Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Will Shu (00:00):
Hey everyone. Welcome
back to Top5 brought to you by
(00:03):
DefineTalent. We are a results-driven service, working with
clients to connect them with quality talent, as well as
working to make an impact within the recruiting industry. We talk
straight about today's professional world with real
world professionals, experts in recruitment, job seekers and
business owners alike. Have a question for us? Send it in, and
(00:24):
you might spur our next conversation. I'm Tara Thurber,
co-founder and director of talent partnerships here at
DefineTalent. And joining me today are two super special
guests, Will Shu, CIO, and Matthew Buehlmann, Director of
Cybersecurity from Riverstrong.
Hey gentlemen, how are you today?
(00:46):
Hi, Tara.
Matthew Buehlmann (00:47):
Doing well,
thanks.
Tara Thurber (00:48):
Awesome. Awesome.
It's great to have you both here, and I would love it if the
two of you would introduce yourselves and just give us a
little professional background.
Will, can we start with you?
Will Shu (01:00):
Sounds good. Thank you
for the introduction. So I'm
Will Shu. I am CIO of Riverstrong. My background has been
in IT for quite some time, many decades. At this point, I've
been head of IT for organizations from small
businesses to mid market to enterprise. And my recent work
has led me to develop and manage and build a new MSP called
(01:24):
Riverstrong, where Matt and I have developed a managed
cybersecurity program that we love to share some aspects of
today.
Tara Thurber (01:31):
Excellent. Thanks,
Will. Matt? How about you?
Matthew Buehlmann (01:36):
Yeah, so I
kind of have a varied
background, but I've been in the security space, probably for
about the last eight years, and IT in the 10 now, at this point,
I've worked a myriad of different jobs. I've done a lot
of contracting work. I previously was an independent
contractor for private organizations, public
organizations. I worked as an auditor, consultant, a VC so a
(01:59):
security engineer for both federal and private
organizations. So a lot of hats have been worn over the past
several years, but generally, sitting in the security space
and doing what I can to help improve client infrastructure.
Tara Thurber (02:15):
Wonderful. Well,
we're super excited to have you
both on today. I'm going to jump right in here, because we've got
to talk about the elephant in the room, and the recent
Microsoft shutdown that caused global infrastructure shutdown.
What happened and should we be worried this will happen again?
Matthew Buehlmann (02:36):
You want to
take this to start.
Will Shu (02:38):
Let me, I'll start.
And please, Matt. Matt has a very Matt, and I have a great
side views and different perspectives of a lot of these
topics. And I would love to hear what his side is as well. But it
was, I guess, I wouldn't call it Microsoft shutdown, but I guess
it was blamed on Microsoft, but it was a another security
software company that released some software that conflicted
(02:59):
with the Microsoft operating system, which caused the
computers and desktops and servers to crash. So it is it
wasn't malicious or mischievous.
It wasn't a bad intent. It was a mostly an accident, from what we
can see as what's happening in the industry, but it is
(03:20):
something that happens on a daily basis, for the most part,
and it is something that it's hard to avoid. Updates on
software is a everyday thing when developers and programmers
find holes, bugs and issues with their software, or updating the
detections or algorithms always being pushed to update and to
make things better, right? This time, it didn't make things
(03:42):
better, unfortunately, make things a little bit worse and
some of the ramifications of it.
But will this happen again? Most likely, yes or not on a
professional side, because these things will continue to go.
There are mitigation methods, and for example, don't take the
most immediate releases of software, plan a period of time
(04:02):
before you implement that into your environment, so you can see
what happens in the wild in this situation. But it'd great to
just hold on these updates. So there are there are laser steps,
but all these things take planning, and it needs to be
well thought out a little bit prior to as we were all coming
to find out.
Tara Thurber (04:24):
Excellent. And
Matt, what are your thoughts on
it?
Matthew Buehlmann (04:27):
Yeah. So,
yeah, Will's got a pretty spot
on there. I'll expand a little bit on, you know, it was
CrowdStrike, which is actually like a managed detection and
response provider, so a pretty critical security tool, and
obviously widely adopted, which is part of the reason why we're
talking about it right now, is such a huge impact across the
world, really.
Tara Thurber (04:46):
Right.
