
Today we are joined by security expert and host of the Secure Talk podcast, Mark Shriner, to discuss information security, both from a personal perspective and for organizations. Mark, Curtis, and Prasanna talk about the bare minimum things you should be doing as an individual to protect your personal information and data, from both a security and a backup perspective. We then move on to the company perspective, and how very important things like MFA (while good) do not solve everything, and then we talk about many other things you could be doing. Then there was the moment that created the title of the podcast, where Prasanna disagreed with Curtis – but not quite. When it comes to information security and data protection (and many things in life), perfect is the enemy of good. Try not to be overwhelmed by all the things you could or should be doing; just pick something and do something. Something is always better than nothing in these areas. This episode is jam-packed with good information you won’t want to miss.


Transcript


[00:00:00] W. Curtis Preston: I prefer a cloud-based system that will backup the most important stuff for you. Um,

[00:00:06] Prasanna Malaiyandi: I’ll disagree with Curtis here

[00:00:08] Mark Shriner: Okay,

[00:00:09] Prasanna Malaiyandi: I am.

[00:00:10] Mark Shriner: here we go.

[00:00:11] Prasanna Malaiyandi: Right. I agree that to some extent, yes. SaaS based is good.

[00:00:16] W. Curtis Preston: I just muted your microphone Prasanna.

[00:00:20] Prasanna Malaiyandi: Thanks, Curtis.

[00:00:24] W. Curtis Preston: I’ve never done that. That was fun.

[00:00:46] W. Curtis Preston: Hi and welcome to Backup Central’s Restore It All podcast. I’m your host, W. Curtis Preston, AKA Mr. Backup, and I have with me my close personal friend, but a guy who’s impossible to get an actual date with, Prasanna Malaiyandi. How’s it going, Prasanna?

[00:01:02] Prasanna Malaiyandi: oh, Curtis, I’m good. I know the fact that you came all the way up to Santa Clara to visit the office and we didn’t get a chance to meet.

[00:01:12] W. Curtis Preston: And how many times has that happened? Just saying,

[00:01:15] Prasanna Malaiyandi: We didn’t. No, no, no. I think last time you came up, we did meet because remember we did the photo shoot.

[00:01:21] W. Curtis Preston: okay. All right. That doesn’t count. The photo shoot doesn’t count.

[00:01:23] Prasanna Malaiyandi: it does. I think so. And then the time before we met twice, so I think that I get to carry over one of those, but you were also busy. You were

[00:01:34] W. Curtis Preston: still feeling a little butt hurt.

[00:01:36] Prasanna Malaiyandi: but you were also busy with your

[00:01:38] W. Curtis Preston: get a date with my friend, by the way, my friend whose wife isn’t even in town, like who, who took, who took priority over hanging out with me? What entity I want you to say publicly, what entity took priority over, hanging out with me.

[00:01:57] Prasanna Malaiyandi: The dog.

[00:01:58] W. Curtis Preston: The dog. Yeah. Yeah. The dog, you had something to do with the dog. And so that was more important than hanging out with me, but whatever, I’m not hurt. I’m clearly I’m not hurt.

[00:02:09] Prasanna Malaiyandi: I love you.

[00:02:11] W. Curtis Preston: whatever. All right. So our guest is like, what have I wandered into, uh, so,

[00:02:19] Prasanna Malaiyandi: Yeah.

[00:02:21] W. Curtis Preston: so, uh, we actually have a, this is one of the few times where I was on our guest’s podcast, and now he’s on my podcast.

Mark Shriner is the strategic sales director for memoQ, a leading translation management system, and host of the Secure Talk podcast, which is how we came to meet. I got to go over and talk about backups on his podcast, and then he got to come here.

He’s now on my podcast to talk about security. He graduated from Penn State University with a bachelor’s degree in liberal arts and sciences. In 2022, he completed Harvard’s Cybersecurity: Managing Risk in the Information Age diploma program. Welcome to the podcast, Mark Shriner.

[00:03:05] Mark Shriner: Thank you, Curtis. And thank you, Prasanna. It’s a actually, I’ve had fun kind of watching you guys with the intro there. You seem like an old married couple or something too,

[00:03:12] W. Curtis Preston: We’re an old, married couple that never sees each other. I’m

[00:03:15] Mark Shriner: right?

[00:03:17] W. Curtis Preston: ’cause, ’cause Prasanna lives in, and you know what it is, it’s Santa Clara. Yeah. He lives in Santa Clara. I live in San Diego and you live a little bit farther north, as I recall, up in Seattle.

[00:03:28] Mark Shriner: Yes. Yes. And I’m envious of both of your weather. Um, I actually, to be honest with you, I just spent the last three months traveling between Arizona, uh, St. George, Utah, Las Vegas, and San Diego and Los Angeles all in that area for three months for business and for some personal business. And in three months we had like five cloudy, rainy days.

And I got back here at the beginning of May thinking like, Hey, it’s safe to come back to Seattle. Wrong.

[00:03:54] W. Curtis Preston: Yeah, it’s funny to see. Seattle is one of those places where, when it is sunny, it is just one of the most beautiful places on earth. Right. I remember. And I think I told you on when I was on your podcast, that I did some work for Amazon back in 1998, I put in for the record, I put it in their first enterprise wide backup system.

And, um, I was there in the summer. Right. And not a single cloudy day for three months. And it was like I said to them, you know, going up to Mount Rainier and going out on the Sound and watching them throw the fish there, it’s at Pike Place Market, of course, hanging out at the bubble gum wall. I’m just saying, I like, I like Seattle, the original Starbucks.

