
How to Identify & Mitigate Signs of Trickbot and Ryuk Attacks in Your Environment Transcript


Lindsey Watts [00:00:02] Good afternoon, everyone, and welcome to our panel discussion. 

Lindsey Watts [00:00:06] My name is Lindsey Watts, I am the Director of Solutions and Marketing at True Digital Security, and we are happy to have all of you with us. 

Lindsey Watts [00:00:15] We have a number of health care professionals, technologists. And we also have some industry peers joining us today. 

Lindsey Watts [00:00:23] We shout out to you all, we're happy to have you, and, uh, join you all in the fight to protect our clients against the TrickBot and Ryuk attacks, the recent wave we have seen. 

Lindsey Watts [00:00:37] Today, just a matter of housekeeping, I would love to let you know that we will have time for Q and A at the end. 

Lindsey Watts [00:00:46] So feel free to submit your questions as we go at any point, and we will answer and facilitate those at the end. 

Lindsey Watts [00:00:53] We will also be sending out a follow-up e-mail with a link to the recording of the webinar, so you can go back and watch it again, as well as a handout that our expert panelists have been kind enough to put together, to help guide through some of the more detailed points of our discussion today. 

Lindsey Watts [00:01:12] So, without further ado, I would like to introduce our panelists. 

Lindsey Watts [00:01:18] Mehgan Hochmuth is the Critical Asset Management Coordinator and Global Service Desk Supervisor. She's been at True going on five years. 

Lindsey Watts [00:01:28] Mehgan entered the IT industry as a way to contribute her expertise to support organizations looking to operate and grow securely. 

Lindsey Watts [00:01:37] Diana Hutcherson is a True Guaranteed Networks engineer, obviously not our only one. 

Lindsey Watts [00:01:45] She essentially works in a network, server, and systems administrator role for our clients. 

Lindsey Watts [00:01:56] Before coming to True, she was the distinguished honor graduate for her class of IT specialists for the US Army and continues to serve with the Oklahoma Army National Guard. 

Lindsey Watts [00:02:07] We appreciate your service. 

Lindsey Watts [00:02:09] Kerry McQuarrie is an incident response engineer with over 20 years' experience spanning systems and network engineering, security and IT leadership. 

Lindsey Watts [00:02:20] Before coming to True, Kerry was the Director of IT Systems at CBS's Pop TV. 

Lindsey Watts [00:02:27] Kerry is currently, I'm not sure how you say this, Kerry, a GIAC Certified Forensic Examiner, and an AWS Certified Solutions Architect Associate. 

Lindsey Watts [00:02:39] You can correct me on that later. 

Lindsey Watts [00:02:41] Jenna Waters is a True cybersecurity consultant, who specializes in PCI DSS compliance and assessments, cybersecurity program development, cloud security controls, and threat intelligence. 

Lindsey Watts [00:02:55] Before coming to True, Jenna began her career as a cryptologic technician and team leader under the United States Fleet Cyber Command at the Navy Information Operations Center, that's NIOC, and with the National Security Agency, otherwise known as the NSA, in Hawaii. 

Lindsey Watts [00:03:15] Afterwards, she graduated with honors from the University of Tulsa for the Bachelor of Science in Computer Information Systems. She works hard everyday to give her dogs the best life possible. I know it's difficult to imagine somebody could achieve that much before graduating, but just imagine what she's done since then. 

Lindsey Watts [00:03:35] So, I will hand over to our experts now, and let them walk you through our content for today. 

Lindsey Watts [00:03:48] Kerry McQuarrie. 

Kerry McQuarrie [00:03:50] Hello, everybody. I'm going to talk through a little bit about

Kerry McQuarrie [00:03:54] the suspects in the recent bout of health care targeted ransomware incidents. 

Kerry McQuarrie [00:04:01] TrickBot, it's a modular Trojan, and it's usually disseminated from, like, a phishing e-mail campaign. 

Kerry McQuarrie [00:04:11] Somebody clicks on the wrong document. It's generally something like, oh, here's your very important banking document, or, you know, something like that. 

Kerry McQuarrie [00:04:23] They click on a link, or they click into a document that enables Macros. 

Kerry McQuarrie [00:04:31] And once that happens, the bad guys are away. 

Kerry McQuarrie [00:04:34] They start communicating with a command and control center and letting them know what your public IP addresses are, what your network looks like, what your important assets are. 

Kerry McQuarrie [00:04:48] And once they figured out all that information, um, then it drops in the Ryuk ransomware. 

Kerry McQuarrie [00:04:56] Ryuk is a version of ransomware that started with Hermes. 

Kerry McQuarrie [00:05:03] It's tailored towards more enterprise systems so they're really good at finding out which systems are the highest profile and which systems that are of the highest value. 

Kerry McQuarrie [00:05:16] Um, once Ryuk starts moving laterally to all of your machines and to the assets that they've defined as your high value targets, then it starts encrypting your files, encrypting your backups, deleting your volume shadow copies, and, um, then they present you with a nice little ransomware note. 

Kerry McQuarrie [00:05:39] So Ryuk was hibernating for a while between April and August, during kind of the beginning of the global pandemic. 

Kerry McQuarrie [00:05:48] We were actually seeing a lot more of the exfiltration type ransomware like Maze and DoppelPaymer. 

Kerry McQuarrie [00:05:55] Um, But now it's back and it's a I don't think it's a coincidence that it's back in the middle of a global pandemic, that's just my opinion. 

Kerry McQuarrie [00:06:05] But, um, and according to ... 

Kerry McQuarrie [00:06:10] UNC1878, which is one of the groups that tend to target, using certain types of ransomware and stuff, they all have characteristics that are similar. They're responsible for about one fifth of the Ryuk intrusions. 

Kerry McQuarrie [00:06:29] So, here's a little bit of an overview of how the attack works, from delivery. 

Kerry McQuarrie [00:06:36] Now, a lot of times it's a phishing e-mail, sometimes it's a remote desktop vulnerability, in fact, we see quite a bit of that in our investigations. 

Kerry McQuarrie [00:06:44] Somebody left the port open on their firewall, or a VPN tunnel, ah, was left vulnerable. 

Kerry McQuarrie [00:06:52] Or, you know, you just didn't patch. 

Kerry McQuarrie [00:06:56] Once

Kerry McQuarrie [00:07:00] TrickBot is deployed, then it installs itself and starts a conversation with the command and control center, where it sends information to a list of HTTP URLs, where it says, here's where I am, here's how to get hold of me, and then, since TrickBot is modular based, you know, there's a lot of little secondary payloads that can drop in there that'll cause lateral movement via SMB. 

Kerry McQuarrie [00:07:29] Or, you know, exfiltrate your data, exfiltrate sensitive data. 

Kerry McQuarrie [00:07:35] So once that happens, then they start looking at your credentials. 