Matthew Buehlmann (04:46):
And
essentially, because of the
types of services that software offers, it has to operate at a
very low level of the operating system, so something called the
kernel. And then, without getting too technical, there's
like a user space and a kernel space. And the user space is
where we're at interacting with on our computers on a day to day
basis, the kernel space is areas we don't really touch, but for a
(05:08):
company like CrowdStrike, it gives them a lot of insight into
the way that the computer is functioning to help catch
malicious actors. So the update to that area of the operating
system is what caused this issue. So it was like a logic
error is essentially what it is at a very high level. And the
(05:28):
kernel is again a core of the operating system, so it protects
the integrity of the computer.
So once that portion of the operating system space was
corrupted, essentially from that update
that Will was talking about.
That's where we get that blue screen of death, which is
actually like a protection mechanism. So it's saying, Hey,
(05:49):
I can't operate in the capacity that I need to to ensure the
continued functionality of this computer. So we're stopping
right here. So yeah, it's I agree with Will too about it
inevitably happening again.
Maybe not CrowdStrike, but another organization. I think
that probably a lot of organizations are taking a good
hard look at their update processes and procedures right
(06:11):
now to make sure that they're not exposed on the news.
Tara Thurber (06:15):
(laughs)
Matthew Buehlmann (06:16):
But I was
watching some I've watched a
number of different panels, about the CrowdStrike
discussion, read some articles, and there's this really
interesting concept I heard called like a black swan event.
So it's an event that's rare, has a massive impact, and it's
only predictable in hindsight.
And I think that that's really what we're dealing with here. Is
this black swan event. And you can't really predict what the
(06:37):
next Black Swan event will be, you just know that it will
happen at some point. So I think that making sure that you're
operating from a point of resiliency. So when this does
happen, how are we going to bounce back? Do we have an
incident response plan to address this type of outage like
Will said, too. This wasn't malicious.
(06:58):
It was just a corrupted update. So making sure
that you know an incident can be a lot of different things. Be
malicious. It could be unintentional. It could be,
weather, you know, like an act of God, you know, it could be a
flood. So making sure that you're moving your point of
resiliency, and you know, general third party risk
management are you betting your vendors to make sure that they
(07:20):
have the appropriate controls in places? Kind of, what I think is
coming out of this a lot.
Tara Thurber (06:58):
Right.
Awesome. And I
think, too, big questions I
would have would be for businesses, how to vet those
people or those companies properly, and just for knowledge
basis, when we're thinking about what would you say? Now, in your
(07:43):
opinion, both of you Will and Matt, what are the top three
cybersecurity threats facing businesses today?
Will Shu (07:51):
I'm so curious to hear
what Matt's three are.
Tara Thurber (07:54):
(laughs)
Will Shu (07:56):
I did take some notes
for myself. So for me, top three
for me is account hijacking, and that's a daily occurrence across
the board, and happens almost daily, sometimes, depending on
what's happening across of our managed services customers.
Alerts do happen quite often, weird configurations, forwarding
rules, access connections are happening across many, many,
(08:21):
many companies, and it's only a couple ways that we can define
and figure out and to discover these things. And that's where
my second tip is, is really asking the right questions or
having access to the right professionals, right? If you're
we go to doctors because we do not know the specialties of
(08:42):
medicine. Technology is another specialty that you need
professionals in your corner to protect you, to look for your
best interest, look for your business's best interest at
heart. And that's really the that's my biggest tip, right
there, is that that's the biggest threat, in my opinion,
is not having professionals around near you to be able to
help you ask and answer the right questions. This leads into
(09:05):
what you were saying before. How can small businesses ask this
question? It's really hard without being in the industry,
and that's why the industry is so getting larger and larger
that now trap gets bigger and bigger, and you need
professionals on the other side to fight these traps and to ask
and answer the right questions for you. And the third risk, for
(09:26):
me is it's account hijacking.
Someone takes over your account when you log into it, but the
other side of it is remote control, or access to your
computer or back end access that you're unaware of. And that's
how the events and where events start. That's how malicious acts
start by having no control behind the scenes to a computer
in your organization. So those are my top three.
Tara Thurber (09:48):
Wow. Matt, what do
you have over there?