[00:04:39] Prasanna Malaiyandi: Yeah. I went up for a trip, I think like four years ago around this time in May. And like, the weather was gorgeous, like perfectly sunny. And I was asking everyone, I was like, what are you guys complaining about? The weather is gorgeous. They’re like, you just ended up being here on like the perfect week.

[00:04:53] W. Curtis Preston: Yeah. In contrast, right now in Seattle or in San Diego, we are in the middle of what we call May Gray. And then next, next month will be June Gloom. Uh, this is the worst time of the year to actually visit San Diego. I mean, you can get sunny days, but there will be, you know, multiple days in a row where it’s just a hundred percent overcast.

[00:05:14] Mark Shriner: Is it, is it because of the fog that comes in or is it just overcast and gray?

[00:05:18] W. Curtis Preston: It’s overcast and gray. Um, it’s not, it’s not. So the fog, we call that the marine layer, uh, the marine layer generally burns off after around nine or 10. If you have, if you have a strong marine layer, and it’s just weird because there’s no rain connected with it, it’s just sort of gloomy, you know?

Um, and, uh, it just is what it is and, you know, and I talk to people all the time. They’re like, yeah, yeah. Um, and it, and it just. Uh, people will come here. So I thought you guys were sunny. I’m like, you know, to tell you it’s, it’s May Gray, man. Welcome to

[00:05:51] Mark Shriner: Whenever I’ve been in San Diego, it’s always been sunny and I come down there three or four times a year. I’ll be there twice, this summer for soccer, for my son’s soccer tournaments. Uh, but I love it.

[00:06:00] W. Curtis Preston: So I I’m curious. What drew you to cybersecurity?

[00:06:06] Mark Shriner: Well, a couple of different things. I think. In 2017, we were moving back from a nine year stint in Asia, moving back to the states and a good friend of mine, uh, had. A company that would be with becoming a Microsoft cybersecurity compliance partner. Um, he was looking for some help on the business development side.

And, um, and I, and I started taking a look. The more I researched, the more interested I became because, you know, cybersecurity is something that can go a mile wide. And, and, and then also a mile deep in any one of those things. If you want to talk about, you know, pen testing, uh, backups, um, encryption, different, you know, compliance organizations, you can just go in so many, uh, data loss prevention, endpoint protection.

I mean, you can go so many different directions and then each one of those, you can go down these super deep rabbit holes. And I like learning. The other thing I, that I find interesting about cybersecurity back then, and now is. Before, I think we thought that this is the cybersecurity. There was a couple of people in the back, in the corner of the it department that, that their job is cybersecurity, but everybody in an organization needs to have some type of awareness and responsibility for security, but beyond that.

Us as individuals and consumers, we need to be aware of some security best practices. And so it affects everybody’s life. And it’s something that, you know, 30 years ago, nobody was talking about because there was no internet. And now it’s hugely important with the internet, social media, everything. I have three children.

And they need to know some best practices about, you know, what does a phishing campaign look like or a phishing attack look like? What w you know, how do they protect their passwords? What should they, shouldn’t they do with their, with their mobile devices, et cetera. So it affects everybody. And it’s this, this like new field that was created partially based upon the explosion of the internet and IoT.

So, um, I think we’re just getting started in both in terms of understanding the threat landscape, but also the, um, the best practices for prevention. Does that make sense?

[00:08:18] Prasanna Malaiyandi: Do you see that a lot of this, I know it’s an interesting point. You made that it’s rolling into consumers. Like everyone has to start caring about this. Like every day. Do you start to find that that’s actually happening or. Or are people sort of like, yeah, that’s just something that a company has to worry about or a business has to worry about, or like this large CEO has to worry about not necessarily.

[00:08:42] Mark Shriner: Well, yeah, let me answer that by backing up even farther. I think in companies right now, where it used to be the perception of the. Part of the it teams or the, you know, the CISO’s job there, is an a growing or increasing awareness that it’s everybody’s responsibilities. And so you’ll have not only do you have like structured educational, um, programs, but you’ll have like simulated phishing campaigns and things like that.

So go enterprise wide. And if you get the CEO and he clicks on the wrong thing and boom, guess what you got to go to training you’re in a you’re you’re doing timeout. Um, and companies try to make that. So in companies it’s becoming, uh, I guess increasingly common for people to accept that everybody has a responsibility.

If you find a thumb drive in the parking lot, don’t just walk in and stick it in your company’s device. Right. You know, and, and, and sharing those stories, you know? I remember growing up and listening to my, my grandparents, tell stories about this accident, that accident, this person who did something good, did something bad.

And we learn from those stories. And I think when we share these stories about hacks or, you know, the famous story about somebody finding a thumb drive and then putting it in their device and then, you know, downloading some malware inadvertently, we learn from that and those stories are important. So that’s one method of, uh, or one, I guess, data point.

Come people in organizations are becoming increasingly where individuals I think are also becoming extreme, increasingly aware, let’s start off with high net worth individuals, where they are very much in the sights of, um, targeted phishing, spear phishing campaigns, right? And so there are certain tools and methods and processes out there to help these people at least become aware of what’s what the threat looks like.

But beyond that, I think, um, just the general public, you know, if I look at my kids, they are pretty suspicious and kind of cynical and almost jaded, uh, in terms of like, look at this, they’ll show me stuff. They’re like, look at this, you know, it’s just, and because it’s obviously it’s a scam. And so I think.

Um, people are becoming increasingly aware at the same time you still hear of consumers every day, you know, for example, they’re, they’re, they’re transferring money to a title agency and somebody spoofs the, uh, the address, uh, that w where they’re supposed to they’re there, the account information, that kind of stuff is happening in.