Kerry McQuarrie [00:07:39] They use tools like Mimikatz to harvest credentials, and a lot of times you'll see them creating new domain accounts or new local administrator accounts. Or just recycling the ones that you already have. 

Kerry McQuarrie [00:07:53] And once all that has happened and they've got the keys to your kingdom, then they drop the Ryuk down in there. 

Kerry McQuarrie [00:08:00] And it deletes backups, if they're available, and deletes your volume shadow copies as well, and then. 

Kerry McQuarrie [00:08:09] And you gotta call somebody. 

Kerry McQuarrie [00:08:13] Absolutely. 

Kerry McQuarrie [00:08:15] So, we'll go into the next one with Jenna here. 

Jenna Waters [00:08:20] Yeah, so, I guess it says you have to call someone, she means her, you have to call Kerry. So, I'm gonna cover real quick how this will affect HIPAA compliance. 

Jenna Waters [00:08:31] Obviously, especially in this case, it's going after the health care industry, and health care providers, and covered entities, Um, and that's an issue about, honestly, I think Kerry is really on point with the fact that we're seeing this during a global pandemic. It's the perfect, you know, vulnerability meets threat situation meets circumstance. 

Jenna Waters [00:08:54] But for HIPAA compliance, so the first question we've been receiving is, does ransomware count as a breach for HIPAA? And the answer is, the simple answer is yes. 

Jenna Waters [00:09:09] The more complex answer is only if you exceed 500 health records that are essentially compromised. That means yes. Even though they're encrypted, they're now out of your control. If there's more than 500 of them, you have to report yourself to the Department of Health and Human Services, which will then turn you over to the Office of Civil Rights, who will conduct the investigation. 

Jenna Waters [00:09:37] And this also applies to covered entities. So it's not just hospitals, it's not just providers. This includes insurance companies. 

Jenna Waters [00:09:43] This includes anyone that has a large amount of HIPAA data. 

Jenna Waters [00:09:49] So, yes, simple answer, yes. If it's more than 500 records and you suffer ransomware and that ransomware affected those records, then, yes, you suffered a breach. You have to make a report to HIPAA. You have to make a report. 

Jenna Waters [00:10:05] And it's unfortunate. No one wants to do it, but you do. 

Jenna Waters [00:10:10] Now, what do you have to actually notify? Well, you have to notify within 60 days. 

Jenna Waters [00:10:15] That's the requirements as per OCR. 

Jenna Waters [00:10:18] You have to make a list of all the PHI that has been made available. So all the PHI that has been encrypted by ransomware. 

Jenna Waters [00:10:28] You have to give an incident description, entity, and a timeline. So you have to actually perform incident response. 

Jenna Waters [00:10:34] I think that's why they give you those 60 days, is they want you to be able to, to the best of your ability, investigate the occurrence, and include that in your reporting.

Jenna Waters [00:10:46] So, and also, you also have to be able to determine, to the best of your ability, who viewed or who encrypted the PHI, who encrypted your health records without authorization. 

Jenna Waters [00:10:58] Lastly, you have to submit proof that the records were infected, and that appropriate mitigation steps were taken. 

Jenna Waters [00:11:06] So, this is the kicker, if you do not take appropriate mitigation steps prior to being hit with ransomware and you make a report to the Department of Health and Human Services, who goes to OCR, gotta love the bureaucratic step by step red tape. 

Jenna Waters [00:11:23] If you did not take those mitigation steps, 

Jenna Waters [00:11:27] you could be heavily fined, but it just might take a while, so I just checked the stats this morning and OCR currently has 600 and, I think, 18 cases open, still, backdating all the way to 2018. 

Jenna Waters [00:11:45] So my guess is we're going to see that number grow exponentially in the next few months, particularly if, like some medical experts are predicting, you know, the colder months, perhaps, may cause an influx of COVID-19 cases in certain areas. 

Jenna Waters [00:12:02] So just keep in mind, take those mitigation steps, because that is what's going to help you in the long run, if you have to report to OCR after a breach. 

Mehgan Hochmuth [00:12:16] All right. I think it's my turn. 

Mehgan Hochmuth [00:12:19] So Diana and myself, we're gonna get into a couple of steps that you can take, kind of a best practice to mitigate. 

Mehgan Hochmuth [00:12:30] Please keep in mind, this is just a roadmap of items. It's not the complete list. It's not a promise. So, one of the first ones we want to talk about is education. 

Mehgan Hochmuth [00:12:41] And with user education, the reason that's the most important, probably here, other than backups, is because the e-mails tend to be the reason that they got it in the first place. 

Mehgan Hochmuth [00:12:53] So, they're clicking on links, or they're opening up attachments, and from there, it drops, you know, that EXE file, or you are redirected to the web. Now you've infected your PC. It can move laterally in the network. So one of the things you can do to train your employees about security awareness, there's tools out there, you can create simulated phishing attacks. We tend to do that with our clients a lot. And we've gotten to the point now where a lot of our clients are so on their toes, they're so aware now that, just to be sure, sometimes they'll send tickets, which is, you know, my realm. They'll send tickets in saying, hey, is this safe? I'm not sure, can you double check for me? 

Mehgan Hochmuth [00:13:37] And they're just they're being super aware, and I really think those campaigns have helped them acknowledge what to look out for, you know, e-mail spoofing. You know, they'll see their boss's name and the e-mail, but they'll look at the e-mail address and go, hmm, that's not my boss's e-mail. 

Mehgan Hochmuth [00:13:54] So those kinds of campaigns I think are really important. 

Mehgan Hochmuth [00:13:57] You can also encourage the use of strong passwords for your employees. 

Mehgan Hochmuth [00:14:02] Use two-factor authentication, wherever you can and enforce the use of secured company devices for VPN access. 

Mehgan Hochmuth [00:14:10] And limit VPN use to valid business reasons. Especially, you know, I know that's a lot more difficult now, with the pandemic, you know, a lot of people are working remotely. So, also, avoid the use of public insecure Wi-Fi networks. I don't know if you've ever been to the airport, maybe you just connect to that one network and you're like, it's fine, nothing's gonna happen this time. 

Mehgan Hochmuth [00:14:33] Well, you never know, and you don't want to play that game. 

Diana Hutcherson [00:14:37] Definitely. Something else that I want to add, you know. 

Diana Hutcherson [00:14:41] None of my clients are in the healthcare industry, and we do absolutely want to emphasize that because of the opportunity that a lot of these bad actors have right now because of the pandemic, the health care industry, those are the big targets. Those are absolutely the ones that you're going to see on the news. 

Diana Hutcherson [00:15:03] And, and especially if you're in that industry, please be aware. 

Diana Hutcherson [00:15:09] Please come retracts know that you are a big target right now, but if you're not in that industry, don't think that that means that you're safe. One of my biggest clients was actually in an emergency takeover after ransomware. 

