Episode Show Notes
Episode 2 features two CMTC Cyber Physical Security Services consultants: Ernie Edmonds and Buzz Thomas. Ernie and Buzz cover ten best practices for improving cybersecurity, including small business system architecture, device hygiene, multi-factor authentication, and more. They also discuss the importance of people in establishing and maintaining strong cybersecurity.
Ernie Edmonds is Sr. Managing Consultant of Cyber Physical Security Services at CMTC. Ernie has over 25 years of practice and leadership experience in the information assurance field. He holds numerous certifications including Microsoft Certified Systems Administrator/Engineer, Certified Ethical Hacker, Certified Information Systems Security Professional, Forescout certifications and many others. He has led some of the largest infrastructure and cloud datacenter deployments in the world as technical & product leads and has also worked with small and medium-sized companies.
Buzz Thomas is Managing Consultant of Cyber Physical Security Services at CMTC. Bernie has over 25 years of executive operational experience in areas requiring extreme cyber security discipline including emerging technologies, defense manufacturing, aviation, critical infrastructure, and telecommunications. Bernie’s expertise includes multitudes of certifications in Cyber Security, Cyber Ranges, Threat Hunting, Threat Intel, Business Continuity Planning, Disaster Recovery, Software Development, Infrastructure Design/Deployment and Cloud security.
Highlights
00:01:21 - Introductions
00:02:33 - Importance of people in establishing and maintaining strong cybersecurity
00:06:54 - Definition of seven layers of OSI
00:11:49 - Actionable steps to build awareness and train people regarding cybersecurity
00:14:20 - Definition of small business architecture and how it can be deployed to increase cybersecurity
00:18:56 - Practical steps a small manufacturer can take for architecture
00:26:01 - Definition of malware and practical steps that the small to midsize manufacturer can take to reduce their risk of a malware attack
00:29:22 - Ease of a business to set up listing services, antivirus, anti-malware, and monitoring
00:33:36 - Discussion of how antivirus and anti-malware programs work
00:37:12 - Definition of zero trust and why it is important
00:40:09 - How an SMM could implement a zero trust configuration
00:42:16 - Benefits of backing up data and optimizing data storage; possible approaches to implement
00:48:36 - Difference between hot and cold backups
00:50:15 - Discussion of cybersecurity good housekeeping practices that SMMs should implement
00:52:46 - How to approach monitoring and incident management
00:55:22 - Importance of hard drive encryption and how it can be accomplished
00:57:50 - Discussion of multi-factor authentication
Transcript
[00:00:00] In the world of manufacturing change is the only constant. How are small and medium-sized manufacturers, SMMs, to keep up with new technologies, regulations, and other important shifts let alone leverage them to become leaders in their industries? Shifting Gears, a podcast from CMTC, highlights leaders from the modern world of manufacturing, from SMMs to consultants to industry experts. Each quarter we go deep into topics pertinent to both operating a manufacturing firm and the industry as a whole. Join us to hear about manufacturing sectors' latest trends, groundbreaking technologies, and expert insights to help SMMs in California set themselves apart in this exciting modern world of innovation and change. I'm Gregg Profozich, Director of Advanced Manufacturing Technologies at CMTC. I'd like to welcome you.
In this episode I'm joined by two CMTC Cyber Physical Security Services consultants: Ernie Edmonds and Buzz Thomas. Ernie and Buzz cover ten best practices for improving cybersecurity, including small business system architecture, device hygiene, multi-factor authentication, and more. They also discuss the importance of people in establishing and maintaining strong cybersecurity.
Welcome, Ernie. It's great to have you here today.
Ernie Edmonds [00:01:14] Thanks, Gregg. Appreciate the invite.
Gregg Profozich [00:01:16] Ernie, can you please take a minute or two and tell us a little bit about yourself?
Ernie Edmonds [00:01:20] Sure. Well, my name is Ernie Edmonds. I've got about a 30-year career in cybersecurity. I've been with the federal government for a number of years with some of the largest commercial deployments of things like zero trust, and network access control, and technologies of that nature in the world. With CMTC I've been here about three years. I specifically work with small to medium manufacturers to help them improve their cyber posture and help them weather the storm.
Gregg Profozich [00:01:48] Excellent. Thank you. Thank you so much. Welcome, Buzz. I appreciate you being here with us today.
Buzz Thomas [00:01:53] Thank you, Gregg. I appreciate you having me here.
Gregg Profozich [00:01:55] Buzz, can you also take a minute or two and tell us just a little bit about yourself?
Buzz Thomas [00:01:59] Absolutely. I'm Buzz Thomas. I started in risk management cybersecurity back in 2004 for the Defense Department and since then have worked for the Army, the Air Force, NATO. Worked on every continent and created a number of security offerings. Have patents in 26 countries on cybersecurity products and automation. Now I'm working with Ernie trying to take the understanding of cybersecurity and threat actors and apply it to small and medium businesses to help them.
Gregg Profozich [00:02:34] This should be a great conversation today. Thank you both for being here. We're here to talk a little bit about cybersecurity but in particular, the 10 areas related to cybersecurity that manufacturers need to be aware of. I'm excited about our conversation today. I'm looking forward to hearing your perspectives, your insights, and the practical steps that SMMs can take. In doing a little bit of background research in my prep here and looking at the Internet, I came across the following cybersecurity statistics about small businesses that I found to be very thought-provoking: 43% of cyberattacks target small businesses; 54% of small businesses think they're too small for a cyberattack. Those two seem to be opposed to each other. There was a 424% increase in new small business cyber breaches last year; 54% of small businesses don't have a plan in place for reacting to cyberattacks, and 47% of small businesses say they have no understanding of how to protect themselves against cyberattacks. With these statistics in mind, there's certainly good reason for our discussion topic today. We're here to give SMMs both an understanding of as well as some practical actions they can perform to protect their businesses and maybe start to change just a little bit that percentage of SMMs who have no understanding how to protect themselves against cyber. We've structured our conversation, say, around the top 10 list. For context, here are the 10 elements of cybersecurity that we're going to discuss: number one, cyber awareness and training; number two, small business architecture; number three, malware; number four, home office and mobile devices; number five, zero trust; number six, data storage and backups; number seven, good cyber housekeeping practices; number eight, monitoring and incident management; number nine, encryption; and number ten, multi-factor authentication. As someone who's not a cyber expert, this sounds like a pretty good list to start with from which to begin the cyber journey. When I think about information technology, I find myself thinking about computers, servers, networks, Internet firewalls, et cetera. Before we get into those aspects of all the hardware and networking, for an SMM, how important are their people in establishing and maintaining strong cybersecurity? Buzz, why don't you start us off?