So, um, yes and no, to answer your question, I think people are becoming more aware, but there’s, we have a long, long ways to go.

Yeah.

[00:11:07] W. Curtis Preston: that there was a study back in 2016, uh, from the University of Michigan where they left a series of USB drives that had, that had an HTML in there that if you open up an HTML, it had an image tag. So they were able to identify, um, how many people actually clicked on the thing. What do you suppose the percentage was of the people that.

[00:11:33] Mark Shriner: Well, you know, University of Michigan, that’s a, that’s what? Big, Big Ten. Uh, those guys probably I’m west coast, so I I’m, I’m afraid to guess. W what was it?

[00:11:46] W. Curtis Preston: It was half,

[00:11:48] Mark Shriner: That was in what year?

[00:11:50] W. Curtis Preston: uh, 2016, 297 USB drives around the Urbana-Champaign CA these are college kids. These are,

[00:11:59] Mark Shriner: At one of the best universities in the country. Wow.

[00:12:02] W. Curtis Preston: They said they found that 48% of the drives are picked up and plugged into a computer. Some within minutes of being dropped.

[00:12:11] Mark Shriner: yeah. Well, hopefully, hopefully the situation or the, the awareness is getting better. I mean, I look at little things like, um, turning on MFA, or multi-factor authentication, two-factor authentication, for just any, any, obviously any bank accounts, but any, any of your online, um, tools or apps, just turn it on, you know, uh, it’s a simple thing. That’s going to stop 99%. But some people say that, well, it’s a hassle.

[00:12:39] W. Curtis Preston: Yeah.

[00:12:40] Mark Shriner: If you’re, if your account gets compromised, then that’s going to be a hassle. So.

[00:12:44] W. Curtis Preston: Yeah. I I’ve mentioned on this podcast a few times that I went from being kind of an MFA newb, I don’t know, four or five years ago to. Slowly. And then, and then it sorta, it was sort of a snowball situation. Right. I ended up rolling MFA anywhere it mattered. Right. Um, and the cause I have, oh Lord, I have like 800 accounts.

At, I’m not kidding. I have a password manager, so I, you know, I can pull it up and see it. And I have, uh, just, just hundreds and hundreds of accounts at random places where

[00:13:23] Mark Shriner: What are you doing, man?

[00:13:25] Prasanna Malaiyandi: Hey,

[00:13:25] W. Curtis Preston: I just, well, it’s just stuff. Anyway.

[00:13:28] Mark Shriner: Prasanna, Prasanna. You going to tell me Curtis is into some shady stuff, man, if he’s got 800 accounts?

[00:13:33] Prasanna Malaiyandi: well, I just hope he talks about his experience with MFA.

[00:13:36] W. Curtis Preston: Yeah. Yeah. So, and so I, I, don’t my point, my point of mentioning how many accounts I have. I don’t have MFA on most of those. Right. Because they’re just stuff where I don’t, there’s no information I’m just anyway, but I did roll out MFA, uh, everywhere. And I, I use Google Authenticator and wherever I could, because of what I knew about that using Google Authenticator.

Uh, text-based MFA and, and by the way, I, I, I dunno, well, I’d like to come back to that idea, but, but here’s what happened. Um, I got a new phone and I got locked out of all my accounts. So, because I didn’t know. I didn’t know what I didn’t know. And so I, um, I, when I re when I rolled that out again, uh, I switched to Authy as an app, which allows you to back up the stuff and try, you know, anyway.

Yeah. So, um, I’m a huge fan of MFA. And I, and I’ve mentioned before that, I went from kind of being a newb to being very angry. If there’s a, if there’s a company that I’m interacting with where things matter and they don’t have. Uh, the authenticator style of, of, uh, MFA.

Prasanna, you’re, you’re, you’re up on this stuff. So here’s, here’s the thing I’m wondering: if there’s a company that offers multiple methods of authentication. Um, like my, my, my credit union, uh, they have my phone and, uh, they, they use a, they have an authenticator method where you get, uh, you get the little six-digit code.

If you, uh, pull up their app on your phone. I prefer that method. I use that method whenever I can, but should I be bothered by the fact that they also support SMS? Like there’s no way to disable the fact that they have

[00:15:28] Prasanna Malaiyandi: I would be a little worried just because the number of sort of SIM swap attacks that are happening these days, like you hear it all the time when it comes to crypto, right. With all these acts where someone SIM swaps with someone else gets the authenticator code, cleans out their wallet, right. They’re a Bitcoin wallet.

So I think it is common. Right. And even T-Mobile right. Was accused of allowing a porting out of numbers as well. Right. That’s another thing that can.

[00:15:55] W. Curtis Preston: right. So, so you, so you think I should be worried? I don’t know what I could do.

[00:16:00] Prasanna Malaiyandi: Yeah. And it also depends to what extent, like some random person going after you specifically Curtis, right.

[00:16:09] W. Curtis Preston: I’m a big deal.

[00:16:13] Prasanna Malaiyandi: exactly. Right. But I think there are cases like if you’re a high net worth user or even you have sensitive data or things like that, that you care about. Right. That I think, yeah, you should be worried about even email, right.

Multi-factor authentication. Sometimes it’s worrisome as well. Right. It’s things which you can’t completely secure on a.

[00:16:35] Mark Shriner: Yeah. That’s what I’m seeing that most of the organizations that I’m F MFA with, um, offer an option could be, for example, a token that you have, um, uh, it could be the authenticator app could be a text, could be an email and they offer the consumer the choice at this point. Uh, probably just trying to make it easy for somebody to opt in with something.