Diana Hutcherson [00:15:24] Not in the health care industry, but it was a lot of the same sort of thing where people didn't necessarily have that user education to know, not to click on the bad e-mail. 

Diana Hutcherson [00:15:35] With that particular client, we use a service called KnowBe4. I really like them. It allows me to create different campaigns, but I know there's other services out there as well. 

Diana Hutcherson [00:15:47] And yeah, a lot of my job has been increasing user education, and with any network, no matter how good a job your network admin does, or your server admin, everybody, you can make the network super secure, and ultimately, what a lot of these bad actors figured out is that the weakest link is always going to be the people. 

Diana Hutcherson [00:16:05] So that's why we put employee education first, because that is ultimately probably where things are going to crack. 

Diana Hutcherson [00:16:12] And again, if that same e-mail got sent out to 100 employees, it only takes one of them to click on that bad link to get your network infected and start this whole process. 

Diana Hutcherson [00:16:22] So definitely focus on, on user education, wherever you can, and everything else that we're talking about. 

Diana Hutcherson [00:16:28] And know that, you know, and I've heard a lot of other people say this, you know, as well, that, you know, these ransomware attacks there. 

Diana Hutcherson [00:16:35] We're in this new era now of ransomware as a service, which I think Kerry can talk a little bit more about, but yeah, like, anybody can buy these services from different places, they're modular like Kerry mentioned, and just because you haven't seen small businesses on the news, they probably wouldn't be. But they're still getting hit with ransomware. So it's still important to be on your toes no matter your size. 

Diana Hutcherson [00:17:00] Let's go to some other mitigation tactics. 

Diana Hutcherson [00:17:06] Um, as far as effective patch management, I guess I'll start here and Mehgan can pick up, but patching is one of the most important things that you can do with your systems. 

Diana Hutcherson [00:17:17] Jenna already mentioned, you know, or Kerry mentioned, like, just having your system not be patched. That's an easy way in. 

Diana Hutcherson [00:17:24] A lot of times, there is evolution in how bad, I guess, malware, or even just like how TrickBot might work. So there's different things. 

Diana Hutcherson [00:17:36] They evolve new ways, new modular ways, of attacking different things. And so what those patches do when they come out, what it is, is fixing vulnerabilities, newly discovered vulnerabilities, zero day vulnerabilities as you find them. 

Diana Hutcherson [00:17:51] And so, yeah, the patch that you had three months ago or one month ago patched everything that was known at the time. 

Diana Hutcherson [00:17:58] But, time has passed since then, and so, now there's new patches that have to cover new vulnerabilities that have been discovered. And so, it's actually really hard. 

Diana Hutcherson [00:18:07] I know, especially in the healthcare industry, um, because you have a lot of software that only works with some older operating systems. Or, I know with one of my clients, like, they have some line of business software that only works with Internet Explorer. 

Diana Hutcherson [00:18:25] Which is deprecated and Microsoft's no longer supporting, there's no longer patches for it. 

Diana Hutcherson [00:18:29] And so, we understand that it is kind of a case by case basis, and you kinda do the best that you absolutely can, but when there are patches, please patch your system. 

Diana Hutcherson [00:18:40] And if you have a company, like True, you know, we work really hard to patch your system for you, but we do require a little bit of cooperation from you, you know, please don't put your systems to sleep and things like that, so that we can do those patches overnight, because it really does protect you as much as possible. 

Mehgan Hochmuth [00:18:58] Again, one of the things I wanted to touch on as well is, you know, ransomware attacks do rely on unpatched vulnerabilities to access your network, but it's important to also test those patches before releasing them out into your environment first. You don't want to break anybody's line of business applications, because they will be mad at you. So, take, you know, cherry pick a couple of users, test those patches on there, make sure everything's running smoothly, and then roll it out to everybody else. But try to do that as fast as possible, to make sure that you're covering your assets. 

Mehgan Hochmuth [00:19:34] Hmm, hmm, hmm. 

Mehgan Hochmuth [00:19:39] Miss Diana. 

Diana Hutcherson [00:19:40] Sorry, I forgot to unmute myself. 

Diana Hutcherson [00:19:42] So, for effective backups, and the reason why I really want to emphasize this one as well is because, you know, let's say you do everything right, or as much as possible, and your network is as good as it can be. 

Diana Hutcherson [00:19:58] And you get those phishing attacks in that one person, who's like the new guy, clicks on the link, and you get ransomware. 

Diana Hutcherson [00:20:05] That does happen sometimes, and effectively, when we come in to help recover from a ransomware attack. This is something I don't think a lot of people understand. It's not like we're going to encrypt your files, that's not how it works. 

Diana Hutcherson [00:20:20] The encryption is very secure and you're not going to get those files unencrypted without paying the ransom. So, effectively, what we do is we wipe your system and replace it with the last known good point, which means you have to have backups. If you don't have backups. 

Diana Hutcherson [00:20:36] We can't, we can't really help that much, we're starting from scratch. 

Diana Hutcherson [00:20:40] We can't save that data, So, please do backups. 

Diana Hutcherson [00:20:45] I know that a lot of companies I've worked with didn't have the full system that we recommend, which I'll let Mehgan talk about, the 3-2-1 rule of backup. But I will say, one of the most important things, when you have backups, not only keep them, but also test them every now and then. And Mehgan can speak more on our 3-2-1 rule. 

Mehgan Hochmuth [00:21:05] Yep, absolutely. So, one thing I want to start off with saying, though, is roughly 70% of companies are found to still be using antiquated backup systems for protection. 

Mehgan Hochmuth [00:21:15] So, the 3-2-1 rule that you see on your screen there, if you're not familiar, that's three copies of data, two different storage types, and then one copy offsite. 

Mehgan Hochmuth [00:21:27] And I know a lot of people are moving that other storage to the cloud, you know, we see that's where it ultimately ends up, and, that said, that's inappropriate for the second media type. 

Mehgan Hochmuth [00:21:39] You also want to validate the security controls around the backups, like Diana said. 

Mehgan Hochmuth [00:21:44] So you want to make sure that you're testing those systems, that you're not getting failed backups, that if you do get failed backups, you're jumping on it, to make sure that you have that appropriate time to go back to should something happen. 

Mehgan Hochmuth [00:21:58] And Jenna, I know, is the queen of backup. So I know you want to talk. 

Jenna Waters [00:22:04] I do. I'm straying. That's it. 

Jenna Waters [00:22:07] The only thing I would say is, if you are backing up to the cloud, particularly, you'll want to make sure that those backups are completely segregated from your production environment. And, I mean, everything from, it needs to be a completely separate access account. 

Jenna Waters [00:22:23] You might want to even make a whole, you know, like AWS. 