Matthew Buehlmann (09:51):
Yeah, I
think, you know, Will and I are
actually aligning on some of these, which is to be expected.
Tara Thurber (09:57):
Yeah.
Matthew Buehlmann (09:58):
And you know.
Riverstrong, we predominantly focus on small, medium sized
businesses, and that's the majority of the threat research
that I've done. So I do want to just put that caveat in here,
that this is where that's coming from. But what we're seeing
there's a couple of trends. One, the big one, is this
exploitation of legitimate tools and native system tools. So
things that exist on your computer by default, things like
(10:21):
PowerShell, Command Prompt, Dynamic Link libraries can be
used in ways that are malicious, but the software, in and of
itself, isn't malware. And in that same vein, like legitimate
remote access tools, so like what was alluding to there, as
an MSP/MSSP, we have remote monitoring management tools that
(10:44):
we use to assess the health of systems remote in if we need to,
provide technical support. And that's all well and good, but
if, again, a malicious adversary is able to load one of these
remote monitoring management tools, remote access tools onto
your computer that's not inherently malicious, so a
traditional antivirus isn't going to detect that, but the
(11:05):
way that it's being used can be again, for nefarious purposes to
deploy malware, ransomware or try to enumerate and get access
to other systems. The other one is right in line with what Will
was talking about account hijacking and business email
compromise. So there's a new term, identity threat detection
and response, and it's taking a look at the identities that
(11:27):
exist. And when I say identities, I mean user
accounts, those being in the cloud. Now it's very accessible
to the broader internet, as opposed to maybe sitting behind
a firewall or traditional account that would be internal
only infrastructure, traditional Active Directory environment. So
yeah, trying to take advantage of those accounts, like Will was
(11:49):
saying for data, data exfiltration, using it as a
springboard to try to target maybe other accounts of the
organization, high, more higher profile or higher value accounts
or areas like human resources or accounting, where the debt,
where the data lives.
Yeah, we're even just using that account to
launch more phishing emails. So that's definitely a trend we're
seeing, and it's on the rise.
There's a Verizon data breach report. This is from 2023 and I
think that it the number of instances of business email
compromise or pretexting, which is very similar, just about
double. So definitely something to be aware of. And the last
thing I had was ransomware, which is nothing new. Everybody
(12:29):
knows about it. I almost didn't want to put it on here, because
I didn't see much of a gimme.
Tara Thurber (12:06):
Yeah.
(laughs)
Matthew Buehlmann (12:34):
But we're
just seeing the ransomware
networks expand. It's becoming more prolific. It is profitable,
and there are criminal organizations that are springing
up specifically with the goal of providing ransomware services.
They're like, either offering ransomware for hire, we'll take
at, you know, ransomware company for you, or even just ransomware
(12:55):
as a service. So the same way that we use, like Office 365 or
QuickBooks, or these other services in the cloud. They
offer their ransomware service.
They have, they go as far as have, like, bug bounty programs.
So they'll say, Can you give us, here's our code. Can you figure
out a way, you know? Are there any glitches with it? Can you
make it better? Can you make it faster? Can you make it harder
to resist? They have marketing efforts to try to reach out to
(13:15):
potential clients.
Tara Thurber (13:17):
Wow!
Matthew Buehlmann (13:18):
And they're
like, releasing updates for
their software. It's like a it's like an actual software tool
that we use, but it's ransomware. So we're seeing more
and more of that, and the barrier to entry for conducting
ransomware attacks is getting lower and lower. So it's
definitely something that's that's big in the space right
now.
Tara Thurber (13:36):
Yeah, do you think
too, with so many companies
going remote, that's why there's been a big increase? And I feel
it's even become more dangerous for some companies, because if
you don't know, or you're not connected with professionals, it
(13:59):
could be detrimental to somebody's business, if the if
they're all remote now and virtual.
Will Shu (14:07):
There's a different way
of looking at and upgrading the
business.
So your data is your key, and what you're trying to
protect and keep. So the more holes that you allow access to
your data, the more risks that you expose. So having your
employees out in the world, needing to access data from a
central location creates more risk in that inherent structure.