But there are obviously some that are more secure than others. And I, I spoke earlier about the, the awareness of some consumers, especially high net worth individuals, um, becoming more cyber aware. And the specific attack that I was thinking about is SIM swapping. And it’s be, I, you know, I know a gentleman that’s been, um, SIM swapped three times.

You know, um, and it’s, you know, he, he described it as he was on an airplane. He got out the airplane, his phone wouldn’t work. Right. And it is took him days to get back online. It was maddening, scary, um, and primarily done through social engineering where they contact the, the, the mobile carrier and convince them that they are you and that you need a new SIM.

And it’s just that.

[00:17:41] W. Curtis Preston: Yeah.

[00:17:42] Prasanna Malaiyandi: They made it so easy to port numbers as well. That that’s also another common vector.

[00:17:49] Mark Shriner: What does that mean to port a number? Does that mean to change carriers?

[00:17:52] Prasanna Malaiyandi: To change carriers.

[00:17:53] Mark Shriner: Okay.

[00:17:53] W. Curtis Preston: And so basically instead of just doing a SIM swap, they just pretend to be you and port your number to another carrier.

[00:17:59] Mark Shriner: Wow.

[00:18:01] W. Curtis Preston: Yeah. That’s not good.

[00:18:03] Mark Shriner: These bad guys are really bad mint.

[00:18:06] W. Curtis Preston: I think that’s something we can all agree on. Um, yeah, so, so like I have multiple accounts where, so like goo like Gmail. Okay. Gmail. It’s very specific on what authentication. Systems that you use and you can disable ones that you don’t want to use specifically. You can disable SMS authentication, but my credit union, uh, it supports all of them.

And I suppose the only way to disable SMS based authentication is to delete my cell phone from the account. But that’s just weird,

[00:18:37] Prasanna Malaiyandi: But change it to like a mobile number or, sorry, to the home number, right. If your credit union allows you to say, is this a cell phone or, or a mo, or a home number. I’m sure if you select a home number, it won’t send you SMS, but

[00:18:51] W. Curtis Preston: a ho, what’s a home number?

[00:18:52] Prasanna Malaiyandi: a landline, a landline, old school. Like, I, I know I’ve seen places where it’s like, is this a home number or is this a cell phone?

[00:19:02] W. Curtis Preston: Interesting. Uh, so, so I’m curious, Mark, what do you, if you’re, so I know, you know, as a person dedicated to backup, there’s, you know, I have sort of my top five of like, these are things, and by the way, on your podcast, the first, like my biggest one, you and I talked about was the, the, the, the idea that cloud stuff is automatically backed up.

Which it isn’t. Um, if somebody were to say, you know, what are the top five things that I need to be concerned about, uh, as a, you know, either personally or, or it sounds like personally you’re thinking MFA,

[00:19:38] Mark Shriner: All right. I would say that’s just a best practice personally or for, for companies and companies have a little bit more sophisticated tools at their disposal, so they can push an MFA depending on, you know, the user behavior. Are they logging in from. A new location. Are they logging in from another country?

Is there some kind of, some kind of anomalous behavior, this, you know, mark never accesses these files now he’s downloading gigs, downloading gigabytes of finance records. Uh, I think we’re gonna force an MFA on that. Right. Um, so I think MFA is kind of a foundational thing, uh, for individuals or organizations.

I think some other best practices for, for individuals again, would be backup to ensure that your information is backed up. I don’t know if you guys have seen these, uh, Mr. Backup gives me a thumbs up

[00:20:34] W. Curtis Preston: I’m very, very excited

[00:20:36] Mark Shriner: thumbs up from Mr.

[00:20:36] W. Curtis Preston: Very excited

[00:20:37] Mark Shriner: Backup.

Yeah. Um, the, you know, you have, you guys get these emails that say, Hey, you know, I’m sorry to tell you, but I’ve been spying on you for the last couple of months.

And, uh, you know, and if you don’t send this money to whatever, I’m going to release this stuff, this, you know, this thing of you going into these inappropriate websites and they send these emails out to. Thousands of people and some people, cause they know that some people will be like, oh my God, I should pay this.

Right. Well, you should, you should. For one, if you get that email. Delete it, I don’t care what sites you’ve been going through. It’s just a, they’re just phishing. Um, and too, if you’ve got your stuff backed up, you don’t have to worry about anybody encrypting anything. Now, if they’re going to release stuff, that is another thing from malware is if they take your records, even though you’ve backed them up.

If they’re going to release something that you don’t want released to the public, that’s a whole nother discussion, but definitely you should back up, um, antivirus, running an antivirus is, is, is, you know, super important. Um, what else? As a, as a consumer. Just being aware and pausing. When you see something that looks a little off any time somebody says, Hey, um, there’s a problem with your account.

We need you to log in and can now just stop or, oh, your, your order for $15,000 from Amazon is on its way, you know? And you’re like freaking out, dude, just, yeah.

[00:22:02] Prasanna Malaiyandi: Like if you didn’t expect it don’t click it.

[00:22:05] Mark Shriner: Exactly. That’s a, that’s a perfect way to say it. I like that. Didn’t expect it. Don’t click it. And I mean, you know, obviously you can, you can, you know, cause you can look at the, uh, the sender’s real, real address and see, is this something real read? It is a lot of this stuff, you know, they’ve got shoddy grammar, you know, fuzzy images, but people get worked up.

I mean, yes, but I’m sure you’ve seen the ones where you get an email from the CEO. Hey Mark. I need you to run out and buy 50 gift cards for Target and send, you know, Uh, it’s happened to one of my boys, uh, who was working as an intern for the cybersecurity committee that I was working with before, which is Adaquest. The CEO of Adaquest, his name is Hiram Machado.