Jenna Waters [00:22:27] Like, it's, like, off to the side, like, only certain people have access to those backups, because, especially with Ryuk and with TrickBot, what we've seen is, they're getting access to these backups, because they're able to get access to the credentials for backups. 

Jenna Waters [00:22:40] And that can be really damaging. So, you definitely want to do that. 

Jenna Waters [00:22:44] I mean, a really great rule of thumb is, even if you decide, yeah, we're going to do cloud, it's also perfectly fine to back up just your sensitive data, so they'd be ... or cardholder data or tokens, or whatever data is incredibly important to your business. 

Jenna Waters [00:23:03] Also, on, like a tape or a disk offsite, as sort of that tertiary like, end of the world, ransomware hits, you know, your sensitive data. 

Jenna Waters [00:23:14] The data that's critical to your business is protected and you have access to it. 

Jenna Waters [00:23:19] Even when someone like Diana or Kerry comes in and re-images your system and gets you back into operating mode, it doesn't matter that they have encrypted it, because you still have that copy. 

Jenna Waters [00:23:31] So, you don't feel stuck having to pay 

Jenna Waters [00:23:35] however many thousands or millions of dollars these guys are trying to charge you for what's already rightfully yours. 

Kerry McQuarrie [00:23:43] One of the other common things that we see during our investigations is, like, for Windows based backups, people are leaving that backup server on the domain. 

Kerry McQuarrie [00:23:52] So, their on-site backups are still accessible as long as you get, you know, once they harvest credentials. That's usually one of the first things I tell people when I see their systems, is make sure those backup servers are completely off domain. Which kind of gives them another level of air gapping before you even go to the cloud or tape or whatever. 

Jenna Waters [00:24:14] Yeah, and that's going to include federated cloud logins as well. 

Jenna Waters [00:24:18] So if you're federating your cloud logins to a Windows Active Directory on premise, that's going to include those as well. 

Diana Hutcherson [00:24:26] You know, we just had a webinar yesterday talking about some of our services that we use, and one of the really cool things that I was learning about SentinelOne, which is the endpoint protection that we use with our clients, is it actually becomes the VSS broker for Windows machines. 

Diana Hutcherson [00:24:50] And so a lot of times, what happens with Ryuk, like ... was saying, is they'll immediately go for the backups. So that's the first thing that they go for. 

Diana Hutcherson [00:24:56] Because they don't want you to be able to recover, they don't want you to be able to not pay the ransom. Obviously, that's bad for their business model. 

Diana Hutcherson [00:25:04] So one of the first things that they'll do is they'll go for their shadow copies in those backups. 

Diana Hutcherson [00:25:08] And so in addition to having lots of different backups totally separated from the network, if you have something like SentinelOne, it actually protects your shadow copies as well, because SentinelOne becomes the VSS writer. 

Diana Hutcherson [00:25:25] Or broker, so it doesn't allow anything that's unknown. There's no way for malware to go into the shadow copies. 

Diana Hutcherson [00:25:34] So, if you don't have something like that, there's tools like that out there. 

Diana Hutcherson [00:25:38] And we also use Veeam for our backup servers, as well, which has been a really awesome tool. I enjoy working with that. 

Kerry McQuarrie [00:25:45] Well, I think we're gonna talk a little bit more about the EDR solution, you know, as a whole, beyond just, I mean, there's other products besides SentinelOne. But that's what we use, but I think we have a slide where we talk about that as well. Am I right, Diana? 

Diana Hutcherson [00:26:00] Yeah, I'm sorry for getting ahead, I don't know. 

Diana Hutcherson [00:26:03] Yeah. 

Mehgan Hochmuth [00:26:06] So, the next one I'm gonna go into, Lockdown Remote Access, obviously, this is very important. One, you want to keep the bad guys from getting in, also, you want to keep them from moving within your network. Like Kerry said, once they're in, they start to move laterally through your network. So they're connecting from workstation to workstation, workstation to servers. So some of the things you can do: turn off RDP if you don't need it. 

Mehgan Hochmuth [00:26:32] If you're going to use RDP, put the access behind a firewall, so it's not directly accessible. 

Mehgan Hochmuth [00:26:37] Use a Remote desktop Gateway Server that'll give you some additional security and operational benefits, like two-factor authentication. 

Mehgan Hochmuth [00:26:45] And you can change the RDP port, so port scanners can't find you. 

Mehgan Hochmuth [00:26:50] You know, generally it listens on 3389 for both TCP and UDP. 

Mehgan Hochmuth [00:26:56] This can potentially stop you from showing up and becoming an easy target. If you are going to use a firewall, which I hope you are, make sure you configure your firewall to permit connections to the new port number. 

Mehgan Hochmuth [00:27:08] If you do change that, understand that every open port is a potential point of entry for ransomware; non-essential open ports should be eliminated. 

Mehgan Hochmuth [00:27:18] Rather than using port forwarding, use VPNs to access remote sources and network segmentation. 

Mehgan Hochmuth [00:27:25] And, Kerry, I'm going to let you jump in there. 

Kerry McQuarrie [00:27:30] Yeah, we've seen, in some of our incident investigations, we see, like, external assets sitting on the same VLAN as all the rest of your data. 

Kerry McQuarrie [00:27:41] And that's definitely a big no-no. We definitely recommend having your externally facing assets on their own VLAN, with some nice tight firewall rules. 

Kerry McQuarrie [00:27:51] Controlling access. 

Kerry McQuarrie [00:27:53] Yeah, and of course, like, sensitive data shouldn't reside on the same server network segment, like, as your e-mail environment; keep it separate. You can create a user group that allows your remote access and limit those users. Not everybody probably needs it, so just make sure the users that you're giving remote access actually do need it. 

Kerry McQuarrie [00:28:21] Next slide. 

Kerry McQuarrie [00:28:31] Who's got that one? 

Mehgan Hochmuth [00:28:33] That is Miss Diana, but I think we just skipped one. OK. Oh, Active Directory, OK. Cool. 

Diana Hutcherson [00:28:39] So, this one is near and dear to me, because I've had to do a lot of Active Directory cleanups. So, obviously, there's starting with this concept of, you know, the principle of least privilege. 

Diana Hutcherson [00:28:55] You want people to have enough privilege to be able to do their jobs and not a whole lot more. And that's not because you don't trust them, but if their accounts got compromised, you don't want somebody to be able to come in and use their account to do more than they should be doing. 

Diana Hutcherson [00:29:12] So, you know, do an audit of all of your administrator-level groups and remove anybody who doesn't need to be there. 

Diana Hutcherson [00:29:21] Make sure that they are using some really strong security precautions. 

Diana Hutcherson [00:29:28] I always follow the NIST guidelines for passwords, and the big thing that they've been pushing lately is, you know, yes, complexity is good, you know, uppercase letters, lowercase letters, numbers, and special characters. But really, the biggest thing, as computers are getting more powerful, is long passwords. That's, like, the big thing, and people get annoyed when you say, you know, 12-character password, that's ridiculous, and, no, but if you have something like, you know, 'I hate long passwords'. Amazing, that fits the requirements. 