Buzz Thomas [00:04:41] That's really a big question. Cybersecurity is reliant on people, and people are reliant on cybersecurity. In cyber we look at users as sometimes the weakest link in the security chain. They are the ones that are most often tricked into making mistakes, but they're also the ones that can be trained to change what they're doing in order to help secure a company. When it's a small company, they don't have the infrastructure and the money to put a lot of automation and vendors in place to protect them, so they rely completely on the people. It's all about the people.
Gregg Profozich [00:05:15] Ernie, anything to add to that?
Ernie Edmonds [00:05:16] To agree with Buzz completely, the human aspect is the practice-oriented thing here. With technology, and with servers, and switching, and so forth, routing, firewalls, things of that nature, it becomes very scientific in nature. We can configure those devices. They stay put. If I tell something to do whatever I tell it, it's going to do it until it dies or somebody changes it. With people, we're not that way. We're very susceptible to things like social engineering. Often, they're called layer eight. Most people are familiar with the seven layers of OSI. Well, layer eight is the human. That is when you just find that people are unpredictable. You think that you trained them 100%. Well, that was yesterday, but what about today? Back East we have a saying: a steady rain soaks. When the rain comes, if it's just a complete deluge, then it washes away, and it doesn't lend itself to growth. But if you have a really gentle, soaking rain for a week, then it's going to penetrate the soil. So, things will grow. To take that into a cyber perspective, often we have things like annual awareness training or new hire training, something like that. Whereas that checks the box for compliance or whatever it might happen to be, but a really good thing is every week or two to introduce maybe one or two concepts to where the users are able to ponder on that and let it soak in. The steady rain does a lot more as far as conditioning them for when some attack does come, whether it be social engineering or something else.
Gregg Profozich [00:06:53] I think that's a great point, and I love the analogy that you're using there. You mentioned the seven layers of OSI. Take us through a quick definition of what that is.
Ernie Edmonds [00:07:01] Sure. The OSI model consists of seven layers. The first one is the physical layer. That can be your cabling, whether it be copper or fiber, or in the case of wireless, it's simply the air that the RF travels through. Layer two, it's still a pretty low level. It's called the datalink layer, and that's where some of your technologies like your network card or your wireless access card, things like that will live as far as the actual hardware device. Going up into layer three, that is the network layer, which is going to allow for routing and things of that nature. The Internet is a routed network, so TCP/IP or whatever. IP is actually Internet Protocol. That's the routable network protocol at layer three. Going on up, the stack, layer four, is where you'll have both TCP, Transmission Control Protocol, which is a connection-oriented protocol. It's an acknowledged protocol. If something is lost in transit, then it will resend it, because the other guy didn't receive it. The other side of that is UDP, User Datagram Protocol, which is not connection-oriented. That's a fire and forget. If it's something like a game or a YouTube presentation, often it will be UDP, because you don't care if you lose a frame; you're simply going to continue on with what you're watching. Same thing with game data; you don't care. Session layer, layer five, is when you get into things like SQL Server and some of those technologies; also, Microsoft, what's called remote procedure calls. That's one of the foundational technologies that allows networking with Windows to work. Layer six, that's where things like encryption, decryption at the OS level and the application level happen. Then finally, layer seven are things like your web browser. That's a layer seven application. The actual protocol that lives underneath it in the OSI model would be HTTP or HTTPS, secure hypertext protocol. Seven layers. Everything in technology and with computers leverages this model. From a security perspective the more a security person understands how these interconnections with the model work, the better off they'll be in solutioning problems or solutioning remedies to a problem. Then finally, if an attack happens, to be able to understand exactly what's happening and protect against that or for whatever is happening.
Gregg Profozich [00:09:22] If I understand correctly, it sounds complex. Seven layers and a lot of scientific and computer science terms and Internet security terms that you mentioned there. But if I'm distilling this out, essentially, every company who has Internet access and who has email up and running has this whole infrastructure in place. We've got the wiring, the data level, the network, the TCP/IP. All that's already built-in. This is just decomposing into the seven key areas to evaluate risk and threat. Is that a good way to think about it?
Ernie Edmonds [00:09:50] That's exactly right. When you're dealing with the seven layers, it's all baked into modern networking. You don't have a serial connection like the Atari joystick controllers, what I remember, that DB9 connector. You simply don't use that to connect computers anymore, or parallel interface, or anything like that.
Gregg Profozich [00:10:08] But man, did we just date ourselves, huh?
Ernie Edmonds [00:10:10] Yeah, we really did. I've been doing this a while. I started with computers in the '70s, actually. All of this is now part of modern networking. All of these machines, whether it be Windows, Unix, Linux, Mac, whatever, they all use TCP/IP for their networking protocols. But we start talking about Ethernet, the actual wired connection, that's a layer two. What happens is when you can separate these out and figure out what talks to what, you can figure out that... You mentioned email. Microsoft Outlook is an email client. That is the front-end application. What talks to Microsoft Exchange on the back end, it's important to realize that anything at layer seven like email talks to layer seven on the back end. Seven talks to seven; six talks to six; four talks to four. Once you understand that, it helps you to understand how the bolts bolt together. Then if you are facing an attack, how can you stop it, where does it manifest, and what are the alternatives to where you can mitigate and ultimately remediate what's happening.
Gregg Profozich [00:11:19] The people play an incredibly important role because they deal at level seven.
Ernie Edmonds [00:11:23] No, they actually are at what we call layer eight. It's a fictitious layer eight, because although one through seven is technically based, but the person is the unknown, because, like we were talking earlier, we're very practice-oriented. We are not scientific as creatures. It's a best-effort all the time. That's why figuratively speaking layer eight is the most susceptible, because that's the human element.
Gregg Profozich [00:11:49] I think we're going to touch on some layer eight issues a little later in our list when we get to malware and encryption, things like that, multi-factor authentication. Let's keep moving through the list. Ernie, you mentioned a few minutes ago, steady rain soaks. How do we turn that into actionable steps? If I'm a small to midsize manufacturer, how do I put that into practice building awareness and training my people?
Ernie Edmonds [00:12:11] It could be as simple as putting out a notice on the bulletin board in the breakroom. You could change out this sheet of paper every week or so. What I've done in the past was... We had monitors throughout the environment. These were for some larger companies, so there would be just all over the place breakrooms and what have you. But I would put one theoretical concept, and then I would put one tactical thing that they could do to protect. I would change these every week. I had a combination of 50 of these. Essentially, they'd see the same one every year. One of the ones that I would use that was philosophical would be something like you would have a picture of a toothbrush with a smiley face, and it would say “Passwords are like toothbrushes; you don't share them.” That tells people not to share their password. People probably shouldn't do the toothbrush, either. Anyway, that's one of the ways that you can implement is just change these out regardless of the medium as long as people understand and digest. You don't want to overload them. I like this one and one to where they think about it for a week. Sometimes you'll even hear them talking about it in the breakroom. They'll laugh about the toothbrush. But once you get people to understand the concept, just that steady rain, it will soak in. Six months from now you can ask somebody, "What's the difference between the toothbrush and a password?" "Nothing. You don't share them." They'll remember stuff like that.