And, um, it was like my son’s third day into his internship. And he got an email saying, Hey, um, you know, Makai. I need you to run out and buy, um, $500 worth of gift cards from Target. And I need you to, once you have that, just let me know, and I’ll tell you what we’re going to do with them, but I need this for this event we’re doing this afternoon.

And so Makai again, again, telling you the kids are getting smarter these days. Hopefully not the ones at University of Michigan, I guess that was 2016. Um, he emailed me and he goes, what should I do with that? And I said, send it. I said, we’re going to use this as a case study and a learning example, don’t do anything with it.

You know? Um, but yeah, I don’t. What, what advice would you guys give.

[00:23:28] W. Curtis Preston: Uh, I mean that stuff’s all all good. I think, um, the, you know, you talked about hovering over the site to see the site. What I generally say is if you get an unexpected communication from somebody you actually do business with. Right? Because I get stuff like that. My Citibank card has been compromised. I’m like I haven’t had a Citibank card in like 20 years.

So I think I’m pretty good, but I get, um, I I’ve gotten phished from like PayPal, um, you know, stuff like that or not from PayPal. You know, as

[00:24:02] Mark Shriner: Pretend people pretending to be PayPal. Yeah.

[00:24:05] W. Curtis Preston: pretending to be PayPal, um, is if you are actually concerned, if it sounds like something that, that might be real, go to paypal.com.

Don’t interact in any way with that email, go to PayPal.com or contact PayPal’s phone number, not anything listed in that, in that email. Um, would, it’s interesting though. There are times when I, in fact, just a couple of days ago. I got contacted by a company that I do business with. And there was a credit card company and they, they were like, you know, we’re such and such from such and such credit card company.

And we want to call to verify charges. And I’m like, well, how about I freaking verify you? Like, you’re just random nude

[00:24:53] Mark Shriner: Show me your badge.

[00:24:54] W. Curtis Preston: show, you know, they will, well, we want to authenticate. We want to authenticate you. Uh, before we talk to you about account, I’m like, well, how do I authenticate you? Like, why do you people still think this is like Lee?

I will call. Thank you. Thank you for calling. I will call the 800 number on and by the way, it was a real thing. Um, I will call the 800 number on my credit card and I will ask for the fraud department and it was real thing. Th that that’s annoying that that happens, right. Uh, because that is a, that is a phishing way, right?

Um, yeah.

[00:25:29] Mark Shriner: I mean, in, in people, people think that, um, all cyber attacks are through email or somehow somebody is getting into your network. Some of them are just a phone call. Uh, you know, I’ve, I’ve been called by. The IRS, the texts, whatever. And yeah, this Mr. Shriner. Yes. We have an urgent matter that we need to talk to you about.

Um, uh, really, and I, I, sometimes I just like, well, where’s this gonna go? Cause I know at one point they’re going to ask me for social security date of birth, blah, blah, blah. I’m like, okay. Yeah, yeah. What’s going on? They’re like, well, uh, before we can go any further, we need to get some information. And typically the smart ones, they won’t go right to social security.

But just say like, they’ll say, like, I just want to confirm that your name is blah, blah, blah. They got your name. Right. I’m like, yeah, that’s me and that you’re living at. Yeah, yeah. Yeah. And so now I’m starting to respond to them. Right. And then as sooner or later they’re like, okay. And then, so, um, can we give us the year of your date of birth, you know, and you’re like, and, and, and they just start to the good ones, start to tease it out of you because they’re not gonna, if they come in first, first thing to ask you is social security people like.

But you down there and then, you know, they build a rapport and that’s, that’s what they’re all looking for.

[00:26:32] Prasanna Malaiyandi: Yeah, it feels like they have that information already. So it’s like, okay, what’s this one more piece of information.

[00:26:38] W. Curtis Preston: we’re doing, we’re doing it. Just to verify that we’re talking to the right person,

[00:26:41] Mark Shriner: Exactly.

[00:26:42] Prasanna Malaiyandi: Well, and it’s funny. Cause I remember when my dad retired, like he’d always get all these calls from. Scammers or salespeople. Right. And I’d be like, you guys should just chat with them.

It’s like, what do you have to lose? Just don’t give them any information. But at least you’re

[00:26:54] Mark Shriner: You retired, they’re willing to talk to you,

[00:26:57] Prasanna Malaiyandi: And at least you’re saving someone else from having to get a call. Right. So,

[00:27:01] Mark Shriner: right?

[00:27:02] W. Curtis Preston: Don’t click on the emails. Like just, just again, if you think it’s actually from PayPal, then go to paypal.com. Not anything with that. Go

[00:27:11] Prasanna Malaiyandi: and one of the points Mark made earlier around social engineering, I think people also just, it should just be careful what they post online. Right. If you’re like putting Facebook messages or tweets, right.

[00:27:24] Mark Shriner: Hey, we’re leaving tomorrow for a three week vacation to The Bahamas, you know? Yeah. Sorry. I’m.

[00:27:32] Prasanna Malaiyandi: no, no, no, no. That’s totally the case. Right. Or it’s like, oh yeah. Or you start inadvertently being like, Hey, it’s my birthday. Or it’s like, oh, my mother is so and so right. And, or a favorite dog’s name. Right. And all the rest of this and people can take that information and they could use it for social engineering to extract other information from you.

[00:27:53] W. Curtis Preston: I know, I know what your favorite dog’s name is. Well, I, because he was more important than me. I’m sorry, I I’m going to let it go.

[00:28:03] Prasanna Malaiyandi: you a

[00:28:03] Mark Shriner: I think he’s, he’s really hurt, man. He’s damaged, man.