Diana Hutcherson [00:30:00] And that becomes, like, one of the best, most secure passwords you can have, a long password. 

Diana Hutcherson [00:30:07] You can also get into some fine-grained password policies and blacklist some common passwords like password1 or, you know, court 1 2 3.

Jenna Waters [00:30:20] Your username. Don’t.

Diana Hutcherson [00:30:21] Yeah. 

Diana Hutcherson [00:30:24] Yeah, exactly. 

Diana Hutcherson [00:30:27] Definitely. 

Diana Hutcherson [00:30:29] There's actually a really good website that I have cracked password, where you can actually type in, you know, your desired password, and it'll tell you how good it is, and it'll actually even comb the Net or wherever it's been in any like confiscated passwords that have been that have been found like have already been compromised will tell you if it's one of those. 

Diana Hutcherson [00:30:55] And so, yeah, it's like a password check. It's, like, super great. I think it's check dot password ping dot com, and it's super great. And I like to use that and tell people, use that as a measure of what your password should be. Getting back into specifically... 

Diana Hutcherson [00:31:10] Your Active Directory, you should be careful, like, actually look at who's in what groups, try to clean it up. 

Diana Hutcherson [00:31:19] If it's complicated for you as the network administrator or the server administrator to look at and understand who is where, then re-organize it in a way that makes sense for you. 

Diana Hutcherson [00:31:29] Um, don't. Oh, yeah, and also on passwords is a note here. 

Diana Hutcherson [00:31:34] Like, if someone is gonna write down their password, like, have them keep it in their wallet, or on their person, not with the computer, because, obviously, no. 

Diana Hutcherson [00:31:45] Then, if they're not at their computer, you don't want someone to be able to come up and find a password. 

Kerry McQuarrie [00:31:52] Or show them one of the password keeper utilities out there. Get rid of paper managers.

Mehgan Hochmuth [00:31:54] Screenwriting. So yeah, absolutely. Yeah, and definitely don't keep it in unsecure locations. 

Mehgan Hochmuth [00:32:05] Like, people will put Word docs and they'll name them "password" on their computer, you know, and that's the first thing that somebody's going to look for. So yeah, like a secure password vault for your users. 

Mehgan Hochmuth [00:32:18] If they're having trouble remembering their passwords, because they know they should be long, they should be secure. And also, enforcing two-factor authentication for your users. I'm going to say that, like, 10 times throughout this whole thing. 

All [00:32:31] Yeah. 

Diana Hutcherson [00:32:31] Yeah, amazing, that cuts down. 

Diana Hutcherson [00:32:35] I think I've heard the statistic that it cuts down on, like, 70% or 75% of them, I guess, hacked logins, something like that. 

Mehgan Hochmuth [00:32:47] So this one is pretty self-explanatory, you know, two-factor authentication. 

Mehgan Hochmuth [00:32:53] And then also, most ransomware starts with an e-mail, like we talked about earlier. Training your users, so they're not clicking on links, they're not opening e-mails from people that they don't know. They're not opening those documents that say "invoice". 

Mehgan Hochmuth [00:33:07] You know, "it must be for me." Just, you know, make sure that you're using a good spam filter for protection, and, you know, something that can also sandbox and double-check those links. 

Mehgan Hochmuth [00:33:20] And so, if you do click on it, it can give you that layer of protection there. And then enforce password complexity, like what we talked about with Active Directory, and then just, you know, review existing e-mail accounts, if you ladies want to. 

Kerry McQuarrie [00:33:39] Yeah, it's basically a lot of the same rules that apply to Active Directory, pardon me. 

Kerry McQuarrie [00:33:44] Also apply to your e-mail system, with the caveat that most e-mail systems are externally facing. So, you know, you want to enforce multi-factor authentication, especially with administrators. 

Jenna Waters [00:33:57] It also helps, using, like, where you essentially scan attachments as they come in. You might not catch everything, but you might catch something, and it's always better to catch that low-hanging fruit that you know, for a fact, 

Jenna Waters [00:34:13] is just ridiculous, so that your security teams can focus on the more rigorous or robust attacks that are coming in. You don't want them responding to something like, I don't know, a Nigerian prince asking for money. 

Jenna Waters [00:34:26] You want them responding to the ransomware and you want them responding to the really important things. 

Jenna Waters [00:34:30] So definitely scanning your attachments. 

Jenna Waters [00:34:34] Definitely using e-mail filtering and spam filters is going to go a long way. 

Kerry McQuarrie [00:34:39] Yeah, because it's not typically the Nigerian prince. 

Kerry McQuarrie [00:34:41] It's that, "Oh, can you look at this wire transfer and confirm it," or "Here's a document, it's urgent." 

Jenna Waters [00:34:50] They're definitely more targeted, and they're definitely smarter nowadays. 

Jenna Waters [00:34:54] That's just what everyone knows. 

Diana Hutcherson [00:34:57] One of the things that I've had to learn, too, is, like, if someone at one of my clients does send me an e-mail that they think is suspicious and I'm like, yeah, that definitely looks like spam to me, I go back to that e-mail filter and look at, OK, why was this allowed through the filter? 

Diana Hutcherson [00:35:11] And, like, in one case, I found out that there's actually a threshold: if an e-mail is larger than a certain size, then the filter doesn't scan it at all. 

Diana Hutcherson [00:35:22] And so I've had to increase that size from the defaults, just to catch some of those things. So, it's just, you know, again, as the administrator, be vigilant. 

Diana Hutcherson [00:35:36] What else? 

Diana Hutcherson [00:35:40] Awesome. 

Jenna Waters [00:35:42] My favorite. I was going to say, my favorite. 

Jenna Waters [00:35:49] I think every cybersecurity person learns to love monitoring and audit logging. 

Kerry McQuarrie [00:35:56] Yes. I definitely think it's one of the more overlooked things in the IT industry, because it's fairly difficult to do well. 

Jenna Waters [00:36:05] I think it's difficult to do well because it requires that industry-level knowledge and experience to recognize anomalies right off the bat. 

Jenna Waters [00:36:15] But if you have a log forwarder or a good SIEM like Splunk, or like SentinelOne, it really helps and goes a long way. 

Kerry McQuarrie [00:36:25] Right? And your environment can generate a lot of chatter. 

Kerry McQuarrie [00:36:28] It does take some, some time to filter through what's important and what's not. 

Kerry McQuarrie [00:36:33] But we definitely recommend ensuring that your maximum log sizes and stuff are set. I've seen, especially with Windows security logs, the default, 

Kerry McQuarrie [00:36:44] I think it's 20 megs, and depending on your group policies, it'll be an hour or 15 minutes of what's happened in the past, and that's just not enough data to figure out where things went wrong. So.