So it's a very, very different way of looking, and you need do
(14:32):
need to ask the right questions as to we work in this phase in
an office today, but now everyone is at home. So how do
we protect the data, what are the processes that or policies
as well, that we expect our employees to adhere to when
they're not in a protected environment? So it is questions
to ask them to make sure that you're that you understand as a
(14:52):
business owner, and that you accept some of these issues, or
you work to mitigate it, right?
Tara Thurber (14:09):
Right.
Right.
Will Shu (14:57):
So it's taking a look
at. At how you're working and
who's doing what.
Tara Thurber (15:03):
Well, and I think
too, even if an individual
brings their laptop to a cafe and they use the cafe's Wi-Fi,
that can be very risky, too. So it's also making sure employees
know, yes, you may be working from home, but going out and
utilizing open Wi-Fi networks can be very dangerous as well,
(15:25):
right?
Will Shu (15:26):
Correct. It goes to
the policies and the processes,
because there are technology ways to prevent a computer from
connecting to a public Wi-Fi.
Tara Thurber (15:35):
Okay. Okay.
Will Shu (15:36):
Can implement that,
people do. Companies do, but it
does create problems for employees, right? Oh, I can't go
to the internet, then therefore I can't work.
Tara Thurber (15:45):
(laughs) Yeah!
Will Shu (15:45):
So you have to find
that middle ground, but it does
take communications, training and policies and enforcement of
these things to make it safe.
But Matt, if you had another perspective.
Matthew Buehlmann (15:58):
No, I think
you hit on it right there. And
for the policy piece, I think there's the probably the hardest
part, actually, I take it back, creating policies is difficult,
so making sure that's in place is hard. But then making sure
that people are aware of those policies, and then you're
actually putting eyeballs on the things that you want them to
see, is maybe even more difficult. So, but yeah,
(16:19):
creating those guidelines is the first step, because I think for
the most part, people want to do the right thing. And maybe
that's naive of me to say from the security world, but I think
especially for small businesses, when we've got skin in the game,
we have stake here.
And if you give a legitimate reason and a
good way for them to work within their environment, then
generally, they'll meet what you're trying to get across.
Tara Thurber (16:33):
Yeah.
Right, right? So what would you say, both of you,
Matt and Will, what are the essential steps, I know,
(16:54):
processes, procedures, but policies. What would you say
essential steps businesses should take to protect
themselves against cyber threats? And I'm going to stack
it with another question of, How can small and medium sized
enterprises improve their cybersecurity measures on a
tight budget as well?
Will Shu (17:16):
I'll let Matt go first
this time.
Matthew Buehlmann (17:18):
Yeah, so I
think that, again, focusing on
the SMB space like a key thing to understand is you are not too
small to be a target. And data continually, continually, like
represents this. You know, there's a Forbes article that
businesses with less than 100 employees are 350% more likely
to receive social engineering attacks. CISA, which is a
(17:41):
cybersecurity and infrastructure security agency, said that small
businesses are three times more likely to be the target cyber
criminals than larger companies, and that Verizon data breach
report from 2023 that I mentioned when they compared
incidents from small businesses and large businesses, there was
a 41% increase in incidents and a 68% increase in confirmed data
(18:03):
breaches for small businesses when compared to large
businesses. And the reason I'm bringing all this up is because,
there's this disparity here where there's a lack of
resources, kind of like you alluded to through your question
there, Tara.
Tara Thurber (18:15):
Yeah.
Matthew Buehlmann (18:16):
Less people,
less time, less money.
Tara Thurber (18:18):
Right.
Matthew Buehlmann (18:18):
But the types
of attacks that are targeting
enterprise clients, and the types of attacks that are
targeting small businesses are getting more and more similar.
So there really does have to be, taking a step up in the level of
security for your organization.
And, antivirus is not enough.
That's like one of the big key things I do want to kind of
(18:39):
drive home. So you need to have some sort of enhanced detection
mechanism to not just do signature based analysis. So
essentially, taking a look at a file and saying, We know this is
bad because of its fingerprint, we need to take a look at that
the behavioral aspects that are happening on a system. What are,
what are like process insights, what are, what's actually
happening, maybe with some of those legitimate tools that I
(19:00):
referenced earlier on, and can we determine that it's malicious
because of the way that it's being used, not just because
what the program is? So the cloud can't be ignored, is
another one I wanted to harp on again we talked about, what are
the key threats business email compromise like Will said,
account hijacking is huge, so making sure that that is an area
(19:21):
that's being addressed is definitely important. And then
from the budgeting perspective, outsourcing can be beneficial.