[00:28:09] W. Curtis Preston: I went to Il Fornaio without you. That’s some really good food. Um, yeah. So what about, what about companies? So we talked about, we’re talking about having MFA, so there’s two ways to talk about MFA. You should, as a company, be offering MFA when people are interacting with your service online, right. Uh, and then you should, as a company, I like what you were talking about earlier.

Um, cause obviously, um, by the way, I haven’t thrown out our, our disclaimer, so Prasanna and I work for different companies. I work for Druva, he works for Zoom and this is not a podcast of either company and the opinions here are all ours. And, um, be sure to rate us by the way, at a ratethispodcast.com/restore.

And then, um, you know, if you want to come on. You know, listen to me, complain to Prasanna yourself life. Um you do that

[00:29:05] Prasanna Malaiyandi: We

[00:29:06] W. Curtis Preston: that, just it just @wcpreston it on Twitter or wcurtispreston@gmail. So, um, yeah, so, you know, with Druva, for example, you know, we’ve supported, uh, third-party MFA for awhile, and now we support native MFA.

Uh, if you’re a company. If you’re a cloud company, or if you’re a company that has, that has information that is important like that, and people are logging into your system without MFA. Then bad, bad company. And, and, and, and it should also not be SMS based authentication you should offer, um, you know, authenticator method and, um, uh, and I’m gonna throw out, I’m going to throw out, please.

Don’t be a, website that is hard to use a password manager with, right. Don’t be complaining about one or two of the character. The special characters that my password manager came up with, or I had, I had one this week that complained. They’re like, Hey man, your password’s too long. It was 20 characters. And they said, you can use a maximum 17 characters and I’m like, you suck.

Yeah, 17. Um, and, uh, the, uh, So based on that, I no longer interact with the IRS. I’m not.

[00:30:28] Prasanna Malaiyandi: But I also want to go back to a point Mark made earlier, which was that MFA. I don’t think solves everything. You still need those, especially as a business, you still need those other things to look for anomalies, right? For look, to look at the behavior of the user because MFA will protect you to a certain extent, but it’s not the only line of defense.

[00:30:50] Mark Shriner: Oh, yeah. I mean, at, at the corporate level again, The complexity of the problem and the P the, the complexity of the solutions available are much greater, um, at the corporate level. I mean, you, you have things like, um, device management, for example, and these days everybody wants to BYOD, uh, but you also have corporate devices.

And, but on my B my own device, I’m going to have access to company apps and data. How does the company manage that? Well, there’s mobile device management tools out there that can, if I lose my phone, I can tell the company, Hey, I lost my phone. They can remote wipe their data. Um, you know, they can do remote backups, all of that stuff.

They can, they can check for anomalous behavior on a phone. Mark just logged in from Bellevue, but, but he’s also logging in from Romania. Hmm. Something’s wrong here. Right? So, uh, yeah, I mean all that stuff and it’s, you know, depending on the size and the shape of the organization, it can be, you have SIEMs to, to monitor all types of activity to collect your logs.

Um, so that’s, again, it comes back to that original point of why cybersecurity, cause it’s such a broad field and there’s so many different. It’s constantly evolving. It’s it’s pretty cool.

[00:32:03] W. Curtis Preston: Yeah. Um, I, I’m curious what you think about, so one of the things I’m pushing outside of the backup space, one of the things that I’m pushing people to do or companies to do is to look into a couple of different types of tools. One is we’ve we’ve had, we had somebody on here from a company that does a DDI, right?

So what, what did we decide that was DNS DHCP?

And IPAM. Yeah. Um, and so th that, those one group of tools, which is like, they can do things of like, why is somebody going to this really? Why is, why is something looking at a DNS address that is a. You know, a DNS name that is, that is like 57 characters long, and it doesn’t make any sense.

Right. That, that is, that is a, you know, a, um, uh,

ransomware thing, reaching out for command and control. Um, that’s number one and number two, the type of software or system or whatever that can identify data leaks. Right? So that, so that you it’s like, there’s a general level of outgoing. Uh, you know, traffic and then suddenly there’s this giant spike from Fred’s desktop.

[00:33:20] Mark Shriner: And Fred’s no longer in the company.

[00:33:22] W. Curtis Preston: And the company exactly. Fred’s on vacation. Cause he posted on Facebook that he’s in Maui this week. Um, and you know, his laptops doing that. What do you think about those two types of tools?

[00:33:36] Mark Shriner: I think, uh, depending on the situation, I mean, it’s, every tool has its appropriate usage. And I think for, for most companies, both of those make sense. Um, I mean, for both those tools make sense for a lot of companies and organizations out there. Um, and I guess the question, I mean, I, again, I’m not technical more at the kind of higher level understanding what the, trying to understand, what the problems are putting together.

Some solutions. One of the challenges is, is that you have so many different vendors of so many different tools. And so do you look for these custom bespoke kind of solutions and tools, or do you, do you work with a platform provider, for example, Microsoft 365 has a lot of DLP tools in there. They have, uh, advanced threat protection.

Um, they have antivirus, you know, uh, anomaly detection, all of that’s built in there. Um, so do you, and then device management as well. Or do you say no, we don’t want to put all of our eggs in the Microsoft basket and we want to go for best in breed. And I don’t know. I mean, you know, Prasanna, like at, I don’t know how much you can talk about at Zoom, but like, you know, how do you guys decide, you know, what kind of a tool are you going to go with a, an integrated approach or do you look for best in breed?

[00:34:54] Prasanna Malaiyandi: So I can’t talk specifically about Zoom, but in general, right? I think it’s going to come down to. The need for a tool, as well as the expertise. If I’m looking at sort of small, medium businesses where maybe they don’t have specialized it admins, we face the same thing in backup as well. Right? There is no one who could go learn everything and anything about security tools.

