Introduction & Main Topic
00:00:00
Speaker
Welcome to the Codeplay Culture podcast, where we discuss tech, gaming, health, and the world around us.
00:00:10
Speaker
Welcome back to Codeplay Culture. Logan, Rui, and Chris, we are back at it again after a small hiatus, having fun, changing the world, one person, organization, and group at a time.
00:00:25
Speaker
Rui, how are you, sir? I'm doing good. I'm doing good, man. Chris, what's up? Awesome. Sorry, I cut you off there, Rui. No, no, I was just gonna go on like I usually do, but Chris, go ahead. Hi, how are you? Great day. So what are we talking about today? Ransomware, 'cause it's close enough to Halloween. By the time this airs, it might be exactly on the scary day. That's a scary day anytime you hear about it, but yeah.
00:00:55
Speaker
Yes, so it's been a recurring theme for people that are not in the cloud.
Impact of Ransomware on Businesses
00:01:01
Speaker
If you have, let's say, SQL data on-prem, let's say you have a lot of databases on-prem, they can encrypt that and then say, okay, we will decrypt it for you for 20 grand. Some companies pay the 20 grand right away.
00:01:19
Speaker
Okay. But then sometimes it gets really bad, where they encrypt the databases, many of them, the local files like, you know, shared drives, and they also say, okay, now 500,000, half a million.
00:01:33
Speaker
And at that point you check backups and you're like, oh, all the backups online have been, like, you know, messed up too. If it's virtual machines, sometimes they completely take those offline. This is a scary thing. And I have not seen ransomware in the cloud more than I have seen ransomware on-prem.
00:02:00
Speaker
That's interesting. So you're suggesting the cloud is more ransomware-proof, I guess? Yeah, or it's easier to hide behind the SLAs of Microsoft than it is to say, I'm going to have my own data center, secure it as if I was Microsoft.
00:02:19
Speaker
But people can't afford to lift and shift the entire server closet.
Cloud vs. On-Prem Security: A Debate
00:02:23
Speaker
What I'm saying is it's probably a good idea to synchronize some of your data to, like, you know, Azure, or to keep some of your backups offline, disconnected from any existing systems that can access them.
00:02:38
Speaker
Well, so you get what you pay for. And if you're using Azure or AWS or any of the others, Oracle or something, I mean, yeah, they've got the highest level of training. They're in the know on this stuff, because any type of attack like that is going to be very high-profile and really undermine their entire business. Right. So, you know, they're going to be on the ball with that stuff. So yeah, you have to pay for those services and they're not cheap, but they can still be effective.
00:03:05
Speaker
Hmm. Yeah. They can still be affected by this, by ransomware. I think too, like, and you guys are more experts than I am, I'd love your take on this, but it's one thing to just unlock your database, but, like, they still stole all your crap and they're going to use it to their advantage.
Data Theft Challenges
00:03:20
Speaker
Like, they're not like, we're never going to use your data, we're going to be nice from now on. Oh, I mean, they clearly went and screwed you over. Like, they're going to still maximize that data. They can make it available to competitors or, you know,
00:03:32
Speaker
if your company is up to anything illegal, they can report it to the government and create a lot of downstream effects. Yes. Yeah. The cost of having your servers in your server closet really is higher than 20,000 typically. And ransomware starts around that 20 to 50 grand. And it's definitely worth paying.
00:04:00
Speaker
that, like, when you do the math on it, you're like, okay. And really, I've been at some places where on the first attempt the, you know, person in charge of finance pays right away, and then they get the data back right away. Right. And if you don't, there's, like, a scaling, tiering escalation: if you don't respond within 48 hours, then it will double. Like, it's better to just... and they got back, I would say,
00:04:30
Speaker
80%, 90% of the data. Offsite storage that's disconnected from the current network sometimes saves the day. Yeah, but if you're, like, a busy business, you kind of do that every day and have a process, right? Correct.