Gregg Profozich [00:13:34] Buzz, anything from your past experience you've done that's practical, simple stuff like that?
Buzz Thomas [00:13:38] All of the answers tend to fall into people, process, or technology groups. One of the things that we implemented in the past was in addition to the annual training that we had to do, we would teach people how to present security topics. We'd give them a 15-minute slot to teach one of the security concepts that they need to know. Then when they did it, they would get some sort of award. It could be time off; it could affect their raise, eligibility, and things like that. We built it into the annual performance appraisals to say if you do this, which is helping us spread the information of security awareness, it'll benefit you personally. That has been really successful in my past.
Gregg Profozich [00:14:21] So, simple practical steps. At the regular daily or every shift safety meeting have somebody present once a week or every couple days on cybersecurity. Bring up the topic; make sure it's still top of mind is what I hear you guys saying, so we can think twice before we just get into a simple habit and open the wrong email, double-click the wrong link, et cetera, et cetera. Second topic we wanted to talk about was small business architecture. Can you define for us what a small business architecture is and how it can be deployed to increase cybersecurity?
Ernie Edmonds [00:14:49] Sure. Architecture is the foundational design. What we see dealing with small to medium manufacturers and small to medium enterprises, even some larger organizations, they have what we call a flat topology. Topology is just the lay of the land. What we find is a flat topology. It's like a single bucket. Everything goes into this bucket, whether it be their email server, or their workstations, or the Fire Stick to watch YouTube, whatever. All these IoT devices all go into this common bucket. When we talk about this bucket, I equate that to, say, a row of houses, like row houses in Baltimore. If one house catches fire, the whole block burns down. That's the problem with this bucket analogy and the flat topology that we find most small to mediums are using. What we have is a multi-layer topology that is based on the value, and the importance, and the sensitivity of the data. It is completely abstract from the technology. The technology supports it, but the model itself is prioritization of data from a security perspective. If it's something like people records, PII, personally identifiable information, or controlled unclassified information, this is important, because this model is for unclassified things. But what happens is when we put things in what we call the green zone, it is very protected. There are only a finite amount of ways for information to flow in and out of that zone, and only certain devices and certain people can access it. When we get down into what we call the red zone, that's where all your IoT is going to go, whether it be the Fire TV, the Apple TV, whatever you're using. Those are very much open, but because of this layered topology, those devices can never talk to something, say, in this green zone. This multi-tiered protection layer topology or trust zone topology, depending on which term you use, is very effective. It works out really well from nearly every concept of security to protect the value of the data from an availability, integrity, and confidentiality perspective.
Gregg Profozich [00:17:06] If I'm understanding you correctly, putting it all in the bucket is the row house. If I don't put it all in the bucket, if I do multi-layer, or multi-tiered, or trust zone topology, I basically am separating the houses with a setback of a few feet between them so if one catches on fire the others are largely protected.
Ernie Edmonds [00:17:20] Correct. It doesn't matter if red burns to the ground. It matters to red, but from the green perspective, that's where you're going to put the things that matter to your business. When you consider mission essential and mission-critical applications, and data, and information, those are the ones that need to be protected. It works really well in allowing the flexibility to use these IoT and lesser security posture devices while still protecting what matters.
Gregg Profozich [00:17:49] It sounds like we're talking about a number of the elements of the NIST cybersecurity framework, IPDRR: identify, protect, detect, respond, and recover. Ernie, when you're talking about that multi-layer as opposed to flat, it's like which information do I want to keep secure; which information really doesn't matter so much?
Ernie Edmonds [00:18:05] Exactly. Back when I was with the government, we had mission-critical, which is something that has to survive no matter what, and then we had mission essential, which may be payroll. People want to get paid, but that's peripheral to the actual mission. Then there's mission optional, which is something like the lunch menu. If you've got an automated lunch menu, if that goes offline, then print it off, and people can read it, but that mission-critical is what really matters.
Gregg Profozich [00:18:29] When I think about this, I often think about my house. The wife's wedding ring goes in the safe; the newspaper from yesterday, don't care what happens to it. I have lots of information. I have lots of things in my house. I've got a newspaper; I've got a bunch of books; I've got furniture, this and that. There's replaceable stuff, and there's irreplaceable stuff. Protect the things that are irreplaceable; the other stuff don't worry about. That helps simplify the cybersecurity problem to a degree, because if I have 1,000 things inside my company to worry about, no, you don't; you have 12.
Ernie Edmonds [00:18:55] That's exactly right.
Gregg Profozich [00:18:56] The one thing I want to do here is... We talked about actionable steps. For small business architecture, what are some practical steps a small manufacturer can take?
Buzz Thomas [00:19:04] Well, I would start by saying that the question is about what is a small business architecture and how would you get it. But what we need to put in there is maybe something around the word viable. If you think back to the statistics that you read off at the beginning of this and you say what is small business architecture, it's not what Ernie was just describing. It should be, but it's not. What it tends to be is very similar to what you have in your home and, in some degrees, less secure, because these are public-facing systems with public IP addresses, and they don't have architecture per se. They may have a firewall, and some don't. Some have routers, and there's no protection. I think that what the small businesses, small to mediums, need to look at first is understanding what the threats are and their options. The architecture, well, we call it the stoplight model with the red, yellow, and green zones. That is 100% scalable from being in your house as a user to a small business to a medium business to a large corporation. In fact, I think Ernie implemented this originally at DHS. It scales massively. The answers that we're going to give to this question are around that stoplight model. But something unique to SMMs is that they don't have the staff to be able to implement these things properly. Typically, they'll have one IT person, or two, or three, and they can't do all the monitoring, and logging, alert responses. You mentioned the cybersecurity framework which is often used as a metric to see if in each of those categories you're doing well. We would ideally want these SMMs to align their cybersecurity defensive posture with the CSF cybersecurity framework, but they won't have the personnel. What they really need to do is bring in a third party to do their really hard stuff—outsource this kind of thing—and then architect their systems, their rights, and permissions, so that they can be properly secured. I'll turn that over to you, Ernie.
Ernie Edmonds [00:21:06] Just exactly what you were saying. With this architecture and some of the things that small to mediums come up with or can't come up with, they're so frequently resource-constrained. They find themselves the target of anybody else. Whether it be a large company like Boeing-Lockheed, or retail with Target, or Sony and movie production, all these hacks have happened. They're not individual unique attacks; they are variations of a theme. What happens is a small to medium will find themselves in the crosshairs of an adversary using exactly or, within reason, the same attack. The problem is they don't have the resourcing, whether it be budget for tools or things like that or the deep understanding of the cybersecurity SME. They just don't have the resources to hire those individuals, or to buy the products, or have somebody with a complete vision of security to outline their security program. They just don't have the resourcing. They do the best they can, but here they are going up against the same actor that would annihilate them. That's what we find that the small to mediums are most at risk at. They just simply don't have the resourcing to combat this type of an attack.