Kerry McQuarrie [00:36:58] Configuring the maximum log size and rollover policies, or whatever you need to do to keep that data somewhere that you can look at it later, is always best practice. 

Jenna Waters [00:37:11] Yeah. 

Jenna Waters [00:37:12] I think it's recommended you should have a minimum of a year of audit logs. 

Jenna Waters [00:37:18] Because, like we're seeing with ransomware, sometimes they are there for days, and then with more, newer ransomware, what we're also seeing is they're there for weeks,

Kerry McQuarrie [00:37:26] right.

Jenna Waters [00:37:27] and we need to be able to see that to do a proper investigation, because it's the only way that we're going to be able to say, from start to finish, this is what we believe happened. And again, if you're in healthcare, you have to report that; that has to go to OCR. 

Jenna Waters [00:37:43] So you want to keep a minimum of a year, if not more, and it doesn't have to be active storage. You can forward it on to inactive or cold storage, where it just hangs out until you want it. That's the point. 

Diana Hutcherson [00:37:56] Right. Do you have some examples of when audit logging didn't go well? 

Jenna Waters [00:38:02] I'm sorry, you said you had some examples of when people didn't have the right monitoring? Yeah. 

Kerry McQuarrie [00:38:07] I've been on investigations where something happened yesterday, you know. 

Kerry McQuarrie [00:38:12] You're looking for things like Remote Desktop access, or, you know, 

Kerry McQuarrie [00:38:17] event ID 4624 or 4625, for somebody logged in or logged off, that kind of thing. And if you've only got an hour's worth of data, we don't have any way to figure out what happened yesterday, let alone a week ago, or how long somebody has been in your system. 

Jenna Waters [00:38:33] And it's really important to know the system you're on, because when Office 365 came out, it wasn't audit logging anything by default. It still doesn't, by default. 

Kerry McQuarrie [00:38:45] That's, like, 10 days of data, unless you explicitly turn on unified audit logging. 

Jenna Waters [00:38:53] And it was only logging specific things, and one of those was not e-mail. 

Jenna Waters [00:38:58] You know, at least at first, it was ridiculous, I think. Wow. They've changed it a little bit. 

Kerry McQuarrie [00:39:02] It's a really good idea. Turn it on.

Jenna Waters [00:39:06] Yeah, you still have to turn it on. It's like, why is this not on by default? Right? 

Jenna Waters [00:39:11] I could rant about that all day, but know the systems you're working with, and understand your audit logs, those activity logs, and see if you can get them narrowed down to what's really important for your organization. So, you know, those really matter. If someone opens, like, a Word document, that's just an object change, right? 

Jenna Waters [00:39:31] What we do care about is if someone's accessing audit logs and changing them, right, or someone's logging on with an administrative password all the time, for no reason. 

Kerry McQuarrie [00:39:44] Yeah, I mean, if you really want to be proactive, a SIEM or centralized log collector is a really good way to go, because you could be proactively monitoring the data that's coming in. 

Kerry McQuarrie [00:39:54] You can even put some automation behind how you're reacting to the data that's coming in, and you've kind of got an air gap between you and anybody who might want to get rid of all your log data. 

Jenna Waters [00:40:06] Exactly. 

Jenna Waters [00:40:07] And it doesn't have to be perfect at the beginning; it should be holistic. 

Jenna Waters [00:40:11] You're going to grow as an organization, and that means your logs are going to become more specific. You're going to understand your threat vectors more over time. 

Jenna Waters [00:40:19] This isn't a setup one and done. 

Jenna Waters [00:40:22] It's a process, and it's going to be a process. 

Jenna Waters [00:40:24] But if you approach it like that and you approach it with a strategy, you can do it really well. 

Jenna Waters [00:40:30] It just takes some forethought, organization, and, like I said, a really good strategy of how we are going to narrow our security team's focus so we can optimize the limited resources we have as an organization to catch these attacks. 

Kerry McQuarrie [00:40:45] Yeah, because there is a resource cost with logging for sure. 

Mehgan Hochmuth [00:40:57] I skipped ahead to this one. 

Mehgan Hochmuth [00:41:02] So, we've got, you know, having a great endpoint detection and response solution, as opposed to an EPP solution, which is your endpoint protection platform. And that just covers, like, traditional anti-malware scanning. Whereas the EDR is going to give you a couple of more advanced capabilities, and by a couple, I mean a lot. But it's going to detect and investigate security incidents. It's gonna give you the ability to remediate those endpoints to a pre-infection state. But you also want to consider an MDR service. That way, you're having real people review and oversee it. You know, consider that service, because you need those people to actively threat hunt and respond to those intrusions on your behalf. 

Mehgan Hochmuth [00:41:49] And, plus, you need them to have the resources and the time that it costs to do that, 24/7, for maximum benefit. 

Diana Hutcherson [00:41:59] This, kinda, I guess, is where I was supposed to bring up our SentinelOne. 

Kerry McQuarrie [00:42:04] There's lots of, I mean, there are many products. CrowdStrike is one product, Carbon Black is another product. But we do EDR services and we do MDR services as well. 

Kerry McQuarrie [00:42:18] But there are a lot of great products out there to allow everybody to do that. 

Diana Hutcherson [00:42:24] Kerry works with most of those products, I'm pretty sure, as the incident response person. You know it better than me, I think. 

Diana Hutcherson [00:42:30] And, you know, as managed services, you know, either the network or server admin systems, everybody. You know, I'm using SentinelOne predominantly as my main tool within my clients' networks. 

Diana Hutcherson [00:42:43] But, yeah, it does have a phenomenal amount of power and I'm very excited about it. 

Mehgan Hochmuth [00:42:51] And before we go to the next slide, one thing I wanted to add that we didn't add into our slides is keeping a list of your assets, which I think Jenna would agree with, because I see the smile growing on her face a little more. But you also have to update that information regularly. Like, ideally, as soon as you put that equipment on there, you should be updating that list. And you need to be able to quickly locate it in case there is an infection: you need to patch it, you need to pull it offline. 

Mehgan Hochmuth [00:43:17] You need to replace it. Make sure you have an inventory of your equipment. 

Mehgan Hochmuth [00:43:24] You know, this is especially important, and I think for hospitals as well, because there's a lot of equipment. So you need to know where it all is, so that you can hunt it down and locate it as fast as possible. 

Kerry McQuarrie [00:43:43] Next slide. 

Jenna Waters [00:43:47] So this is where we're going to kind of wrap up what we've been talking about in terms of all of these strategies to respond to something like ransomware, particularly TrickBot and Ryuk. 

Jenna Waters [00:44:00] Having that holistic security program that grows over time, that matures over time, 

Jenna Waters [00:44:05] and that can adapt to different threats as they arise, because they are. 