00:04:50
Speaker
Yes. And a documented process, and hopefully an audited documented process that is compliant with, you know, SOX and ISO and other standards that have gone through this rigmarole and have, like, you know, here's what you do. Like, grandfather-father-son, at least, is, like, a great backup, I guess, algorithm, but this will take resources, and small businesses can't afford that kind of a process, right?
Targeting Small to Medium Businesses
00:05:15
Speaker
Sorry about ISO standards. I mean, yeah.
00:05:19
Speaker
Are you seeing it more... again, you guys see this a lot more professionally, but are you seeing it affect small businesses more than large, or just even across the board? It seems to be affecting small businesses more than large.
00:05:35
Speaker
It affects small, it affects medium-sized business. So I would classify medium as over 10 million annual sales, and if you have an AR and AP department, that's how I'm classifying medium-sized business. I like that classification. It seems to hit them the most. It does not seem to hit enterprise the most, and it does not seem to hit enterprise, publicly traded companies.
00:06:03
Speaker
Do you think that's part of the targeting algorithm that these ransomware attackers use? Like, they're not going to have to look at it because they're not going to have the money to pay, but the mid-sized company doesn't have the organizational maturity and those extra layers and processes and certifications, but does have the revenue where they can make that payment.
00:06:22
Speaker
100%. Never thought about that. The way you said that was so succinct, and 100%, that's one of the reasons why. Like, you don't go after the big guys because they probably got a process to mitigate such. You don't go after the small guys because you can't afford it. Yeah, Rui, I want your take on this. Like, to that point, if you're a company and you have a public-facing website, something like that, let's assume somebody's going to do a little research on you. You know, are there ways of, maybe like the bully in the playground, right? You pull yourself up, you look bigger than you really are, maybe like the term, right? If you have certain statements or things in your, you know, header that show good data security practices, that might push them off a bit. You still wanna have, I mean, if you don't have the actual protection layers, you gotta work on that, but.
00:07:15
Speaker
So I think you're asking about a publicly facing website. I think that's what he was asking, right? Yes. Yeah. So what would be? Ways to mitigate risk.
Best Practices for Security
00:07:29
Speaker
Yeah. Like, especially, let's say you have some older versions of... but let's be honest here, the majority of the internet's public-facing websites are, like, PHP. PHP and WordPress. Like, WordPress dominates. Right. The market, right. jQuery is still pretty high in terms of, you know, what's out there. Like, but what would you do to, like, secure and make sure that those things are maintained and up to date, like, for PHP? Yeah. Yeah. So stuff like that, you would of course follow best practices when it comes to security, and always stay up to date, right? Like, PHP goes out of date pretty frequently.
00:08:13
Speaker
I mean, not as frequently as other technologies, but it goes out of date and things get deprecated. So always stay up to date with the latest framework or platform, right? So that is probably the best way to stay secure: stay up to date. If you're, like, low-tech, and what you're hearing from, like, when nerds like us speak... I'm not lumping you in that. Yeah. Yeah. Algorithm soup is like, they're like, oh, we have websites, we have internet websites, and that person no longer works for us. Every business as usual, continue on, and then they lose everything. They didn't even see it coming. Yeah. How do you get through to people that are maybe older, maybe the same age, but just low-tech? Yeah.
00:09:07
Speaker
and they run big organizations. I found that outlining the risks, like, just making sure where the risk even exists, right? You know, you may say ransomware, you might think of all the stories of, like, you know, the gift card scams, things like the phishing attacks, and they're very different things. Like, ransomware is a very direct attack on your server or your data, whereas, you know, the other ones are just taking advantage of, you know, someone making a mistake and clicking the wrong link. It's a big difference.
00:09:35
Speaker
But yeah, again, it can happen anywhere, right? You're talking, like, physical, no problem, right? They can install ransomware and, you know, ransom your data, but cloud storage or cloud, it's the same thing, right? Any kind of misconfigured settings opens you up for attack, right? So it all comes down to knowing what to do and knowing how to prevent this, right?