And so you’re going to probably want a single tool that allows you to solve everything. Just like in backup. You sort of have those issues as well, but once you get to larger companies, or if you have specialized problems, you might start to. Uh, rollout into, okay. I now need a specialized tool, a best of breed tool because I have this special need, or I now have the skillsets to be able to address some of these issues.

And therefore I’m going to pick different tools based on my needs. And I think it’s sort of hard to say one is better than another. I think it depends on where you are and what your needs are.

[00:35:48] W. Curtis Preston: Yeah, I would, I would agree. I mean, and not just because I work for a SaaS company, but I would agree that where, where there’s a big business need, that you have such as email, clearly a business need a need that every business has, um, that, that if a SaaS solution is available and it’s a, it’s a well-known respected et cetera solution that you can vet out then.

Uh, from a security basis, I would prefer that over something that you’re going to, let’s say I would prefer Microsoft 365 over Exchange on prem in a heartbeat. Exchange on prem is harder to secure. It’s harder to manage. So you’ve got to manage the system. You’ve got to manage the storage and then you got to manage the backup of that.

And then you gotta make sure that backup gets off site. All of that is easier if you have Microsoft 365. Right. Um, now you should be backing it up, right? Microsoft is not backing it up for you. That was what you and I talked on your podcast, but there are services, that will back up, obviously Druva offers one, but there are many companies that backup Microsoft 365.

And so I, I think from a security basis, as long as you vet the security vendor, Um, you know, look at, look for things like MFA, look for things like, um, you know, what their, what their NDA situation is to cut the type of data that they have, whether or not they share personal information, uh, cause some, so many of these SaaS vendors, that’s actually their, um, that’s their business model is they’re they’re, they’re either cheap or, free, and they make, you know, their money with using your personal data. That’s that’s, uh, that’s not what I’m recommending.

[00:37:38] Mark Shriner: No. Um, it’s interesting. You know, when you talk about, um, tool selection, I think another factor should be, do you have the in-house expertise? Uh, and if you don’t, how accessible is it on the market? Because right now, depending on what tool you’re trying to deploy, uh, it could be very challenging. I mean, you can, you can get a great deal and that’s interesting, cause it would be what people will start talking about.

Well, how much is this per seat or per license and, and. One of the things that you have to look at is what are your deployment costs going to be? And then what are your ongoing maintenance costs going to be in terms of the, the expertise to manage that? And that’s, that’s something that often doesn’t come into play until after the, you know, they, they, they focus on the technology, um, or the vendor, but not on the total cost of the deployment.

And, uh, I would encourage everybody to do that.

[00:38:31] Prasanna Malaiyandi: Yeah. also along with the deployment, it’s how flexible is it to change as your environment changes as well? I think some in some tools are very static. It’s easy to deploy the first time, but anytime you add a new app or a new environment or something else, it becomes very difficult. Right. Or it’s time consuming to get it, to expand to now cover that new workload, versus maybe it’s better to get something that might be a little bit more complex for the initial deployment, but like you said, ongoing maintenance, ongoing monitoring, right.

All the rest of that becomes a lot easier.

[00:39:04] W. Curtis Preston: Yeah, that that’s, I think that’s why from a security basis, I’m a big fan of SaaS apps because you know, you look at again in the backup space. If you’re, if you’re using an on-prem backup software, you must be up to date, right, on what, you know, you, you have both a, a box, maybe multiple boxes that are, you know, you might have a server, you might have a storage array and a.

That, that you must be up to date on that operating system and protecting that operation, securing it, doing all of those things, uh, hope you have MFA on that backup server, by the way. And then, and then you’ve got the software, the backup software that you have to stay up on and people are notoriously very bad at upgrading their backup software that, uh, the, we, you know, we brought a guy over from Veritas and he told us that their best guess was that the average time that customers took to upgrade their backup software was 18 months.

[00:40:05] Prasanna Malaiyandi: If it works, don’t touch it.

[00:40:07] W. Curtis Preston: People are terrified of upgrading their backup, their backup server. Right. Cause it’s the last line of defense, but the problem is back up. The problem is that ransomware folks, uh, specifically the Conti group are specifically targeting backup servers.

And so not only is it, um, You know, something that, that needs to be protected. It is a, you know, it is a direct attack point, right. So, um,

[00:40:32] Mark Shriner: I’m curious because we touched on consumers before. Uh, what are your recommendations or suggestions for just individuals, um, to, in terms of backing up their, their personal data.

[00:40:44] W. Curtis Preston: Uh, you know, I’m going to sound like a broken record, but SaaS backup, man. Uh, there are, there are SaaS backup Druva’s not one of them. There are SaaS backup companies that target consumers and you’re, you know, you’re looking at like, Like 50 bucks a year, that sort of thing. Um, I, you know, I, I, I pay more than I would like to back up my iPhone, like I pay for paid for iCloud.

So that’s, you know, there’s that, uh, but, but there are a number of services that will back up. What’s important to you. Um, and specifically if, if you’ve got a, if you’ve got a laptop, right. Uh, and, and let’s be honest, you got a laptop. Uh it’s. It’s not that hard to get that laptop backed up. I am not a fan of using uh, USB devices to backup the laptop. I know it works. The problem is that that USB device is generally sitting right next to, or in the same bag that the laptop itself is. You get a theft, there goes your backup. You get a fire, there goes your backup. Right. So I much prefer for the same reasons for the companies.