Gregg Profozich [00:22:22] I think I heard you say earlier that the multi-tiered is an abstraction. It doesn't mean to have a red, yellow, green level I have to triple the amount of equipment I have—one red server, or green server, yellow server. There are ways within the existing hardware that I may have as a small to midsize manufacturer to accomplish this. Or am I misunderstanding that?
Ernie Edmonds [00:22:39] No, you're exactly right. What happens is you've got certain servers. Let's start there. That's where you started. There are certain servers that will contain certain data. Say it's a file server or database server, whatever it happens to be. The data that's there, you always go to the high watermark. If it's got potentially yellow data and green data, put it to the green level to where the yellow just benefits from added protection, but the green is protected. It's the same server. If you wanted to separate that out, then you could do that. You could do a multi-homed environment or whatever that would look like to where you could isolate yellow from green, and there you'd be. When you talk about these layers, though, let's shift over to the network a little bit. The network is configuration. That's all a network is. When you start talking about protection layer topology, trust zone topology, whatever, it's just the configuration. If it's a small to medium and they've gone to Best Buy or whatever, Amazon, and bought a firewall, well, it's probably not going to have the capability. Say it's Linksys, or Netgear, or whatever your favorite SOHO router is; it's probably not going to have the ability to do this topology. It's not mature enough. But there are real firewalls that aren't expensive. There's even open source. If you look at pfSense and OPNsense, those firewalls are fantastic. They will do this without even a thought, and it's just a matter of configuration. Now you've got just a free firewall that's on your computer. You've got to have enough interfaces to support it. But it doesn't have to be expensive at all, and yet it provides this enterprise-grade security to help them weather that proverbial storm.
Gregg Profozich [00:24:20] I think I'm hearing between what you're saying, Ernie, and what Buzz is saying, that if I have staff internally, have them do it, and if I don't, hire a third party to come in and get to the basic level of a not flat topology. Put the right level, the simplest level of multi-layer, and segment my data between the red, yellow, and green and take all the yellow and green or all the green itself and put it in a separate instance or a separate level so that it can be protected differently. That's the practical steps we want to have as the takeaway from that. Is that correct, or am I inferring something incorrectly?
Ernie Edmonds [00:24:53] Yeah, that's mostly right. Just to clarify, we use red, yellow, green as a baseline. Sometimes you'll have things like industrial control systems, ICS SCADA, things like that which break outside of this model a little bit. Sometimes you'll have multiple green zones or possibly multiple red zones. It just depends on the company, how they want to segment and how they want to separate their data to where it works for them. As long as you're using a model similar, the baseline can be changed. Then when we get into ICS, sometimes they will put a green below the green, an actual layer below it—it's what we call very green—just because it is protected even more so than green. ICS systems, you just simply can't afford any type of an anomaly, whether it be something as simple as a vulnerability assessment scan. If it hits the wrong device and it dumps a vat of molten aluminum onto the floor, people could really find themselves impacted. Those protections, that's why a lot of times you got to modify this model to where it makes sense for what you're doing and the risks associated with that.
Gregg Profozich [00:26:01] The next topic we wanted to talk about was malware. In recent months there's been a lot in the media about malware. What exactly is it, and what are the practical steps that the small to midsize manufacturer can take to reduce their risk of a malware attack? Buzz, why don't you get us started off?
Buzz Thomas [00:26:17] All right. I alluded to this before when I was talking about monitoring and incident response, but I'll start with the most common sense thing. Everyone's heard of antivirus, and the contemporary versions of antivirus are malware protection software. The very first, most critical thing is there needs to be malware protection software on the systems. There's a particular flavor of protective software called listing services which almost no one uses but is the most powerful thing that you could use to protect yourself. Listing services are sometimes called default deny lists, default allow list, whitelist, sometimes blacklisting, but the trend now is to just call them listing services. Those kinds of services allow you to say we know what the good programs are, and we don't know what the bad programs are, so we're going to turn on this service so that only things we already know are good can run. That means if you get a virus and you have that malware, ransomware, it won't run, because it's not on your list of things that you know are good. Second, to that is general malware protection and antivirus protection. Third is what I was saying about monitoring and response. There's got to be somebody who has the time to respond to alerts when something pops up. If you can afford someone, that's great, and that will be very fast. If you can't, there's managed service providers that can do this as a service for a very good fee.
Gregg Profozich [00:27:46] Excellent. Ernie, anything to add?
Ernie Edmonds [00:27:48] Just going on to the whitelist, blacklist, allow list, deny list, whatever you want to call it, that is so powerful. The example Buzz used is one where you've got... Can things like Word, Excel, PowerPoint, Edge, Chrome, Firefox, whatever, those would all be on there, but if a company is really wanting to take this a step further, they can make a list of applications for each rule. For the company, the default might be that they have a browser. Next would be the office suite, whether it be Microsoft Office or whatever. Maybe that would be all that you'd have for the core business. No solitaire, nothing like that, no games, and that would be fine for the base. Well, what about your engineering staff? Maybe they need something like Visio for architectural diagrams or something like that. You can have an engineering group and allow those applications that they need. Then going over to finance, maybe you've got QuickBooks or something like that. They would have those apps along with the basic core apps. Now nothing will run except for what you have explicitly allowed. Everything else is implicitly denied. Another thing is you don't have to worry about what people are installing on their computers, because the installers won't run. This really tightens the posture a lot. Building off of what Buzz was saying, this is something that we encourage and we advise. It's not the easiest and not the quickest thing to do, but the benefits are amazing, in short.
Gregg Profozich [00:29:22] Listing services, antivirus, anti-malware, and monitoring are the things we're talking about. Can you just talk about how powerful they are? If I'm a small to midsize manufacturer, is setting up a listing service something I can do myself if I have very little IT experience, or do you have to hire somebody, do you have to have somebody? What does it take?
Buzz Thomas [00:29:38] They could do it themselves if they know anything about Windows Active Directory capabilities. If they don't, they could buy something to install on their system. There's a number of good vendors that specialize in that. If they wanted to outsource it, they could have someone else do it for them.
Gregg Profozich [00:29:54] There's application packages I could download and use to do this for me?
Buzz Thomas [00:29:55] That's correct.
Gregg Profozich [00:29:59] Any good ones come to mind?
Buzz Thomas [00:30:00] Yeah. Carbon Black is my favorite. It used to be Bit9, and then Carbon Black bought them. That's probably, in my opinion, the best one. You also have capabilities within Active Directory to run it, and you've got AppLocker which comes with Active Directory, as well. You can use Microsoft variants for that.
Gregg Profozich [00:30:18] Excellent. Since the pandemic, there's been a significant increase in the number of people working from home. Tell us about how to ensure home office and mobile device security. Buzz, you want to start us off?