00:09:59
Speaker
Yes. Yeah, but it just goes back to, with regards to the cloud, like, if your root database is in a secured Azure, AWS, I'm going with the big guys, but yeah, you know, it didn't there. I mean, do you need to put additional layers on top of that for your organization? It's only as secure as the person securing it. That's how I see it. Yes. And they recently kind of started biasing and saying the people that are securing
00:10:27
Speaker
Azure SQL are now Microsoft, not the people that own the instance. And this was fairly recent, where if you go to Azure right now and say new Azure SQL database, maybe this is the past three years, it automatically sets up, like, geo-specific redundant daily backups. You don't have an option. It automatically sets up TDE, or, you know, data encryption at rest. So if someone gets the database file itself and they open it on, I don't know, their own computer, they can't, because the file at rest, you know, a resting file, it can't be opened. So they created some biased defaults, and you have to go pretty out of your way to turn off the backups and to turn off TDE or data encryption.
00:11:16
Speaker
It used to be more like that, Rui. And now they're saying, you know what, people are stupid. And I would agree with Microsoft's opinion on people setting up and securing servers, because they see all of this stuff at a massive fire-hose level. And they see all of these different things happening all the time, and all these people affected, and data leaks and stuff. So they know that, okay,
00:11:44
Speaker
90% of the things happen from this, we're gonna make that the default. And they bias in the install of things now, which is great. Takes the thinking out of setup, you know? Yeah, right. It's not all stupidity, though. I think you made a good point before, Logan, about, like, how do you educate the people that don't understand or can't read the algorithm soup, right? You may just not understand these things. So a smaller company or a mid-sized company, as we defined it before, maybe can't afford the resources to even know or parse all this. You know, are there resources or ways that they can educate themselves at a basic level at least, or, you know, they go to this website and they can judge, or hire a service that can assess it without having to break the bank? Like, how do you vet a company like that too? Yeah, exactly. It's a trust thing with security.
00:12:40
Speaker
Yeah. And then if that security company gets hacked... Pen tests, or penetration tests, are extremely expensive, 20 grand a pop or whatever, at least.
Cost and Necessity of Security Testing
00:12:51
Speaker
Then there's all sorts of different layers, from, you know, network to file storage, to cloud, to usernames and passwords being stored in plain text on people's sticky notes directly on their laptops so I can log into my banks
00:13:06
Speaker
or whatever. Security versus convenience is always a, you know, a battle. So penetration testing... go ahead, Rui, sorry. No, no, go ahead, Chris. No, I was just, like, what else, what other options besides penetration testing? So if you go to securityheaders.com and you type in your website, I'll give you, do chriscroyder.com in securityheaders.com, it'll tell you if you have good security in terms of security headers. All of the websites, you know, we set up are, like, A+, which is higher than Walmart. It's higher than all the other companies. It's literally just a tiny little bunch of config lines that you have to set up when you're setting up websites. That's a free service out there, securityheaders.com. Type in your website and see what letter you get.
00:14:04
Speaker
Other free resource... I think the other point that, you know, Chris raises, like, how do you inform the low-tech of this? Like, they wouldn't be searching for this topic, right? Right. That's, like, I think, how do you even tell them? You have to, like, almost, like, run into random companies, run all the way to the top floor and say, hey, you don't know me, but here's the cost of losing everything. And I did this all for free. And here's a piece of paper. I don't want anything.
00:14:35
Speaker
You could ignore it or you could do something about it. Either way, you're informed, because I feel like Chris's point is CEOs that are low-tech will not be looking until it's too late. I know we talked about, like, small companies or, you know, medium-sized companies where they're targeting, but do you remember back maybe six years ago, seven years ago, there was a ransomware called WannaCry.