I prefer a cloud-based system that will backup the most important stuff for you. Um,

[00:42:03] Prasanna Malaiyandi: I’ll disagree with Curtis here

[00:42:06] Mark Shriner: Okay,

[00:42:07] Prasanna Malaiyandi: I am.

[00:42:08] Mark Shriner: here we go.

[00:42:09] Prasanna Malaiyandi: Right. I agree that to some extent, yes. SaaS based is good.

[00:42:14] W. Curtis Preston: I just muted your microphone Prasanna.

[00:42:18] Prasanna Malaiyandi: Thanks, Curtis.

[00:42:22] W. Curtis Preston: I’ve never done that. That was fun.

[00:42:25] Prasanna Malaiyandi: I agree that there are certain things that you do, you will, you want to use a SaaS based service for. But if you’re not willing to shell out, or if you don’t think you really need it, take at least what’s there with your existing, uh, laptop, for instance. Like if you have Time Machine, I know Curtis, we’ve had the discussion about Time Machine in the past.

You’re not as thrilled about it, but if you do have a mechanism, use that mechanism rather than have nothing. Right. I’d rather have someone use something rather than being like, oh, do I want to pay $50 a year or whatever it is? Yes. Those are better solutions, but take what you have and just do something.

[00:43:02] W. Curtis Preston: Yeah, I’m not going to disagree with that. Uh, I mean the only thing I will say is that hard drive that you, if you have the hard drive already, I’m not saying it’s bad. I’m just saying you just need to think about the fact that, um, that hard drive is, you know, it’s so do things like rotate, but the problem is you go buy.

You go buy a modern hard drive. To, to, you know, to back up your, your system. Well, that’s going to be a hundred bucks plus, right. That’s a couple of years of the service that I’m talking about. So just saying, just saying, um, so anyway, what,

[00:43:41] Prasanna Malaiyandi: thought, I think the big thing is just do something. Don’t do nothing.

[00:43:45] Mark Shriner: Yeah,

[00:43:46] W. Curtis Preston: I think we’re saying that for, I think that’s our summary statement. Maybe we’ll make that the pilot title of the podcast just do something.

[00:43:54] Mark Shriner: kind of like the Nike thing, but, but just, just put, just change it to something. Do do something it’s not as inspiring as it, but something,

[00:44:08] W. Curtis Preston: I like it.

[00:44:09] Mark Shriner: Hey, I gotta ask you guys something. Um, you know, cause you asked me earlier. Uh, so, uh, how did your, uh, the idea to do a podcast come about and you know, and your friendship and you know, how did that work?

[00:44:22] W. Curtis Preston: Um, I dunno, I, I got, I got the idea of doing a podcast after being. After going from like, not believing in podcasts. Like I didn’t, I didn’t get it. Like, I didn’t understand why anybody would do a podcast. And then I, and then I started listening to podcasts. I, I got in a situation where they were valuable to me as a person.

Then I was like, you know, I talk a lot. Maybe this would be something to do. And so, uh, and then I encountered Prasanna in the office. He used to work at Druva. That’s how, that’s where I met him. And, uh, I went up to him. And, uh, uh, I proposed the idea of us doing a podcast together because I thought that we had a, you know, a decent interaction and Prasanna just jumped at the chance.

Didn’t you Prasanna?

[00:45:08] Prasanna Malaiyandi: I was like, what are we going to talk about for 20 minutes? I have nothing to talk about at all. I don’t know what you’re talking about.

[00:45:16] W. Curtis Preston: yeah, yeah, yeah. It very quickly

[00:45:19] Mark Shriner: So wait, when did, when did you guys launch it?

[00:45:22] W. Curtis Preston: About three years ago.

[00:45:23] Mark Shriner: I got to say that I feel, um, extremely uncredentialed, um, because I’m looking at Curtis’s background and he’s he’s got diplomas or certificates or something. At least he’s got books there.

[00:45:36] Prasanna Malaiyandi: yeah.

[00:45:38] W. Curtis Preston: That’s my book right there.

[00:45:40] Mark Shriner: Oh, it’s your book. Little product placement there on the shoulder. All right.

[00:45:43] W. Curtis Preston: just a little bit. I mean, it’s a very small, so it’s not that good of a product placement, but, uh, yeah.

[00:45:49] Mark Shriner: Subliminal. Subliminal. Yeah.

[00:45:51] W. Curtis Preston: So, yeah. Um, so, uh, all right. Well, well, thanks a lot, Mark, for coming on the podcast.

[00:45:57] Mark Shriner: This has been awesome. I don’t get a chance to be on too many other podcasts other than my own. And, um, I’ve really, really enjoyed this. You guys are awesome and funny and obviously very, um, deep subject matter experts in this area. So I’ve enjoyed it.

[00:46:11] W. Curtis Preston: and I, and, and unlike being on your podcast, you can now just leave.

[00:46:16] Mark Shriner: Yeah. See you guys. I’m out of here. What are you going to get this edited? Curtis? What is he gonna go online, man? I mean, come on man. It’s already Thursday.

[00:46:24] W. Curtis Preston: Exactly.

Thanks Prasanna, you know, it’s, you know, even though you ditched me

[00:46:29] Prasanna Malaiyandi: I’m sorry

[00:46:30] W. Curtis Preston: Curtis know,

[00:46:31] Prasanna Malaiyandi: I’m sorry, I disagreed with you about SaaS, but yeah, do

[00:46:34] W. Curtis Preston: yeah, whatever, whatever. All right. And thanks to the listeners, make sure to subscribe so that you can restore it all.

—– Signature and Disclaimer —–

Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I’ve specialized in backup & recovery since 1993. I’ve written the O’Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Evangelist at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.

The post Just do something! (about your security and your backups) appeared first on Backup Central.