Buzz Thomas [00:30:31] Well, the conversation we had about architecture for small to mediums applies here, as well. The concept is security. It doesn't really matter if the user of that security is at home, or an office, or a building, or a government agency. The concept of using network segmentation, which is what we were calling the red, yellow, green networks, is super important. If you're a home office user, you should look at maybe separating your network as a worker from your family's network as entertainment between two separate Wi-Fi devices and just connecting, physically plugging things into those two separate networks to keep the traffic separate. That way, if something is compromised by someone clicking on that link in a bad website, it doesn't affect your work or your confidential documents, things like that.
Gregg Profozich [00:31:23] If I don't have a segmented network, and I'm working from home right now, and somebody else in the family is on the network, and they click something linked to a bad actor site or something like that, I'm on a VPN. Am I protected? Is my work stuff protected, or are there still vulnerabilities there?
Buzz Thomas [00:31:37] There are still vulnerabilities. It would make sense to think that you're protected because your traffic to your office is encrypted, but the problem isn't the traffic to your office. Your computer is on your local LAN using that Wi-Fi. If there's a bot, some sort of malware that can spread within your home network, it will get on your system. Then when you log in, even if you're using government PIV cards with multi-factor authentication, now you have an infected machine that's connecting to your work back end. That's the nightmare that corporations are trying to avoid. It's so simple to just have two separate Wi-Fi devices and then plug everything into the work one that's work and everything that's home into the home one. You don't need any special knowledge.
Gregg Profozich [00:32:21] Can I segment my network into one access point I have for my Internet connection? Can I break it there, or do I physically need two different modems or data connections to the Internet?
Buzz Thomas [00:32:30] It's a good question. If you're Ernie, you can segment it. You can go in and set up traffic forwarding, things like that, within the firewall, within the router, to make this happen. But that takes special knowledge, and you can make mistakes. It's almost self-setting if you just have two of them and you plug things in physically to the separate networks. It takes no knowledge, and it gives you the same protection.
Gregg Profozich [00:32:51] If I take two of the Ethernet cables that my Internet service provider gave me and I plug in the two different modems, I could do it that simply?
Buzz Thomas [00:33:00] The way that would work is, typically, you have a modem or cable modem that comes into your facility or your house, and then you have one Ethernet cable that plugs into that and goes into your Wi-Fi device. What you would have to do is buy a separate Wi-Fi device and then an Ethernet cable from that new one into the switch or the ports on the back of your old Wi-Fi device. Now you've created two subnets that are separate. They all have to go to the same router to leave, but that's all it takes for the home network segmentation. Don't forget antivirus and malware protection.
Gregg Profozich [00:33:35] And update them regularly.
Buzz Thomas [00:33:36] Regularly.
Gregg Profozich [00:33:36] Run the updates, get the latest files. How does that work? When I get the latest files for an antivirus or anti-malware, is the manufacturer actually updating for the latest malware threats that are out there and finding pieces of code to look for? How does that actually work?
Buzz Thomas [00:33:48] It is. That's the business they're in. They're trying to first identify things that they know. This is called a signature-based approach, where they identify what is the malware that's out there and what does it look like, and they put up rules to keep it away from your system. The other approach is heuristics or artificial intelligence, where they're looking for changes from baseline configurations or baseline behaviors, and they want to identify malware based on that. That's the new push in malware protection now.
Gregg Profozich [00:34:18] We talked about home security there. The other part of the question was mobile devices.
Ernie Edmonds [00:34:22] Mobile devices. Everything modern is really strong coming out of the box. Privacy and security are two different things. From a security perspective, they're pretty strong; from a privacy perspective, there's possibly nothing worse, especially Android. Google put out Android, and once you have the Play Store and some of these Google services, they know everything on your phone, essentially. But from a security perspective Google does a lot of things right, nearly everything right. Apple, the same way. Apple actually has an advantage, in my opinion, on privacy, but from a security perspective, they are right there. That's what we're really talking about with mobile devices. We're talking about phones, tablets, and laptops. Laptops are mobile computers. Everything that applies to a desktop obviously applies to a laptop. But from a phone perspective, security, as long as you don't root it, what's called rooting on Android or jailbreaking on iOS, the Apple devices, don't do that ever. It's not worth the risk. You might get an additional feature that six months down the road the next version of the OS will have, but your exposure to bad actors is night and day. You are almost certainly going to get hacked if you jailbreak or root unless you really know what you're doing. I think companies should have a policy that any device that is going to connect via email or any other way, whether it be VPN or whatever, even if it's a personally owned device—bring your own device, bring your own disaster, however you want to say that—there should be a policy that no jailbroken or rooted device can connect in that way. You're simply not allowed to use that device to connect to the corporate infrastructure. That should be a rule, a policy that all companies have. There's three ways to handle security: there's a policy, which is high level; and then there's procedures at the medium level, and then at the lowest level there are technical solutions. Technical solutions are the most scientific. The flip side of that is they're the most pricey. It takes very little money to write a sentence that makes policy. It took a couple dollars. If you have procedures, then it might take you 10 minutes, 15 minutes to write the procedure. If somebody is making $100 an hour, do the math. Then if you get into this technical level, these tools can be expensive. We talked about Active Directory. Active Directory is part of Windows Server. The last time I checked it's right around $900 for a server license for that. It gives you a lot of capability, but there's a cost associated with that. It's ideally better to go in most cases to the technical solution, just because you get rid of this practice aspect, but understand there will almost always be a higher cost of implementation. Just keep that in mind.
Gregg Profozich [00:37:12] We'll move along to the next one I think we mentioned a couple times now, the word zero trust. I don't know what it is. Why don't you tell me and tell our listeners what it is and why it's important?
Buzz Thomas [00:37:22] Zero trust has been around for a long time as a concept. Recently the US government put out an executive order saying that the government itself must start using this new concept, and any private companies that are servicing those organizations have to use it, as well. Now there's this massive push to start using zero trust. At the most basic level, zero trust started off as a way to communicate about getting access on a network. For example, you have two devices on a network—maybe your PC and a server—and your PC wants to access something on the server. If you just allow it access, then that means you're implicitly trusting that PC to access the server. This new to the government paradigm of zero trust really means you're not allowed to implicitly trust anything anymore. That means that whenever you want to access something, there has to be a policy engine, a type of computer that decides whether or not you should be accessing that device or that data. Once the decision is made, then there has to be a policy enforcement computer, something that allows you in or blocks you. That's the most basic way I can describe what zero trust is. Now, it applies not just at that one access from one computer to another but goes all the way up these seven layers that Ernie was talking about before, even to people and finances. The zero trust model as it's being implemented in the government right now is constrained to network and system security, but the concepts are going up that stack.
Gregg Profozich [00:39:02] What would the policy decision point be? How would the policy computer know how to authenticate me or verify that on me?