00:15:03
Speaker
Do you remember that? Oh, yeah. I haven't heard... It was a ransomware, and I think it cost something around, like, $8 billion globally. So it targeted Windows machines, users' Windows machines. It found an exploit and demanded Bitcoin for everybody's machine that was locked. So I'm assuming they targeted companies, servers, but the point is Windows allowed this to happen. The exploit was not on the user at this time, right? It was...
00:15:32
Speaker
It was on Windows. The security should have been patched before ransomware got there, right? Yep. And there was a recent one, with the airports, right? All the Windows, all right? Yeah. That was CrowdStrike, resonant. Yeah. Yeah. Yeah. I think that there's always going to be a path where, like, listen, they are always going to be maybe one step ahead. There's going to be these global outages, and it's not like we're going to come up with a situation that's going to be secure forever. Yeah. I think collectively now, as much ransomware as is out there, I think we're more secure now than we were 10, 20, 30 years ago.
Balancing Security with Simplicity
00:16:05
Speaker
To some extent. I mean, there's something to be said about, like, the old-school, like, missile silos that are, like, five-and-a-quarter disks that, like, don't connect to the internet. Like, you go almost super low-tech, it's better than in the cloud. But besides that, like, extreme example, I mean, I think things for the most part are more secure, more redundant. People are more savvy to this stuff at a basic level than they were 10 years ago. Yeah. But I think the pace is still outstripping maybe even IT departments at a lot of companies.
00:16:36
Speaker
When you think about it, companies don't want to make cars that run forever. You don't want to make a car that just keeps on running. What you want is a car that periodically breaks down so you can make money from service. So in other words, who knows where these ransomware exploits came from? They came from the engineers who built that in the first place, created, you know, a path for the exploit to be exploited, and then created a workaround to fix it.
00:17:03
Speaker
It's like the people who make antivirus software make the viruses, right? Yes. That, like, John McAfee-style kind of craziness, but it's true a lot of the times, and a lot of the times, like, what a buddy of ours, Dimitri, said is, like, they'll always find a way if they want to. You can't really secure anything. You can just make it difficult enough
00:17:25
Speaker
that they're kind of like, oh, well, they got, like, these four layers. I'll move on to the next one. But if they want to get in, like, if they don't like you or what you did, they will find a way. This stuff is not... this is a Jenga house of bits and bytes.
00:17:41
Speaker
It goes back to first deflecting the bully on the playground before he punches you in the nose, right? I'm not the guy you want to mess with. The kid picking his nose right over there is a better target. Yeah. And now with the advent of AI, good luck, man. It's going to be a lot easier to get into these things, right? You don't need humans now to process that. And, Rui, I liked your point before, but at the same time, like, you know, the car example, right? Yeah. The new cars now have more bells and whistles and features and greater safety than the cars that were made 10 years ago, 20 years ago, right? So there's also improvements that come along with that. So I just say that to say that I think that there's a need for companies... Yeah. Oh, yes. Okay. So we can finish him off is, 'cause, 'cause he,
00:18:32
Speaker
The new cars now have more features and bells and whistles, so they're more complex. Therefore, more things can go wrong. À la, the response to that is simplicity, reduction, minimalism, tech minimalism, removing things, not adding. When you get a code review and you're like, oh, there's, like, five files added, maybe it should be five files removed. Like, what is the net effect of the change? Have we reduced the technical debt?
00:19:01
Speaker
Reducing technical debt is often more secure than increasing technical debt. Oh, for sure, man. A hundred percent. I agree with that. That right there sums everything up, right? Reducing technical debt. Yes.
Budgeting and Managing Security
00:19:14
Speaker
So do you really need to have five different social medias that could all get hacked? Like, right, you could have one, you could have none. Yeah, you could have none. Hey, Chris, so you were saying about cars, bells and whistles.
