yesterday, you know, she had that incident with her client.
I was able to parlay that into today's discussion to AJ and let him know that not only am I using these core principles of zero trust, here's another client that's similar to you that just had to deal with a $300,000 ransomware event. So that kind of slowed him down. I'm sure I'll have to deal with it again.
But I just wanted to kind of throw that out there for you guys. If you, you know, are having, you know, difficulties in explaining some of the things that we have to do for security, just three core principles of zero trust. One, never trust, always verify.
Two, least privilege access. And three, assume a breach is going to happen. All right.
The second thing that I wanted to talk about was, I just got done this week doing Black Friday previews. So again, if you don't follow the show on, you know, YouTube, LinkedIn, or the Facebook, you probably didn't see it. So I'm going to put links in the show notes to the shows that I did, just in case you, you know, may want to find some great ideas for holiday gifts.
You can tune in to the episodes. I did one on Monday with Eric Pinto from SocSoter, the original person that co-hosted with me on the Black Friday show. And then I had a show with Dawn Sizer from Third Element Consulting.
And both of them had some great items on their list. And these were things that either were on their wish list or things that they had purchased in the last year that were good enough to share. I'll just mention some of the products, but I'll have links in the show notes.
And of course, links to the shows, Stanley French Press, Keurig Smart K-Supreme, Two Tire Inflators, the Etinwolfe Vortex, and the Halo Bolt Air Plus. Dawn talked about this Roborock and Whoop Band. And then of course, Plaud.
That is, she is really excited about this Plaud AI voice recorder. So those are some of the things we talked about. The links that I'm going to put in the show notes are actually going to be to the Amazon Live videos.
It was the first time that I had tried this in promoting my Amazon links. I thought, let me try to do this on Amazon Live. It's one of the features that they offer where we can do product videos and shows and stuff.
And it actually will give the links in Amazon to the items that we talked about. So those are the links that I'm going to put in the show for you to go to experience the live. Or you can go to the traditional YouTube and watch there as well.
I used a platform where I could put up QR codes of the products as we talked. Most of them worked. Some of them didn't because of the translation.
If I took them out of Amazon and put them into the stream, even though it popped up with the right thing, the link didn't work. So in the show notes for each of those videos on YouTube and Facebook, the proper links are there. So if you are watching the show and think that this crappy thing doesn't work, well, the proper link is listed.
And of course, we will be doing one more show. I'm going to be doing a Cyber Monday show with my friend Erin Lawrence. And she is the Tech Gadgets Canada person.
She has a great YouTube channel. And we're going to talk about some more products and come from a Cyber Monday perspective. And it'll be a similar thing.
We'll talk about some of the things that she has purchased. Now, she is a YouTube reviewer. So she gives some very great insight.
That's a little bit more than what Eric, Dawn, and I do. Because she actually reviews these things and tests them out and gives super, super deep product reviews. I'll have the link for her website and her YouTube channel as well.
But Monday, 12 noon, come join us. We'll be live on all the platforms again. Like I said, YouTube, LinkedIn, the Facebook, and on Amazon Live.
And you can join us there. Finally, the year-end holiday show. That has been set for December 18th.
And if that feels early, yes, it is. Because of the way the calendar shakes out this year. Of course, we're doing Thanksgiving.
You know, it feels a week later for most people. Because it's, you know, it's so late in the month. And then the Christmas holidays.
The way that the schedule falls. Christmas is on a Wednesday this year. So of course, I can't do a show on Christmas.
So that leaves the week before to do it. Because I cannot do it basically the 23rd through the 27th. We're going to be off.
And we're off through the rest of the year. So I won't be doing any shows during that. So that left the week before.
So we're basically only going to have two more live shows. I will have a couple of audio shows. But December 18th will be the holiday party.
And in preparation for this year's holiday party, we will be doing what we always do. Giving you a chance to vote for the podcast awards for 2024. And of course, what we vote for is what you guys think was the best swag item of 2024 that you saw at a conference.
You're going to vote for best episode and best guest. And the way that you can do that is you go to itbusinesspodcast.com slash survey. So it looks a little different this year.
But the survey will pop up. And you'll be able to walk through all of the things there. But let's see here.
So yeah, itbusinesspodcast.com slash survey. And as per usual, every entry that I receive will be put into a giveaway bucket. And we'll be giving away some prizes at the end of the year.
Mostly Amazon gift cards. But I'm working with some vendors to maybe get some other stuff here. So we're going to have multiple giveaways this year.
So mark that on your calendar. December 18th, holiday show. We will be looking back at some of the best and worst things that happened this year.
I'll have my usual core of friends hanging out. And we'll probably be having some eggnog and stuff like that. And it'll be a fun time.
And that will be the last show of the year for 2024. So hope that you guys fill out the survey and can join us that night. But that's going to do it.
So we're going to wrap up this episode. And I want to take a moment to wish all of you a happy Thanksgiving. This time of year, of course, is not known for eating well.
But I'm going to try to encourage you to eat well. Enjoy those delicious meals and treats. Of course, stay safe as you travel.
Many of you drive and stuff. Stay safe out on the road. And remember that these are times spent with family.
This is what's supposed to truly matter. Cherish every laugh. Cherish every story.
And share with each other around the table. I want to thank you for tuning in. I will see you on the other side.
Enjoy your holiday. And until next time, Holla!