Buzz Thomas [00:39:08] Typically, these policy engines will look at things like what group are you in your Active Directory or your LDAP. In other words, the computer has a list of everyone that would be accessing things, and it would look to see do you have permissions to get into what you're trying to. That's an old-style model. Now with zero trust, there's a continuous evaluation requirement. It's almost like a real-time continuous score of the requester asking for access. It will look at things like where are you; are you in this country; are you in this building; have you asked for this before; what groups are you in; are you technically allowed this information; are you from a trusted computer; do you have a VPN? There's a whole list of things that will be looked at to say we trust you this much; your score is 75%. The level maybe is 70%. If you get above 70, you can access it, but if that changes according to zero trust, even in the middle of your working, your access is gone.
Gregg Profozich [00:40:09] Wow. How would a small to midsize manufacturer go about implementing the...? It sounds like some very technical and somewhat complex architecture and configuration.
Buzz Thomas [00:40:19] It is. I don't think that the SMMs are going to have to worry about implementing this right away. But what they are going to have is a ton of vendors coming to them saying we are zero trust solutions; use us; we have a cloud solution; it's zero trust; or we have an enterprise solution; it's zero trust. They should know what it is if they want to entertain that conversation. But as they get larger or if they start taking on government contracts, then they're really going to have to look at getting some zero trust expertise in-house.
Gregg Profozich [00:40:51] Is it mandatory if you're a government contractor at this point?
Buzz Thomas [00:40:55] It's not mandatory at this point, but it's coming.
Gregg Profozich [00:40:57] But that day's coming. Got it. Ernie, anything to add there?
Ernie Edmonds [00:41:01] Another part of this equation is if I start talking to a supplier, how do I know my suppliers are who I think they are? Maybe it's a spoofed email. That happens all the time. Now, if I think I'm talking to Lockheed, how do I know unless they have a digital certificate on their email or something that I know that Lockheed's Lockheed? You have to look at it from not only this technical perspective but things like social engineering from the person or to the person, this layer eight as we keep talking about, but also things like contracting vehicles. Zero trust means literally that—nothing is trusted. Even the phone number, or the email, or whatever it is, the person, nobody's trusted until they are verified, and then they're trusted. That is across the gambit no matter what it is. It's not just technical in nature.
Gregg Profozich [00:41:52] Got it. Not trust, then verify; verify and conditionally trust.
Ernie Edmonds [00:41:57] Correct.
Gregg Profozich [00:41:57] As long as the verification doesn't throw up a red flag.
Ernie Edmonds [00:41:59] Yeah. As the person goes on with it, then it may be that I'm starting to believe that Buzz isn't really Buzz. He's not really Ernie, because Ernie's accent is changing. It sounded more Irish or something. There's going to be red flags that you just have to continually listen for.
Gregg Profozich [00:42:16] Let's talk a little bit about data. What are the benefits of backing up data and optimizing data storage? What are some simple, effective approaches that SMMs can use?
Buzz Thomas [00:42:25] This is going to merge into the malware conversation a bit now. The landscape has changed. In the past, data backup was a simple concept. You could just think about going to run Box or Dropbox, some web-accessible backup service, and then my data will be there. But then we started having problems with ransomware. Then ransomware would encrypt all your data including anything in the backup locations. Then your copies would turn encrypted, as well, because they were automatically synchronized. Cloud services started trying to adapt to that. Dropbox will do things like allow you to revert to a previous state to try to fight that. But now ransomware is going even further. Backup strategies need to think of security, too, not just access to the data that was backed up. For SMMs one of the things they should consider is doing a local backup to an area of the network that can't be rewritten; you can't save over top of it. The example here is if you save your document in your normal folder, and then you get malware, that document is damaged now, but if you save it in your normal folder, and then set up a simple automated routine to make a copy of that in another folder that can't be written over, that means that document can no longer be infected. It also means that if you get ransomware and it tries to encrypt that secondary file location, it can't, because it has no permissions to modify. There aren't permissions to modify. This idea of having a shadow copy that's write once and read many used to be called a worm drive. If you had a system that would do that, it can protect you from ransomware. When you're thinking of your data backup, consider doing something like that as a first step for ensuring data, and then do all your other backup routines cloud-wise or otherwise from that protected location.
Gregg Profozich [00:44:24] In other words, if I do a write once, read many, would I do that in versions weekly or monthly like that? I get infected on a Thursday; my backup runs Friday. Infection's already there when it gets pulled on Friday. But if I can go to last week's, I can get it. Is that how it works?
Buzz Thomas [00:44:37] It depends on how small an organization we're talking about is. Typically, larger and mature organizations will have those differential backups so that every day they could restore to any point in time. Continuous backup is another version of that. A small shop would just have the copies they have. All I'm suggesting is whatever the process you do for backing up, before you do it, you have this step where you put things into a folder that it can't be changed. Then continue your normal backups with whatever strategy you can afford.
Ernie Edmonds [00:45:09] That's a good way to look at that in a small to medium that often I'll advise is... Resources are finite. The write once, read many is great. The way you would do that is you would give somebody the ability... Say, it's a folder. You would have either your agent or the people, however, you want to configure it, to where they can write, but they can't modify. What's already there can't be modified, but they can save it as dash one, dash two, or whatever. Windows does it with the parentheses one, two. That is a good way to do that to where nothing can be overwritten. Then you can do Delta analysis and figure out what actually needs backing up. But anyway, what I advise people is have a hot backup that is real-time so that if something happens, whether it be ransomware or whatever, they can restore once they make sure that the ransomware is gone and it's not going to just recorrupt it again. That'll take care of it. But always keep a cold backup, an offline backup, in case ransomware were to just wipe you out. You can do everything right and still some zero-day ransomware or whatever comes in and obliterates your entire show. You want to make sure that before you restore any of this stuff that the culprit is gone. That could be that you have to wipe your systems. That's usually what people do at this point. The data is what matters; the systems don't matter. You just wipe the system; start over; reinstall the stuff, the apps, whatever; then put a known good configuration on it for your Active Directory. Some people use cloud-based Azure AD or something like that. Once you get stuff back on, then now you've got this cold backup. You should have multiple copies of the cold backup, because what if the ransomware is time bombed? So, your cold backup is also compromised. Go back in time far enough to where you can get a legitimate copy that is uninfected, uncorrupted, and put that data back. Now your restoration is there, and your recovery is there, and you're back to working. Now, everybody's a little bit different, like what Buzz was saying. Your resourcing, I might have $100 and Gregg, you might have $1,000. Well, you have a lot more options than I do. I need to be responsible with the stewardship of the resources I have, but at the same time I've got to get something going, something that will keep us operating in case this happens. Understand the risks; make the best decision you can; and then if you see that something needs to change, then change it to the extent you can.
Buzz Thomas [00:47:45] And test, test, test. You need to make sure your restore works.