00:19:28
Speaker
Yeah, no, the cars now are better than they were 10 years ago, and they'll be better 10 years from now, you know, greater safety features and things like that. But I get your point too. You don't want to have to keep buying a new car. But I think we're at the point now, because these technologies are going to be ever-evolving, I think companies have to make sure that they budget a certain amount to continuously improve. Yes. You can go and pay $20,000 to get that penetration testing done. You can hire an outside firm or do a one-time consultation, but, you know, you're fixing the problem at that point in time, but I think continuously
00:20:06
Speaker
budget for this now, in this day. And if you do business using computers or are online, you should be doing this, or make a regular investment in that, and in cloud storage and cloud tools. Yep. It'd be better to hire someone that does, let's say, someone that does penetration tests, looking for a job. You hire them
00:20:28
Speaker
at one hour a day, like, but full-time, you have, like, a 10-year commitment, whatever, and they're actively doing what they do for an hour a day. Because your example's perfect, Chris. Imagine you just cleaned your entire house.
00:20:42
Speaker
Okay, the first of January, and then you completely destroy the place for a year. By the time you get to the end of the year, you're gonna be like, well, we just cleaned it at the beginning of the year. That's like a penetration test, so to speak, because this stuff evolves like crazy. Like, at the time, it was great. But because we didn't actively invest in continuous improvement into security, IT, and we didn't keep up with the trends, therefore we lost X amount of millions of dollars due to Y amount of reasons. Yeah, but if you clean a room and then you open the door and let the child back in, it's going to be messed up by January 2nd. Yeah. Yep. Sorry, I had to use the example. Yeah, that's true. And the child would be, like, I don't know, people that are uneducated and just clicking links in emails. Hey, do you want to, like, eliminate phishing attacks? Just eliminate emails from your company.
00:21:38
Speaker
I know it sounds radical, but there's books written on it. Good books, and Chris gave me one, and you could just send all the emails to Teams, and then you can triage as tickets. Yes, you can respond in Teams, and a workflow picks it up and sends an email, but you don't have a low-tech clicking a link with admin access to their Windows machine, downloading ransomware. The ransomware looks in my computer, it looks at the shared drives,
00:22:07
Speaker
Oh, this person has admin access to this. I will encrypt all of this. And now I send an email with that person's stuff. And now you pay 20 grand. Phishing can lead to ransomware. I think it's probably very high. Sorry, we were talking about ransomware and phishing and everything else, but there's also corporate espionage here.
Corporate Espionage and Phishing Threats
00:22:28
Speaker
Yeah. I think it's safe to assume that every company has had their information stolen by somebody, or has it sitting on a server somewhere.
00:22:36
Speaker
It may not be getting exploited, or you may not be aware it's getting exploited, but this has got to be a real thing, not just at the government level for, you know, CIA and whatever you have in Canada, right? This is happening at a corporate level, whether you think it is or not. It may not be happening to you, but I think it's fair to assume you are.
00:22:55
Speaker
I agree. It's just 10 times bigger, more complicated, and more money in the US compared to Canada. And you guys are way more advanced in many different ways. However, to our advantage, we have this framing, we can do things more simply.
00:23:13
Speaker
Like, the processes are more mature and evolved and backed by several different layers. Assuming you're not doing business in multiple countries too. Yeah. Then you're just, it's crazy, 'cause then you deal with, okay, I don't know. It's,
00:23:30
Speaker
Before, when it recently cut out, we talked about minimizing tech, or reducing things that you use, technical debt. If you minimize technical debt, you minimize your footprint for security risks. Yeah. You don't have five different accounts for whatever. You don't have, you know, multiple computers. You'd have a different password on every site. And how do you do that and remember? Take the first three letters of whatever you're logging into, then whatever you typically have as a password, and then five symbols at the end, because length of passwords
00:24:06
Speaker
trumps complexity. So entropy trumps complexity. Like, you can look at Haystacks, which is from Security Now, Steve Gibson. He kind of, like, proved in a white-paper-ish website kind of thing that the longer your password, it does trump complexity. Length trumps complexity. So there, now you have a different password on every single site.