Jenna Waters [00:44:11] It really is the Wild West out there. 

Jenna Waters [00:44:13] They're going to come out of the woodwork at any given time. 

Jenna Waters [00:44:17] And it's 2020, So who knows what we're going to see? 

Jenna Waters [00:44:22] But what I really, really want to stress is, as a security program, you have to have leadership buy in. 

Jenna Waters [00:44:28] That's the issue we see a lot in organizations, is security is not the priority, it is a support function. 

Jenna Waters [00:44:36] And while that can create some difficulty, a little bit of tension, you know, security wants to secure everything, IT wants to make sure things work, and the organization has a business to run. 

Jenna Waters [00:44:48] Well, getting leadership buy-in in your organization for your security teams is really, really important. 

Jenna Waters [00:44:55] Or partnering with someone like TRUE. I don't really care who you partner with. 

Diana Hutcherson [00:45:00] But someone who specializes in this, who, this is what we do every day, and we understand the threats that are out there, and how to help your organization tailor itself to best respond to them. 

Jenna Waters [00:45:14] Also, being able to evaluate your program, and evolve over time, and educate your personnel. I mean, Mehgan really covered it. 

Jenna Waters [00:45:24] Your people may be the weakest link. A lot of us security people, we like to go, "Well, people are the weakest link." 

Jenna Waters [00:45:32] Always. They can also be your strongest asset. 

Jenna Waters [00:45:35] If you educate your people, if you educate them, you make it personal. You make it so that it is valuable to them to protect not only the organization but themselves. 

Jenna Waters [00:45:46] Then you now have frontline defenders in every department in your organization, and that's why you want leadership buy-in. Because that enables you to provide that education and help 

Jenna Waters [00:45:58] create well-educated employees in cybersecurity. 

Jenna Waters [00:46:05] Also, you want to be conducting security assessments and testing. Really, especially for HIPAA, it's important to do an annual risk assessment. 

Jenna Waters [00:46:15] These risk assessments really need to be driven, again, you know, from the top down, because the risk assessment is going to go by the scope that you define. 

Jenna Waters [00:46:26] If an organization defines a really restrictive scope that, say, a third-party consultant or the internal security team can look at, that's not exactly as useful as if we look at the organization as a whole. Because that's the only way we're going to be able to identify, during a risk assessment, all the threats, all the vulnerabilities, and the likelihood of each. 

Jenna Waters [00:46:51] Which, again, is going to help the organization determine the cost and benefit: the cost of a breach versus the cost of the mitigation that would prevent that breach in the first place. 

Jenna Waters [00:47:05] There's a lot of resource cost, from monitoring to education 

Jenna Waters [00:47:09] to backups. 

Jenna Waters [00:47:11] So if you can use a risk assessment to help make those cases, especially to your leadership, that goes a long way in helping your organization in terms of cybersecurity. 

Jenna Waters [00:47:22] Another one is penetration testing. That's going to help evaluate your security controls. 

Jenna Waters [00:47:27] And if you have no idea where to start, I really suggest, particularly for healthcare organizations and for covered entities, to look at the HITRUST CSF. Version 9.1 was released in 2018. 

Jenna Waters [00:47:40] And it's a lot more in depth as to what HIPAA and HITRUST expect. If you go look at HIPAA, 

Jenna Waters [00:47:48] it's very bland and broad. It's a law. It was written, 

Jenna Waters [00:47:54] you know, it was written by people who work in government, who legislate. So there's not a lot of, you know, meat in there for you to really dig into. 

Jenna Waters [00:48:04] But the HITRUST CSF helps you do that. 

Jenna Waters [00:48:07] It helps you determine the important security controls that are going to be put in place to protect electronic health data. 

Jenna Waters [00:48:16] Any other kind of framework you're going to use to prevent ransomware, the CSF is really great. PCI, if you have financial data.

Jenna Waters [00:48:25] It's a little bit rigorous if you don't, say, I don't recommend it for the normal organization. But ISO is another great one. 

Jenna Waters [00:48:32] So there are tons of frameworks out there for you guys to use. 

Jenna Waters [00:48:37] Lastly, it would be your data security. 

Jenna Waters [00:48:39] So, everything I've talked about falls under a holistic security program, but data security, you know, you identify your data. What do you have that's critical? 

Jenna Waters [00:48:50] What are your assets, or which ones are important? 

Jenna Waters [00:48:53] And, you know, like Mehgan said, you want to have an inventory. If you don't have an inventory of your data, your sensitive data, your assets, hardware, software, your service providers: your inventory should include your service providers. It should include every port, and protocol, and service you have open. 

Jenna Waters [00:49:12] It's not just about what desktop do I have, or what laptop do I have. 

Jenna Waters [00:49:16] It is about knowing every threat vector, or every potential threat vector in your environment. 

Jenna Waters [00:49:23] It sounds like a lot, but if you suffer from an attack like Ryuk, it can go a long way to helping you recover. 

Jenna Waters [00:49:30] Lastly, restrict your user access and your object accessibility to sensitive data. 

Jenna Waters [00:49:39] We see a lot of times, like we've all said before, with Ryuk, they try to get at the data. They try to get at your backups. 

Jenna Waters [00:49:46] Restricting access to those backups so significantly that only select members of your IT organization or your management can access specific types of data backups can really help your organization in terms of recovery, especially for sensitive or critical data like, you know, cardholder data, ..., things that are regulated and highly scrutinized by other third parties. 

Jenna Waters [00:50:15] That's really all I had to rant about in terms of security. 

Kerry McQuarrie [00:50:21] Oh, OK. 

Jenna Waters [00:50:24] I just parroted everything you guys said, it was great. 

Diana Hutcherson [00:50:28] Let's see, what other questions do we have? 

Diana Hutcherson [00:50:30] Do we have questions? 

Jenna Waters [00:50:32] Oh, my gosh, we actually have time for questions. Yeah. 

Lindsey Watts [00:50:35] We actually do, and we've had a couple of questions submitted already, but I would just encourage anyone who's been thinking of something, feel free to submit those. 

Lindsey Watts [00:50:47] The one I really like, because a lot of the recommendations that you all have made may take a little bit of time. Right? Use your education, and things like that, so I really appreciate this one. What is the most immediate, high impact step I can take to protect myself? 

Lindsey Watts [00:51:04] So, I assume that means just, right now, how do I immediately stop the bleeding or make sure I'm not going to suffer too much here? 

Kerry McQuarrie [00:51:14] Patch. For sure, that would be my opinion. 

Diana Hutcherson [00:51:17] It can be backups. 

Mehgan Hochmuth [00:51:20] Yeah. 

Lindsey Watts [00:51:23] I would have guessed that you all would have said, you know, MDR or something, but, you know, patching and vulnerability management. That's a big can of worms, right? 