Ernie Edmonds [00:47:49] Yeah. If you don't, you've got some paperweights. I've had that happen. I've been in this industry a long time. I started out as a sysadmin in Newport News, Virginia. I had an issue, and my backup failed, so we had a problem. My cold backup actually worked. I had a multistage. I had a hot and a cold, and the cold was there. But had I not had a cold that actually worked, my hot didn't work. It errored out, and it did not have the data to restore. Like Buzz was saying, test these things. Usually weekly is fine, but just make sure that you can restore a sample set, some folder, not the actual production folder. Just save it to some alternate location. Make sure that it works, and then test it periodically.
Gregg Profozich [00:48:36] The difference again between hot and cold backups?
Ernie Edmonds [00:48:39] A hot backup is going to be online all the time. Then a warm backup will be not in a production environment, but it's pretty quick to get back if you need to. It will be live. It'll be actually powered up, but it will be isolated to some degree to where it can't just be immediately done. Your restoration time, instead of being five minutes, might be an hour, 30 minutes, whatever. Then a cold backup will be actually powered down. If God forbid you get wiped out by malware, this thing is protected, because it was not powered up. Then once you get your systems restored, you can restore back the data from that cold backup. Now the potential is there that you can be up and running.
Gregg Profozich [00:49:24] Got it. How are you guys making a differentiation between data and systems? To put it in a Microsoft example, I get corrupted. I have all my data files for Word, and Excel, and PowerPoint in a cold backup. They're on a disk somewhere on a machine that's shut down. When Microsoft gets corrupted and I can no longer access Word, and Excel, and PowerPoint, I can wipe my system clean and reinstall those pieces of software, get them back up on what's basically a brand-new machine now, and then connect them to the source where I have the cold backup where all my data files are. Now I have all my documents, and my presentation decks, and my spreadsheets. That's the concept here we're talking about?
Ernie Edmonds [00:50:01] It's kind of the concept, but you would not connect it directly to the cold; you would import a copy of the cold and to the new operating system, as you put it.
Gregg Profozich [00:50:10] Just in case.
Ernie Edmonds [00:50:11] Yeah, exactly. It's a one-way transfer. You don't want to hurt your cold backup.
Gregg Profozich [00:50:15] Got it. Buzz, Ernie, what are some cybersecurity good housekeeping practices that SMMs should implement?
Buzz Thomas [00:50:22] I'll start with the most obvious thing which is also the most prevalent problem in companies, and organizations, and government, simple thing of applying security fixes—security patches and software fixes. If you look at the statistics, it's well over 80% of the infections and compromises happen because of lack of security hygiene, meaning patching. That's the top of the list. Number two is far beyond it. If you are looking for the most powerful thing, it's that. Now, it's not just patching; it's patching at a reasonable time. If you look at the Verizon cybersecurity report, it comes out to tell you that when they look at the compromises across the board, they find that not only were things not patched but they were months not patched. Verizon's report said nine months on average. They were behind patching. That led to not only lots of breaches but lots of covert infections, where organizations don't even know that something's happened yet.
Gregg Profozich [00:51:27] If I do my Windows update and apply that concept to all the different pieces of software I have, downloaded the latest patches and making sure all the security holes that they're finding and fixing in these patches are now implemented and deployed on my system, I get head and shoulders above?
Buzz Thomas [00:51:41] By far.
Gregg Profozich [00:51:42] Is there a second thing after patches, or is it just that simple?
Ernie Edmonds [00:51:42] I'm going to say education, understanding that eighth layer again. Don't just randomly click. Understand what you're clicking on, and train people to not just randomly click. Common sense goes a long way. Patching applied with a reasonable amount of care will do a lot in this area.
Buzz Thomas [00:52:03] I actually have a list of things that everyone should be doing, seven more items. We've talked about some of these, but definitely patching and then list services. We talked about list services before. Encryption of sensitive data, segmentation of networks, and then multi-factor authentication, and then three more, one of which Ernie already mentioned—always implement your security in a fashion called least privilege, where you give someone only the permission they need, nothing extra, in order to do their job, followed by separation of duties so that not all the power is with a single person, and, to Ernie's point, continuous, ongoing security training.
Gregg Profozich [00:52:46] Great list. If the two of you were partners and owned a small manufacturing company, how would you approach monitoring and incident management?
Ernie Edmonds [00:52:54] What would come into play here is from a monitoring perspective, what is my visibility. I need to be able to see. One of the companies that I used to work for, we had a concept called see, control, orchestrate. The first thing is to see what's going on. Complete visibility is what you're looking for, whether that would be application-based, or network-based, or something in between. Then you want to be able to see...or even the actions of individuals. If you're doing key log analysis or something like that, you can tell if Ernie is actually the person at the keyboard, because everybody types a little bit differently. The typing tempo is different; just the way... There's a fingerprint to that. The next thing is to control this. Once you determine that there is a bad actor, or a potential bad actor, or something of interest—that's what we would call interesting observation—now we've got to determine what to do with it. We talked about skewing the needle earlier with zero trust. That's an indication of potential compromise, and there's a lot of other ones, too. You would try to control what that thing is doing. If it's not Ernie, if it's this guy pretending to be Ernie, it's limited. The next thing is if that comes into play with, say, multiple vendors, or multiple tools, or something like that, to get some comprehensive ability to control. Then you would have this machine speed orchestrated response. Machine speed is what you're going for, because an actor—malware, ransomware—by the time you read an email, you're toast at least to some degree. You want to be able to understand and act as quickly as possible. This is where your detection and control aspects. It's better to have those pretty sensitive and pretty agile in their control behavior. Then if you need to follow up and maybe turn somebody back on because it was an inadvertent loss of productivity, then you try to get them up and running as quickly as you can. From a detection perspective, you want that fast. Then the ongoing monitoring—that's where you're going to have this person that can make determinations outside of what the program logic can do. That can be somebody in-house if you've got the resourcing, or there's third parties out there. Symantec and other ones offer these services. Varying degrees of competency and varying degrees of price, but you want to make the best decision you can based on the resources available.
Gregg Profozich [00:55:22] Got it. We mentioned a minute ago, Buzz, data encryption. What's the importance of hard drive encryption, and how can it be accomplished?
Buzz Thomas [00:55:29] Hard drive encryption is really talking about encrypting devices more than encrypting data that you're using. When you encrypt a hard drive, you're only affecting the data when the drive is turned off. Hard drive encryption—when the drive is on, your computer's operating, data is not encrypted. What this protects you against when you use drive encryption is someone getting your data by stealing your hard drive, accessing it when it's offline, walking out the door with it, breaking in, taking it out the window. There have been entire companies that have gone out of business because intellectual property was lost. In Defense Department manufacturing it's super critical to keep stuff secret that's secret. Even when systems are off, they need to encrypt those drives. We need to keep that separate from data in use encryption. Hard drive encryption is data at rest versus data in use. Your SMMs need to be able to encrypt data at rest as well as in transport and in some cases, like in databases, even when in use, three levels of encryption.