00:24:29
Speaker
And a lot of these, they limit the length of your password. So you can't even get back home. You're just telling them how... you're giving me 16 characters. That seems to be the common trend. Yeah. Like, let me do 50. Like, what, how much more is it really adding to your server load to have to change the database, what is it, the field size? Yeah. But how much does that impact the company providing the service? Right. Like, right.
00:24:57
Speaker
Probably nothing. It's a great point. Like, there's motivations for the companies supplying these platforms to keep their costs down. For sure. If you're logging into a website and it says your password must be shorter than this, I'm pretty safe to say that you shouldn't be using that service. Yeah. And if you're auditing your company, let's say you get the penetration testing, right? Yeah. They're not doing the testing on all of your other providers, whether that be a cloud-based tool. Yeah.
00:25:27
Speaker
You could be using, sort of, the popular... you have a chat program. You could have a database program. You could have an online collaboration space. They're not going to test all these different ones. And a breach in one, and that's the infection vector for everything.
00:25:42
Speaker
Yes, and, like, Log4j, I'm not sure if you heard about that. It was, like, a dependency of dependencies, meaning, like, I would say, like, the majority or more than 50% of all the JavaScript libraries out there on npm had, like, a reference or a dependency on Log4j. And then, because everything had a dependency on that thing, and that thing had the exploit, everything was exploited.
Minimizing Risks in Tech Dependencies
00:26:11
Speaker
So the other... reducing technical debt is try to not have dependencies. Like, a human example would be if you're going to go into corporate espionage, like, Mission Impossible style with, like, guns and stuff, you probably don't want to have a family, because if you have dependents, they come for your family. You got to be, like, a solo person.
00:26:33
Speaker
And in the world of computing, you shouldn't rely on so many different packages, because if one of those packages has an exploit, then your code has an exploit and you get blamed. So try to write all the code yourself if it's cost-effective and you have the time and the support from management and IT and its best practices and so on and so forth. There's no right answer, because they'll still find a way. Just minimize.
00:27:01
Speaker
What do you think about, like, that kind of security, ransomware, and outsourcing jobs to outside of your location? What do you think about that? Is there any correlation? Like, you're outsourcing to overseas, maybe, you know, thousands of miles away, to places where the law is not, you know, up to par.
00:27:24
Speaker
Yeah, but, you know, like, some Cisco routers and stuff, they block, like, certain countries by default, because they just get inundated with, like, DDoS attempts and traffic from certain IP ranges. Yeah. But I think it's practical. A lot of times you're outsourcing, and the main reason for that is cost, but you need to do a full assessment of the hidden costs, right? Or the risk.
00:27:50
Speaker
If you're comfortable saying, okay, we're going to save a million dollars on labor doing this, but you're going to create this much technical debt, which would cost us this much to fix it or have this damaging impact because of the dependency, as Logan had put it. I don't think people are going to that level of depth and understanding when they're making these decisions. Yeah. Plus, like, no one wants to talk to that person at a party. That's, like, the risk assessment person.
00:28:16
Speaker
They're like, this guy's boring, right? He's not cool. He's not, like, saying we're going to save a million in labor, like the sales rep that's saying that. They're like, yeah, you know? Yeah. If you're a corporate communications person and you're going through an earnings report, it's all about short
Value of Security Investments
00:28:36
Speaker
term. Like, here's how much, how many widgets we sold. Here's our revenue. Here's our profit. But, you know, there could be another company, company B, could be saying, well, we didn't make as much revenue and profit, but we're this much more secure, right? We've invested in this, and our risk is a lot lower. Like, we don't value that, I think, as a society as much as we probably should. Yes. You only get the high-profile breaches after the fact, and then, oh man, the stock price plummets. Yep. Yeah. So if you're making investments too, you know, consider that when you meet, on a personal level or as a business, right?
00:29:08
Speaker
Yep. So for a company that happened to tune into a ransomware podcast out of nowhere, really, what would be the top three things, before we end today's episode, for, okay, random medium-sized business tunes into the podcast, skips to the end,
AI and Security Risks
00:29:27
Speaker
what's the top three things that they can do today, that low barrier to entry, said simply, and they can do today?