Kerry McQuarrie [00:51:34] So, I mean, an immediate first step 

Kerry McQuarrie [00:51:37] you can take is deploy patches to your workstations and your servers, and take a look at the firewall. 

Kerry McQuarrie [00:51:45] See if it's due for any updates or if there's any vulnerabilities. 

Kerry McQuarrie [00:51:48] I mean, those are things you can do without leaning too heavily on outside resources and whatnot. 

Mehgan Hochmuth [00:51:56] And if you are going to lean on resources, then yes, MDR. 

Jenna Waters [00:52:03] Multi-factor authentication. 

Mehgan Hochmuth [00:52:06] Yeah, oh, there you go. Yeah. 

Lindsey Watts [00:52:08] I said, how many times would it be said today? I was sort of gambling. I was predicting it was going to be somewhere around eight. 

Diana Hutcherson [00:52:24] If you have data anywhere on your network, even if you don't have time for some super fancy backup option, like, you can take a thumb drive and back up certain data. 

Diana Hutcherson [00:52:34] I mean, I wouldn't.

Kerry McQuarrie [00:52:40] I mean, Yeah, and I don't want to see it again.

Diana Hutcherson [00:52:43] I'm not saying it's a permanent solution. 

Diana Hutcherson [00:52:45] Don't think that that's OK, or a substitute for proper backups, but, you know, if there's something that your company would, you know, go under without that information, like, have it somewhere, at least. 

Jenna Waters [00:52:57] Yeah, your critical data. Knowing what it is, that's gonna go a long way in protecting it. 

Diana Hutcherson [00:53:03] But, also, I think part of the reason why Kerry's upset about that is, like, if you have a thumb drive with critical data on it, don't lose the thumb drive. 

Kerry McQuarrie [00:53:09] So, I've actually participated in an investigation where somebody was using a USB based backup and neglected to unplug it the night before they got hit. 

Kerry McQuarrie [00:53:21] So, yeah. Yeah. Yes. You do what you have to do in the budget confines that you have, you know. 

Jenna Waters [00:53:32] Yeah, effort. It should always be rewarded. 

Jenna Waters [00:53:35] Yes, they tried. 

Lindsey Watts [00:53:38] However, it seems like, it seems like most healthcare organizations would have no dedicated budget for backups. And just simply, because you're working with HIPAA compliance and whatnot, I don't know. 

Jenna Waters [00:53:51] Um, I would say that yes, most of them do. 

Jenna Waters [00:53:55] But, again, remember, security is a support function. 

Jenna Waters [00:53:59] It is something that is a cost, and not a, like, not a financial benefit, technically, to a business, or a hospital. And hospitals are busy saving people's lives.

Jenna Waters [00:54:14] And I think that's, again, why we need leadership buy-in in those types of organizations, because doctors shouldn't be worrying about cybersecurity, the built part of it. 

Kerry McQuarrie [00:54:25] A lot of times nobody gets the buy-in until after the breach has happened. And then there's some value attached to having security in your environment. 

Diana Hutcherson [00:54:36] People learn from other people's mistakes. 

Lindsey Watts [00:54:40] I mean, ideally, right? Ideally. OK, so that kind of, you mentioned firewalls, and actually, that is our next question. Do you have any recommendations for my firewall strategy? 

Lindsey Watts [00:54:56] I know, I mean, you have about 2.5 minutes. 

Jenna Waters [00:55:03] I would say standardize configurations for your firewalls if you have multiples, so definitely making sure you standardize rule sets across different layers within your network. 

Jenna Waters [00:55:15] If you're working with subnets or you're working with VLANs, you'll want to be able to easily deploy a firewall, as well as have a standardized way to make sure you are deploying new firewalls. 

Jenna Waters [00:55:28] So you're not spending a lot of time customizing each firewall, depending on how many you have. If you only have one. 

Kerry McQuarrie [00:55:35] Also, if you have the budget for it, the more advanced features like intrusion detection and intrusion prevention, you know, send those logs over to your log collection. 

Kerry McQuarrie [00:55:45] That kind of thing. And an assessment of your firewall is always a good idea. 

Jenna Waters [00:55:50] Always. 

Diana Hutcherson [00:55:51] Something else that I want to add, because I know a lot of people think, you know, "If I have the best-of-the-best firewall of doom, then I'm not gonna get ransomware." 

Diana Hutcherson [00:56:00] And that's, unfortunately, not the case. 

Diana Hutcherson [00:56:04] A lot of the Ryuk attacks use common ports, like HTTP, HTTPS, that, like, you can't really block. And so, yes, have a good firewall, that really does help, but it's not going to replace good endpoint protection as well. 

Jenna Waters [00:56:19] Yeah, and it's not going to stop someone from clicking on an e-mail.

Mehgan Hochmuth [00:56:39] And there's always the option of outsourcing that, so that someone else can sit on your firewall, review the logs, make sure they see the alerts and jump on it faster than you ever could. 

Jenna Waters [00:56:36] Just be really, like, picky about who you outsource that to. 

Jenna Waters [00:56:43] I don't recommend outsourcing it to, like, you know, some guy who just works out of his house. I'm just saying, look at the organization. 

Diana Hutcherson [00:57:04] Credentials. That's a good question. 

Diana Hutcherson [00:57:06] Is that a company should have the, you know, if not TRUE, you know, what other company would you trust based on certifications or credentials? 

Kerry McQuarrie [00:57:18] I mean, I would just do my due diligence on whoever I choose. Word of mouth is always great. 

Kerry McQuarrie [00:57:27] Yeah, you just want people that offer 24 by 7 monitoring. 

Kerry McQuarrie [00:57:30] They've got somebody in there all the time, and they're ready to look at all those advanced feature sets that we talked about. 

Jenna Waters [00:57:37] And another thing you can look for, if you're looking at a third party and you're a bigger organization, medium-sized, maybe not smaller, like super small businesses, is looking for, like, a SOC 2. 

Jenna Waters [00:57:51] That's a good one to look at. 

Jenna Waters [00:57:53] Look for, you know, someone who can do PCI, 

Jenna Waters [00:57:56] someone who can do HIPAA, someone who understands what compliances are out there. I mean, if you're international, GDPR is going to be a really big one. 

Jenna Waters [00:58:07] It's unfortunate, because HIPAA doesn't have, like, a certification, so it's not like we can just slap a label on and be like, "Hey, we know HIPAA." 

Jenna Waters [00:58:13] But if it's brought up, if they talk about it, that's really important. 

Jenna Waters [00:58:17] They obviously understand the issues facing you and your specific industry. So you definitely need to ask them a lot of questions. 

Jenna Waters [00:58:25] But as far as certifications or ..., good to look for? 

Lindsey Watts [00:58:35] Well, thank you, ladies, so much for your expertise and your time. And thank you to all of our attendees. 

Lindsey Watts [00:58:42] We will be in touch with you with the link.