When you think about the cost behind hiring a full time
employee, especially when you start to get into the senior
level like CISOs or senior engineers, senior security
analysts, those are expensive recurring costs. So outsourcing
(19:44):
can give you, a lot of expertise for a much more manageable cost.
So that's something that can definitely be used by small
businesses to supplement or even augment their onset on premise
IT staff. So those are just some thoughts. I have.
Tara Thurber (20:01):
Awesome. It's
crazy when you think about the
account hijacking. I have a friend of mine that started a
business a couple of years ago, and she was completely taken
out. Somebody got in and took out her website, all of her
social, her email, everything, and she lost everything. She had
(20:21):
to shut everything down. And eventually slowly, start all
over and rebuild her business.
And she's an individual that took years to grow what she had
created, and then ended up starting at square one. And it
must be so frustrating, even for the small businesses, or the
startups even that are just trying to start the business and
(20:44):
get it out there to then be hijacked, so to speak, and have
to hit restart again.
Matthew Buehlmann (20:56):
Yeah,
absolutely. And I think I don't
have the exact stat off top of my head. But the amount when
small businesses are targeted, or the victim of, like a
ransomware attack, for instance, which is kind of a worst case
scenario, there is a much, much smaller percentage of bouncing
back from that, as opposed to, like, large organization,
obviously, we're working on smaller margins. So it is sad,
(21:17):
and you know, Will, and I actually just launched some
client business last week. You know, you see these people small
businesses, and you really kind of get invested in who they are
and what they're doing. It feels, it's not just this big,
amorphous enterprise.
Tara Thurber (21:28):
Right! (laughs)
Matthew Buehlmann (21:29):
It's like,
it's Sally down the street.
Tara Thurber (21:33):
It's family all of
a sudden!
Matthew Buehlmann (21:35):
So it is sad
and scary, and that's why I
think there's a lot of value I see in protecting the SMB space.
That's my two my two cents on your thought there.
Tara Thurber (21:46):
Excellent.
Will Shu (21:46):
So we also work with a
lot of nonprofits, and the work
that they do for their communities is really
heartwarming, and we help them.
They're also on tight budgets because they are nonprofits and
we do go and help them. So to answer your question on, how do
we do this on a tight budget?
There, if there are standards that we create and that has
(22:06):
standard protections, much like the old adage of you must have
antivirus to be secure, there are similar, newer technology
stacks that you should have and includes MDR and other other
tools that we can help deploy, but in the as you get further,
though, all businesses are different, right?
Every day, business is a different organism, and each
organism, or each patient or each prescription needs to be
tailored for your business. So we have some basic everyone can
take an Advil, and we could all be safe. But as your symptoms,
as your organism gets more complex. We need to sit down and
look at what is there, and to really be able to determine what
(22:46):
data what's happening and how do we protect these things? So we
we look, we speak with professionals, and we look to
define what those differences are, and then look for the best,
cost efficient way to to manage, protect and to deal with that
those things so, so it's not a and I hope that folks are
talking to the security firms, or they just want to sell you
(23:07):
everything and every tool under the sun. You may not need it all
depending on your situation, but or you may need even more,
depending on your complexity and your situation. So it is a
taking back to the need to speak to a professional to get a good
diagnosis, to get a good understanding of your current
posture, what are your risks today, and to then be able to
(23:27):
prescriptively and use your budget wisely to address the
most impactful, biggest bang for the buck, or low hanging fruit,
those buzzwords come into play to get the most out of your
budget.
Tara Thurber (22:25):
Right.
That makes total sense. It's a lot too for
individuals and founders to think about, but it's also one
of the top things that individuals, founders and small
businesses alike, need to really focus on. It's amazing, amazing.
It's wild. So I'm going to switch gears just a little bit,
(24:02):
because we like adding a little fun question for all of our
guests. And in honor of the Olympics, our question is, if
you could turn any mundane activity into an Olympic sport,
what would you have a good chance at winning a medal in?