00:29:36
Speaker
Man, top three, top three. I can't think of three, but I can tell you one, and that is keep AI out of the business. Keep it away as much as you can, because once they start kind of allowing that to, you know, take root, the exploits are going to come, and on top of that, it will eventually be AI exploits versus AI, AI versus AI. It's going to be a war of attrition, basically. There'll be people manning that. It'll be insane. But keep it away. Keep AI away from your business is my only advice. And Chris, what about you, from a business perspective and a technical perspective? I would bring the entire company together and say, hey, we need to make a concerted effort to reduce our technical debt and
00:30:31
Speaker
build up a better protection against ransomware, malware, all, you know, the phishing attacks. This is gonna be a long process, but one the company's committed to. It's going to cost us time, energy, money, and we're all gonna have to educate, but here is why we're doing it. I think the why is just so important in that.
00:30:52
Speaker
Yeah. On the technical side, I would come up with a complete assessment. Like, who are all your, you know, your technology vendors? I mean, you can go very deep with this, as you should, but at a surface level, like, what programs, what software are you using? Make a list. Just in the making of a list, you're going to see just how bad the problem could be. How many dependencies do you have? Go count your kids. How many are you letting into the house?
00:31:16
Speaker
And they're bringing their friends, and then they're going to bring their friends. And before you know it, you've got a complete rager and all your alcohol's gone. So you got to... killed the analogy enough for you? No, that's perfect. That reminds me of a party I didn't know I was hosting in Meadowvale when I was a kid.
00:31:30
Speaker
So, that story on the next episode. Exactly. I was like, my parents get home and they're like, all the booze is gone. I was like, did someone have a party? It was like, it was just you here. It was like, must have been a good party. It's like, stop joking about something serious, Logan. Go to your room.
Tools for Better Security Management
00:31:51
Speaker
My, I guess, three tips, if I could, or just one tip to complete the three, would be... maybe I'll try for three. The password algorithm everyone can do today. You can have a different password at every single site today and you will not forget it. It's easy. I use 1Password and highly recommend it, and that's a really great tip. If you're tech-savvy enough, use 1Password or Bitwarden, which is a better version of LastPass. Don't use LastPass; use 1Password or Bitwarden. Just don't store your passwords in a place where people can see them, a sticky note or digital sticky note text file. Number two would be to keep backups in the cloud if you're on-prem,
00:32:42
Speaker
and offsite disconnected as a third. So you have, you know, you have offsite cloud, and then you also have offsite disconnected. So if there's, let's say, a natural disaster at your organization, the offsite one will work, or the cloud offsite will work. And the third one would be just echoing Chris's point of minimizing technical debt and coming up with a list of things that you have,
00:33:10
Speaker
and maybe sort those lists of things based on what people like using as well, I would say. Because if you can create a happy work environment that has fewer dependencies, you're going to have less turnover, higher retention, higher profits, and a lower security risk score.
00:33:31
Speaker
And, yeah, you know, I realize that my advice was a bit lackluster, but I did a video on how to encrypt files and keep the key in cold storage. So if anybody wants to watch that, basically it demonstrates how you can secure the files on your machine in case you do want to have your passwords in a file, and just put the key on a cold storage USB and nobody can access that. Yeah, we'll put the link in the show notes. That's great. Yeah, absolutely. And if you happen to see this on YouTube, we'll put the link in the description. We'll also link back to Chris's channel on YouTube and Rui's Written Pixel channel on YouTube, where you can find these resources.
00:34:11
Speaker
I'm Logan Dunning. This is Chris and Rui. We thank you for your time today and wish you the most secure and safe world out there. The only thing you should be scared of is kids still calling at your door, asking for candy at midnight. It's like, aren't you supposed to be in bed? Not losing everything about your business. Thank you very much. See you guys.