Gregg Profozich [00:56:42] If I have my hard drive encrypted and somebody breaks into my company and walks off with a laptop, they won't be able to access it?
Buzz Thomas [00:56:49] That's correct.
Gregg Profozich [00:56:50] Encrypting the data in transport is making sure... Like a VPN, as it's out on the Internet and the bits and bytes are moving through at the speed of light, nobody can sniff them, pull them out, copy them, replicate them, et cetera. They're going to get to their end choice through a tunnel that can't be violated.
Buzz Thomas [00:57:06] Also correct.
Gregg Profozich [00:57:07] Then the last one is “in use”. I'm not sure what that one means. Let's talk just a little bit more about that.
Buzz Thomas [00:57:13] There are databases that have the capability to keep encryption during use. Sometimes they encrypt only parts of a field, and sometimes it's the entire field. Oracle, I think, was the first one to do this so that people even with access to the database wouldn't be able to see the data unless they had a specific key for that data field.
Gregg Profozich [00:57:34] Got it. While I'm writing to the database, nobody else can get to it unless they have the same key that says everyone else is locked out?
Buzz Thomas [00:57:41] That's right. Most vendors do this through encryption; some do it through masking, but either way, it's to keep you from being able to see what's in the cells.
Gregg Profozich [00:57:50] Got it. Our last topic for today was multi-factor authentication. What is it, what's the benefit of it, and how can it be implemented?
Ernie Edmonds [00:57:58] Multi-factor. Let's talk about what a factor is. In this case, there are three factors that come into play. The first factor is what you know, things like PIN, password, whatever. That's what you know. The person knows that. The second is who you are. That would be something like your fingerprint, retina, iris, whatever. It's not going to change, but it's unique to who Ernie is. Then the third one is going to be what you have. Buzz mentioned the PIV keycard with the DOD. That's what you have. Another thing could be the Google authenticator, or Microsoft authenticator, or whatever on your phone or, even at the worst case, your SMS code that comes in on your phone. I say that's worst case. It's better than nothing, but with cloning and stuff like that, it's not that strong. Any two of these three is dual-factor or multi-factor. Sometimes you see it listed as 2FA because it's two of the factors. Any combination of two of these three factors is multi-factor authentication. Now, what's not multi-factor authentication is if you have a PIN and a password or two passwords; that's multiple usage of the same factor—2X of the same factor. That is not multi-factor auth. Any two of these three, when you have a two factor, your password doesn't have to be as strong. It still should be stronger than just nothing, but it doesn't have to be 12 character and all that complexity, because now you've got this authenticator app. Assuming somebody doesn't have access to your phone, that's pretty strong. Another thing that this does is replay resistance. A factor that comes into play is a replay attack. When somebody is trying to log in, you can capture his credentials and replay. Well, when you have biometrics, it never changes. Regardless of what my Samsung phone says, my fingerprint doesn't change. There's the thought that if I try to replay this thing in 10 minutes it will work. Well, if I'm using this authenticator app or even the SMS text message, it's good for a minute, five minutes, whatever, so it provides replay resistance. This is a very strong thing to do. If I were to give a ranking of which thing out of these 10 somebody should look at first, this would be it.
Gregg Profozich [01:00:24] You bring up a good topic there, but I want to let Buzz add anything on MFA, if he'd like to. Multi-factor authentication?
Buzz Thomas [01:00:30] Well, that was a good coverage. I would mention that some vendors are starting to add your location as one of the factors, not only what you have, and what you know, and what you are, but maybe where are you. In other words, if you try to log in and you're not where you should be, they won't trust you.
Gregg Profozich [01:00:45] Got you. If I'm supposed to be working from home today, and somebody tries logging in from Hawaii, and they have my fob for my code, and they have my password, it still would say, "Hmm"?
Buzz Thomas [01:00:55] Yeah.
Gregg Profozich [01:00:56] Got it. We've talked about a tremendous amount of things, and there's been a lot of both technical talk and some practical applications here as we've gone through everything. If I'm a small to midsized manufacturer, there's an awful lot to do and a lot of technical things I may not know that I have to learn. I may feel overwhelmed; I may be in the paralysis of I don't know what to do, so I have to figure this out first, and until I do, I can't start. Where should I start? What are the two or three things I should start in my crawl, walk, run of my cybersecurity journey?
Ernie Edmonds [01:01:22] My top three would be multi-factor authentication. Do that on everything that will let you, whether it be your personal banking, or social media, whatever. That is first to do. Number two would be whitelisting of applications, allow listing, whatever you want to call that. Whitelisting is better than blacklisting or deny listing, because deny listing is an explicit deny list. If you've got 100 items, it's the new one at 12 o'clock tomorrow that's going to bite you. Whitelisting, allow listing, is a better concept. That would be my number two. Thirdly would be network isolation, the architecture with the multiple zones. To recap, first multi-factor authentication; second would be whitelisting of apps, and architecture would be third.
Gregg Profozich [01:02:07] Okay. Buzz?
Buzz Thomas [01:02:09] That's exactly my list, with one and two being separate. I had listing is first and MFA is second, but that is on the technical side what I would say you should start with as an SMM. I would also say there are people and programs that are set up to help you in these kinds of things. Seeking out assistance, whether it's from vendors, or government, or grants or something like that would be a good idea.
Gregg Profozich [01:02:35] We've covered an awful lot of ground today. I think that our listeners are going to have a lot of information to digest. I love the fact that we've got just the three things to start with. Ernie, Buzz, it was great to have you here. Thank you so much for joining me and for sharing your perspectives, your insights, and your expertise with me and with our listeners.
Ernie Edmonds [01:02:52] Thanks, Gregg.
Buzz Thomas [01:02:52] It was a real pleasure.
Gregg Profozich [01:02:54] To our listeners, thank you for joining me for this conversation with Ernie Edmonds and Buzz Thomas in discussing the 10 things you need to know and do for cybersecurity. Have a great day. Stay safe and healthy. Thank you for listening to Shifting Gears, a podcast from CMTC. If you enjoyed this episode, please share it with others and post it on your social media platforms. You can subscribe to our podcasts on Apple Podcasts, Spotify, or your preferred podcast directory. For more information on our topic, please visit www.cmtc.com/shiftinggears. CMTC is a private nonprofit organization that provides technical assistance, workforce development, and consulting services to small and medium-sized manufacturers throughout the state of California. CMTC's mission is to serve as a trusted adviser providing solutions that increase the productivity and competitiveness of California's manufacturers. CMTC operates under a cooperative agreement for the state of California with the Hollings Manufacturing Extension Partnership Program, MEP, at the National Institute of Standards and Technology within the Department of Commerce. For more information about CMTC, please visit www.cmtc.com. For more information about the MEP National Network or to find your local MEP center, visit www.nist.gov/mep.