Will Shu (23:38):
Go ahead, Matt. I'm
curious.
Matthew Buehlmann (24:13):
(laughs)
Yeah, I, I had two thoughts on
this one. One is, I'm pretty good at flipping eggs without
breaking the yolk.
Will Shu (24:34):
(laughs)
Matthew Buehlmann (24:34):
I think I
could kind of hold my own in
that. But best in the world, you know, there probably are some
chefs out there, you beat me. I was thinking that catching
things that fall off shelves.
I'm also pretty good at. Random, random hand eye coordination
activities. So I think either those, I could give a run for a
medal.
Tara Thurber (24:51):
I love that. Cat
like reflexes, Matt (laughs)!
Matthew Buehlmann (24:53):
Yeah, right.
It's not all just behind the computer screen.
Tara Thurber (24:57):
Right! (laughs)
Will. What do you have for us?
Will Shu (25:01):
The hard thing to try
to come up with some mundane
thing that I'm good at. I live in New Jersey with Tara here.
Tara Thurber (25:10):
Yeah.
Will Shu (25:11):
And when the spring
and the summer season comes up,
the weeds that come out of the grounds that we're trying to
always remove is tremendous. So, you know what? I'm really good
at picking leaves, apparently.
Tara Thurber (25:22):
(laughs) Weeds!
Will Shu (25:22):
Weeds. I travel across
my yard and really, really
quick, kind of a mindless gardening kind of a thing. But I
think I will kick ass in weed pulling (laughs).
Tara Thurber (25:34):
(laughs loudly)
Will, I love that. And it's
funny, I love pulling weeds. It is such a meditative act, and
especially in the spring or in the fall when you're doing
gardening. But I love that too, both of you. I like what you
brought to the table today.
(laughs).
Matthew Buehlmann (25:53):
Thank you.
Tara Thurber (25:55):
So Matt and Will,
what would be your
Top5 Cybersecurity Tips for 2024 and Beyond?
Will Shu (26:04):
All right, I had
written down five because I did
think this through prior. My first one is get close to an IT
and cybersecurity professional.
You need someone in your corner to protect you and making sure
that you're doing the right thing for your business. Second
one is, know your risks and exposures. You should know
what's at risk, and then we can deal with that exposure. Number
(26:27):
three is, be willing to invest the time and money into it, like
every other thing that you need to do when it's good for you,
takes time, money, effort and the will to work at these
things. The fourth one I have is knowing what to do if and when
disaster strikes. That's actually one of the biggest tips
(26:47):
that I have. Is a lot of organizations that we meet, they
do get ransomware, and they don't know where to start. They
don't have any plans in place, and it all this is about time
and reaction, being able to address things knowing where
things are and what the recovery time objectives are for each of
these things. This way you can add an expectation of when
(27:07):
you're back in business, know how much revenue you're losing
because your business can't operate. And these things really
help you understand what investments should go into these
things. So that's my, my fourth one, and the fifth one is a easy
one, never trust any links. Just don't (laughs).
Matthew Buehlmann (27:23):
(laughs)
Tara Thurber (27:23):
(laughs)
Will Shu (27:27):
If you get an email
from Chase to go look at your
account, go to chase.com, and log in with your account, just
don't click any links. Don't trust any links.
Tara Thurber (27:35):
Love that. Love
that. And I'd say, would that be
the same thing with text messages?
I, for instance, I just got a text message the
other day from TD Bank saying
that my account has been used and they've put everything on
hold - contact - And there was a link, and I, I didn't click on
the link on my phone, but it goes for phones too.
Will Shu (27:41):
Yes!
It does. Never trust a link.
Tara Thurber (28:02):
Okay.
Will Shu (28:03):
Doesn't matter where
it is, to be honest (laughs).
Tara Thurber (28:05):
Got it. Got it.
Thanks. Well, Matt, do you have a separate top five to bring to
the table?
Matthew Buehlmann (28:11):
Yeah, yeah,
no, I definitely, I really
appreciate Will's there. I'm very much plus one to the link,
not clicking links and not opening attachments, too.
Tara Thurber (28:19):
Yeah.
Matthew Buehlmann (28:20):
But yeah. So
my mine are in no particular
order here, but access control is crucial. So that's how we're
controlling how we get into all of these sensitive services. So
implement multi factor authentication wherever you can,
and if possible, not just MFA, but phishing resistant MFA and
(28:40):
CISA, that cyber security and infrastructure security agency I
mentioned earlier, has guidance on that. You know, instead of
passwords, use pass phrases. And even better than that, use a
password manager, if you can. So you don't you only have to
remember one long, secure password, not all the other
ones, and then, yeah, just making sure the admin rights are
under control. You know, if you can control access in an
(29:02):
environment, you know the access roles that exist and the objects
they have access to, that's a good start for securing your
system. Kind of to Will's point.
My second one was patching vulnerability management, so
exposure management, so, you know, proactively patching
systems is one of the low hanging fruits that you do to
(29:22):
make sure, like Will talk about a little bit ago, but to make
sure that you're protected against threats, and so that's
partial part of that is, you know, addressing these zero day
vulnerabilities that come out, but also making sure that you're
covering legacy vulnerabilities that exist. Threat actors aren't
only going to use the most recent version. If they see, you
know, you're running on a SQL Server. You know, 2008 or
(29:42):
server, 2008 or two you know they're gonna, they're gonna try
to exploit the vulnerabilities of these legacy seat models. So
making sure you're aware and addressing that. Security
awareness training again, kind of in line with the not clicking
links, is a really good way to, you know, you. Raise awareness
and create like a culture of security in your organization.
That's what you really want. You want people to care and be
(30:04):
invested in it. So raising that baseline level of security
comprehension is definitely a good way to combat social
engineering attacks, which are generally pretty successful and
pretty lucrative. My fourth one, if we're keeping track here, as
use a framework to implement cybersecurity for your
organization. So a lot of times when we're building a security
(30:24):
program or trying to do security in an organization, it's kind of
just throwing darts of board.
You know, I'm going to buy this tool to do this, and I'm going
to make sure that we, you know, put MFA on some accounts, but
not all of them, if you use a security framework. So that's
things like NIST cybersecurity framework, or the Center for
Internet Security has sets of controls, or ISO 2700 it's
(30:48):
basically a roadmap and guidance on how to effectively implement
security in your organization.
So we're partial to NIST cybersecurity framework at
Riverstrong, but there's a lot out there, and it just gives you a
more structured approach, and maybe helps you think about some
things you might not have been considering.
Tara Thurber (31:07):
Okay.
Matthew Buehlmann (31:08):
And the last
piece of advice I have, as far
as you know, for implementing security 2024, and beyond, is
adaptability. So we're always going to be in this cat and
mouse game of the malicious actor has new a new
vulnerabilities discovered, and that's then we patch it, and
then a new tool is created, but then we create detection
(31:29):
mechanisms to figure out when that tool is in use, and that's
just constantly going to be going on for the rest of
eternity, so which is kind of exhausting to think about.
But you know, if you develop the processes,
procedures and safeguards and
controls to protect your organization. If you take the
steps to implement defense in depth, making sure that you have
multiple controls to cover different areas, you're going to
put yourself in a better position to be resilient and
adapt to the new threats that come out. You know, we think
(31:59):
about things like artificial intelligence, we haven't
necessarily seen that actively being used in the wild for
malicious cyber attacks yet on a widespread scale. But as that
type of thing comes in the future, you know, again, when
we're building that system and security program that's centered
around adaptability and resilience, that's going to
really help to make sure that you're prepared for today and
(32:22):
tomorrow starts.
Tara Thurber (31:38):
(laughs)
Wow. Thank you both for sharing all of these
tips. I mean, I think everything that you both have shared today
is extremely valuable for all of our listeners. So I thank you
both for joining us for our Top5 Cybersecurity Tips for 2024, and
(32:45):
beyond, Matt and Will, thank you for taking your time out of your
busy days today, day today to meet with us. And we're excited
to get this out there to our audience.
Matthew Buehlmann (32:57):
Sounds good.
Thanks for having us. Yeah. Have a good rest of your summer!
Tara Thurber (33:00):
Alright, you too.
We are DefinedTalent, a DefinedLogic service coming to
you at Top5.